Continuous security
When a user requests a resource through AM, excluding proxies and load balancers, the Java Agent is usually the first point of contact. Because Java Agent is closer to the user than AM, and outside the firewalls that separate the user and AM, the Java Agent can sometimes gather information about the request, which AM cannot access.
When the Java Agent requests a policy decision from AM, it can include this information in an environment map, a set of name/value pairs that describe the request IP and DNS name, along with other, optional, information.
In Java Agent, use continuous security to configure an environment map. In AM, use server-side authorization scripts to access the environment map, and write scripted conditions based on cookies and headers in the request.
For information about agent configuration properties, refer to Continuous security. For information about server-side authorization scripts, refer to Scripting a policy condition in AM’s Authorization guide.
Environment maps with customizable keys
In Java Agent, use the continuous security properties Client Hostname Header and Client IP Address Header to configure an environment map with custom keys.
The environment map has the following parts:

- requestIp

  The IP address of the inbound request, determined as follows:

  - If Client IP Address Header is configured, the Java Agent extracts the IP address from the header.
  - Otherwise, it uses the Java function HttpServletRequest.getRemoteAddr to determine the IP address.

  This entry is always created in the map.

- requestDNSName

  The host name address of the inbound request, determined as follows:

  - If Client Hostname Header is configured, the Java Agent extracts the host name from the header.
  - Otherwise, it uses the Java function HttpServletRequest.getRemoteHost to determine the host name address.

  This entry is always created in the map.

- Other variable names

  An array of cookie or header values, configured by the continuous security properties Client Hostname Header and Client IP Address Header. An entry is created for each value specified in the continuous security properties.
In the following example, the continuous security properties are configured to map values for the ssid cookie and User-Agent header to fields in an environment map:

```
org.forgerock.agents.continuous.security.cookies.map[ssid]=mySsid
org.forgerock.agents.continuous.security.headers.map[User-Agent]=myUser-Agent
```
If the incoming request contains an ssid cookie and a User-Agent header, the environment map takes the value of the cookie and header, as shown in this example:

```
requestIp=192.16.8.0.1
requestDnsName=client.example.com
mySsid=77xe99f4zqi1l99z
myUser-Agent=Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
```
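The following added example (not Java Agent or AM code) models how the environment map above is assembled from the two mapping properties and the request, including the fallback to the remote address when no client IP or hostname header is configured, and then evaluates a sample server-side condition over the result. The request object, the `X-Client-IP` and `X-Client-Host` header names, and the condition logic are constructed assumptions for illustration.

```javascript
// Agent properties exactly as shown on this page.
const AGENT_PROPERTIES = [
  "org.forgerock.agents.continuous.security.cookies.map[ssid]=mySsid",
  "org.forgerock.agents.continuous.security.headers.map[User-Agent]=myUser-Agent",
];

// Parse cookies.map[...] / headers.map[...] properties into lookup tables
// (simplified parser, an assumption about the property syntax).
function parseContinuousSecurityProperties(lines) {
  const mappings = { cookies: {}, headers: {} };
  const re = /^org\.forgerock\.agents\.continuous\.security\.(cookies|headers)\.map\[([^\]]+)\]=(.+)$/;
  for (const line of lines) {
    const m = re.exec(line.trim());
    if (m) mappings[m[1]][m[1] === "headers" ? m[2].toLowerCase() : m[2]] = m[3];
  }
  return mappings;
}

// HTTP header names are matched case-insensitively; request.headers is keyed by lowercase name.
function header(request, name) {
  return name ? request.headers[name.toLowerCase()] : undefined;
}

// `request` stands in for HttpServletRequest: remoteAddr/remoteHost are what
// getRemoteAddr()/getRemoteHost() return. clientIpHeader/clientHostnameHeader
// correspond to Client IP Address Header / Client Hostname Header (null = not
// configured). A header-sourced value is supplied by whatever sits in front of
// the agent, so configure those properties only when a trusted proxy sets them.
function buildEnvironmentMap(request, mappings, clientIpHeader, clientHostnameHeader) {
  const env = {
    requestIp: header(request, clientIpHeader) || request.remoteAddr,
    requestDnsName: header(request, clientHostnameHeader) || request.remoteHost,
  };
  // Mapped cookies/headers go in under their configured key when present
  // (assumption: an absent cookie or header produces no entry).
  for (const [cookie, key] of Object.entries(mappings.cookies)) {
    if (cookie in request.cookies) env[key] = request.cookies[cookie];
  }
  for (const [name, key] of Object.entries(mappings.headers)) {
    if (name in request.headers) env[key] = request.headers[name];
  }
  return env;
}

// Sample condition of the kind a server-side authorization script would apply:
// require the mapped session cookie and a resolved host name inside example.com.
function evaluateCondition(env) {
  return Boolean(env.mySsid) && /\.example\.com$/.test(env.requestDnsName || "");
}

// Constructed request carrying the page's example cookie and User-Agent values.
const SAMPLE_REQUEST = {
  remoteAddr: "10.0.0.5", remoteHost: "10.0.0.5",
  headers: { "x-client-ip": "192.0.2.1", "x-client-host": "client.example.com",
             "user-agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko" },
  cookies: { ssid: "77xe99f4zqi1l99z" },
};
```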