Continuous security
When a user requests a resource through AM, excluding proxies and load balancers, the Web Agents Documentation is usually the first point of contact. Because Web Agents Documentation is closer to the user than AM, and outside the firewalls that separate the user and AM, the Web Agents Documentation can sometimes gather information about the request, which AM cannot access.
When Web Agents Documentation requests a policy decision from AM, it can include
the additional information in an environment map, a set of name/value
pairs that describe the request IP and DNS name, along with other, optional,
information. The additional information can then be included in the policy, for
example, to allow only incoming requests that contain the InternalNetwork
.
In AM, use server-side authorization scripts to access the environment map, and write scripted conditions based on cookies and headers in the request. For information about server-side authorization scripts, refer to Scripting a policy condition in AM’s Authorization guide.
Environment maps with customizable keys
In Web Agents Documentation, use the continuous security properties Continuous Security Cookie Map and Continuous Security Header Map to configure an environment map with the following parts:
- requestIp
-
The IP address of the inbound request, determined as follows:
-
If Client IP Address Header is configured, Web Agents Documentation extracts the IP address from the header.
-
Otherwise, Web Agents Documentation uses the web server connection information to determine the client IP address.
This entry is always created in the map.
-
- requestDNSName
-
The host name address of the inbound request, determined as follows:
-
If Client Hostname Header is configured, Web Agents Documentation extracts the host name from the header.
-
Otherwise, Web Agents Documentation uses the web server connection information to determine the client’s host name.
This entry is always created in the map.
-
- Other variable names
-
An array of cookie or header values. An entry is created for each value specified in the continuous security properties.
In the following example, the continuous security properties are configured to map values for the
ssid
cookie andUser-Agent
header to fields in an environment map:org.forgerock.openam.agents.config.continuous.security.cookies[ssid]=mySsid org.forgerock.openam.agents.config.continuous.security.headers[User-Agent]=myUser-Agent
If the incoming request contains an
ssid
cookie and aUser-Agent
header, the environment map takes the value of the cookie and header, as shown in this example:requestIp=192.16.8.0.1 requestDnsName=client.example.com mySsid=77xe99f4zqi1l99z myUser-Agent=Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko