Example: Retrieving ADI from the request POST body
The following example authorization rule requires the client's total purchase amount from a Web shopping cart, passed in the body of a POST request (as submitted in response to a form). The client request is set up to include the total purchase value in the "purchase-total" field of the request POST body.
The use of the AMWS_pb_ prefix in the rule alerts the authorization evaluation process that the required ADI is available in the client request and that WebSEAL knows how to find, extract, and return this ADI.
<xsl:if test='AMWS_pb_purchase-total &lt; "1000.00"'>!TRUE!</xsl:if>
WebSEAL is designed to know how to handle the extraction of ADI information from the request:
[aznapi-configuration]
resource-manager-provided-adi = AMWS_pb_
WebSEAL looks for this information in the request POST body under the field name "purchase-total". WebSEAL extracts the value contained in the "purchase-total" field and returns it to the authorization evaluation process.
The example authorization rule is evaluated to be true if the value provided in the request's POST body "purchase-total" field is less than "1000.00". In a similar manner, information required to evaluate an authorization rule can come from the request header or the query string of the request.
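The evaluation flow described above, modelled in Python as an added example (it is not WebSEAL code and not part of the original page). The function names, the fail-closed handling of a missing or repeated field, and the use of XPath 1.0 number conversion for the comparison are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs

# Prefix from the page: ADI with this prefix is taken from the request POST body.
ADI_PREFIX = "AMWS_pb_"

# XPath 1.0 number(): optional whitespace, optional '-', digits with an optional
# fraction. Anything else (exponents, '+', text) converts to NaN.
_XPATH_NUMBER = re.compile(r"\s*-?(\d+(\.\d*)?|\.\d+)\s*", re.ASCII)


def resolve_adi(adi_name, post_body):
    """Return the POST body field named by a prefixed ADI name, or None."""
    if not adi_name.startswith(ADI_PREFIX):
        raise ValueError("not a POST-body ADI name: %r" % adi_name)
    field = adi_name[len(ADI_PREFIX):]  # "AMWS_pb_purchase-total" -> "purchase-total"
    values = parse_qs(post_body, keep_blank_values=True).get(field, [])
    # Assumption: a missing or repeated field yields no ADI (fail closed),
    # because the value is supplied by the client.
    return values[0] if len(values) == 1 else None


def xpath_number(text):
    """Convert a string the way XPath 1.0 number() does (NaN when not numeric)."""
    return float(text) if _XPATH_NUMBER.fullmatch(text) else float("nan")


def rule_permits(post_body):
    """Model of the rule: AMWS_pb_purchase-total < "1000.00"."""
    value = resolve_adi("AMWS_pb_purchase-total", post_body)
    if value is None:
        return False
    # Any comparison with NaN is false, so non-numeric input never satisfies the rule.
    return xpath_number(value) < xpath_number("1000.00")


if __name__ == "__main__":
    # Constructed sample POST bodies (application/x-www-form-urlencoded).
    for body in ("item=book&purchase-total=999.99",
                 "purchase-total=1000.00",
                 "purchase-total=abc",
                 "item=book"):
        print(body, "->", rule_permits(body))
```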