Our need is to mediate access to application subfolders based on the login id, without the need to prepare a policy for each user of the set of subfolders by id.
Example: let's log in as rob; rob has access to resource https://reportApp.example.com/reports/rob/* but jim does not.
I'd prepare a policy for the subjects to access https://reportApp.example.com/reports/* and then conditionally allow access to login id rob to his reports.
I've examined document http://docs.sun.com/app/docs/doc/820-3748/giaww?l=en&a=view and built some test examples. While the principal name is available in the SSOToken token, the Map env holds the URL defined in the policy (in the example, https://reportApp.example.com/reports/*), and therefore it cannot be examined for the requested subfolder /rob/.
I've not been able to find a way to express at the policy decision point the actual URL presented to the agent; in the example above, something like https://reportApp.example.com/reports/rob/myreport.pdf.
Some feedback on the resource requested by the user as presented to the agent would be most helpful.
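The check the post is asking for, written out as an added example (not the poster's code and not the OpenSSO policy API): given the principal name and the actual requested URL, derive the owner of the report subfolder and compare it with the login id. The hostname `reportApp.example.com`, the `/reports/` prefix and the sample URLs are taken from the post; the function names are assumptions. The example normalises percent-encoding and `..` segments before extracting the owner and splits on the path separator rather than using a string prefix, so that `/reports/jim/../rob/x.pdf` or `/reports/robert/` cannot be mistaken for rob's folder.

```python
from urllib.parse import urlsplit, unquote
import posixpath

# Values from the post; the host check is an added assumption so that a
# policy written for reportApp.example.com is not applied to another host.
EXPECTED_HOST = "reportapp.example.com"
REPORTS_PREFIX = "/reports/"


def owner_of_resource(url: str, expected_host: str = EXPECTED_HOST):
    """Return the login id that owns the report folder addressed by `url`,
    or None when the URL is not a per-user resource under /reports/."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() != expected_host:
        return None
    # Decode percent-encoding first, then collapse "." and ".." segments so
    # that /reports/jim/%2e%2e/rob/x.pdf resolves to rob's folder, not jim's.
    path = posixpath.normpath(unquote(parts.path))
    if not path.startswith(REPORTS_PREFIX):
        return None
    # Take exactly the first segment after /reports/; partition on "/" means
    # /reports/robert/... yields "robert", never a prefix match for "rob".
    owner, _, _ = path[len(REPORTS_PREFIX):].partition("/")
    return owner or None


def is_allowed(principal: str, requested_url: str) -> bool:
    """Condition evaluated after the broad /reports/* policy has matched:
    the subject may only reach the folder named after their own login id."""
    owner = owner_of_resource(requested_url)
    return owner is not None and owner == principal


if __name__ == "__main__":
    # Constructed sample decisions using the identities from the post.
    for user, url in [
        ("rob", "https://reportApp.example.com/reports/rob/myreport.pdf"),
        ("jim", "https://reportApp.example.com/reports/rob/myreport.pdf"),
        ("jim", "https://reportApp.example.com/reports/jim/%2e%2e/rob/x.pdf"),
    ]:
        print(user, url, "->", "allow" if is_allowed(user, url) else "deny")
```

The point the example makes is that the decision needs the URL the agent actually received, not the pattern from the policy: with only `/reports/*` available there is no `owner` segment to compare against, which is exactly the gap the post describes.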