[jboss-user] [Security] - Re: RBAC Profile of XACML

valeriu.nedelcu do-not-reply at jboss.com
Mon Nov 9 03:12:52 EST 2009


"anil.saldhana at jboss.com" wrote : A decision of NA is as good as Deny. You don't permit the access.
  | 
  | The NA may be happening because an expected attribute is not passed as part of the request.

Actually all the expected attributes were present in the request (You can verify that by looking closely at my previous post). The policies were exactly the same as those described in the RBAC profile document.

I managed to fix the JUnit test by adding another rule inside the PPS for the employees:
<?xml version="1.0" encoding="UTF-8"?>
<PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
	    http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd"
	PolicySetId="PPS:employee:role"
	PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
	<Target />
	<Policy
		RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides"
		PolicyId="Permissions:specifically:for:the:employee:role">
		<Description>
		    Permissions specifically for the employee role.
		</Description>
		<Target />
		<!-- Permission to create a purchase order -->
		<Rule Effect="Permit" RuleId="Permission:to:create:a:purchase:order">
			<Target>
				<Resources>
					<Resource>
						<ResourceMatch
							MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
							<!-- string-equal is exact: keep the literal on one line so no
							     surrounding whitespace becomes part of the compared value -->
							<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">purchase order</AttributeValue>
							<ResourceAttributeDesignator
								AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
								DataType="http://www.w3.org/2001/XMLSchema#string" />
						</ResourceMatch>
					</Resource>
				</Resources>
				<Actions>
					<Action>
						<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
							<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create</AttributeValue>
							<ActionAttributeDesignator
								DataType="http://www.w3.org/2001/XMLSchema#string"
								AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" />
						</ActionMatch>
					</Action>
				</Actions>
			</Target>
		</Rule>
		<!-- Added rule: no Target, so it applies to every request; under
		     permit-overrides it only takes effect when no Permit rule matched,
		     turning a NotApplicable result into an explicit Deny -->
		<Rule Effect="Deny" RuleId="DefaultDeny" />
	</Policy>
</PolicySet>

That fixed the issues when run against jboss-xacml 2.0.4.
On the trunk (rev 96011) I still have two tests failing: the creation of a purchase order by a manager or an employee is denied (when it should be allowed).

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4264511#4264511

Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=4264511
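The following is an added illustration, not part of the post above and not jboss-xacml code: a constructed mini-PDP in Python that evaluates a reduced copy of the posted PPS. It models only the subset the thread touches (Rule/Policy/PolicySet targets matched with string-equal on resource-id and action-id, the permit-overrides and deny-overrides combining algorithms) and shows why a PPS with nothing but Permit rules answers NotApplicable for a non-matching request, and how the added DefaultDeny rule turns that into an explicit Deny without disturbing a matching Permit. It also shows, following the spec's exact string-equal semantics, what happens when whitespace ends up inside an AttributeValue. Conditions, Obligations and Indeterminate are deliberately left out; the template string, placeholders and request dictionary shape are assumptions of this example.

```python
"""Constructed mini-PDP for the XACML 2.0 subset used in the posted PPS.
Not jboss-xacml code; Conditions, Obligations and Indeterminate are not modelled."""
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:2.0:policy:schema:os"}
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"

# Constructed PPS, reduced from the one in the post. @RESOURCE@ is the literal the
# Permit rule compares against; @EXTRA_RULES@ is where the DefaultDeny rule goes.
PPS_TEMPLATE = """<PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
  PolicySetId="PPS:employee:role"
  PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
  <Target />
  <Policy PolicyId="Permissions:specifically:for:the:employee:role"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
    <Target />
    <Rule Effect="Permit" RuleId="Permission:to:create:a:purchase:order">
      <Target>
        <Resources><Resource>
          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">@RESOURCE@</AttributeValue>
            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
              DataType="http://www.w3.org/2001/XMLSchema#string" />
          </ResourceMatch>
        </Resource></Resources>
        <Actions><Action>
          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create</AttributeValue>
            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
              DataType="http://www.w3.org/2001/XMLSchema#string" />
          </ActionMatch>
        </Action></Actions>
      </Target>
    </Rule>
    @EXTRA_RULES@
  </Policy>
</PolicySet>"""
DEFAULT_DENY = '<Rule Effect="Deny" RuleId="DefaultDeny" />'


def _match(match, request):
    """One ResourceMatch/ActionMatch. string-equal is exact per the spec, so any
    whitespace inside AttributeValue is part of the compared literal."""
    if match.get("MatchId") != STRING_EQUAL:
        raise ValueError("only string-equal is modelled")
    literal = match.find("x:AttributeValue", NS).text or ""
    designator = next(c for c in match if c.tag.endswith("AttributeDesignator"))
    # A missing attribute (MustBePresent defaults to false) is an empty bag: no match.
    return request.get(designator.get("AttributeId")) == literal


def target_matches(target, request):
    """An absent or empty Target matches everything. Otherwise each section present
    (Subjects/Resources/Actions) needs one disjunct whose Matches all hold."""
    if target is None or len(target) == 0:
        return True
    for section in ("Subjects", "Resources", "Actions"):
        sec = target.find(f"x:{section}", NS)
        if sec is not None and not any(all(_match(m, request) for m in d) for d in sec):
            return False
    return True


def combine(alg_id, decisions):
    """permit-overrides / deny-overrides, chosen by the algorithm URI's last segment."""
    winner = "Permit" if alg_id.endswith("permit-overrides") else "Deny"
    loser = "Deny" if winner == "Permit" else "Permit"
    if winner in decisions:
        return winner
    if loser in decisions:
        return loser
    return "NotApplicable"  # nothing applied: the PEP must treat this as no access


def eval_rule(rule, request):
    if not target_matches(rule.find("x:Target", NS), request):
        return "NotApplicable"
    return rule.get("Effect")


def eval_policy(policy, request):
    if not target_matches(policy.find("x:Target", NS), request):
        return "NotApplicable"
    return combine(policy.get("RuleCombiningAlgId"),
                   [eval_rule(r, request) for r in policy.findall("x:Rule", NS)])


def eval_policy_set(pset, request):
    if not target_matches(pset.find("x:Target", NS), request):
        return "NotApplicable"
    decisions = [eval_policy(p, request) for p in pset.findall("x:Policy", NS)]
    decisions += [eval_policy_set(s, request) for s in pset.findall("x:PolicySet", NS)]
    return combine(pset.get("PolicyCombiningAlgId"), decisions)


def decide(request, with_default_deny=True, resource_value="purchase order"):
    """Evaluate the constructed PPS; request maps attribute URIs to string values."""
    xml = (PPS_TEMPLATE.replace("@RESOURCE@", resource_value)
           .replace("@EXTRA_RULES@", DEFAULT_DENY if with_default_deny else ""))
    return eval_policy_set(ET.fromstring(xml), request)


if __name__ == "__main__":
    create_po = {RESOURCE_ID: "purchase order", ACTION_ID: "create"}
    delete_po = {RESOURCE_ID: "purchase order", ACTION_ID: "delete"}
    print(decide(create_po, with_default_deny=False), decide(delete_po, with_default_deny=False))
    print(decide(create_po), decide(delete_po))
    print(decide(create_po, resource_value="purchase order\n    "))  # whitespace in the literal
```

Two things the run makes visible. First, without the DefaultDeny rule the only outcomes the PPS can produce are Permit and NotApplicable; the PEP has to treat NotApplicable as no access, which is exactly the "NA is as good as Deny" point, and the added Deny rule merely makes that decision explicit (under permit-overrides any matching Permit still wins). Second, because string-equal compares the whole literal, an AttributeValue whose text spans lines carries its newline and indentation into the comparison, and a request that looks correct is then refused; whether a given engine normalises that whitespace while parsing is engine-specific, so keeping literals on one line removes the question.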
