Risk Condition Plug-ins
The DirX Access policy system works on top of rules and conditions that need to be evaluated for the delivery of an access decision. The first step of access management is authentication, which is controlled by authentication policies within DirX Access. These policies can contain risk conditions, which are conditions based on parameter(s) that indicate the potential threat that arises from failing to satisfy them.
Risk-condition parameters can be various elements of the system environment, such as IP address, browser specifics, HTTP headers or even user-related properties and device mobility. DirX Access provides a solution for some of them. Risk condition plug-ins can extend this functionality by introducing custom conditions to the system.
About the Risk Condition Callout Handler
To use a risk condition handler with a policy, you need to implement a new risk condition (or handler, if you prefer) and then link this functionality with the risk condition object in policies management. The next sections describe these steps in more detail.
Developing a Risk Condition Callout Handler
This section describes the tasks necessary for developing a custom risk condition handler.
Externalizing Risk Conditions from the DirX Access Server
The DirX Access Server allows externalizing risk conditions through a plug-in interface.
This method requires creating a risk condition callout handler that implements the RiskConditionCallout interface (net.atos.dirx.access.policy.api.callout.RiskConditionCallout).
The implementing class has to be contained within an exported package of an OSGi bundle.
Employing a Risk Condition Callout Handler
The steps needed to employ the custom callout handler are outlined in the section Employing External Plug-in Modules.
Using a Risk Condition Callout Handler
This section describes the tasks that need to be performed to use a risk condition handler. Before starting to configure the DirX Access Server, make sure to run through all the steps in the section Employing External Plug-in Modules.
Prerequisites
To successfully employ the custom risk condition callout handler, the OSGi bundle exporting the package containing the callout implementation must be installed on the DirX Access Server. To accomplish this task, make sure you have performed all of the steps described in the section Employing External Plug-in Modules.
Configuring the Custom Risk Condition Callout Handler at the DirX Access Server
To configure the custom risk condition callout handler at the DirX Access Server:
- In DirX Access Manager, go to "Configuration | Extension modules".
- Create the callout handler <CalloutIdentifier>:
  - Go to "Callout handlers" and click the add icon to create a new callout handler.
  - Identifier: <CalloutIdentifier>.
  - Description: arbitrary.
  - Type: select RiskConditionEvents.
  - Class name: enter the fully-qualified Java class name of the callout implementation.
  - Click Save.
- In DirX Access Manager, go to "Policies | Authentication | Conditions".
- Select a risk condition to which the custom handler should be assigned. The selected condition must be of type "Callout". If there is no such condition, create one according to the steps described in the Policy Authentication Conditions.
- In the Callout section in the Callout handler drop-down box, select the desired <CalloutIdentifier>.
- "Custom properties" can also be specified. These properties have the same meaning as the properties in the Extension modules section, but when specified, they are merged with those inserted at the Callout handlers page and override the ones with the same name.
- Click Save.