[jboss-cvs] JBossAS SVN: r64186 - in projects/security/security-xacml/trunk/docs/userguide/src/docbkx/en: modules and 1 other directory.

jboss-cvs-commits at lists.jboss.org jboss-cvs-commits at lists.jboss.org
Sun Jul 22 08:48:29 EDT 2007


Author: anil.saldhana at jboss.com
Date: 2007-07-22 08:48:27 -0400 (Sun, 22 Jul 2007)
New Revision: 64186

Added:
   projects/security/security-xacml/trunk/docs/userguide/src/docbkx/en/modules/configuration.xml
   projects/security/security-xacml/trunk/docs/userguide/src/docbkx/en/modules/dependencies.xml
   projects/security/security-xacml/trunk/docs/userguide/src/docbkx/en/modules/examples.xml
   projects/security/security-xacml/trunk/docs/userguide/src/docbkx/en/modules/pdp.xml
   projects/security/security-xacml/trunk/docs/userguide/src/docbkx/en/modules/pep.xml
Modified:
   projects/security/security-xacml/trunk/docs/userguide/src/docbkx/en/master.xml
   projects/security/security-xacml/trunk/docs/userguide/src/docbkx/en/modules/introduction.xml
Log:
docbook changes for JBossXACML

Modified: projects/security/security-xacml/trunk/docs/userguide/src/docbkx/en/master.xml
===================================================================
--- projects/security/security-xacml/trunk/docs/userguide/src/docbkx/en/master.xml	2007-07-22 10:48:25 UTC (rev 64185)
+++ projects/security/security-xacml/trunk/docs/userguide/src/docbkx/en/master.xml	2007-07-22 12:48:27 UTC (rev 64186)
@@ -4,10 +4,15 @@
 <book lang="en">
    <bookinfo>
       <title>User Guide for JBoss XACML</title>
-
       <subtitle>A Guide for Developers</subtitle>
-
-      <releaseinfo>2.0.0</releaseinfo>
+      <releaseinfo>2.0.1</releaseinfo>
+      <authorgroup>
+        <author>
+          <firstname>Anil</firstname>
+          <othername>J.</othername>
+          <surname>Saldhana</surname>
+        </author>
+      </authorgroup>
    </bookinfo>
 
    <toc></toc>
@@ -40,6 +45,21 @@
    <xi:include href="modules/introduction.xml"
                xml:base="./"
                xmlns:xi="http://www.w3.org/2001/XInclude"/>
+   <xi:include href="modules/configuration.xml"
+               xml:base="./"
+               xmlns:xi="http://www.w3.org/2001/XInclude"/>
+   <xi:include href="modules/pdp.xml"
+               xml:base="./"
+               xmlns:xi="http://www.w3.org/2001/XInclude"/>
+   <xi:include href="modules/examples.xml"
+               xml:base="./"
+               xmlns:xi="http://www.w3.org/2001/XInclude"/>
+   <xi:include href="modules/pep.xml"
+               xml:base="./"
+               xmlns:xi="http://www.w3.org/2001/XInclude"/>
+   <xi:include href="modules/dependencies.xml"
+               xml:base="./"
+               xmlns:xi="http://www.w3.org/2001/XInclude"/>
    <xi:include href="modules/acknowledgments.xml"
                xml:base="./"
                xmlns:xi="http://www.w3.org/2001/XInclude"/>

Added: projects/security/security-xacml/trunk/docs/userguide/src/docbkx/en/modules/configuration.xml
===================================================================
--- projects/security/security-xacml/trunk/docs/userguide/src/docbkx/en/modules/configuration.xml	                        (rev 0)
+++ projects/security/security-xacml/trunk/docs/userguide/src/docbkx/en/modules/configuration.xml	2007-07-22 12:48:27 UTC (rev 64186)
@@ -0,0 +1,120 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+      "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<chapter id="configuration">
+   <title>JBoss XACML Configuration</title>
+
+   <para>An configuration file can be used to define the various policies and policy sets that the PDP can use for evaluation. The schema file driving the configuration is shown below.
+  </para>
+
+  <programlisting>
+
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" 
+           xmlns:ns="urn:jboss:xacml:2.0" 
+           targetNamespace="urn:jboss:xacml:2.0" 
+           elementFormDefault="qualified" 
+           attributeFormDefault="unqualified">
+   <xs:element name="jbosspdp" type="ns:PDP">
+      <xs:annotation>
+         <xs:documentation>Root Element for JBoss XACML</xs:documentation>
+      </xs:annotation>
+   </xs:element>
+   <xs:complexType name="PDP">
+      <xs:sequence>
+         <xs:element ref="ns:Policies"/>
+         <xs:element ref="ns:Locators"/>
+      </xs:sequence>
+   </xs:complexType>
+   <xs:element name="Policies" type="ns:PoliciesType"/>
+   <xs:complexType name="PoliciesType">
+      <xs:sequence>
+         <xs:element name="PolicySet" 
+                     type="ns:PolicySetType" 
+                     minOccurs="0" maxOccurs="unbounded"/>
+         <xs:element name="Policy" 
+                     type="ns:PolicyType" 
+                     minOccurs="0" maxOccurs="unbounded"/>
+      </xs:sequence>
+   </xs:complexType>
+   <xs:complexType name="PolicySetType">
+      <xs:sequence>
+         <xs:element name="Location" 
+                     type="xs:anyURI" minOccurs="0"/>
+         <xs:element name="Policy" 
+                     type="ns:PolicyType" 
+                     minOccurs="0" maxOccurs="unbounded"/>
+      </xs:sequence>
+   </xs:complexType>
+   <xs:complexType name="PolicyType">
+      <xs:sequence>
+         <xs:element name="Location" type="xs:anyURI"/>
+      </xs:sequence>
+   </xs:complexType>
+   <xs:element name="Locators" type="ns:LocatorsType"/>
+   <xs:complexType name="LocatorsType">
+      <xs:sequence>
+         <xs:element name="Locator" 
+                     type="ns:LocatorType" minOccurs="0" 
+                     maxOccurs="unbounded"/>
+      </xs:sequence>
+   </xs:complexType>
+   <xs:element name="Option">
+      <xs:complexType mixed="true">
+         <xs:sequence>
+            <xs:any namespace="##other" minOccurs="0"/>
+         </xs:sequence>
+         <xs:attribute name="Name" type="xs:string"/>
+      </xs:complexType>
+   </xs:element>
+   <xs:complexType name="LocatorType">
+      <xs:sequence>
+         <xs:element ref="ns:Option" 
+                     minOccurs="0" maxOccurs="unbounded"/>
+      </xs:sequence>
+      <xs:attribute name="Name" type="xs:string"/>
+   </xs:complexType>
+</xs:schema>
+
+  </programlisting>
+
+   <para>The following is an example of a configuration file.</para>
+
+   <programlisting>
+
+   <ns:jbosspdp xmlns:ns="urn:jboss:xacml:2.0">
+  <ns:Policies>
+    <ns:PolicySet>
+      <ns:Location>test/policies/interop/xacml-policySet.xml</ns:Location>
+      <ns:Policy>
+         <ns:Location>test/policies/interop/xacml-policy2.xml</ns:Location>
+      </ns:Policy>
+      
+      <ns:Policy>
+         <ns:Location>test/policies/interop/xacml-policy3.xml</ns:Location>
+      </ns:Policy>
+      <ns:Policy>
+         <ns:Location>test/policies/interop/xacml-policy4.xml</ns:Location>
+      </ns:Policy>
+      
+      <ns:Policy>
+         <ns:Location>test/policies/interop/xacml-policy5.xml</ns:Location>
+      </ns:Policy>
+      
+    </ns:PolicySet>
+  </ns:Policies>
+  <ns:Locators>
+    <ns:Locator Name="org.jboss.security.xacml.locators.JBossPolicySetLocator"> 
+    </ns:Locator>
+  </ns:Locators>
+</ns:jbosspdp>
+ 
+   </programlisting> 
+
+   <para>As shown in the configuration file, you can define a policy set with enclosing policies. If you do not need any policy sets, but want to define 1 or more policies, you can do so. The location of a policy/policy set has to confrom to the java.net.URL format (or you can provide a relative location as shown in the above configuration file).  
+  </para>
+
+  <para>The PDP makes use of PolicyLocator(s) for policies. Each of these policy locators are asked for a policy when a request is being evaluated. The default locator that is provided with JBossXACML is the <command>org.jboss.security.xacml.locators.JBossPolicySetLocator</command> 
+  </para>
+
+  <para>You will need to provide at least 1 locator.</para>
+</chapter>
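Review bot: Both `<programlisting>` blocks in this chapter (the `xs:schema` listing and the `ns:jbosspdp` example) embed raw markup with no CDATA section, so a DocBook processor will parse `xs:schema` and `ns:jbosspdp` as child elements rather than print them, and the DocBook 4.4 DTD does not allow those elements there. Wrap each listing the way examples.xml does: `<programlisting><![CDATA[` … `]]></programlisting>`. The paragraph on `Location` could also note that these files decide access, so any non-relative URL should point at a source whose content and transport the deployer controls. The prose typos `An configuration` and `confrom` should be fixed in the same pass.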

Added: projects/security/security-xacml/trunk/docs/userguide/src/docbkx/en/modules/dependencies.xml
===================================================================
--- projects/security/security-xacml/trunk/docs/userguide/src/docbkx/en/modules/dependencies.xml	                        (rev 0)
+++ projects/security/security-xacml/trunk/docs/userguide/src/docbkx/en/modules/dependencies.xml	2007-07-22 12:48:27 UTC (rev 64186)
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+      "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<chapter id="dependencies">
+   <title>Dependencies forJBoss XACML</title>
+
+   <para>JBoss XACML needs the following as dependencies.</para>
+
+   <para>
+    <orderedlist numeration="arabic">
+       <listitem><para>JDK 5.0 or above</para></listitem>
+       <listitem><para>JBoss-JavaEE 5.0 (This basically provides javax.xml.stream support which exists in JDK6)</para></listitem>
+       <listitem><para>JAXB2 libraries (JAXB-API, JAXB-IMPL)</para></listitem>
+       <listitem><para>SunXACML 2.0</para></listitem>
+    </orderedlist>
+   </para>
+</chapter>

Added: projects/security/security-xacml/trunk/docs/userguide/src/docbkx/en/modules/examples.xml
===================================================================
--- projects/security/security-xacml/trunk/docs/userguide/src/docbkx/en/modules/examples.xml	                        (rev 0)
+++ projects/security/security-xacml/trunk/docs/userguide/src/docbkx/en/modules/examples.xml	2007-07-22 12:48:27 UTC (rev 64186)
@@ -0,0 +1,309 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+      "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<chapter id="examples">
+   <title>Examples</title>
+
+  <para>The following sections display usage of JBossXACML in various bindings.
+  </para>
+
+  <sect1 id="web-binding">
+   <title>Web Binding</title>
+   <para>The Policy File that we will use as an example for the Web Binding Layer is shown below.</para>
+   <programlisting>
+<![CDATA[
+
+<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os" 
+ RuleCombiningAlgId=
+    "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides"
+    Version="2.0" PolicyId="ExamplePolicy">
+    <Target>
+        <Resources>
+            <Resource>
+                <ResourceMatch 
+                   MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
+                    <AttributeValue 
+                       DataType=
+"http://www.w3.org/2001/XMLSchema#anyURI">http://test/developer-guide.html</AttributeValue>
+                    <ResourceAttributeDesignator 
+                     DataType=
+"http://www.w3.org/2001/XMLSchema#anyURI" 
+AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
+                </ResourceMatch>
+            </Resource>
+        </Resources>
+    </Target>
+    <Rule Effect="Permit" RuleId="ReadRule">
+        <Target>
+            <Actions>
+                <Action>
+                    <ActionMatch 
+               MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+                        <AttributeValue 
+               DataType=
+"http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
+                        <ActionAttributeDesignator 
+               DataType="http://www.w3.org/2001/XMLSchema#string" 
+               AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"/>
+                    </ActionMatch>
+                </Action>
+            </Actions>
+        </Target>
+        <Condition> 
+            <Apply 
+           FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
+              <AttributeValue 
+           DataType=
+"http://www.w3.org/2001/XMLSchema#string">developer</AttributeValue> 
+              <SubjectAttributeDesignator 
+           DataType="http://www.w3.org/2001/XMLSchema#string"
+           AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" />
+            </Apply> 
+      </Condition>
+    </Rule>
+    <!-- If none of the rules apply, deny the request -->
+    <Rule Effect="Deny" RuleId="DenyRule"/>
+</Policy>
+
+]]>
+   </programlisting>
+
+<para>This policy file basically provides access to the url when the subject has a role of "developer". All other requests are denied because of the explicit rule at the bottom of the policy file, without which the PDP would have returned a decision of NotAPPLICABLE.</para>
+
+  <para>If we would like to construct the policy dynamically, then we will need to use the Object Model provided with JBoss XACML that is based on JAXB v2.0 and above. The code listing is shown below:</para>
+   <programlisting>
+<![CDATA[
+import java.net.URI;
+import java.security.Principal;
+import java.security.acl.Group;
+import java.util.HashSet;
+import java.util.Set;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.xml.bind.JAXBElement;
+
+import junit.framework.TestCase;
+
+import org.jboss.security.xacml.core.JBossPDP;
+import org.jboss.security.xacml.core.model.policy.ActionMatchType;
+import org.jboss.security.xacml.core.model.policy.ActionType;
+import org.jboss.security.xacml.core.model.policy.ActionsType;
+import org.jboss.security.xacml.core.model.policy.ApplyType;
+import org.jboss.security.xacml.core.model.policy.AttributeValueType;
+import org.jboss.security.xacml.core.model.policy.ConditionType;
+import org.jboss.security.xacml.core.model.policy.EffectType;
+import org.jboss.security.xacml.core.model.policy.ExpressionType;
+import org.jboss.security.xacml.core.model.policy.FunctionType;
+import org.jboss.security.xacml.core.model.policy.ObjectFactory;
+import org.jboss.security.xacml.core.model.policy.PolicyType;
+import org.jboss.security.xacml.core.model.policy.ResourceMatchType;
+import org.jboss.security.xacml.core.model.policy.ResourceType;
+import org.jboss.security.xacml.core.model.policy.ResourcesType;
+import org.jboss.security.xacml.core.model.policy.RuleType;
+import org.jboss.security.xacml.core.model.policy.SubjectAttributeDesignatorType;
+import org.jboss.security.xacml.core.model.policy.TargetType;
+import org.jboss.security.xacml.factories.PolicyAttributeFactory;
+import org.jboss.security.xacml.factories.PolicyFactory;
+import org.jboss.security.xacml.interfaces.PolicyDecisionPoint;
+import org.jboss.security.xacml.interfaces.PolicyLocator;
+import org.jboss.security.xacml.interfaces.RequestContext;
+import org.jboss.security.xacml.interfaces.XACMLConstants;
+import org.jboss.security.xacml.interfaces.XACMLPolicy;
+import org.jboss.security.xacml.interfaces.XMLSchemaConstants;
+import org.jboss.security.xacml.locators.JBossPolicyLocator;
+import org.jboss.test.security.xacml.factories.util.XACMLTestUtil;
+
+   public void testWebBinding() throws Exception
+   {  
+      PolicyType policyType = constructPolicy();
+      PolicyDecisionPoint pdp = new JBossPDP();
+      
+      XACMLPolicy policy = PolicyFactory.createPolicy(policyType);
+      Set<XACMLPolicy> policies = new HashSet<XACMLPolicy>();
+      policies.add(policy);
+      
+      pdp.setPolicies(policies);
+      
+      //Add the basic locators also
+      PolicyLocator policyLocator = new JBossPolicyLocator();
+      policyLocator.setPolicies(policies); 
+//Locators need to be given the policies
+      
+      Set<PolicyLocator> locators = new HashSet<PolicyLocator>();
+      locators.add(policyLocator);
+      pdp.setLocators(locators);
+      assertNotNull("JBossPDP is != null", pdp);
+      
+      Principal p = new Principal()
+      { 
+         public String getName()
+         { 
+            return "testuser";
+         } 
+      };
+
+      //Create Role Group
+      Group grp = XACMLTestUtil.getRoleGroup("developer");
+      
+      String requestURI = "http://test/developer-guide.html";
+      HttpRequestUtil util = new HttpRequestUtil();
+      HttpServletRequest req = util.createRequest(p, requestURI); 
+      
+      //Check PERMIT condition
+      WebPEP pep = new WebPEP();
+      RequestContext request = pep.createXACMLRequest(req, p, grp);
+      if(debug)
+        request.marshall(System.out);
+      
+      assertEquals("Access Allowed?", 
+XACMLConstants.DECISION_PERMIT,
+            XACMLTestUtil.getDecision(pdp,request)); 
+   }
+
+public void testNegativeAccessWebBinding() throws Exception
+   {
+      PolicyType policyType = constructPolicy();
+      PolicyDecisionPoint pdp = new JBossPDP();
+      
+      XACMLPolicy policy = PolicyFactory.createPolicy(policyType);
+      Set<XACMLPolicy> policies = new HashSet<XACMLPolicy>();
+      policies.add(policy);
+      
+      pdp.setPolicies(policies);
+      
+      //Add the basic locators also
+      PolicyLocator policyLocator = new JBossPolicyLocator();
+//Locators need to be given the policies
+      policyLocator.setPolicies(policies); 
+      
+      Set<PolicyLocator> locators = new HashSet<PolicyLocator>();
+      locators.add(policyLocator);
+      pdp.setLocators(locators);
+      assertNotNull("JBossPDP is != null", pdp);
+      
+      
+      Principal p = new Principal()
+      { 
+         public String getName()
+         { 
+            return "testuser";
+         } 
+      };
+
+      //Create Role Group
+      Group grp = XACMLTestUtil.getRoleGroup("imposter");
+      String requestURI = "http://test/developer-guide.html";
+      HttpRequestUtil util = new HttpRequestUtil();
+      HttpServletRequest req = util.createRequest(p, requestURI); 
+      
+      //Check DENY condition
+      WebPEP pep = new WebPEP();
+      RequestContext request = pep.createXACMLRequest(req, p, grp);
+      if(debug)
+         request.marshall(System.out);
+      
+      assertEquals("Access Disallowed?", XACMLConstants.DECISION_DENY,
+            XACMLTestUtil.getDecision(pdp,request));  
+   }  
+
+private PolicyType constructPolicy() throws Exception
+   {
+      ObjectFactory objectFactory = new ObjectFactory();
+      
+      String PERMIT_OVERRIDES=
+"urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides";
+      PolicyType policyType = new PolicyType();
+      policyType.setPolicyId("ExamplePolicy");
+      policyType.setVersion("2.0");
+      policyType.setRuleCombiningAlgId(PERMIT_OVERRIDES);
+      
+      //Create a target
+      TargetType targetType = new TargetType(); 
+      
+      ResourcesType resourcesType = new ResourcesType();
+      ResourceType resourceType = new ResourceType();
+      ResourceMatchType rmt = new ResourceMatchType();
+      rmt.setMatchId(XACMLConstants.FUNCTION_ANYURI_EQUALS);
+      rmt.setResourceAttributeDesignator(
+  PolicyAttributeFactory.createAttributeDesignatorType(
+         XACMLConstants.RESOURCE_IDENTIFIER,
+         XMLSchemaConstants.DATATYPE_ANYURI));
+      rmt.setAttributeValue(PolicyAttributeFactory.createAnyURIAttributeType(
+                    new URI("http://test/developer-guide.html")));
+      resourceType.getResourceMatch().add(rmt);
+      resourcesType.getResource().add(resourceType);
+      
+      targetType.setResources(resourcesType);
+      
+      policyType.setTarget(targetType);
+      
+      
+      //Create a Rule
+      RuleType permitRule = new RuleType();
+      permitRule.setRuleId("ReadRule");
+      permitRule.setEffect(EffectType.PERMIT);
+      
+      ActionsType permitRuleActionsType = new ActionsType();
+      ActionType permitRuleActionType = new ActionType();
+      
+      ActionMatchType amct = new ActionMatchType();
+      amct.setMatchId("urn:oasis:names:tc:xacml:1.0:function:string-equal");
+      amct.setAttributeValue(
+  PolicyAttributeFactory.createStringAttributeType("read"));
+      amct.setActionAttributeDesignator(
+PolicyAttributeFactory.createAttributeDesignatorType(
+            XACMLConstants.ACTION_IDENTIFIER, 
+            XMLSchemaConstants.DATATYPE_STRING)); 
+      permitRuleActionType.getActionMatch().add(amct);
+      TargetType permitRuleTargetType = new TargetType();
+      permitRuleActionsType.getAction().add(permitRuleActionType);
+      permitRuleTargetType.setActions(permitRuleActionsType);
+      permitRule.setTarget(permitRuleTargetType);
+      
+      ConditionType permitRuleConditionType = new ConditionType();  
+      FunctionType functionType = new FunctionType();
+      functionType.setFunctionId(XACMLConstants.FUNCTION_STRING_EQUAL);
+      JAXBElement<ExpressionType> jaxbElementFunctionType = 
+ objectFactory.createExpression(functionType);
+      permitRuleConditionType.setExpression(jaxbElementFunctionType);
+      
+      ApplyType permitRuleApplyType = new ApplyType();
+      permitRuleApplyType.setFunctionId(XACMLConstants.FUNCTION_STRING_IS_IN);
+       
+      SubjectAttributeDesignatorType sadt = 
+PolicyAttributeFactory.createSubjectAttributeDesignatorType(
+            XACMLConstants.SUBJECT_ROLE_IDENTIFIER, 
+            XMLSchemaConstants.DATATYPE_STRING);
+      JAXBElement<SubjectAttributeDesignatorType> sadtElement = 
+objectFactory.createSubjectAttributeDesignator(sadt);
+      AttributeValueType avt = 
+PolicyAttributeFactory.createStringAttributeType("developer");
+      JAXBElement<AttributeValueType> jaxbAVT = 
+objectFactory.createAttributeValue(avt); 
+      permitRuleApplyType.getExpression().add(jaxbAVT); 
+      permitRuleApplyType.getExpression().add(sadtElement);
+       
+      
+      permitRuleConditionType.setExpression(
+         objectFactory.createApply(permitRuleApplyType));
+       
+      permitRule.setCondition(permitRuleConditionType);
+      
+      policyType.
+getCombinerParametersOrRuleCombinerParametersOrVariableDefinition().
+add(permitRule);
+      //Create a Deny Rule
+      RuleType denyRule = new RuleType();
+      denyRule.setRuleId("DenyRule"); 
+      denyRule.setEffect(EffectType.DENY); 
+      policyType.
+getCombinerParametersOrRuleCombinerParametersOrVariableDefinition().
+add(denyRule);
+      
+      return policyType;
+   }   
+ ]]>
+   </programlisting>
+
+  </sect1>
+</chapter>
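Review bot: The paragraph after the policy listing says all other requests are denied by `DenyRule`, but the policy's own `<Target>` matches only the resource `http://test/developer-guide.html`, so `DenyRule` is reached only for requests to that URL. A request for any other resource would not match the policy target, and the decision would presumably be NotApplicable rather than Deny. The text should say so and state the enforcement rule explicitly, e.g. `Only a Permit decision grants access; the PEP should refuse on Deny, NotApplicable and Indeterminate.` Separately, in `constructPolicy()` the `FunctionType` expression set on `permitRuleConditionType` is overwritten a few lines later by `setExpression(objectFactory.createApply(permitRuleApplyType))`, so the `functionType` lines are dead code and can be dropped from the listing.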

Modified: projects/security/security-xacml/trunk/docs/userguide/src/docbkx/en/modules/introduction.xml
===================================================================
--- projects/security/security-xacml/trunk/docs/userguide/src/docbkx/en/modules/introduction.xml	2007-07-22 10:48:25 UTC (rev 64185)
+++ projects/security/security-xacml/trunk/docs/userguide/src/docbkx/en/modules/introduction.xml	2007-07-22 12:48:27 UTC (rev 64186)
@@ -4,12 +4,17 @@
 <chapter id="introduction">
    <title>Introduction to JBoss XACML</title>
 
-   <para>The JBoss XACML provides standards based, robust Policy Infrastruture library .
+   <para>The JBoss XACML provides a standards based, robust Policy Infrastruture library .
   </para>
 
-   <para>JBossXACML is based on Oasis XACML v2.0. It defines an API to read one or more PolicySets (and/or Policy files) via a simple configuration file.
+   <para>JBossXACML is based on Oasis XACML v2.0. It defines an API to read one or more PolicySets (and/or Policy files) via a simple configuration file. It also provides a JAXB v2.0 compatible object model that can be used to construct policies and requests in XACML. 
   </para>
 
    <para>At its core, JBossXACML makes use of the standards compliant, BSD style licensed SunXACML library available at http://sunxacml.sourceforge.net/
   </para>
+
+  <sect1 id="pre-requisites">
+    <title>Pre-requisites</title>
+    <para>To make full use of JBoss XACML, you will need a basic understanding of XACML v2.0, their policies etc</para>
+  </sect1>
 </chapter>

Added: projects/security/security-xacml/trunk/docs/userguide/src/docbkx/en/modules/pdp.xml
===================================================================
--- projects/security/security-xacml/trunk/docs/userguide/src/docbkx/en/modules/pdp.xml	                        (rev 0)
+++ projects/security/security-xacml/trunk/docs/userguide/src/docbkx/en/modules/pdp.xml	2007-07-22 12:48:27 UTC (rev 64186)
@@ -0,0 +1,58 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+      "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<chapter id="pdp">
+   <title>Introduction to JBoss XACML PDP</title>
+
+   <para>There is an implementation of the <command>org.jboss.security.xacml.interfaces.PolicyDecisionPoint</command> in JBoss called as <command>org.jboss.security.xacml.core.JBossPDP</command>. There are few variants of the construction of the JBossPDP as shown below.
+  </para>
+
+  <programlisting>
+   public JBossPDP(InputStream configFile);
+   public JBossPDP(InputSource configFile);
+   public JBossPDP(Node configFile);
+   public JBossPDP(XMLStreamReader configFile);
+   public JBossPDP(URL configFileURL);
+  </programlisting>
+
+  <sect1 id="PDPViaConfig">
+  <title>PDP Construction with a Configuration File</title>
+
+   <para>A PDP can be provided with policies via a configuration file or one can make use of the JAXB2 object model in JBoss XACML to construct the Policy/POlicySet instances and then provide them to the PDP. An example usage of the PDP with a configuration file is shown below:</para>
+
+  <programlisting>
+      import org.jboss.security.xacml.interfaces.PolicyDecisionPoint;
+      import org.jboss.security.xacml.core.JBossPDP;
+
+      ClassLoader tcl = Thread.currentThread().getContextClassLoader();
+      InputStream is = 
+       tcl.getResourceAsStream("test/config/interopPolicySetConfig.xml");
+      PolicyDecisionPoint pdp = new JBossPDP(is);
+  </programlisting>
+  </sect1>
+
+  <sect1 id="PDPViaObjects">
+  <title>PDP Construction with Object Model</title>
+
+  <para>
+   There is an object model provided with JBoss XACML in the package <command>org.jboss.security.xacml.core.model.policy</command>. This is the package that one will work with in the construction of elements associated with a Policy or PolicySet. There is a utility factory class that is provided in <command>org.jboss.security.xacml.factories.PolicyAttributeFactory</command> which can be used to create the AttributeValueTypes used in a Policy.
+  </para>
+  <para>
+   The interface <command>org.jboss.security.xacml.interfaces.XACMLPolicy</command> represents either a Policy or a PolicySet and is represented in the method in the PDP when you want to pass a set of pre-constructed instances, as shown below:
+  </para>
+
+  <programlisting>
+<![CDATA[
+      PolicyType policyType = constructPolicy();
+      PolicyDecisionPoint pdp = new JBossPDP();
+      
+      XACMLPolicy policy = PolicyFactory.createPolicy(policyType);
+      Set<XACMLPolicy> policies = new HashSet<XACMLPolicy>();
+      policies.add(policy);
+      
+      //Pass a set of policies (and/or policy sets) to the PDP
+      pdp.setPolicies(policies);
+]]>
+  </programlisting>
+  </sect1>
+</chapter>
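Review bot: In the configuration-file example, `tcl.getResourceAsStream(...)` returns null when the resource is not on the classpath, and the listing passes the result straight to `new JBossPDP(is)`. The test in pep.xml guards the same call with `assertNotNull`, so the guide example should show an equivalent check, e.g. `if (is == null) throw new IllegalStateException("PDP configuration not found");`. That way a missing policy configuration fails at start-up; what `JBossPDP` does with a null stream is not visible here. The listing also uses `InputStream` without importing `java.io.InputStream`, and the prose has `POlicySet` for `PolicySet`.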

Added: projects/security/security-xacml/trunk/docs/userguide/src/docbkx/en/modules/pep.xml
===================================================================
--- projects/security/security-xacml/trunk/docs/userguide/src/docbkx/en/modules/pep.xml	                        (rev 0)
+++ projects/security/security-xacml/trunk/docs/userguide/src/docbkx/en/modules/pep.xml	2007-07-22 12:48:27 UTC (rev 64186)
@@ -0,0 +1,200 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+      "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<chapter id="pep">
+   <title>Policy Enforcement Points (PEPs)</title>
+
+   <para>PEPs are an important component of any Policy based infrastructure. PEPs are needed to construct the policy requests to be passed to the PDPs for evaluation. 
+  </para>
+
+   <para>JBossXACML provides an object model that is based on JAXB v2.0 and later, to construct XACML Policy requests. The package <command>org.jboss.security.xacml.core.model.context</command> contains the object classes. Please make a note of this package used for building request and responses. This is different from the package used for policy construction. There may be types that have the same name in the two different packages.
+  </para>
+
+  <para>There is a utility factory class that can be used to construct the various attributes of the Request. The class is <command>org.jboss.security.xacml.factories.RequestAttributeFactory</command>.</para>
+
+   <para>An example of construction of XACML Request is shown below:</para>
+
+   <programlisting>
+<![CDATA[
+import java.io.InputStream;
+
+import junit.framework.TestCase;
+
+import org.jboss.security.xacml.core.JBossPDP;
+import org.jboss.security.xacml.core.model.context.ActionType;
+import org.jboss.security.xacml.core.model.context.AttributeType;
+import org.jboss.security.xacml.core.model.context.EnvironmentType;
+import org.jboss.security.xacml.core.model.context.RequestType;
+import org.jboss.security.xacml.core.model.context.ResourceType;
+import org.jboss.security.xacml.core.model.context.SubjectType;
+import org.jboss.security.xacml.factories.RequestAttributeFactory;
+import org.jboss.security.xacml.factories.RequestResponseContextFactory;
+import org.jboss.security.xacml.interfaces.PolicyDecisionPoint;
+import org.jboss.security.xacml.interfaces.RequestContext;
+import org.jboss.security.xacml.interfaces.XACMLConstants;
+import org.jboss.test.security.xacml.factories.util.XACMLTestUtil;
+
+public void testInteropTestWithObjects() throws Exception
+   {
+      ClassLoader tcl = Thread.currentThread().getContextClassLoader();
+      InputStream is = 
+tcl.getResourceAsStream("test/config/interopPolicySetConfig.xml");
+      assertNotNull("InputStream != null", is);
+      PolicyDecisionPoint pdp = new JBossPDP(is);
+      assertNotNull("JBossPDP is != null", pdp); 
+
+      assertEquals("Case 1 should be deny", XACMLConstants.DECISION_DENY,
+            XACMLTestUtil.getDecision(pdp,
+         getRequestContext("false","false",10)));
+      assertEquals("Case 2 should be deny", XACMLConstants.DECISION_PERMIT,
+            XACMLTestUtil.getDecision(pdp,
+getRequestContext("false","false",1)));
+      assertEquals("Case 3 should be deny", XACMLConstants.DECISION_PERMIT,
+            XACMLTestUtil.getDecision(pdp,
+getRequestContext("true","false",5)));
+      assertEquals("Case 4 should be deny", XACMLConstants.DECISION_DENY,
+            XACMLTestUtil.getDecision(pdp,
+getRequestContext("false","false",9)));
+      assertEquals("Case 5 should be deny", XACMLConstants.DECISION_DENY,
+            XACMLTestUtil.getDecision(pdp,
+getRequestContext("true","false",10)));
+      assertEquals("Case 6 should be deny", XACMLConstants.DECISION_DENY,
+            XACMLTestUtil.getDecision(pdp,
+getRequestContext("true","false",15)));
+      assertEquals("Case 7 should be deny", XACMLConstants.DECISION_PERMIT,
+            XACMLTestUtil.getDecision(pdp,
+getRequestContext("true","true",10)));  
+   }
+   
+private RequestContext getRequestContext(String reqTradeAppr, String reqCreditAppr,
+         int buyPrice) throws Exception
+   {
+      RequestType request = new RequestType();
+      request.getSubject().add(
+createSubject(reqTradeAppr,reqCreditAppr,buyPrice));
+      request.getResource().add(createResource());
+      request.setAction(createAction());
+      request.setEnvironment( new EnvironmentType());
+      
+      RequestContext requestCtx = 
+RequestResponseContextFactory.createRequestCtx();
+      requestCtx.setRequest(request);
+      if(debug)
+        requestCtx.marshall(System.out);
+      
+      return requestCtx;
+   } 
+   
+   
+   private SubjectType createSubject(String reqTradeAppr, 
+String reqCreditAppr,
+         int buyPrice)
+   {
+      //Create a subject type
+      SubjectType subject = new SubjectType();
+      subject.setSubjectCategory(
+"urn:oasis:names:tc:xacml:1.0:subject-category:access-subject");
+      //create the subject attributes
+      AttributeType attSubjectID = 
+RequestAttributeFactory.createStringAttributeType(
+            "urn:oasis:names:tc:xacml:1.0:subject:subject-id",
+            "xacml20.interop.com", "123456"); 
+      subject.getAttribute().add(attSubjectID);
+      
+      AttributeType attUserName = 
+RequestAttributeFactory.createStringAttributeType(
+                  "urn:xacml:2.0:interop:example:subject:user-name",
+                 "xacml20.interop.com", "John Smith");
+      subject.getAttribute().add(attUserName);
+      
+      AttributeType attBuyNumShares = 
+RequestAttributeFactory.createIntegerAttributeType(
+      "urn:xacml:2.0:interop:example:subject:buy-num-shares",
+      "xacml20.interop.com", 1000);
+      subject.getAttribute().add(attBuyNumShares); 
+      
+      AttributeType attBuyOfferShare = 
+RequestAttributeFactory.createIntegerAttributeType(
+      "urn:xacml:2.0:interop:example:subject:buy-offer-price",
+      "xacml20.interop.com", buyPrice);
+      subject.getAttribute().add(attBuyOfferShare);
+       
+      
+      AttributeType attRequestExtCred = 
+RequestAttributeFactory.createStringAttributeType(
+      "urn:xacml:2.0:interop:example:subject:req-credit-ext-approval",
+      "xacml20.interop.com", reqCreditAppr);
+      subject.getAttribute().add(attRequestExtCred); 
+      
+      AttributeType attRequestTradeApproval = 
+RequestAttributeFactory.createStringAttributeType(
+      "urn:xacml:2.0:interop:example:subject:req-trade-approval",
+      "xacml20.interop.com", reqTradeAppr);
+      subject.getAttribute().add(attRequestTradeApproval);
+
+     return subject;
+   }
+   
+   public ResourceType createResource()
+   {
+      ResourceType resourceType = new ResourceType();
+      
+      AttributeType attResourceID = 
+RequestAttributeFactory.createStringAttributeType(
+      "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
+       "xacml20.interop.com", "CustomerAccount");
+      resourceType.getAttribute().add(attResourceID);
+      
+      
+      AttributeType attOwnerID = 
+RequestAttributeFactory.createStringAttributeType(
+      "urn:xacml:2.0:interop:example:resource:owner-id",
+      "xacml20.interop.com", "123456");
+      resourceType.getAttribute().add(attOwnerID);
+
+      AttributeType attOwnerName = 
+RequestAttributeFactory.createStringAttributeType(
+      "urn:xacml:2.0:interop:example:resource:owner-name",
+       "xacml20.interop.com", "John Smith");
+      resourceType.getAttribute().add(attOwnerName);
+      
+      AttributeType attAccountStatus = 
+RequestAttributeFactory.createStringAttributeType(
+      "urn:xacml:2.0:interop:example:resource:account-status",
+      "xacml20.interop.com", "Active");
+      resourceType.getAttribute().add(attAccountStatus); 
+      
+      AttributeType attCreditLine = 
+ReuestAttributeFactory.createIntegerAttributeType(
+       "urn:xacml:2.0:interop:example:resource:credit-line",
+       "xacml20.interop.com", 15000);
+      resourceType.getAttribute().add(attCreditLine); 
+      
+      AttributeType attCurrentCredit = 
+RequestAttributeFactory.createIntegerAttributeType(
+       "urn:xacml:2.0:interop:example:resource:current-credit",
+       "xacml20.interop.com", 10000);
+      resourceType.getAttribute().add(attCurrentCredit); 
+      
+      AttributeType attTradeLimit = 
+RequestAttributeFactory.createIntegerAttributeType(
+      "urn:xacml:2.0:interop:example:resource:trade-limit",
+       "xacml20.interop.com", 10000);
+      resourceType.getAttribute().add(attTradeLimit); 
+      return resourceType;
+   }
+   
+   private ActionType createAction()
+   {
+      ActionType actionType = new ActionType();
+      AttributeType attActionID = 
+RequestAttributeFactory.createStringAttributeType(
+      "urn:oasis:names:tc:xacml:1.0:action:action-id",
+      "xacml20.interop.com", "Buy");
+      actionType.getAttribute().add(attActionID);
+      return actionType;
+   }
+
+ ]]>
+   </programlisting>
+</chapter>
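Review bot: `createResource()` calls `ReuestAttributeFactory.createIntegerAttributeType(...)` for the credit-line attribute, a misspelling of `RequestAttributeFactory`, so the listing does not compile as printed. In `testInteropTestWithObjects()` every assertion message reads `should be deny`, yet cases 2, 3 and 7 assert `XACMLConstants.DECISION_PERMIT`. For an access-control example the message should match the expected decision, e.g. `"Case 2 should be permit"`. `createResource()` is also `public` while the sibling helpers are `private`, and `debug` is referenced without being declared anywhere in the listing.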



