
Policy Exposee Export

An Exposee App File is an XML file generated by the exposee export tool and consumed by the exposee import tool (it also serves as the configuration file for the WAMulator). Policy Exposee is available at https://exposee.ldschurch.org. Its root element, as shown below, is a deployment element with an optional at attribute indicating the time at which the contained information was captured from the WAM environment it represents. It contains two nested elements.

Sample Config File

<deployment at='2013-01-31_16:25:12.205-0700' >
  <environment id='dev' host='dev.lds.org (exposee)' />
  <application id='ldschurch.org/documentation' authHost='ldschurch.org' cctx='/documentation' >
    <authentication scheme='anonymous' name='Anonymous Authentication'></authentication>
    <authorization failure-redirect-url='/denied.html'>
      <default format='exposee' value='Allow Authenticated Users'>
        <headers>
          <failure>
            <redirect value='/denied.html' />
          </failure>
        </headers>
      </default>
      <rule name='Allow All Members' enabled='true' allow-takes-precedence='true' >
        <allow>
          <condition type='ldap'>ldap:///ou=People,o=lds??sub?(ldsmrn=*)</condition>
        </allow>
      </rule>
      <rule name='Allow Authenticated Users' enabled='true' allow-takes-precedence='false' >
        <allow>
          <condition type='role' value='Anyone' />
        </allow>
      </rule>
      <rule name='~~default-headers~~' enabled='false' allow-takes-precedence='false' >
      </rule>
    </authorization>
    <policy name='secure{/.../*,*}'>
      <url>secure{/.../*,*}</url>
      <operations>GET,HEAD,POST</operations>
      <authentication scheme='login' name='WAM-DEV LDS Login Form' >
      </authentication>
      <authorization format='exposee' value='Allow Authenticated Users'>
        <headers>
          <success>
            <profile-att name='policy-cn' attribute='cn' type='HeaderVar' />
            <profile-att name='policy-preferredname' attribute='preferredname' type='HeaderVar' />
          </success>
          <failure>
            <redirect value='/denied.html' />
          </failure>
        </headers>
      </authorization>
    </policy>
    <policy name='members{/.../*,*}'>
      <url>members{/.../*,*}</url>
      <operations>DELETE,GET,HEAD,POST,PUT</operations>
      <authentication scheme='login' name='WAM-DEV LDS Login Form' >
      </authentication>
      <authorization format='exposee' value='Allow All Members'>
        <headers>
          <success>
            <fixed-value name='policy-signin' value='signmein' type='HeaderVar' />
            <fixed-value name='policy-signout' value='signmeout' type='HeaderVar' />
            <profile-att name='policy-cn' attribute='cn' type='HeaderVar' />
            <profile-att name='policy-gender' attribute='ldsgender' type='HeaderVar' />
            <profile-att name='policy-preferredlanguage' attribute='preferredlanguage' type='HeaderVar' />
          </success>
          <failure>
            <redirect value='/denied.html' />
          </failure>
        </headers>
      </authorization>
    </policy>
  </application>
</deployment>



<deployment>


This is the root element of the export file. It has one attribute, at, which specifies the timestamp at which the file was exported. This value is informational only: it is not used during import and is not consumed by the WAMulator.

<environment>


Specifies the environment from which the file was exported as well as the environment-specific Host Identifier to which the application is attached.

Attributes:
id: Specifies the moniker representing the WAM environment from which the file was exported.
host: Indicates the targeted Host Identifier to which the application is attached. To be precise, this value is the first DNS hostname of the Host Identifier to which the application is attached, not the name of the Host Identifier itself. Being an alias of the Host Identifier, it is the host at which a browser can reach the application in the given environment.

<application>


The main element that defines the application root context and the DNS domain where the application will ultimately be accessed in a production environment. The child elements of <application> hold all of the main configuration for the application.

Attributes:
id: A concatenation of the authHost and cctx attributes. It is the key that associates policies for an application in one environment with policies for the same application in another environment, and it should reflect the final resting place of the application once deployed to whatever is considered its production environment.
authHost: The authoritative host where the application will reside once deployed to its production environment.
cctx: The canonical context of the application. This is the path beneath which all resources are considered to be part of that application and all related policies are jointly administered as a unit. The value of this attribute is used for the corresponding cctx header that gets prefixed to application resource URLs.

<authentication>


This element can be a child of <application> or a child of <policy>. When it is a child of <application> it defines the authentication method for the default policy of the application. When it is a child of <policy> it defines the authentication method for that particular policy. In either case the scheme attribute can be either "login", meaning that the user will be prompted with the standard login form, or "anonymous", meaning that the user will not be required to log in and that all users are able to access the resource(s) matching the URL pattern.


<authorization>


This element can be a child of <application> or a child of <policy>. When it is a child of <application> it holds the authorization rules for the application and the configuration of the default policy, including the headers that will be injected for it. When it is a child of <policy> it defines the authorization rule that applies to that policy and the headers for that policy. The following attribute is only applicable when it is a child of <policy>.

Attributes:
value: The name of the rule that should be applied for authorizing a user to access the resource(s). This rule must already be defined by a <rule>. If no <rule> with that name is defined, the WAMulator will fail to start up.

<default>


Defines the authorization rule for the default policy, which is the policy that applies to a URL that does not match the URL of any declared policy. It also defines the headers to be injected for the default policy.

Attributes:
value: The name of the rule that should be applied for authorizing a user to access the resource(s). This rule must be defined by a <rule>. If the named <rule> element is not found, the WAMulator emits an error describing the problem and terminates its startup.

<headers>


The container element for the headers to be injected for the given policy. This can be a descendant of either application>authorization or policy>authorization. When it is a descendant of application it can have <success> or <failure> as child elements. When it is a descendant of policy it can have <success>, <failure>, or <inconclusive> as child elements.


<success>


Defines the headers and/or redirect that will be applied when the authorization rule results in a success outcome.


<failure>


Defines the headers and/or redirect that will be applied when the authorization rule results in a failure outcome.


<inconclusive>


Defines the headers and/or redirect that will be applied when the authorization rule results in an inconclusive outcome.


<fixed-value>


Defines an HTTP header to be injected into the response. The value is static and is the same for all users.

Attributes:
name: The name of the HTTP header.
value: The static value for the HTTP header named by the name attribute; it is the same for all users.
type: Not used by the WAMulator. This is an artifact of the WAM environment's backing product; it may be needed when importing your policy configuration file into the real WAM environment. If specified, it should have the value HeaderVar. The Oracle product backing the WAM environment supports two values, HeaderVar and Cookie, as the means for injecting values into HTTP requests as they pass to protected servers; the Cookie approach is not used for injecting information into HTTP requests in the WAM environment.

<profile-att>


Defines an HTTP header to be injected into the response. The value of the header is specific to the user, since it refers to an attribute in the LDAP or user store.

Attributes:
name: The name of the HTTP header.
attribute: The name of an attribute on the user's profile whose value should be used as the value of this header. The lookup of the user's attribute is independent of the type of user store being used. You can see the attributes and values that the WAMulator knows about for a given user by selecting that user in the Users & Sessions tab of the WAMulator's HTTP console.
type: Not used by the WAMulator. See the description of the attribute of the same name on the <fixed-value> element.

<redirect>


Defines a redirect action that will be taken based on the outcome of the authorization rule evaluation. For <failure> and <inconclusive> the default value is /denied.html, which presents the user with the generic WAM denied page. If the application owner desires, they can change this value to point at a more specific denied page.

Attributes:
value: The URL to which the user should be redirected.


<rule>


Defines an authorization rule that is used to evaluate whether the given user should have access to the resource(s). This element is used to define rules that will be referenced by <authorization>. Not every defined rule has to be used; however, every referenced rule must be defined.

Attributes:
name: The name of the rule. This is also the token that is used in an <authorization> to reference the rule.
enabled: Defines whether the rule is enabled or not: 'true' or 'false'.
allow-takes-precedence: Defines whether the allow clause should take precedence over the deny clause: 'true' or 'false'.


<allow>


Grouping of authorization rule condition(s) that are used to grant the user access to the resource(s).


<deny>


Grouping of authorization rule condition(s) that are used to deny the user access to the resource(s).


<condition>


The definition of the condition a user must satisfy in order to be either allowed or denied. Meeting neither the allow condition nor the deny condition results in an inconclusive outcome. If the type attribute is set to 'ldap', the inner value of this element is the LDAP query to be used for evaluation. If the type is set to 'role', the element has no inner value and the value attribute must be defined.

Attributes:
type: The type of condition. It is either 'ldap', which specifies that an LDAP query should be used to evaluate the condition, or 'role', which specifies the role that the user must hold.
value: Only valid if the type attribute is set to 'role'. Currently, the only valid value is 'Anyone', which authorizes anyone who can authenticate to access the resource(s).


<policy>


Defines a resource or group of resources that are grouped based on URL path, query string, or query-string parameter key/value pairs. These resources rely on the same authentication scheme, authorization rule, and injected headers.

Attributes:
name: The name of the policy. This is typically based on the URL path/query-string combination, but it is only a name and has no impact on the URL of the resources.

<url>


URL pattern matcher for the path portion of the URL. Used to see whether the incoming URL matches this policy's pattern. Uses a regular-expression-like pattern.


<query-string>


Pattern matcher for the query-string portion of the URL. Used to see whether the incoming URL matches this policy's pattern. Uses a trimmed-down version of the same pattern syntax that <url> uses.


<parms>


Grouping of one or many <parm> elements.

<parm>


Key/value pair matcher for the query-string portion of the URL. Used to see whether the incoming URL matches this policy's pattern.

Attributes:
name: The query-string parameter name.
value: The query-string parameter value.


<operations>


A comma-separated list of the HTTP methods that are accepted for this policy's pattern matching. Valid operations are HEAD, GET, POST, PUT, DELETE, TRACE, OPTIONS, CONNECT.
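As an added example that is not part of this wiki page or of the WAMulator project, the following Python lint applies the constraints stated above for <application>, <condition>, <rule>, <default>/<authorization> and <operations> to an Exposee App File before it is handed to the WAMulator or the import tool. The sample document is constructed here as a deliberately broken variant of the page's file; the problem messages are this example's own wording, not the WAMulator's.

```python
import xml.etree.ElementTree as ET

VALID_OPS = {"HEAD", "GET", "POST", "PUT", "DELETE", "TRACE", "OPTIONS", "CONNECT"}
# Constructed sample, a deliberately broken variant of the page's file: the
# 'secure' policy names an undefined rule, one role condition lacks its value,
# and the operations list carries an HTTP method the format does not accept.
SAMPLE = """<deployment at='2013-01-31_16:25:12.205-0700'>
  <application id='ldschurch.org/documentation' authHost='ldschurch.org' cctx='/documentation'>
    <authorization failure-redirect-url='/denied.html'>
      <default format='exposee' value='Allow Authenticated Users' />
      <rule name='Allow Authenticated Users' enabled='true' allow-takes-precedence='false'>
        <allow><condition type='role' value='Anyone' /></allow>
      </rule>
      <rule name='Allow All Members' enabled='true' allow-takes-precedence='true'>
        <allow><condition type='role' /></allow>
      </rule>
    </authorization>
    <policy name='secure{/.../*,*}'>
      <url>secure{/.../*,*}</url>
      <operations>GET,HEAD,FETCH</operations>
      <authorization format='exposee' value='Allow Staff' />
    </policy>
  </application>
</deployment>"""

def lint_exposee(xml_text):
    """Return the list of problems found; an empty list means the file passes."""
    app = ET.fromstring(xml_text).find("application")
    problems = []
    # id is the key that links environments, so it must equal authHost + cctx
    if app.get("id") != app.get("authHost", "") + app.get("cctx", ""):
        problems.append("application id is not authHost + cctx")
    # each <condition> must carry what its type needs: a query or value='Anyone'
    for c in app.iter("condition"):
        if c.get("type") == "ldap" and not (c.text or "").strip():
            problems.append("ldap condition has no query")
        elif c.get("type") == "role" and c.get("value") != "Anyone":
            problems.append("role condition needs value='Anyone'")
    # the default policy and every <policy> must reference a defined <rule>
    defined = {r.get("name") for r in app.iter("rule")}
    refs = [app.find("authorization/default")] + app.findall("policy/authorization")
    for ref in refs:
        if ref is not None and ref.get("value") not in defined:
            problems.append("rule %r is referenced but never defined" % ref.get("value"))
    # <operations> may only list the HTTP methods the page enumerates
    for ops in app.iter("operations"):
        bad = set((ops.text or "").split(",")) - VALID_OPS
        if bad:
            problems.append("unknown operations: " + ",".join(sorted(bad)))
    return problems
```

Running lint_exposee(SAMPLE) reports the three planted defects; fixing them (reference an existing rule, give the role condition value='Anyone', drop FETCH) yields an empty list.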

This page was last modified on 22 April 2014, at 11:20.
