[PicketBox Development] - Re: Make JBossPDP an interface to allow easier insertion of custom PDP.
by Brian Krisler
Brian Krisler [http://community.jboss.org/people/bkrisler] created the discussion
"Re: Make JBossPDP an interface to allow easier insertion of custom PDP."
To view the discussion, visit: http://community.jboss.org/message/560787#560787
--------------------------------------------------------------
What I mean by attributes for a subject is the following.
At the moment, this is a typical policy subject block from a request:
    <Subject>
      <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Manager</AttributeValue>
        <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
                                    DataType="http://www.w3.org/2001/XMLSchema#string" />
      </SubjectMatch>
      <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Developer</AttributeValue>
        <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
                                    DataType="http://www.w3.org/2001/XMLSchema#string" />
      </SubjectMatch>
    </Subject>
When a request is made against this policy, it would be in the form of a user id (Bob) and his roles (Manager); this supports role-based authorization. However, for attribute-based authorization, the policy would look more like:
    <Subject>
      <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:boolean-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#boolean">true</AttributeValue>
        <SubjectAttributeDesignator AttributeId="urn:my-org:manager:attribute"
                                    DataType="http://www.w3.org/2001/XMLSchema#boolean" />
      </SubjectMatch>
      <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:boolean-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#boolean">true</AttributeValue>
        <SubjectAttributeDesignator AttributeId="urn:my-org:developer:attribute"
                                    DataType="http://www.w3.org/2001/XMLSchema#boolean" />
      </SubjectMatch>
    </Subject>
When a request is made against the attribute-based policy the requestor would pass in a list of values as such:
urn:my-org:manager:attribute = true
urn:my-org:developer:attribute = false
In a review of the existing code (EJBXACMLUtil.java for example), it does not allow for such attribute-based values. Instead, it loops over the provided roles and creates the attributes based on the ATTRIBUTEID_ROLE constant.
    List<Role> rolesList = callerRoles.getRoles();
    if (rolesList != null)
    {
       for (Role role : rolesList)
       {
          // Every role becomes a string attribute under the single ATTRIBUTEID_ROLE id.
          String roleName = role.getRoleName();
          AttributeType attSubjectID = RequestAttributeFactory.createStringAttributeType(
                XACMLConstants.ATTRIBUTEID_ROLE, "jboss.org", roleName);
          subject.getAttribute().add(attSubjectID);
       }
    }
Another issue is that the construction of the request is dependent upon the Principal for setting the subject-id value. We are working on a model where there will never be a Principal object to extract a subject-id. In our case, we will instead pass in a set of attributes for evaluation.
Upon further review, it might just be the helper methods (EJBXACMLUtil and WebXACMLUtil) that will require much modification. The addition of a second method in the util objects for creating these attribute-based request objects might just work. I have not fully reviewed the policy application code in detail yet, but from a cursory glance it appears to be attribute-id agnostic and will just create a Set of attribute/value pairs and then upon validation, apply the proper attribute function.
Brian
Message was edited by: Brian Krisler -- Tried to fix XML formatting.
--------------------------------------------------------------
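Added example (not part of the post above and not PicketBox code): a Python sketch that builds a request Subject from an attribute map, with no Principal or subject-id, and checks it against the attribute-based Subject target quoted in the post. The function names are hypothetical; the matcher handles only the `-equal` functions by lexical comparison and treats the SubjectMatch elements of one Subject as ANDed, as XACML 2.0 defines.

```python
import xml.etree.ElementTree as ET

XS = "http://www.w3.org/2001/XMLSchema#"
FN = "urn:oasis:names:tc:xacml:1.0:function:"

def _match(attr_id):
    # One <SubjectMatch> requiring the boolean attribute attr_id to equal true.
    return (f'<SubjectMatch MatchId="{FN}boolean-equal">'
            f'<AttributeValue DataType="{XS}boolean">true</AttributeValue>'
            f'<SubjectAttributeDesignator AttributeId="{attr_id}" DataType="{XS}boolean"/>'
            '</SubjectMatch>')

# The attribute-based <Subject> target quoted in the post, rebuilt compactly.
POLICY_SUBJECT = ("<Subject>" + _match("urn:my-org:manager:attribute")
                  + _match("urn:my-org:developer:attribute") + "</Subject>")

def build_subject(attrs):
    """Build a request <Subject> from {AttributeId: value}; no Principal, no subject-id."""
    subject = ET.Element("Subject")
    for attr_id, value in attrs.items():
        is_bool = isinstance(value, bool)
        attr = ET.SubElement(subject, "Attribute", AttributeId=attr_id,
                             DataType=XS + ("boolean" if is_bool else "string"))
        ET.SubElement(attr, "AttributeValue").text = str(value).lower() if is_bool else str(value)
    return subject

def subject_matches(policy_subject_xml, request_subject):
    """True only if every <SubjectMatch> in the policy <Subject> is satisfied."""
    for match in ET.fromstring(policy_subject_xml).iter("SubjectMatch"):
        if not match.get("MatchId").endswith("-equal"):
            raise ValueError("only *-equal match functions are handled here")
        wanted = match.findtext("AttributeValue").strip()
        des = match.find("SubjectAttributeDesignator")
        # Bag of request values with the same AttributeId and DataType as the designator.
        bag = [a.findtext("AttributeValue") for a in request_subject.iter("Attribute")
               if a.get("AttributeId") == des.get("AttributeId")
               and a.get("DataType") == des.get("DataType")]
        if wanted not in bag:
            return False
    return True

if __name__ == "__main__":
    # Constructed request values, taken from the post's example list.
    req = build_subject({"urn:my-org:manager:attribute": True,
                         "urn:my-org:developer:attribute": False})
    print(ET.tostring(req, encoding="unicode"))
    print("target matches:", subject_matches(POLICY_SUBJECT, req))
```

With the values listed in the post (manager true, developer false) the target does not match, because both SubjectMatch elements must hold; a role-style request carrying only the role attribute does not match either.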
[JBoss Web Development] - List of all deployed web contexts
by Andre Ehrlich
Andre Ehrlich [http://community.jboss.org/people/j-n00b] created the discussion
"List of all deployed web contexts"
To view the discussion, visit: http://community.jboss.org/message/563744#563744
--------------------------------------------------------------
Hi everyone!
Is there any possibility to get a complete list of all web contexts deployed in JBoss?
In the log file, you always find entries like
org.jboss.web.tomcat.service.deployers.TomcatDeployment org.jboss.web.tomcat.service.deployers.TomcatDeployment (HDScanner) deploy, ctxPath=/app1
org.jboss.web.tomcat.service.deployers.TomcatDeployment org.jboss.web.tomcat.service.deployers.TomcatDeployment (HDScanner) deploy, ctxPath=/app2
org.jboss.web.tomcat.service.deployers.TomcatDeployment org.jboss.web.tomcat.service.deployers.TomcatDeployment (HDScanner) deploy, ctxPath=/otherApp
but I didn't find a convenient way to check if a particular web application is available. I don't want to add a servlet to each application which can be used for that purpose.
Thanks,
André
--------------------------------------------------------------
[JBoss AS7 Development] - Lazy modules resolving / linking
by Ales Justin
Ales Justin [http://community.jboss.org/people/alesj] created the discussion
"Lazy modules resolving / linking"
To view the discussion, visit: http://community.jboss.org/message/563667#563667
--------------------------------------------------------------
A simple brain dump about lazy module resolution -- as I'm yet to fully understand the code.
Let's say you could immediately map a resource to its owning module.
e.g. based on the package -> *org.jboss.foo* is the module name, my class is *org.jboss.foo*.bar.Baz
Or any similar mechanism would do.
We could then lazy load the first level / near module dependencies,
only fully initialize it on demand -- when first resource lookup is hit,
and again have its first level / near dependencies lazy.
This could be made optional; by default, as we currently do, resolve the whole graph at start.
Perhaps pushing it a bit :-), we could even specify the depth / level of resolving.
A few observations:
* OSGi has this similar notion of lazy resolve - how do we do it now?
* if I'm not mistaken, and I think Flavia was thinking about the same issue, we can reduce visiting
--> simply (recursively) reuse paths from own children, no need to visit them
Wdyt? Or, how much work would this be?
I can try to hack something, but any input is appreciated.
--------------------------------------------------------------