What I mean by attributes for a subject is the following.
At the moment, this is a typical policy subject block from a request:
<Subject>
    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Manager</AttributeValue>
        <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
            DataType="http://www.w3.org/2001/XMLSchema#string" />
    </SubjectMatch>
    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Developer</AttributeValue>
        <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
            DataType="http://www.w3.org/2001/XMLSchema#string" />
    </SubjectMatch>
</Subject>
When a request is made against this policy, it would be in the form of a user id (Bob) and his roles (Manager); this supports role-based authorization. However, for attribute-based authorization, the policy would look more like:
<Subject>
    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:boolean-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#boolean">true</AttributeValue>
        <SubjectAttributeDesignator AttributeId="urn:my-org:manager:attribute"
            DataType="http://www.w3.org/2001/XMLSchema#boolean" />
    </SubjectMatch>
    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:boolean-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#boolean">true</AttributeValue>
        <SubjectAttributeDesignator AttributeId="urn:my-org:developer:attribute"
            DataType="http://www.w3.org/2001/XMLSchema#boolean" />
    </SubjectMatch>
</Subject>
When a request is made against the attribute-based policy the requestor would pass in a list of values as such:
urn:my-org:manager:attribute = true
urn:my-org:developer:attribute = false
In a review of the existing code (EJBXACMLUtil.java, for example), it does not allow for such attribute-based values. Instead, it loops over the provided roles and creates the attributes based on the ATTRIBUTEID_ROLE constant.
List<Role> rolesList = callerRoles.getRoles();
if (rolesList != null)
{
    for (Role role : rolesList)
    {
        String roleName = role.getRoleName();
        AttributeType attSubjectID = RequestAttributeFactory.createStringAttributeType(
                XACMLConstants.ATTRIBUTEID_ROLE, "jboss.org", roleName);
        subject.getAttribute().add(attSubjectID);
    }
}
Another issue is that the construction of the request is dependent upon the Principal for setting the subject-id value. We are working on a model where there will never be a Principal object to extract a subject-id from. In our case, we will instead pass in a set of attributes for evaluation.
Upon further review, it might just be the helper methods (EJBXACMLUtil and WebXACMLUtil) that will require much modification. The addition of a second method in the util objects for creating these attribute-based request objects might just work. I have not fully reviewed the policy application code in detail yet, but from a cursory glance it appears to be attribute-id agnostic and will just create a Set of attribute/value pairs and then, upon validation, apply the proper attribute function.
Brian
Message was edited by: Brian Krisler -- Tried to fix XML formatting.
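Added illustration (my own code, not from the post or from the JBoss XACML code base): a minimal evaluator for one <Subject> target, fed with the `AttributeId = value` request format shown in the post, using typed boolean bags instead of role strings. It also makes the XACML 2.0 target rule explicit: the <SubjectMatch> elements inside a single <Subject> are conjunctive (section 5.5), so the request `manager = true, developer = false` does not match the attribute-based Subject above; alternatives must be separate <Subject> elements under <Subjects>. A missing attribute yields an empty bag and "NoMatch" unless the designator carries MustBePresent="true", which yields "Indeterminate" (section 7.6).

```python
import xml.etree.ElementTree as ET

FN = "urn:oasis:names:tc:xacml:1.0:function:"
XS = "http://www.w3.org/2001/XMLSchema#"
MATCH_FUNCS = {FN + "boolean-equal": lambda a, b: a == b, FN + "string-equal": lambda a, b: a == b}

# The attribute-based <Subject> target from the post, reproduced here without namespaces.
POLICY_SUBJECT = """<Subject>
  <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:boolean-equal">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#boolean">true</AttributeValue>
    <SubjectAttributeDesignator AttributeId="urn:my-org:manager:attribute" DataType="http://www.w3.org/2001/XMLSchema#boolean"/>
  </SubjectMatch>
  <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:boolean-equal">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#boolean">true</AttributeValue>
    <SubjectAttributeDesignator AttributeId="urn:my-org:developer:attribute" DataType="http://www.w3.org/2001/XMLSchema#boolean"/>
  </SubjectMatch>
</Subject>"""

def parse_value(datatype, text):
    """Convert a lexical value to a typed one; unknown types and bad literals are errors."""
    if datatype == XS + "string":
        return text
    if datatype == XS + "boolean" and text in ("true", "false", "1", "0"):
        return text in ("true", "1")
    raise ValueError("bad %s literal: %r" % (datatype, text))

def parse_request_lines(text):
    """'AttributeId = value' lines, as in the post, -> {AttributeId: [lexical values]}."""
    attrs = {}
    for attr_id, _, value in (line.partition("=") for line in text.splitlines() if line.strip()):
        attrs.setdefault(attr_id.strip(), []).append(value.strip())
    return attrs

def evaluate_subject(subject_xml, request_attrs):
    """Evaluate one <Subject> target to 'Match', 'NoMatch' or 'Indeterminate' (XACML 2.0, 5.5 and 7.6)."""
    result = "Match"
    for sm in ET.fromstring(subject_xml).findall("SubjectMatch"):   # children are conjunctive
        fn = MATCH_FUNCS[sm.get("MatchId")]
        literal_el, designator = sm.find("AttributeValue"), sm.find("SubjectAttributeDesignator")
        literal = parse_value(literal_el.get("DataType"), literal_el.text)
        bag = [parse_value(designator.get("DataType"), v)
               for v in request_attrs.get(designator.get("AttributeId"), [])]
        if any(fn(literal, v) for v in bag):
            continue                                   # this SubjectMatch is 'Match'
        if not bag and designator.get("MustBePresent", "false") == "true":
            result = result if result == "NoMatch" else "Indeterminate"   # 'NoMatch' elsewhere still wins
        else:
            result = "NoMatch"                         # empty bag, or no value equal to the literal
    return result
```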