Access Management 7.3.1

Policy set application types over REST

Application types define how to compare resources and index policies. The default application type, iPlanetAMWebAgentService, represents web resources. The policy set for web and Java agents (also called iPlanetAMWebAgentService) is based on this default application type.

The applicationtypes REST endpoint lets you do the following:

Applications types are configured per server, not per realm. Therefore, the URI for the application types API does not include a realm component, and is simply /json/applicationtypes.

Application types are represented in JSON format, for example:

{
    "name": "iPlanetAMWebAgentService",
    "actions": {
        "POST": true,
        "PATCH": true,
        "GET": true,
        "DELETE": true,
        "OPTIONS": true,
        "PUT": true,
        "HEAD": true
    },
    "resourceComparator": "com.sun.identity.entitlement.URLResourceName",
    "saveIndex": "org.forgerock.openam.entitlement.indextree.TreeSaveIndex",
    "searchIndex": "org.forgerock.openam.entitlement.indextree.TreeSearchIndex",
    "applicationClassName": "com.sun.identity.entitlement.Application"
}

An application type object includes the following information:

name

Name of the application type.

actions

Set of actions for that application type, each with a boolean value indicating whether the action is allowed.

resourceComparator

The class name of the resource comparator implementation used in the context of this application type.

The following implementations are available:

"com.sun.identity.entitlement.ExactMatchResourceName"
"com.sun.identity.entitlement.PrefixResourceName"
"com.sun.identity.entitlement.RegExResourceName"
"com.sun.identity.entitlement.URLResourceName"

saveIndex

Class name of the implementation for creating indexes for resource names, such as "com.sun.identity.entitlement.util.ResourceNameIndexGenerator", for URL resource names.

searchIndex

Class name of the implementation for searching indexes for resource names, such as "com.sun.identity.entitlement.util.ResourceNameSplitter", for URL resource names.

applicationClassName

Class name of the application type implementation, such as "com.sun.identity.entitlement.Application".

Query application types

To list all application types, send an HTTP GET request to the /json/applicationtypes endpoint, with a _queryFilter parameter set to true.

The iPlanetDirectoryPro header is required and should contain the SSO token of an administrative user, such as amAdmin, who has access to perform the operation.

$ curl \
--header "iPlanetDirectoryPro: AQIC5…​" \
--header "Accept-API-Version: resource=1.0" \
"https://openam.example.com:8443/openam/json/applicationtypes?_queryFilter=true"
{
  "result": [
    {
      "_id": "umaApplicationType",
      "applicationClassName": "com.sun.identity.entitlement.Application",
      "saveIndex": "org.forgerock.openam.uma.UmaPolicySaveIndex",
      "searchIndex": "org.forgerock.openam.uma.UmaPolicySearchIndex",
      "resourceComparator": "org.forgerock.openam.uma.UmaPolicyResourceMatcher",
      "name": "umaApplicationType",
      "actions": {}
    },
    {
      "_id": "sunAMDelegationService",
      "applicationClassName": "com.sun.identity.entitlement.Application",
      "saveIndex": "com.sun.identity.entitlement.opensso.DelegationResourceNameIndexGenerator",
      "searchIndex": "com.sun.identity.entitlement.opensso.DelegationResourceNameSplitter",
      "resourceComparator": "com.sun.identity.entitlement.RegExResourceName",
      "name": "sunAMDelegationService",
      "actions": {
        "READ": true,
        "MODIFY": true,
        "DELEGATE": true
      }
    },
    {
      "_id": "iPlanetAMWebAgentService",
      "applicationClassName": "com.sun.identity.entitlement.Application",
      "saveIndex": "org.forgerock.openam.entitlement.indextree.TreeSaveIndex",
      "searchIndex": "org.forgerock.openam.entitlement.indextree.TreeSearchIndex",
      "resourceComparator": "com.sun.identity.entitlement.URLResourceName",
      "name": "iPlanetAMWebAgentService",
      "actions": {
        "HEAD": true,
        "DELETE": true,
        "POST": true,
        "GET": true,
        "OPTIONS": true,
        "PUT": true,
        "PATCH": true
      }
    }
  ],
  "resultCount": 3,
  "pagedResultsCookie": null,
  "totalPagedResultsPolicy": "NONE",
  "totalPagedResults": -1,
  "remainingPagedResults": 0
}

Use additional query strings to narrow down the results. For details, refer to Query.

Read a specific application type

To read an specific application type, send an HTTP GET request to the /json/applicationtypes endpoint, specifying the application type name in the URL.

The iPlanetDirectoryPro header is required and should contain the SSO token of an administrative user, such as amAdmin, who has access to perform the operation.

$ curl \
--header "iPlanetDirectoryPro: AQIC5…​" \
--header "Accept-API-Version: resource=1.0" \
"https://openam.example.com:8443/openam/json/applicationtypes/iPlanetAMWebAgentService"
{
  "_id": "iPlanetAMWebAgentService",
  "_rev": "1664877005610",
  "applicationClassName": "com.sun.identity.entitlement.Application",
  "saveIndex": "org.forgerock.openam.entitlement.indextree.TreeSaveIndex",
  "searchIndex": "org.forgerock.openam.entitlement.indextree.TreeSearchIndex",
  "resourceComparator": "com.sun.identity.entitlement.URLResourceName",
  "name": "iPlanetAMWebAgentService",
  "actions": {
    "HEAD": true,
    "DELETE": true,
    "POST": true,
    "GET": true,
    "OPTIONS": true,
    "PUT": true,
    "PATCH": true
  }
}