

A Policy is used by the BasicDecider class. A Policy defines whether to "allow" or "deny" a Request. The result of evaluating a Policy is returned as an "effect". A Policy can use information about the "environment", the End-User (Subject), the Resource being referenced, and the Operation being requested.


<Policy id="NotEnforcedURIs" environment="SERVLET" mode="inbound" effect="allow">
    <Property name="policy.description" value="Not Enforced URIs"/>
    <!-- remaining sub-elements not shown -->
</Policy>


| Name | Required | Description | Example |
|---|---|---|---|
| id | yes | A unique identifier for a Policy. | id="AnonAccess" |
| environment | yes | Must be one of the environment types: SERVLET or ENGINE. | environment="ENGINE" |
| mode | yes | Whether the Policy is evaluated on the Request side (inbound) or on the Response side (outbound) of the Request / Response process. NOTE: Currently only the "inbound" mode is used. | mode="inbound" |
| effect | yes | If the Policy evaluates to TRUE, the effect that is returned. The current options are: allow, deny. | |


| Name | Required | Description | Example |
|---|---|---|---|
| policy.description | no | Description of the Policy. | "Support anon access" |
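
An added example, not part of the original guide or the product's own code: a small Python check that lints Policy elements against the attribute table above (required attributes, documented values, unique ids, and the unused "outbound" mode). The `<Policies>` wrapper element, the sample policies, and strict case-sensitive matching of values are assumptions.

```python
import xml.etree.ElementTree as ET

# Values taken from the attribute table; case-sensitive matching is an assumption.
ALLOWED = {
    "environment": {"SERVLET", "ENGINE"},
    "mode": {"inbound", "outbound"},
    "effect": {"allow", "deny"},
}
REQUIRED = ("id", "environment", "mode", "effect")


def lint_policies(xml_text):
    """Return (policy_id, message) findings for every <Policy> element."""
    findings = []
    seen_ids = set()
    root = ET.fromstring(xml_text)
    for pos, policy in enumerate(root.iter("Policy"), start=1):
        raw_id = policy.get("id")
        pid = raw_id or f"<policy #{pos}>"
        for attr in REQUIRED:
            value = policy.get(attr)
            if not value:
                findings.append((pid, f"missing required attribute '{attr}'"))
            elif attr in ALLOWED and value not in ALLOWED[attr]:
                findings.append((pid, f"{attr}='{value}' is not a documented value"))
        if raw_id:
            if raw_id in seen_ids:
                findings.append((pid, "duplicate id; ids must be unique"))
            seen_ids.add(raw_id)
        if policy.get("mode") == "outbound":
            findings.append((pid, "mode='outbound' is documented as not currently used"))
    return findings


# Constructed sample; the <Policies> wrapper element is hypothetical.
SAMPLE = """
<Policies>
  <Policy id="NotEnforcedURIs" environment="SERVLET" mode="inbound" effect="allow">
    <Property name="policy.description" value="Not Enforced URIs"/>
  </Policy>
  <Policy id="NotEnforcedURIs" environment="servlet" mode="outbound" effect="Allow"/>
  <Policy id="AnonAccess" environment="ENGINE" mode="inbound"/>
</Policies>
"""

if __name__ == "__main__":
    for pid, message in lint_policies(SAMPLE):
        print(f"{pid}: {message}")
```
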

XML Sub-Elements