Symantec Access Management


Setting up a response variable within Active Policy Expression

  • 1.  Setting up a response variable within Active Policy Expression

    Posted Jun 11, 2018 07:07 AM

    Experts,

     

    Trust everyone is doing great.

    We are currently using an active policy expression to enforce a custom authorization logic in the policy. The logic makes a call to the SQL DB query to fetch some values and make an authorization decision. Now we have to send a few attributes/values (coming from SQL db) as response to the application. We can do this using active response, but that will be another db call on each page.

     

    So my question is, can we set these SQL DB values (returned by SQL query) directly as response or a variable within the Active policy expression to avoid another db call in active response? I know we can set these values in session store, but as a security practice - it's not recommended to set values in session store.

     

    Appreciate any other suggestions. 

     

    Thanks,

    Shivam



  • 2.  Re: Setting up a response variable within Active Policy Expression

    Posted Jun 11, 2018 07:13 AM

    How about creating an Active Response and choose an option to cache response?


    Other option is to store the data in session store encrypted.



  • 3.  Re: Setting up a response variable within Active Policy Expression

    Posted Jun 11, 2018 07:20 AM

    Thanks, Ujwol for responding. 

    So every time a user accesses a page, there is a SQL DB call in active policy expression. We do not want to make another SQL DB call in active response. We want to avoid that other db call in active response.

     

    Do we have any other solution like setting up global variable or setting up response within the active policy expression (java code)?

     

    Thanks,

    Shivam



  • 4.  Re: Setting up a response variable within Active Policy Expression

    Posted Jun 11, 2018 08:31 AM

    Also, does SiteMinder provide APIs to set a global variable or local variable using Java? If yes, we can use custom logic to set those values in a variable within SiteMinder and send it to the application via response.



  • 5.  Re: Setting up a response variable within Active Policy Expression

    Posted Jun 12, 2018 11:45 AM

    Team,

     

    Any suggestions?

     

    Thanks,

    Shivam



  • 6.  Re: Setting up a response variable within Active Policy Expression

    Broadcom Employee
    Posted Jun 12, 2018 04:20 PM

    Maybe you could use SmWalker and it can set the response variable

    https://www.ca.com/content/dam/ca/us/files/service-offering/smwalker-for-ca-single-sign-on-overview.pdf 

    CA Global Delivery Packaged Work Product Download Index - CA Technologies 

     

    Look at SmWalker for CA Single Sign-On

     

    SmWalker is a separate paid component

    Contact your account team for details  

     

     

     

     



  • 7.  Re: Setting up a response variable within Active Policy Expression

    Posted Jun 13, 2018 02:30 PM

    Shivam

     

    Is the concern making an additional DB call on "every page"? As I see there are two things here; firstly an additional DB call and secondly on every page.

     

    Can we not make the solution a little smarter by sending the first request via an intermediate page which would authorize (first call) and set a Cookie Header Response by reading values (second call)? After this all requests for every page only have the authorize call but no response. The app can be coded to read the Cookie Header. If you are concerned about security of identity info in a Cookie Header, then instead of using WebAgent-HTTP-Cookie-Variable which is clear text, use WebAgent-HTTP-Open-Format-Cookie. Since it is an Open Format Cookie, only the app which has the Shared Secret can decrypt the Cookie and also there are other features like TimetoLive, CookieScope, Path which could be associated with the Open Format Cookie.



  • 8.  Re: Setting up a response variable within Active Policy Expression

    Posted Jun 18, 2018 12:36 PM

    Thanks HubertDennis, Ujwol for your response. What are your thoughts on the below solution?

     

    1. Creating a static hash map to store the complete sql database view based on our requirement.

    2. Since this is a static hash map, the sql database view will be stored in the jvm.

    3. Logic to fetch the required data from the sql database view instead of firing SQL query every time.

    4. Based on 3, the authorization decision is made.

    5. Using the same class in the active response code to fetch the map and send the response to the application team.

     

    The above solution works fine, but would require experts' opinion on the performance and jvm cache memory from ca sso product perspective. Any suggestions on this solution?

     

    Thanks,

    Shivam



  • 9.  Re: Setting up a response variable within Active Policy Expression

    Posted Jun 18, 2018 12:37 PM

    Just to add: The sql query will only be executed when the map is null, which is when the ca sso is restarted.
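
The shared in-JVM map proposed in posts 8 and 9, as an added example that is not part of any post in this thread and is not SiteMinder SDK code: the hypothetical `AuthzViewCache` class lets the authorization step and the response step read the same immutable snapshot, and it reloads after a TTL rather than only at restart, so a row revoked in the database stops authorizing once the TTL expires. The loader, the `dept` attribute, the 60-second TTL and the sample row are constructed assumptions.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.function.Supplier;

/** Hypothetical shared cache; not part of the SiteMinder SDK. */
public final class AuthzViewCache {
    private final Supplier<Map<String, Map<String, String>>> loader; // stands in for the SQL view query
    private final long ttlMillis;
    private volatile Map<String, Map<String, String>> rows; // immutable snapshot, swapped whole
    private volatile long loadedAt;
    public AuthzViewCache(Supplier<Map<String, Map<String, String>>> loader, long ttlMillis) {
        this.loader = loader;
        this.ttlMillis = ttlMillis;
    }

    /** Attributes for one user; an empty map means "no row", which callers treat as deny. */
    public Map<String, String> attributesFor(String userId) {
        Map<String, String> attrs = snapshot().get(userId);
        return attrs != null ? attrs : Collections.<String, String>emptyMap();
    }
    private boolean stale() {
        return rows == null || System.currentTimeMillis() - loadedAt >= ttlMillis;
    }

    private Map<String, Map<String, String>> snapshot() {
        if (stale()) {
            synchronized (this) {
                if (stale()) { // re-check: another thread may have reloaded already
                    // If the loader throws, nothing is published and the caller sees the error.
                    Map<String, Map<String, String>> copy = new HashMap<>();
                    for (Map.Entry<String, Map<String, String>> e : loader.get().entrySet()) {
                        copy.put(e.getKey(), Collections.unmodifiableMap(new HashMap<>(e.getValue())));
                    }
                    loadedAt = System.currentTimeMillis();
                    rows = Collections.unmodifiableMap(copy); // publish only when complete
                }
            }
        }
        return rows;
    }

    public static void main(String[] args) {
        Map<String, String> row = Collections.singletonMap("dept", "finance"); // constructed sample row
        AuthzViewCache cache = new AuthzViewCache(() -> Collections.singletonMap("user1", row), 60_000L);
        boolean allowed = "finance".equals(cache.attributesFor("user1").get("dept")); // authorization step
        System.out.println(allowed + " dept=" + cache.attributesFor("user1").get("dept")); // response step
    }
}
```

The TTL bounds how long a stale entitlement can survive in memory; the full view is still held per JVM, so its size belongs in the load test suggested in post 10.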



  • 10.  Re: Setting up a response variable within Active Policy Expression

    Posted Jun 20, 2018 09:20 AM

    On the performance question, I'd suggest running a Load and Performance test in your environment. There is no definitive number unless the test is executed, analysed and compared. This would also help you understand / identify memory leak OR crash under load / spike conditions.



  • 11.  Re: Setting up a response variable within Active Policy Expression

    Posted Jun 20, 2018 10:09 AM

    Thanks HubertDennis.