IBM Tivoli Access Manager for e-business: WebSEAL Administration ...
Supplying a failure reason across a junction

Authorization rules allow you to set up special, and often complex, conditions governing the ability to access a protected resource. However, the standard result of a failed authorization decision is to stop the progress of the request to the service application that controls the resource, and present the client with a "forbidden" message.

If the authorization rule is written to include a failure reason, and is evaluated as FALSE by the Tivoli Access Manager authorization rules evaluator, WebSEAL receives the reason for the rule's failure along with the standard "forbidden" message from the authorization service. The failure reason is usually ignored and the "forbidden" decision is enforced.

You can optionally configure WebSEAL to reject this standard response and allow denied requests to proceed across a junction to a back-end service application. The request is accompanied by the failure reason provided in the authorization rule. The back-end service application then has the opportunity to proceed with its own response to the situation. This optional configuration occurs during the creation of the junction to the back-end service application.

Authorization rules are typically used in conjunction with service applications that can understand and handle this more sophisticated level of access control. In some cases, it is necessary for the service application to receive a request that is denied by the Tivoli Access Manager authorization service. Such an application is written to understand failure reason information and can provide its own response to a request that has failed a Tivoli Access Manager authorization rule.

For example, the order processing component of a shopping cart application can be governed by an authorization rule that denies action on an order if the total purchase price exceeds the user's credit limit. It is important for the shopping cart application to receive the entire request and the reason for failure. The shopping cart application can then take matters into its own hands and provide a user-friendly response, such as advising the user to eliminate a portion of the order. The interaction with the user is preserved rather than cut off.

To allow denied requests and failure reason information to proceed across a junction to the back-end service application, configure the junction with the -R option.

When WebSEAL receives an access denied decision on a request for an object located on a -R junction, WebSEAL reverses the denial response, inserts the failure reason into an HTTP header called "AM_AZN_FAILURE", inserts that header into the request, and passes the request on to the back-end application.

Always use this option with caution. It is important to coordinate the use of failure reasons in authorization rules with a service application's ability to interpret and respond to this information. You do not want to accidentally create a situation where access is granted to a resource controlled by an application that cannot respond accurately to the AM_AZN_FAILURE header.
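The following is an added example, not code from the IBM guide, showing how a back-end order service behind a -R junction could act on the AM_AZN_FAILURE header: it answers the failure reasons it understands with the kind of user-friendly response described above, and re-imposes the "forbidden" result for any reason it does not recognize, which is the safe default the warning above calls for. The header parsing, the reason strings (credit_limit_exceeded, store_closed) and the sample request header blocks are constructed assumptions; the guide does not define the format of the reason text an authorization rule supplies.

```python
"""Handling the AM_AZN_FAILURE header in a back-end application.

Constructed example for a shopping-cart order service that sits behind a
WebSEAL junction created with -R. WebSEAL reverses the denial, places the
authorization rule's failure reason in the AM_AZN_FAILURE request header and
forwards the request, so this service must treat the presence of that header
as a denial it has to handle itself.
"""
from typing import Dict, Tuple

# Header name as inserted by WebSEAL; matched case-insensitively, as HTTP
# header field names are (WSGI servers expose it as HTTP_AM_AZN_FAILURE).
FAILURE_HEADER = "am_azn_failure"

# Failure reasons this application knows how to handle. The reason strings are
# whatever the authorization rule author chose; these values are constructed.
KNOWN_REASONS: Dict[str, Tuple[int, str]] = {
    "credit_limit_exceeded": (
        409,
        "Order total exceeds your credit limit; remove part of the order and retry.",
    ),
    "store_closed": (503, "Ordering is unavailable outside store hours."),
}

# Constructed request header blocks as they might arrive over the junction.
SAMPLE_DENIED_REQUEST = """\
Host: orders.example.internal
AM_AZN_FAILURE: credit_limit_exceeded
Content-Type: application/x-www-form-urlencoded
"""

SAMPLE_ALLOWED_REQUEST = """\
Host: orders.example.internal
Content-Type: application/x-www-form-urlencoded
"""


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw header block into a dict keyed by lower-cased field name."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        if not line.strip():
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return headers


def handle_order_request(headers: Dict[str, str], order_total: float) -> Tuple[int, str]:
    """Return (HTTP status, body) for an order request forwarded by WebSEAL."""
    reason = headers.get(FAILURE_HEADER)
    if reason is None:
        # No failure reason: the authorization service permitted the request.
        return 200, f"Order accepted: total {order_total:.2f}"
    handler = KNOWN_REASONS.get(reason.strip())
    if handler is None:
        # Fail closed: the rule denied the request for a reason this application
        # cannot interpret, so re-impose the "forbidden" result WebSEAL reversed.
        return 403, "Forbidden"
    # A reason this application understands: keep the interaction alive with a
    # user-friendly response instead of cutting the user off.
    return handler


def respond(raw_headers: str, order_total: float) -> Tuple[int, str]:
    """Convenience wrapper: parse the header block, then decide the response."""
    return handle_order_request(parse_headers(raw_headers), order_total)


if __name__ == "__main__":
    print(respond(SAMPLE_DENIED_REQUEST, 1250.00))
    print(respond(SAMPLE_ALLOWED_REQUEST, 42.50))
```

The unknown-reason branch is the part that matters operationally: a new failure reason added to an authorization rule is then a denial until the application is updated to handle it, rather than a silent grant. The check is only meaningful when requests reach the application solely through the junction, since a request that arrives by any other path carries no AM_AZN_FAILURE header and would be treated as permitted.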
Chapter 13. Authorization decision information retrieval 363