The most recent patch for this version is 26.1.6.

Version: 26.1

Create the attribute connectors

Attribute connectors link the Policy Decision Point (PDP) to external Policy Information Points (PIPs). They enable the PDP to dynamically retrieve external information, such as a user's role based on their identity, by calling your business services at runtime. Retrieved attribute values can also be cached for improved performance.

An attribute connector consists of one file:

  • a deployment descriptor

Follow the steps below to create and configure an attribute connector for retrieving external data in your authorization domain:

  1. In the src/authorizationDomain/attributeConnectors directory, delete the existing example attribute connector and create a new attribute connector deployment descriptor file.

    myConnector.yaml

    className: <classname>
    providedAttributes:
    - attributeName: user.role
    - attributeName: user.location
    configuration:
      # Connector specific configuration goes here

    The table below lists the available built-in attribute connectors. If you have developed a custom connector, use its class name instead.

    Attribute connector    Class name
    LDAP                   com.axiomatics.acs.plugin.pips.ldap.LdapPipModule
    SQL                    com.axiomatics.acs.plugin.pips.sql.SqlPipModule
    Table                  com.axiomatics.acs.plugin.pips.table.TablePipModule
    HTTP                   com.axiomatics.attributeconnector.http.ConnectorModule
    JSON Parser            com.axiomatics.attributeconnector.parser.json.ConnectorModule
    JWT Parser             com.axiomatics.attributeconnector.parser.jwt.ConnectorModule
    XML Parser             com.axiomatics.attributeconnector.parser.xml.ConnectorModule

    tip

    A common scenario is retrieving attribute values from a remote REST/JSON API. In this case, you will need an HTTP attribute connector chained to a JSON parser attribute connector as described below.

    Example: HTTP attribute connector chained to a JSON parser attribute connector

    The HTTP attribute connector calls the REST API and exposes the raw response body as an intermediate attribute. Then, the JSON parser attribute connector reads that response body and extracts the specific value you need.

    src/authorizationDomain/attributeConnectors/userHttpService.yaml

    className: com.axiomatics.attributeconnector.http.ConnectorModule
    providedAttributes:
    - attributeName: user.service.http.body
    configuration:
      # See Attribute connectors documentation for full HTTP connector config reference
      url: ${USER_SERVICE_URL}/users
      method: GET

    src/authorizationDomain/attributeConnectors/userHttpServiceParser.yaml

    className: com.axiomatics.attributeconnector.parser.json.ConnectorModule
    providedAttributes:
    - attributeName: user.clearance
    configuration:
      # See Attribute connectors documentation for full JSON parser connector config reference
      jsonPath: "$.clearance"

    The relationship between them is that user.service.http.body (provided by the HTTP attribute connector) serves as the key attribute for the JSON parser attribute connector. Because ADS automatically resolves this chain, you do not need to explicitly configure the dependency. For the corresponding integration test, see Chained attribute connectors.

    note

    The exact configuration keys for the HTTP and JSON parser attribute connectors are documented in the Attribute connectors documentation. The examples above show the structure. See the documentation for all supported settings.

  2. Create the configuration section following the specific format for your connector; see the Attribute connectors documentation.

    Provided attributes are the values you intend to resolve from your PIP. The key attributes (the data used to look up those provided attributes) are defined within the connector-specific configuration section.

    note

    Configuring custom attribute connectors may require the use of configurationString: instead of configuration:.

tip

You can use environment variables in all attribute connector configurations. See Variable substitution for details. This is useful for passwords and other secrets, as well as for URLs that differ between environments.
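A pre-deployment check for the tip above, as an added example that is not part of the Axiomatics documentation or tooling: it scans descriptor text for secret-like keys that hold a literal value instead of the `${NAME}` substitution form, and for a className left as the `<classname>` placeholder. The key-name patterns, the `com.example` class name and the `apiToken` and `bindPassword` keys are assumptions made for illustration.

```python
import re

# Assumption: secret keys are recognised by name; the patterns are illustrative.
SECRET_KEY = re.compile(r"password|secret|token|api[-_]?key|credential", re.I)
VARIABLE = re.compile(r"^\$\{[A-Za-z_][A-Za-z0-9_]*\}$")  # the ${NAME} form only
KEY_VALUE = re.compile(r"^\s*(?:-\s*)?([\w.-]+)\s*:\s*(.*)$")


def lint_descriptor(name, text):
    """Return (file, line, message) findings for one descriptor's text."""
    findings, has_class = [], False
    for number, raw in enumerate(text.splitlines(), start=1):
        match = KEY_VALUE.match(raw.split(" #", 1)[0])  # drop trailing comment
        if raw.lstrip().startswith("#") or not match:
            continue
        key, value = match.group(1), match.group(2).strip().strip("\"'")
        if key == "className":
            has_class = True
            if not value or value.startswith("<"):
                findings.append((name, number, "className is a placeholder"))
        elif SECRET_KEY.search(key) and value and not VARIABLE.match(value):
            findings.append((name, number, f"{key}: literal secret, use ${{VAR}}"))
    if not has_class:
        findings.append((name, 0, "className is missing"))
    return findings


# Constructed sample descriptors; apiToken and bindPassword are hypothetical keys.
SAMPLES = {
    "good.yaml": (
        "className: com.example.pip.MyConnectorModule\n"
        "providedAttributes:\n"
        "- attributeName: user.clearance\n"
        "configuration:\n"
        "  url: ${USER_SERVICE_URL}/users\n"
        "  apiToken: \"${USER_SERVICE_TOKEN}\"\n"
    ),
    "bad.yaml": (
        "className: <classname>\n"
        "providedAttributes:\n"
        "- attributeName: user.role\n"
        "configuration:\n"
        "  bindPassword: example-literal  # constructed value\n"
    ),
}

if __name__ == "__main__":
    for file_name, body in SAMPLES.items():
        print(file_name, lint_descriptor(file_name, body))
```

Run it over the files in src/authorizationDomain/attributeConnectors before committing, and extend the key-name pattern to match the keys your connectors actually use.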

Attribute connector tests

Attribute connectors can also be unit tested. While these tests may not be suitable as acceptance tests for your domain, they are highly useful during development to verify that everything functions correctly. The reason they are less valuable as acceptance tests is that Policy Information Points (PIPs) represent external state outside of your control. However, you can use tools like WireMock to mock these external services.

See Attribute Connector tests for details.

Attribute cache

To improve performance, attribute values retrieved from attribute connectors can be stored in a cache. The configuration is stored in src/authorizationDomain/attributeCache.yaml. For more information, see the Attribute caching section of the Access Decision Service (ADS) documentation.