Obtain entitlements for a specified user
The authorization API supports a service plug-in model that enables developers to add modules that extend the capabilities of ISAM. The entitlements service plug-in is the only type of plug-in that can be called from a Java application at this time.
An entitlements service plug-in enables authorization API applications for a specific Security Verify Access secure domain to retrieve the entitlements for a user from the policy repository for that secure domain. An entitlement service allows a third-party application running in the secure domain to call a specific entitlements service based on its service ID. If no service ID is provided, the default entitlements service plug-in is called. An entitlements service plug-in, like other authorization service plug-ins, must be installed and configured before use. ISAM provides a default entitlement service called the ISAM protected objects entitlements service that is specific to the ISAM environment. The entitlement service plug-in accepts a single, multivalued string attribute that specifies one or more root nodes for searching the ISAM protected object space along with an indicator of what access permissions are required. The plug-in returns a multi-valued attribute list of protected objects meeting the search criteria. This entitlement service can be called from a Java application using the PDPrincipal.getEntitlements method, which is equivalent to using the azn_entitlements_get_entitlements() function from a C application.
Call the protected objects entitlements service requesting a list of objects in the /AppData/AccountData and /AppData/EmployeeData object trees to which the principal has view and modify permission...
    PDAttrs attrsIn = new PDAttrs(myctxt, true);
    PDAttrs attrsOut = new PDAttrs(myctxt, true);

    // Does user have view and modify access to desired resources?
    attrsIn.add(PDStatics.AZN_ENT_SVC_PD_POBJ_PATH, "/AppData/AccountData");
    attrsIn.add(PDStatics.AZN_ENT_SVC_PD_POBJ_PATH, "/AppData/EmployeeData");
    attrsIn.add(PDStatics.AZN_ENT_SVC_PD_POBJ_REQD_OPS, "vm");

    // Call PDPrincipal.getEntitlements on the principal, naming the service ID
    attrsOut = principal.getEntitlements(myctxt, PDStatics.AZN_ENT_SVC_PD_POBJ, attrsIn);

    // Is user entitled to anything?
    PDAttrValues results = attrsOut.getValues(PDStatics.AZN_ENT_SVC_PD_POBJ_MATCHES);
    if ((results == null) || (results.isEmpty())) {
        System.out.println("Nothing found.");
        break major;  // "major" must label the enclosing block in the surrounding code
    }
    // Process String or byte array results...

The protected objects entitlements service returns a multivalued attribute list of the protected objects to which the principal has the specified access permission. The protected objects returned in the attribute list are either byte array or String entries. The sample code in Figure 2 demonstrates printing the results.
    // Print output attributes if any returned (requires import java.util.Set)
    Set s = attrsOut.keySet();
    if (!s.isEmpty()) {
        System.out.println("Attributes returned: ");
        System.out.println(attrsOut);
    } else {
        System.out.println("No attributes returned.");
    }
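One way to handle the mixed String and byte array entries once they have been read out of the returned attribute list, shown as an added example that is not IBM's sample code. It assumes the entries were already copied into a plain `List<Object>`, that byte array entries are UTF-8 encoded object names, and that names begin with `/`; the class and method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.util.*;

/** Added example: normalizes mixed String/byte[] match entries into a lookup set. */
public class EntitlementMatches {

    /** Converts each entry to a protected-object name; unknown entry types are rejected. */
    static Set<String> toObjectNames(List<Object> matches) {
        Set<String> names = new TreeSet<>();
        if (matches == null) {
            return names;                       // no matches means no entitlements
        }
        for (Object entry : matches) {
            String name;
            if (entry instanceof String) {
                name = (String) entry;
            } else if (entry instanceof byte[]) {
                // Assumption: byte array entries carry UTF-8 encoded object names.
                name = new String((byte[]) entry, StandardCharsets.UTF_8);
            } else {
                throw new IllegalArgumentException("unexpected entry type: "
                        + (entry == null ? "null" : entry.getClass().getName()));
            }
            name = name.trim();
            if (name.startsWith("/")) {         // assumption: names are absolute paths
                names.add(name);
            }
        }
        return names;
    }

    /** Exact-match check: an object absent from the returned list is treated as denied. */
    static boolean isEntitled(Set<String> names, String protectedObject) {
        return protectedObject != null && names.contains(protectedObject);
    }

    public static void main(String[] args) {
        // Constructed sample data standing in for the values of the matches attribute.
        List<Object> matches = Arrays.asList(
                "/AppData/AccountData/acct-1001",
                "/AppData/EmployeeData/emp-17".getBytes(StandardCharsets.UTF_8));
        Set<String> names = toObjectNames(matches);
        System.out.println(names);
        System.out.println(isEntitled(names, "/AppData/AccountData/acct-1001"));
        System.out.println(isEntitled(names, "/AppData/AccountData/acct-2002"));
    }
}
```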