-
Type:
Improvement
-
Status: Resolved
-
Priority:
Major
-
Resolution: Fixed
-
Affects Version/s: 12.0.0
-
Component/s: entitlements
-
Labels:
As of OpenAM 12.0.x, users no longer need to have referral policies under default realm . This is because OpenAM 12.0.0 now enables you to specify the realm and application in the policy agent profile. When PA is configured with specific realm and application type, OpenAM directs requests from the policy agent to the specified realm and application.
http://docs.forgerock.org/en/openam/12.0.0/admin-guide/index/chap-realms.html#agent-realm-application-for-policy-decisions
However, this feature is slowing down the speed to get PolicyEvaluator within PolicyRequestHandler. OpenAM 12 takes 37 ms till it printed out "Policy Manager constructed with..." message where as OpenAM 9.5.5 takes ~10 ms:
amPolicy:05/20/2015 08:04:47:962 AM PDT: Thread[http-8443-1,5,main] PolicyRequestHandler.convertEnvParams(): requestIp is 127.0.0.1 amPolicy:05/20/2015 08:04:47:962 AM PDT: Thread[http-8443-1,5,main] PolicyRequestHandler.convertEnvParams(): requestTime is null amPolicy:05/20/2015 08:04:47:962 AM PDT: Thread[http-8443-1,5,main] PolicyRequestHandler.convertEnvParams(): requestTimeZone is null : amPolicy:05/20/2015 08:04:47:999 AM PDT: Thread[http-8443-1,5,main] Policy Manager constructed with SSO token for organization: dc=jpl,dc=nasa,dc=gov
This is because PolicyRequestHandler is retrieving PA's profile (this involves checkPermission etc), then tries to get all related application types PA admin can evaluate.
One option is to turn off this feature if "Activate Referrals:" is on or introduce a new flag.
- relates to
-
OPENAM-4944 PolicyEvaluation issues additional search to o=sunamhiddenrealmdelegationservicepermissions
-
- Closed
-