ClearBox Server™ v1.2 Developer's Guide

ITACACSProxyPolicy::GetAutorejectAttributes

Called by the server before it forwards an authorization packet (via the FOLLOW action) to a remote server, to obtain AutoReject Attribute-Value (AV) pairs from the extension. If any pair in the target packet matches any of these reject pairs, the whole packet is rejected without being forwarded.

HRESULT GetAutorejectAttributes(
	[in] long tag,
	[in] TAC_AUTHORPARAMS * authorParams,
	[out] unsigned long * outpSize,
	[out] AVPAIR * * outpPairs);

Parameters

tag
[in] Unique value identifying the TACACS+ packet in whose context this method is called.
authorParams
[in] Authorization packet data.
outpSize
[out] If the extension returns AutoReject pairs, this parameter must be set to the number of pairs pointed to by outpPairs.
outpPairs
[out] If the extension returns AutoReject pairs, this parameter must be set to an array of AV pairs allocated with CoTaskMemAlloc. The mandType and access fields of the AV pairs are ignored by the server.

Return Values

If the extension returns an error code, the server assumes that the packet is to be forwarded normally.

Thread Safety

This method is called in the context of a WORK thread. (See Server Threads Model for details.) You should synchronize access to data that is shared with other threads.

Memory Management

Memory for the authorParams fields is allocated and freed by the server, so the extension must not change them.

Memory for outpPairs may be allocated by the extension and is freed by the server.

Example Code

This code denies forwarding of all authorization requests for the shell service and rejects the user. Packets with other services are forwarded normally.

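STDMETHODIMP CTest::GetAutorejectAttributes(
	long tag, TAC_AUTHORPARAMS * authorParams,
	unsigned long * outpSize,
	AVPAIR * * outpPairs)
{
	// Report no pairs until the array has been built
	*outpSize=0;
	*outpPairs=reinterpret_cast<AVPAIR*>(
		CoTaskMemAlloc(sizeof(AVPAIR)));
	if (*outpPairs==NULL)
		return E_OUTOFMEMORY; // error code: packet is forwarded normally
	// Single AutoReject pair: service=shell
	(*outpPairs)[0].attribute=SysAllocString(L"service");
	(*outpPairs)[0].value=SysAllocString(L"shell");
	// No other fields are used
	*outpSize=1;
	return S_OK;
}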
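
The following added example is not part of the original guide or of the ClearBox SDK. It combines the Thread Safety, Memory Management and Return Values notes above: the reject list is shared with another thread, copied under a lock, and the output array is handed over only when it is complete. AvPairStandIn, DupString, RejectList, PairList, kOk and kFail are hypothetical names; the stand-ins use malloc/free so the logic builds without the SDK.

```cpp
#include <cstdlib>
#include <cwchar>
#include <mutex>
#include <new>
#include <string>
#include <utility>
#include <vector>

// Stand-ins (assumptions) so the logic builds without the SDK; a real extension
// uses AVPAIR, CoTaskMemAlloc/CoTaskMemFree, SysAllocString/SysFreeString.
struct AvPairStandIn { wchar_t *attribute; wchar_t *value; };
const long kOk = 0, kFail = -1;  // stand-ins for S_OK and E_OUTOFMEMORY
typedef std::vector<std::pair<std::wstring, std::wstring> > PairList;

static wchar_t *DupString(const std::wstring &s) {
	void *p = std::malloc((s.size() + 1) * sizeof(wchar_t));
	if (p) std::wmemcpy(static_cast<wchar_t *>(p), s.c_str(), s.size() + 1);
	return static_cast<wchar_t *>(p);
}

class RejectList {  // hypothetical helper owned by the extension
	std::mutex lock_; PairList pairs_;  // lock_ guards pairs_
public:
	void Set(const PairList &p) {  // called from a thread other than WORK
		std::lock_guard<std::mutex> g(lock_); pairs_ = p;
	}
	// Logic for GetAutorejectAttributes; runs on a WORK thread.
	long Get(unsigned long *outpSize, AvPairStandIn **outpPairs) {
		*outpSize = 0; *outpPairs = nullptr;  // never leave outputs undefined
		PairList snap;
		try { std::lock_guard<std::mutex> g(lock_); snap = pairs_; }
		catch (const std::bad_alloc &) { return kFail; }
		if (snap.empty()) return kOk;  // no reject pairs configured
		AvPairStandIn *out = static_cast<AvPairStandIn *>(
			std::calloc(snap.size(), sizeof(AvPairStandIn)));
		for (std::size_t i = 0; out && i < snap.size(); ++i) {
			out[i].attribute = DupString(snap[i].first);
			out[i].value = DupString(snap[i].second);
			if (out[i].attribute && out[i].value) continue;
			for (std::size_t j = 0; j <= i; ++j) {  // unwind the partial array
				std::free(out[j].attribute); std::free(out[j].value);
			}
			std::free(out); out = nullptr;
		}
		if (!out) return kFail;  // error code: server forwards the packet normally
		*outpSize = static_cast<unsigned long>(snap.size()); *outpPairs = out;
		return kOk;
	}
};
```

Because an error return means the packet is forwarded normally, an allocation failure in this path lets the request through, so such failures are worth logging in the extension.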

See Also

ITACACSProxyPolicy, List of TACACS+ Attribute-Value Pairs, TACACS+ realm stripping and forwarding process


© 2001-2003 XPerience Technologies. www.xperiencetech.com