[jboss-user] [Security] - RBAC Profile of XACML

valeriu.nedelcu do-not-reply at jboss.com
Tue Oct 27 12:42:09 EDT 2009


Hi everyone!

Our organization is trying to implement an authorization scheme based on JBoss' XACML library (v2.0.4) and RBAC profile of XACML. (RBAC profile is a standard specification available here: http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-rbac-profile1-spec-os.pdf).

I had several issues with implementing this profile, mostly related to difficulties in finding policies and policy sets by reference.

Therefore I wrote a JUnit test case for the example given in the aforementioned document and ran it inside the jboss-xacml project (latest revision on trunk). 

The authorization scenario is the following: there are two roles ('employee' and 'manager'), a resource ('purchase order') and two actions ('create' and 'sign'). The employee can only create purchase orders, while the manager also has the ability to sign them.
The policies needed for this scenario are described in greater detail in the RBAC profile document, pages 7-12.
For each role there are two policy sets, the role policy set (RPS) and the permission policy set (PPS). The RPS is the primary policy set that has to be checked first by the PDP and must include a reference to the applicable PPS.
For example, RPS for employee looks like this (XacmlRolePolicySet-employee.xml):

  | <?xml version="1.0" encoding="UTF-8"?>
  | <PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
  | 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  | 	xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os 
  |       http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd"
  | 	PolicySetId="RPS:employee:role"
  | 	PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
  | 	<Target>
  | 	    <Subjects>
  | 	        <Subject>
  | 		    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
  | 		        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">urn:example:role-values:employee</AttributeValue>
  |                     <SubjectAttributeDesignator
  |                           DataType="http://www.w3.org/2001/XMLSchema#anyURI" AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" />
  |                    </SubjectMatch>
  |                </Subject>
  |             </Subjects>
  | 	</Target>
  | 
  | 	<!--Include permissions associated with employee role-->
  | 	<PolicySetIdReference>PPS:employee:role</PolicySetIdReference>
  | 
  | </PolicySet>
and the corresponding PPS is (XacmlPermissionPolicySet-employee.xml):

  | <?xml version="1.0" encoding="UTF-8"?>
  | <PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
  | 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  | 	xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os 
  |       http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd"
  | 	PolicySetId="PPS:employee:role"
  | 	PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
  | 	<Target />
  | 	<Policy
  | 		RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides"
  | 		PolicyId="Permissions:specifically:for:the:employee:role">
  | 		<Description>
  | 		    Permissions specifically for the employee role.
  | 		</Description>
  | 		<Target />
  | 		<!-- Permission to create a purchase order -->
  | 		<Rule Effect="Permit" RuleId="Permission:to:create:a:purchase:order">
  | 			<Target>
  | 				<Resources>
  | 					<Resource>
  | 						<ResourceMatch
  | 							MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
  | 							<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">purchase order</AttributeValue>
  | 							<ResourceAttributeDesignator
  | 								AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
  | 								DataType="http://www.w3.org/2001/XMLSchema#string" />
  | 						</ResourceMatch>
  | 					</Resource>
  | 				</Resources>
  | 				<Actions>
  | 					<Action>
  | 						<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
  | 							<AttributeValue
  | 								DataType="http://www.w3.org/2001/XMLSchema#string">create</AttributeValue>
  | 							<ActionAttributeDesignator
  | 								DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" />
  | 						</ActionMatch>
  | 					</Action>
  | 				</Actions>
  | 			</Target>
  | 		</Rule>
  | 	</Policy>
  | 	
  | </PolicySet>
  | 

The JBoss XACML Configuration File used (src/test/resources/test/config/rbacPolicySetConfig.xml):


  | <ns:jbosspdp xmlns:ns="urn:jboss:xacml:2.0">
  |   <ns:Policies>
  |     <ns:PolicySet>
  |       <ns:Location>test/policies/rbac/XacmlRolePolicySet-employee.xml</ns:Location>
  |       <ns:PolicySet>
  |          <ns:Location>test/policies/rbac/XacmlPermissionPolicySet-employee.xml</ns:Location>
  |       </ns:PolicySet>
  |     </ns:PolicySet>
  |     <ns:PolicySet>
  |       <ns:Location>test/policies/rbac/XacmlRolePolicySet-manager.xml</ns:Location>
  |       <ns:PolicySet>
  |          <ns:Location>test/policies/rbac/XacmlPermissionPolicySet-manager.xml</ns:Location>
  |       </ns:PolicySet>
  | 
  |     </ns:PolicySet>
  |   </ns:Policies>
  |   <ns:Locators>
  |     <ns:Locator Name="org.jboss.security.xacml.locators.JBossPolicySetLocator"/> 
  |   </ns:Locators>
  | </ns:jbosspdp>
  | 

The following request file asks for authorization for an employee that wants to create a purchase order. According to the policy the request should be granted.


  | <?xml version="1.0" encoding="UTF-8"?>
  | <xacml-context:Request xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
  | 	xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  | 	xsi:schemaLocation=" urn:oasis:names:tc:xacml:2.0:context:schema:os 
  |       http://docs.oasis-open.org/xacml/access_control-xacml-2.0-context-schema-os.xsd">
  | 	<Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
  | 		<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
  | 			DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="xacml20.rbac.example">
  | 			<AttributeValue>500</AttributeValue>
  | 		</Attribute>
  | 		<Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:user-name"
  | 			DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="xacml20.rbac.example">
  | 			<AttributeValue>Nick the Employee</AttributeValue>
  | 		</Attribute>
  | 		<Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
  | 			DataType="http://www.w3.org/2001/XMLSchema#anyURI" Issuer="xacml20.rbac.example">
  | 			<AttributeValue>urn:example:role-values:employee</AttributeValue>
  | 		</Attribute>
  | 	</Subject>
  | 	<Resource>
  | 		<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
  | 			DataType="http://www.w3.org/2001/XMLSchema#string">
  | 			<AttributeValue>purchase order</AttributeValue>
  | 		</Attribute>
  | 	</Resource>
  | 	<Action>
  | 		<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
  | 			DataType="http://www.w3.org/2001/XMLSchema#string">
  | 			<AttributeValue>create</AttributeValue>
  | 		</Attribute>
  | 	</Action>
  | 	<Environment />
  | </xacml-context:Request>

This one is for an employee who wants to sign a purchase order (src/test/resources/test/policies/rbac/sign-purchase-order-by-employee-request.xml):

  | <?xml version="1.0" encoding="UTF-8"?>
  | <xacml-context:Request xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
  | 	xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  | 	xsi:schemaLocation=" urn:oasis:names:tc:xacml:2.0:context:schema:os 
  |       http://docs.oasis-open.org/xacml/access_control-xacml-2.0-context-schema-os.xsd">
  | 	<Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
  | 		<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
  | 			DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="xacml20.rbac.example">
  | 			<AttributeValue>500</AttributeValue>
  | 		</Attribute>
  | 		<Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:user-name"
  | 			DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="xacml20.rbac.example">
  | 			<AttributeValue>Nick the Employee</AttributeValue>
  | 		</Attribute>
  | 		<Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
  | 			DataType="http://www.w3.org/2001/XMLSchema#anyURI" Issuer="xacml20.rbac.example">
  | 			<AttributeValue>urn:example:role-values:employee</AttributeValue>
  | 		</Attribute>
  | 	</Subject>
  | 	<Resource>
  | 		<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
  | 			DataType="http://www.w3.org/2001/XMLSchema#string">
  | 			<AttributeValue>purchase order</AttributeValue>
  | 		</Attribute>
  | 	</Resource>
  | 	<Action>
  | 		<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
  | 			DataType="http://www.w3.org/2001/XMLSchema#string">
  | 			<AttributeValue>sign</AttributeValue>
  | 		</Attribute>
  | 	</Action>
  | 	<Environment />
  | </xacml-context:Request>

This request should be denied, but surprisingly I got a DECISION_NOT_APPLICABLE. Here is the method:
  | 	   public void testRBACSignPurchaseOrderByEmployee() throws Exception
  | 	   {
  | 	      String fileName = "test/config/rbacPolicySetConfig.xml";
  | 	      ClassLoader tcl = Thread.currentThread().getContextClassLoader();
  | 	      URL configFile = tcl.getResource(fileName);
  | 	      JAXBContext jc = JAXBContext.newInstance("org.jboss.security.xacml.jaxb");
  | 	      assertNotNull("JAXBContext is !null", jc);
  | 	      Unmarshaller u = jc.createUnmarshaller();
  | 	      JAXBElement<?> j = (JAXBElement<?>) u.unmarshal(configFile);
  | 	      assertNotNull("JAXBElement is !null", j);
  | 	      
  | 	      assertNotNull("configFile != null", configFile);
  | 	      PolicyDecisionPoint pdp = new JBossPDP(j);
  | 	      TestCase.assertEquals("Sign purchase order by employee should be denied", 
  | 	            XACMLConstants.DECISION_DENY, XACMLTestUtil.getDecision(pdp,
  | 	            "test/policies/rbac/sign-purchase-order-by-employee-request.xml")); 
  | 	   }
  | 

The JUnit test case is a slight adaptation of JBossXACMLConfigUnitTestCase.
I ran the test from inside Eclipse SDK and as part of Maven build process, and the results were the same.

So my questions are:
How can this result be explained? Have I done anything wrong on the configuration level?
Can I configure/implement a policy (module) finder that would discover the policies referenced by PolicySetIdReference or PolicyIdReference elements?
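Added example (Python; not code from the post or from the jboss-xacml library): a minimal model of XACML 2.0 permit-overrides evaluation over the RPS -> PPS -> Policy -> Rule chain described above, using the policy-set ids and attribute values from the post. The manager PPS is constructed following the RBAC profile's role hierarchy (it references the employee PPS), and the top-level combining of the two RPSs and the deny-biased PEP are assumptions of this model.

```python
PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

def permit_overrides(decisions):
    """XACML 2.0 permit-overrides: any Permit wins, else any Deny, else NotApplicable.
    Indeterminate is left out because this model has no evaluation errors."""
    if PERMIT in decisions:
        return PERMIT
    if DENY in decisions:
        return DENY
    return NOT_APPLICABLE

def rule(effect, resource, action):
    """A Rule whose Target matches resource-id and action-id, like the employee PPS rule."""
    def evaluate(req, registry):
        if req["resource-id"] != resource or req["action-id"] != action:
            return NOT_APPLICABLE  # Target does not match: the Rule is NotApplicable
        return effect
    return evaluate

def policy_set(children, role=None):
    """A PolicySet or Policy: optional role Target, permit-overrides over its children.
    A child is either a callable or the id of another set (a PolicySetIdReference)."""
    def evaluate(req, registry):
        if role is not None and req["role"] != role:
            return NOT_APPLICABLE
        results = [(registry[c] if isinstance(c, str) else c)(req, registry) for c in children]
        return permit_overrides(results)
    return evaluate

EMPLOYEE = "urn:example:role-values:employee"
MANAGER = "urn:example:role-values:manager"
REGISTRY = {
    "PPS:employee:role": policy_set([policy_set([rule(PERMIT, "purchase order", "create")])]),
    # Constructed manager PPS: adds 'sign' and references the employee PPS (role hierarchy).
    "PPS:manager:role": policy_set([policy_set([rule(PERMIT, "purchase order", "sign")]),
                                    "PPS:employee:role"]),
    "RPS:employee:role": policy_set(["PPS:employee:role"], role=EMPLOYEE),
    "RPS:manager:role": policy_set(["PPS:manager:role"], role=MANAGER),
}

def pdp_decide(req):
    """PDP: combine the two top-level RPSs (assumed permit-overrides, as inside the RPS files)."""
    return permit_overrides([REGISTRY[p](req, REGISTRY)
                             for p in ("RPS:employee:role", "RPS:manager:role")])

def pep_allows(req):
    """Deny-biased PEP: anything other than an explicit Permit is treated as a refusal."""
    return pdp_decide(req) == PERMIT

def request(role, action, resource="purchase order"):
    """Constructed request context with the three attributes the Targets above look at."""
    return {"role": role, "resource-id": resource, "action-id": action}
```

Under the XACML 2.0 combining algorithms a request that matches no Rule's Target yields NotApplicable rather than Deny unless some Deny rule applies; it is the PEP's deny bias that turns that result into a refusal.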

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4262470#4262470
