[azn-decision-info] stanza

Add extra information from the HTTP request to the authorization decision information.

<attr_ID> = <http_info>

This stanza defines any extra information that is available to the authorization framework when it makes authorization decisions. This extra information can be obtained from various elements of the HTTP request, namely:

If the requested element is not in the HTTP request, no corresponding attribute is added to the authorization decision information.

Options

WebSEAL support for POST data

WebSEAL supports two types of POST data:

where the <post-data-name> is the name of the selected form data field in the request. WebSEAL adds the corresponding value for this field to the authorization decision information.

  • JavaScript Object Notation (JSON) data, which is the application/json content-type. For information about the JSON syntax, see http://www.json.org. To search for a key in the JSON data and add its value to the HTTP request, use the following format:
    post-data:/"<JSON-node-id>"[[/"<JSON-node-id>"][<JSON-array-indx>]]...

    where:

      "<JSON-node-id>"
      The name of a node in the JSON data.

      JSON data is essentially a hierarchy of name-value pairs. The forward slash character (/) that precedes each "<JSON-node-id>" identifies a level of the JSON hierarchy. We can repeatedly add [/<JSON-node-id>] elements to move through the JSON data hierarchy and identify the node containing the value that we want WebSEAL to add to the authorization decision information. Each <JSON-node-id> must be:

      • Enclosed in double quotation marks.
      • Preceded by a forward slash character (/).
      • A case-sensitive match with a node in the JSON data hierarchy.

        If WebSEAL does not find a matching node name in the POST data, no corresponding attribute is added to the authorization decision information.

      <JSON-array-indx>

      The contents of a node in the JSON data might be a JSON array. If we configure WebSEAL to search for a JSON node that contains an array, specify the array index of the value that we want WebSEAL to use. Use a base of 0. In other words, the first entry in the array has an index of 0. The <JSON-array-indx> is not enclosed in double quotation marks.

    Usage notes:

    • The square brackets ([]) in this syntax indicate an optional element. Do not include square brackets in the configuration entry. Similarly, the ellipsis (...) indicates that we can repeat the optional elements that precede it. Do not include the ellipsis in the configuration entry.

    • WebSEAL returns only node values of the following JSON types:

      • String
      • Number
      • true or false
      • null

      If the value of the selected node is not one of the types in this list, WebSEAL does not return it as authorization decision information.

      Object and Array types cannot be added to the authorization decision information.

    Usage

    This stanza entry is optional.

    Default value

    None.

    Example 1: Standard HTTP elements

    HTTP_REQUEST_METHOD = method
    HTTP_HOST_HEADER = header:Host
    
    If these example configuration entries are set in the [azn-decision-info] stanza, WebSEAL adds the following attributes to the authorization decision information:

      HTTP_REQUEST_METHOD
      Contains the HTTP method.

      HTTP_HOST_HEADER
      Contains the data from the Host header.

    Example 2: JSON POST data

    For this example, consider the following JSON form data:
    {
        "userid": "jdoe",
        "transactionValue": "146.67",
        "accountBalances": {
            "chequing": "4345.45",
            "savings": "12432.23",
            "creditLine": "19999.12"
        }
    }

    The following configuration entries in the [azn-decision-info] stanza extract information from this JSON form data.

    USERID = post-data:/"userid"
    SAVINGS = post-data:/"accountBalances"/"savings"

    The first entry prompts WebSEAL to search for the JSON node called "userid". In this example, the value associated with the "userid" node is jdoe. WebSEAL adds this value to the HTTP request in an attribute called USERID.

    When WebSEAL processes the second entry, it searches for a top-level JSON node called "accountBalances". Under the "accountBalances" hierarchy, WebSEAL locates the "savings" JSON node. In the example data, the value associated with this node is 12432.23. WebSEAL adds this value to the HTTP request in an attribute called SAVINGS. WebSEAL adds the following attributes to the authorization decision information:

      USERID
      Contains the value jdoe.

      SAVINGS
      Contains the value 12432.23.

    Example 3: JSON POST data with a JSON array value

    For this example, consider the following JSON form data:
    {
        "userid": "jdoe",
        "transactionValue": "146.67",
        "accounts": [
            {"name": "chequing", "balance": "4350.45"},
            {"name": "savings", "balance": "4350.46"}
        ]
    }

    The following configuration entry is included in the [azn-decision-info] stanza:

    SAVINGSBAL = post-data:/"accounts"/1/"balance"

    WebSEAL processes this entry as follows:

    1. Searches for a top-level node in the JSON data called "accounts".
    2. Locates the element in position 1 of the JSON array (base 0).
    3. Searches for the "balance" name-value pair in this array element.
    4. Adds the associated value to the authorization decision information.

    In this example, WebSEAL adds the following attribute to the authorization decision information:

      SAVINGSBAL
      Contains the value 4350.46.
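
The lookup rules described above (quoted, case-sensitive node names, base-0 array indexes, scalar values only), modelled as an added Python example for checking a post-data entry against a sample body before deploying it. It is not WebSEAL code; the function names, the WRONGCASE and WHOLEARRAY attribute IDs, and the /<index> step form (taken from Example 3) are assumptions.

```python
import json
import re

# One path step: /"node-name" or /<index> (index form as written in Example 3).
_STEP = re.compile(r'/(?:"([^"]*)"|(\d+))')
_SCALARS = (str, int, float, bool, type(None))  # String, Number, true/false, null

def parse_path(entry_value):
    """Split 'post-data:/"a"/1/"b"' into ['a', 1, 'b']; raise on malformed input."""
    prefix = "post-data:"
    if not entry_value.startswith(prefix):
        raise ValueError("not a post-data entry")
    path, pos, steps = entry_value[len(prefix):], 0, []
    while pos < len(path):
        m = _STEP.match(path, pos)
        if m is None:
            raise ValueError(f"malformed path at offset {pos}: {path!r}")
        steps.append(m.group(1) if m.group(1) is not None else int(m.group(2)))
        pos = m.end()
    return steps

def resolve(document, steps):
    """Return (found, value); found is False when no attribute would be added.
    Object and Array values are never returned."""
    node = document
    for step in steps:
        if isinstance(step, str) and isinstance(node, dict) and step in node:
            node = node[step]      # dict keys compare case-sensitively
        elif isinstance(step, int) and isinstance(node, list) and step < len(node):
            node = node[step]      # base-0 array index
        else:
            return False, None     # no matching node
    return (True, node) if isinstance(node, _SCALARS) else (False, None)

def decision_info(stanza, body):
    """Map attr_ID -> value for each entry that resolves to a scalar."""
    document, out = json.loads(body), {}
    for attr_id, entry_value in stanza.items():
        found, value = resolve(document, parse_path(entry_value))
        if found:
            out[attr_id] = value
    return out

# Constructed input: the Example 3 body plus entries that must yield nothing.
BODY = '{"userid": "jdoe", "accounts": [{"name": "chequing", "balance": "4350.45"}, {"name": "savings", "balance": "4350.46"}]}'
STANZA = {
    "SAVINGSBAL": 'post-data:/"accounts"/1/"balance"',
    "WRONGCASE": 'post-data:/"Accounts"/1/"balance"',   # case mismatch
    "WHOLEARRAY": 'post-data:/"accounts"',              # Array type
}
```

Because a missing or non-scalar node produces no attribute at all, an authorization rule that consumes these attributes has to treat an absent attribute as its own case instead of assuming the value is always present.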
