Hi everyone!
Our organization is trying to implement an authorization scheme based on JBoss' XACML
library (v2.0.4) and RBAC profile of XACML. (RBAC profile is a standard specification
available here:
http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-rbac-profil...).
I had several issues with implementing this profile, mostly related to difficulties in
finding policies and policy sets by reference.
Therefore I wrote a JUnit test case for the example given in the aforementioned document
and ran it inside the jboss-xacml project (latest revision on trunk).
The authorization scenario is the following: there are two roles ('employee' and
'manager'), a resource ('purchase order') and two actions
('create' and 'sign'). The employee can only create purchase orders, while
the manager has also the ability to sign them.
The policies needed for this scenario are described in greater detail in the RBAC profile
document, pages 7-12.
For each role there are two policy sets, the role policy set (RPS) and the permission
policy set (PPS). The RPS is the primary policy set that has to be checked first by
the PDP and must include a reference to the applicable PPS.
For example, RPS for employee looks like this (XacmlRolePolicySet-employee.xml):
<?xml version="1.0" encoding="UTF-8"?>
<PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
      http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-o...
    PolicySetId="RPS:employee:role"
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
  <Target>
    <Subjects>
      <Subject>
        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">urn:examp...
          <SubjectAttributeDesignator
              DataType="http://www.w3.org/2001/XMLSchema#anyURI"
              AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" />
        </SubjectMatch>
      </Subject>
    </Subjects>
  </Target>

  <!--Include permissions associated with employee role-->
  <PolicySetIdReference>PPS:employee:role</PolicySetIdReference>

</PolicySet>
and the corresponding PPS is (XacmlPermissionPolicySet-employee.xml):
<?xml version="1.0" encoding="UTF-8"?>
<PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
      http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-o...
    PolicySetId="PPS:employee:role"
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
  <Target />
  <Policy
      RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides"
      PolicyId="Permissions:specifically:for:the:employee:role">
    <Description>
      Permissions specifically for the employee role.
    </Description>
    <Target />
    <!-- Permission to create a purchase order -->
    <Rule Effect="Permit" RuleId="Permission:to:create:a:purchase:order">
      <Target>
        <Resources>
          <Resource>
            <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">purchase order</AttributeValue>
              <ResourceAttributeDesignator
                  AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                  DataType="http://www.w3.org/2001/XMLSchema#string" />
            </ResourceMatch>
          </Resource>
        </Resources>
        <Actions>
          <Action>
            <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create</AttributeValue>
              <ActionAttributeDesignator
                  DataType="http://www.w3.org/2001/XMLSchema#string"
                  AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" />
            </ActionMatch>
          </Action>
        </Actions>
      </Target>
    </Rule>
  </Policy>

</PolicySet>

The JBoss XACML configuration file used
(src/test/resources/test/config/rbacPolicySetConfig.xml):
<ns:jbosspdp xmlns:ns="urn:jboss:xacml:2.0">
  <ns:Policies>
    <ns:PolicySet>
      <ns:Location>test/policies/rbac/XacmlRolePolicySet-employee.xml</ns:Location>
      <ns:PolicySet>
        <ns:Location>test/policies/rbac/XacmlPermissionPolicySet-employee.xml</ns:Location>
      </ns:PolicySet>
    </ns:PolicySet>
    <ns:PolicySet>
      <ns:Location>test/policies/rbac/XacmlRolePolicySet-manager.xml</ns:Location>
      <ns:PolicySet>
        <ns:Location>test/policies/rbac/XacmlPermissionPolicySet-manager.xml</ns:Location>
      </ns:PolicySet>
    </ns:PolicySet>
  </ns:Policies>
  <ns:Locators>
    <ns:Locator Name="org.jboss.security.xacml.locators.JBossPolicySetLocator"/>
  </ns:Locators>
</ns:jbosspdp>
|
The following request file asks for authorization for an employee that wants to create a
purchase order. According to the policy the request should be granted.
<?xml version="1.0" encoding="UTF-8"?>
<xacml-context:Request xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
    xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation=" urn:oasis:names:tc:xacml:2.0:context:schema:os
      http://docs.oasis-open.org/xacml/access_control-xacml-2.0-context-schema-...
  <Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
        DataType="http://www.w3.org/2001/XMLSchema#string"
        Issuer="xacml20.rbac.example">
      <AttributeValue>500</AttributeValue>
    </Attribute>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:user-name"
        DataType="http://www.w3.org/2001/XMLSchema#string"
        Issuer="xacml20.rbac.example">
      <AttributeValue>Nick the Employee</AttributeValue>
    </Attribute>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
        DataType="http://www.w3.org/2001/XMLSchema#anyURI"
        Issuer="xacml20.rbac.example">
      <AttributeValue>urn:example:role-values:employee</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
        DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>purchase order</AttributeValue>
    </Attribute>
  </Resource>
  <Action>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
        DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>create</AttributeValue>
    </Attribute>
  </Action>
  <Environment />
</xacml-context:Request>
This one is for an employee who wants to sign a purchase order
(src/test/resources/test/policies/rbac/sign-purchase-order-by-employee-request.xml):
<?xml version="1.0" encoding="UTF-8"?>
<xacml-context:Request xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
    xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation=" urn:oasis:names:tc:xacml:2.0:context:schema:os
      http://docs.oasis-open.org/xacml/access_control-xacml-2.0-context-schema-...
  <Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
        DataType="http://www.w3.org/2001/XMLSchema#string"
        Issuer="xacml20.rbac.example">
      <AttributeValue>500</AttributeValue>
    </Attribute>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:user-name"
        DataType="http://www.w3.org/2001/XMLSchema#string"
        Issuer="xacml20.rbac.example">
      <AttributeValue>Nick the Employee</AttributeValue>
    </Attribute>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
        DataType="http://www.w3.org/2001/XMLSchema#anyURI"
        Issuer="xacml20.rbac.example">
      <AttributeValue>urn:example:role-values:employee</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
        DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>purchase order</AttributeValue>
    </Attribute>
  </Resource>
  <Action>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
        DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>sign</AttributeValue>
    </Attribute>
  </Action>
  <Environment />
</xacml-context:Request>
This request should be denied but surprisingly, I got a DECISION_NOT_APPLICABLE. Here is
the method:
public void testRBACSignPurchaseOrderByEmployee() throws Exception
{
   // Locate the PDP configuration on the test classpath and check it before using it
   String fileName = "test/config/rbacPolicySetConfig.xml";
   ClassLoader tcl = Thread.currentThread().getContextClassLoader();
   URL configFile = tcl.getResource(fileName);
   assertNotNull("configFile != null", configFile);

   // Unmarshal the JBoss XACML configuration with JAXB
   JAXBContext jc = JAXBContext.newInstance("org.jboss.security.xacml.jaxb");
   assertNotNull("JAXBContext is !null", jc);
   Unmarshaller u = jc.createUnmarshaller();
   JAXBElement<?> j = (JAXBElement<?>) u.unmarshal(configFile);
   assertNotNull("JAXBElement is !null", j);

   // Build the PDP from the configuration and evaluate the request file
   PolicyDecisionPoint pdp = new JBossPDP(j);
   TestCase.assertEquals("Sign purchase order by employee should be denied",
         XACMLConstants.DECISION_DENY,
         XACMLTestUtil.getDecision(pdp, "test/policies/rbac/sign-purchase-order-by-employee-request.xml"));
}

|
The JUnit test case is a slight adaptation of JBossXACMLConfigUnitTestCase.
I ran the test from inside Eclipse SDK and as part of Maven build process, and the results
were the same.
So my questions are:
How can this result be explained? Have I done anything wrong on the configuration level?
Can I configure/implement a policy (module) finder that would discover the policies
referenced by PolicySetIdReference or PolicyIdReference elements?
View the original post :
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4262470#...
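As an added illustration (not the poster's code and not the JBoss XACML library), the following Python evaluator implements just the XACML 2.0 subset the quoted files use: Target matching on the role, resource-id and action-id attributes, permit-overrides combining, and resolution of PolicySetIdReference through an in-memory store keyed by PolicySetId. The four policy sets are rebuilt from the structure shown above; the manager's PPS carrying a sign permission and referencing PPS:employee:role is an assumption modelled on the RBAC profile's role-hierarchy pattern, and the request context is flattened to a dictionary. Two points are worth seeing in the output: with only Permit rules under permit-overrides, a request that matches no permission evaluates to NotApplicable rather than Deny, so the PEP must be deny-biased and treat anything other than Permit as a refusal; and a reference the PDP cannot resolve surfaces (in this model) as Indeterminate, which a test asserting Permit on the create request would catch, whereas a test expecting Deny on the sign request cannot tell a broken reference apart from correct behaviour.

```python
"""Toy evaluator for the XACML 2.0 subset used in the RBAC profile example.
Constructed illustration, not JBoss XACML code: RPS -> PPS resolution by
PolicySetIdReference, permit-overrides combining, and a deny-biased PEP."""
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
STRING, ANYURI = "http://www.w3.org/2001/XMLSchema#string", "http://www.w3.org/2001/XMLSchema#anyURI"
ROLE_ATTR = "urn:oasis:names:tc:xacml:2.0:subject:role"
RES_ATTR = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACT_ATTR = "urn:oasis:names:tc:xacml:1.0:action:action-id"
PERMIT_OVERRIDES = "urn:oasis:names:tc:xacml:1.0:%s-combining-algorithm:permit-overrides"

def rps(role):
    """Role policy set: matches the role attribute and points at the role's PPS."""
    return f"""<PolicySet xmlns="{XACML}" PolicySetId="RPS:{role}:role"
      PolicyCombiningAlgId="{PERMIT_OVERRIDES % 'policy'}">
  <Target><Subjects><Subject>
    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
      <AttributeValue DataType="{ANYURI}">urn:example:role-values:{role}</AttributeValue>
      <SubjectAttributeDesignator DataType="{ANYURI}" AttributeId="{ROLE_ATTR}"/>
    </SubjectMatch></Subject></Subjects></Target>
  <PolicySetIdReference>PPS:{role}:role</PolicySetIdReference>
</PolicySet>"""

def permission(rule_id, resource, action):
    """Permit rule targeting one resource-id / action-id pair (string-equal)."""
    return f"""<Rule Effect="Permit" RuleId="{rule_id}"><Target>
  <Resources><Resource><ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
    <AttributeValue DataType="{STRING}">{resource}</AttributeValue>
    <ResourceAttributeDesignator AttributeId="{RES_ATTR}" DataType="{STRING}"/>
  </ResourceMatch></Resource></Resources>
  <Actions><Action><ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
    <AttributeValue DataType="{STRING}">{action}</AttributeValue>
    <ActionAttributeDesignator AttributeId="{ACT_ATTR}" DataType="{STRING}"/>
  </ActionMatch></Action></Actions></Target></Rule>"""

def pps(role, rules, inherit=None):
    """Permission policy set; `inherit` references another PPS (role hierarchy, assumed)."""
    body = "".join(rules)
    ref = f"<PolicySetIdReference>{inherit}</PolicySetIdReference>" if inherit else ""
    return f"""<PolicySet xmlns="{XACML}" PolicySetId="PPS:{role}:role"
      PolicyCombiningAlgId="{PERMIT_OVERRIDES % 'policy'}"><Target/>
  <Policy PolicyId="Permissions:specifically:for:the:{role}:role"
      RuleCombiningAlgId="{PERMIT_OVERRIDES % 'rule'}"><Target/>{body}</Policy>{ref}</PolicySet>"""

def _q(tag):
    return f"{{{XACML}}}{tag}"

def target_matches(target, request):
    """Empty Target matches everything; otherwise every Subjects/Resources/Actions
    group needs one entry whose *Match elements all hold (plain equality here)."""
    if target is None or len(target) == 0:
        return True
    for group in target:
        if not any(all(_match(m, request) for m in entry) for entry in group):
            return False
    return True

def _match(m, request):
    designator = next(c for c in m if c.tag.endswith("AttributeDesignator"))
    return request.get(designator.get("AttributeId")) == m.find(_q("AttributeValue")).text

def permit_overrides(results):
    """XACML 2.0 permit-overrides (policy-combining order): Permit wins, then
    Indeterminate, then Deny; all-NotApplicable stays NotApplicable."""
    for outcome in ("Permit", "Indeterminate", "Deny"):
        if outcome in results:
            return outcome
    return "NotApplicable"

def evaluate(node, request, repo):
    """Evaluate a Rule, Policy or PolicySet element, resolving PolicySetIdReference via repo."""
    if not target_matches(node.find(_q("Target")), request):
        return "NotApplicable"
    if node.tag == _q("Rule"):
        return node.get("Effect")
    results = []
    for child in node:
        if child.tag in (_q("Rule"), _q("Policy"), _q("PolicySet")):
            results.append(evaluate(child, request, repo))
        elif child.tag == _q("PolicySetIdReference"):
            ref = repo.get(child.text)
            # A reference the PDP cannot locate cannot be evaluated: Indeterminate
            results.append("Indeterminate" if ref is None else evaluate(ref, request, repo))
    return permit_overrides(results)

def build_repository():
    """Policy store keyed by PolicySetId, mirroring the four files the config lists.
    The manager PPS inheriting PPS:employee:role is a constructed assumption."""
    docs = [rps("employee"),
            pps("employee", [permission("Permission:to:create:a:purchase:order", "purchase order", "create")]),
            rps("manager"),
            pps("manager", [permission("Permission:to:sign:a:purchase:order", "purchase order", "sign")],
                inherit="PPS:employee:role")]
    return {ps.get("PolicySetId"): ps for ps in map(ET.fromstring, docs)}

def make_request(role, resource, action):
    """Flattened request context (attribute id -> value), constructed for the example."""
    return {ROLE_ATTR: f"urn:example:role-values:{role}", RES_ATTR: resource, ACT_ATTR: action}

def decide(request, repo):
    """PDP entry point: evaluate each RPS (the top-level sets in the config) and combine."""
    return permit_overrides([evaluate(ps, request, repo) for pid, ps in repo.items() if pid.startswith("RPS:")])

def pep_allows(decision):
    """Deny-biased PEP: only an explicit Permit grants access."""
    return decision == "Permit"

if __name__ == "__main__":
    repo = build_repository()
    for role, action in [("employee", "create"), ("employee", "sign"), ("manager", "sign")]:
        d = decide(make_request(role, "purchase order", action), repo)
        print(f"{role:9} {action:7} -> {d:14} allowed by PEP: {pep_allows(d)}")
```

Running the script prints Permit for the employee creating a purchase order, NotApplicable for the employee signing one, and Permit for the manager signing; deleting PPS:employee:role from the repository before deciding the employee's create request turns that result into Indeterminate, which is the symptom an unresolved reference would produce in this model.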