[jboss-cvs] JBossAS SVN: r111084 - in projects/security/security-xacml/trunk/jboss-xacml/src: main/java/org/jboss/security/xacml/locators and 9 other directories.
Thu Mar 31 13:53:26 EDT 2011
Author: anil.saldhana at jboss.com
Date: 2011-03-31 13:53:25 -0400 (Thu, 31 Mar 2011)
New Revision: 111084
Added:
projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/bridge/PPSPolicySetFinderModule.java
projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/bridge/RPSPolicySetFinderModule.java
projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/JBossRBACPolicySetLocator.java
projects/security/security-xacml/trunk/jboss-xacml/src/test/java/org/jboss/test/security/test/xacml/rbac/
projects/security/security-xacml/trunk/jboss-xacml/src/test/java/org/jboss/test/security/test/xacml/rbac/RbacUnitTestCase.java
projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/locators/rbac/
projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/locators/rbac/rbac-config.xml
projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/test/policies/rbac/
projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/test/policies/rbac/employee-PPS-policyset.xml
projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/test/policies/rbac/employee-RPS-policyset.xml
projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/test/policies/rbac/manager-PPS-policyset.xml
projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/test/policies/rbac/manager-RPS-policyset.xml
projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/test/requests/rbac/
projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/test/requests/rbac/rbac-request-nopriv.xml
projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/test/requests/rbac/rbac-request.xml
Modified:
projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/JBossPolicySetLocator.java
projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/logging.properties
Log:
SECURITY-575: xacml core rbac profile
Added: projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/bridge/PPSPolicySetFinderModule.java
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/bridge/PPSPolicySetFinderModule.java (rev 0)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/bridge/PPSPolicySetFinderModule.java 2011-03-31 17:53:25 UTC (rev 111084)
@@ -0,0 +1,84 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.security.xacml.bridge;
+
+import java.net.URI;
+import java.util.ArrayList;
+import java.util.List;
+
+import org.jboss.security.xacml.sunxacml.EvaluationCtx;
+import org.jboss.security.xacml.sunxacml.Policy;
+import org.jboss.security.xacml.sunxacml.PolicyMetaData;
+import org.jboss.security.xacml.sunxacml.PolicySet;
+import org.jboss.security.xacml.sunxacml.VersionConstraints;
+import org.jboss.security.xacml.sunxacml.finder.PolicyFinderResult;
+
+/**
+ * A Policy Set Finder Module that holds the RBAC Permission Policy Sets
+ * @author Anil.Saldhana at redhat.com
+ * @since Mar 30, 2011
+ */
+public class PPSPolicySetFinderModule extends PolicySetFinderModule
+{
+ protected List<PolicySet> policySets = new ArrayList<PolicySet>();
+ protected List<Policy> policies = new ArrayList<Policy>();
+
+ public void add(PolicySet ps)
+ {
+ policySets.add(ps);
+ }
+
+ public void add(Policy p)
+ {
+ policies.add(p);
+ }
+
+ @Override
+ public PolicyFinderResult findPolicy(EvaluationCtx context)
+ {
+ return new PolicyFinderResult();
+ }
+
+ @Override
+ public PolicyFinderResult findPolicy(URI idReference, int type, VersionConstraints constraints,
+ PolicyMetaData parentMetaData)
+ {
+ if( idReference != null )
+ {
+ for(PolicySet policySet: policySets)
+ {
+ if( policySet.getId().toString().equals(idReference.toString()))
+ {
+ return new PolicyFinderResult(policySet);
+ }
+ }
+ for(Policy policy: policies)
+ {
+ if( policy.getId().toString().equals(idReference.toString()))
+ {
+ return new PolicyFinderResult(policy);
+ }
+ }
+ }
+ return new PolicyFinderResult();
+ }
+}
\ No newline at end of file
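Review bot: The reference lookup in `findPolicy(URI, int, VersionConstraints, PolicyMetaData)` ignores both the `type` and `constraints` arguments, so a policy-id reference can resolve to a PolicySet with the same id and any version is accepted. Filter by reference kind before comparing ids — `if (type == PolicyReference.POLICYSET_REFERENCE)` around the policySets loop and `PolicyReference.POLICY_REFERENCE` around the policies loop — and, if versioned references are meant to be honoured, check the candidate's version against `constraints` before returning it. The empty result from `findPolicy(EvaluationCtx)` looks deliberate, since a PPS is only meant to be reached through an RPS reference under the RBAC profile, and deserves a comment such as `// PPSs are never applied directly; they are reached only via PolicySetIdReference from an RPS`. The two lists are mutated by `add` after the module may already be registered with a finder and are not synchronized, so the class Javadoc should state that registration must finish before the PDP serves requests.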
Added: projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/bridge/RPSPolicySetFinderModule.java
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/bridge/RPSPolicySetFinderModule.java (rev 0)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/bridge/RPSPolicySetFinderModule.java 2011-03-31 17:53:25 UTC (rev 111084)
@@ -0,0 +1,81 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.security.xacml.bridge;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.jboss.security.xacml.sunxacml.AbstractPolicy;
+import org.jboss.security.xacml.sunxacml.EvaluationCtx;
+import org.jboss.security.xacml.sunxacml.MatchResult;
+import org.jboss.security.xacml.sunxacml.PolicySet;
+import org.jboss.security.xacml.sunxacml.ctx.Status;
+import org.jboss.security.xacml.sunxacml.finder.PolicyFinderResult;
+
+/**
+ * A Policy Set Finder Module that holds the RBAC Role Policy Sets
+ * @author Anil.Saldhana at redhat.com
+ * @since Mar 30, 2011
+ */
+public class RPSPolicySetFinderModule extends PolicySetFinderModule
+{
+ protected List<PolicySet> policySets = new ArrayList<PolicySet>();
+
+ public void add(PolicySet ps)
+ {
+ policySets.add(ps);
+ }
+
+ @Override
+ public PolicyFinderResult findPolicy(EvaluationCtx context)
+ {
+ AbstractPolicy selectedPolicy = null;
+
+ for( PolicySet policySet: policySets)
+ {
+ MatchResult match = policySet.match(context);
+ int result = match.getResult();
+
+ // if target matching was indeterminate, then return the error
+ if (result == MatchResult.INDETERMINATE)
+ return new PolicyFinderResult(match.getStatus());
+ // see if the target matched
+ if (result == MatchResult.MATCH)
+ {
+ // see if we previously found another match
+ if (selectedPolicy != null)
+ {
+ // we found a match before, so this is an error
+ ArrayList<String> code = new ArrayList<String>();
+ code.add(Status.STATUS_PROCESSING_ERROR);
+ Status status = new Status(code, "RPSPolicySetFinderModule::too many applicable " + "top-level policies");
+ return new PolicyFinderResult(status);
+ }
+
+ // this is the first match we've found, so remember it
+ selectedPolicy = policySet;
+ }
+ }
+ // return the single applicable policy (if there was one)
+ return new PolicyFinderResult(selectedPolicy);
+ }
+}
\ No newline at end of file
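Review bot: `findPolicy(EvaluationCtx)` returns a processing-error status as soon as a second RPS target matches, so a subject carrying two role attributes (say employee and manager) gets Indeterminate rather than a combined decision. Multi-role subjects are the normal case under the RBAC profile; if they are not supported yet, that limitation belongs in the class Javadoc, otherwise the matched sets should be wrapped in a synthetic PolicySet with a combining algorithm instead of erroring. The split literal `"RPSPolicySetFinderModule::too many applicable " + "top-level policies"` reads like a leftover from the sunxacml module this mirrors and can be a single string. When nothing matches, `new PolicyFinderResult(selectedPolicy)` is called with null; a comment `// null policy => not applicable` would make that explicit.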
Modified: projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/JBossPolicySetLocator.java
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/JBossPolicySetLocator.java 2011-03-31 17:50:39 UTC (rev 111083)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/JBossPolicySetLocator.java 2011-03-31 17:53:25 UTC (rev 111084)
@@ -58,7 +58,11 @@
{
if (xp.getType() == XACMLPolicy.POLICYSET)
{
- pfml.add(getPopulatedPolicySetFinderModule(xp));
+ PolicySetFinderModule psfm = getPopulatedPolicySetFinderModule(xp);
+ if( psfm != null )
+ {
+ pfml.add(psfm);
+ }
}
else if (xp.getType() == XACMLPolicy.POLICY)
{
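Review bot: The new null check silently drops a policy set from the PDP when `getPopulatedPolicySetFinderModule` returns null, so a locator subclass that returns null for a set it does not handle leaves that policy out of evaluation with no trace. At minimum add an else branch that records the omission, e.g. `else { /* TODO(review): log a warning naming the skipped policy set via the class's logger */ }`, and state on the now-protected method's Javadoc that a null return means "not handled by this locator". The enclosing setPolicies method starts and ends outside this hunk, and the base implementation shown in the next hunk never returns null, so the guard only matters for subclasses.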
@@ -70,7 +74,7 @@
this.map.put(XACMLConstants.POLICY_FINDER_MODULE, pfml);
}
- private PolicySetFinderModule getPopulatedPolicySetFinderModule(XACMLPolicy xpolicy)
+ protected PolicySetFinderModule getPopulatedPolicySetFinderModule(XACMLPolicy xpolicy)
{
PolicySetFinderModule psfm = new PolicySetFinderModule();
//Check for enclosed policies
@@ -84,7 +88,7 @@
return psfm;
}
- private void recursivePopulate(XACMLPolicy policy, List<AbstractPolicy> policies, PolicySetFinderModule psfm)
+ protected void recursivePopulate(XACMLPolicy policy, List<AbstractPolicy> policies, PolicySetFinderModule psfm)
{
List<XACMLPolicy> policyList = policy.getEnclosingPolicies();
for (XACMLPolicy xp : policyList)
Added: projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/JBossRBACPolicySetLocator.java
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/JBossRBACPolicySetLocator.java (rev 0)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/JBossRBACPolicySetLocator.java 2011-03-31 17:53:25 UTC (rev 111084)
@@ -0,0 +1,100 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.security.xacml.locators;
+
+import java.util.List;
+import java.util.Set;
+
+import org.jboss.security.xacml.bridge.PPSPolicySetFinderModule;
+import org.jboss.security.xacml.bridge.RPSPolicySetFinderModule;
+import org.jboss.security.xacml.bridge.WrapperPolicyFinderModule;
+import org.jboss.security.xacml.interfaces.XACMLConstants;
+import org.jboss.security.xacml.interfaces.XACMLPolicy;
+import org.jboss.security.xacml.sunxacml.AbstractPolicy;
+import org.jboss.security.xacml.sunxacml.Policy;
+import org.jboss.security.xacml.sunxacml.PolicySet;
+
+/**
+ * A Policy Set Locator that follows the XACML RBAC Profile
+ * @author Anil.Saldhana at redhat.com
+ * @since Mar 29, 2011
+ */
+public class JBossRBACPolicySetLocator extends JBossPolicySetLocator
+{
+ public static final String ROLE_NS = "urn:oasis:names:tc:xacml:2.0:subject:role";
+ public static final String RPS = "RPS";
+ public static final String PPS = "PPS";
+
+ protected RPSPolicySetFinderModule rpsFinderModule = new RPSPolicySetFinderModule();
+ protected PPSPolicySetFinderModule ppsFinderModule = new PPSPolicySetFinderModule();
+
+ @Override
+ public void setPolicies(Set<XACMLPolicy> policies)
+ {
+ this.policies = policies;
+ pfml.add(rpsFinderModule);
+ pfml.add(ppsFinderModule);
+
+ for (XACMLPolicy xp : policies)
+ {
+ if (xp.getType() == XACMLPolicy.POLICYSET)
+ {
+ handlePolicy(xp);
+ }
+ else if (xp.getType() == XACMLPolicy.POLICY)
+ {
+ Policy p = xp.get(XACMLConstants.UNDERLYING_POLICY);
+ WrapperPolicyFinderModule wpfm = new WrapperPolicyFinderModule(p);
+ pfml.add(wpfm);
+ }
+ }
+ this.map.put(XACMLConstants.POLICY_FINDER_MODULE, pfml);
+ }
+
+ protected void handlePolicy(XACMLPolicy xacmlPolicy)
+ {
+ List<XACMLPolicy> policyList = xacmlPolicy.getEnclosingPolicies();
+ for (XACMLPolicy xp : policyList)
+ {
+ handlePolicy(xp);
+ }
+ if(policyList.size() == 0)
+ {
+ AbstractPolicy aPolicy = xacmlPolicy.get(XACMLConstants.UNDERLYING_POLICY);
+ if( aPolicy instanceof PolicySet)
+ {
+ PolicySet policySet = (PolicySet) aPolicy;
+ if( policySet.getId().toASCIIString().contains(RPS))
+ {
+ //This is RPS
+ rpsFinderModule.add(policySet);
+ }
+ else if( policySet.getId().toASCIIString().contains(PPS))
+ {
+ //This is PPS
+ ppsFinderModule.add(policySet);
+ }
+ }
+ }
+
+ }
+}
\ No newline at end of file
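Review bot: `handlePolicy` classifies a leaf PolicySet with `getId().toASCIIString().contains(RPS)` / `contains(PPS)`, a substring test on the id rather than a defined naming rule, and a set whose id matches neither is silently discarded instead of being registered with any finder module. A PPS whose id happens to contain "RPS" lands in the RPS module and, because the PPS fixtures carry an empty `<Target />`, would then be directly applicable to every request without the subject-role match that the RPS targets enforce. Use the prefix the fixtures already follow, `if (policySet.getId().toASCIIString().startsWith(RPS + ":"))` and `else if (policySet.getId().toASCIIString().startsWith(PPS + ":"))`, and add an else branch that logs or throws on an unclassified id. `setPolicies` also appends `rpsFinderModule`/`ppsFinderModule` to `pfml` without clearing it, so unless the base class resets that list a second call registers the modules twice; `policyList.size() == 0` reads better as `isEmpty()`.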
Added: projects/security/security-xacml/trunk/jboss-xacml/src/test/java/org/jboss/test/security/test/xacml/rbac/RbacUnitTestCase.java
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/test/java/org/jboss/test/security/test/xacml/rbac/RbacUnitTestCase.java (rev 0)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/test/java/org/jboss/test/security/test/xacml/rbac/RbacUnitTestCase.java 2011-03-31 17:53:25 UTC (rev 111084)
@@ -0,0 +1,90 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.test.security.test.xacml.rbac;
+
+import java.io.InputStream;
+
+import org.jboss.security.xacml.core.JBossPDP;
+import org.jboss.security.xacml.interfaces.PolicyDecisionPoint;
+import org.jboss.security.xacml.interfaces.ResponseContext;
+import org.jboss.security.xacml.interfaces.XACMLConstants;
+import org.jboss.test.security.xacml.factories.util.XACMLTestUtil;
+import org.junit.Test;
+import static org.junit.Assert.assertNotNull;
+
+import static org.junit.Assert.assertEquals;
+
+/**
+ * @author Anil.Saldhana at redhat.com
+ * @since Mar 29, 2011
+ */
+public class RbacUnitTestCase
+{
+ @Test
+ public void testRbac() throws Exception
+ {
+ validateCase(getResponse("rbac-request.xml"),
+ XACMLConstants.DECISION_PERMIT);
+ }
+
+ @Test
+ public void testDenyRbac() throws Exception
+ {
+ validateCase(getResponse("rbac-request-nopriv.xml"),
+ XACMLConstants.DECISION_NOT_APPLICABLE);
+ }
+
+
+ private PolicyDecisionPoint getPDP()
+ {
+ ClassLoader tcl = Thread.currentThread().getContextClassLoader();
+ InputStream is = tcl.getResourceAsStream("locators/rbac/rbac-config.xml");
+ assertNotNull("InputStream != null", is);
+
+ return new JBossPDP(is);
+ }
+
+ private ResponseContext getResponse(String loc) throws Exception
+ {
+ loc = "test/requests/rbac/" + loc;
+ return XACMLTestUtil.getResponse(getPDP(), loc);
+ }
+
+ private void validateCase(ResponseContext response, int decisionval) throws Exception
+ {
+ int decision = response.getDecision();
+
+ switch(decisionval)
+ {
+ case XACMLConstants.DECISION_PERMIT:
+ assertEquals("PERMIT?", XACMLConstants.DECISION_PERMIT,decision);
+ break;
+ case XACMLConstants.DECISION_DENY:
+ assertEquals("DENY?", XACMLConstants.DECISION_DENY,decision);
+ break;
+ case XACMLConstants.DECISION_NOT_APPLICABLE:
+ assertEquals("Not Applicable?", XACMLConstants.DECISION_NOT_APPLICABLE,decision);
+ break;
+ default: throw new RuntimeException("wrong value");
+ }
+ }
+}
\ No newline at end of file
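Review bot: The negative case `testDenyRbac` does not exercise the role gate: `rbac-request-nopriv.xml` carries the same `manager` role as `rbac-request.xml` and differs only in the action (`urn:nobody`), so it would still pass if the RPS subject match were ignored entirely. Add a request whose subject has role `employee` and asks for `hasPrivilegesOfRole` on resource role `manager`, and assert `XACMLConstants.DECISION_NOT_APPLICABLE`; the method name suggests a deny while the assertion is not-applicable, which deserves a one-line comment on the test. `getPDP()` never closes the InputStream it opens; close it after constructing the PDP (try/finally) unless `JBossPDP` documents that it takes ownership. The same point about the fixture applies to the rbac-request-nopriv.xml hunk below.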
Added: projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/locators/rbac/rbac-config.xml
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/locators/rbac/rbac-config.xml (rev 0)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/locators/rbac/rbac-config.xml 2011-03-31 17:53:25 UTC (rev 111084)
@@ -0,0 +1,23 @@
+<ns:jbosspdp xmlns:ns="urn:jboss:xacml:2.0">
+ <ns:Policies>
+ <ns:PolicySet>
+ <ns:Location>test/policies/rbac/</ns:Location>
+ </ns:PolicySet>
+ <!--
+ <ns:PolicySet>
+ <ns:Location>test/policies/rbac/employee-PPS-policyset.xml</ns:Location>
+ </ns:PolicySet>
+ <ns:PolicySet>
+ <ns:Location>test/policies/rbac/manager-PPS-policyset.xml</ns:Location>
+ </ns:PolicySet>
+ <ns:PolicySet>
+ <ns:Location>test/policies/rbac/employee-RPS-policyset.xml</ns:Location>
+ </ns:PolicySet>
+ <ns:PolicySet>
+ <ns:Location>test/policies/rbac/manager-RPS-policyset.xml</ns:Location>
+ </ns:PolicySet> -->
+ </ns:Policies>
+ <ns:Locators>
+ <ns:Locator Name="org.jboss.security.xacml.locators.JBossRBACPolicySetLocator"/>
+ </ns:Locators>
+</ns:jbosspdp>
\ No newline at end of file
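Review bot: The commented-out per-file `<ns:PolicySet>` entries duplicate the directory entry above them and should be deleted rather than kept as an alternative; the file should state one form. The directory form loads every file under `test/policies/rbac/`, so any stray XML placed there becomes a policy in this PDP — acceptable for a test fixture, but worth a comment such as `<!-- every PolicySet file in this directory is loaded; the locator sorts them into RPS/PPS from the PolicySetId -->`. The file is also added with `svn:executable`, which a configuration file does not need.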
Property changes on: projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/locators/rbac/rbac-config.xml
___________________________________________________________________
Added: svn:executable
+ *
Modified: projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/logging.properties
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/logging.properties 2011-03-31 17:50:39 UTC (rev 111083)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/logging.properties 2011-03-31 17:53:25 UTC (rev 111084)
@@ -17,6 +17,7 @@
java.util.logging.FileHandler.formatter=java.util.logging.SimpleFormatter
# Set the default logging level for the logger named org.jboss
+org.jboss.security.xacml.level = FINEST
org.jboss.security.xacml.sunxacml.level = FINEST
org.opends = FINEST
com.sun.xml.bind.level = OFF
Added: projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/test/policies/rbac/employee-PPS-policyset.xml
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/test/policies/rbac/employee-PPS-policyset.xml (rev 0)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/test/policies/rbac/employee-PPS-policyset.xml 2011-03-31 17:53:25 UTC (rev 111084)
@@ -0,0 +1,58 @@
+<PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
+ PolicySetId="PPS:employee:role"
+ PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
+ <Target />
+ <!-- Permissions specifically for the employee role -->
+ <Policy PolicyId="Permissions:specifically:for:the:employee:role"
+ RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
+ <Target />
+ <!-- Permission to create a purchase order -->
+ <Rule RuleId="Permission:to:create:a:purchase:order" Effect="Permit">
+ <Target>
+ <Resources>
+ <Resource>
+ <ResourceMatch
+ MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">purchase order
+ </AttributeValue>
+ <ResourceAttributeDesignator
+ AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </ResourceMatch>
+ </Resource>
+ </Resources>
+ <Actions>
+ <Action>
+ <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create</AttributeValue>
+ <ActionAttributeDesignator AttributeId="urn:action-id"
+ DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </ActionMatch>
+ </Action>
+ </Actions>
+ </Target>
+ </Rule>
+ </Policy>
+ <!-- HasPrivilegesOfRole Policy for employee role -->
+<Policy PolicyId="Permission:to:have:employee:role:permissions"
+ RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
+ <Target />
+ <!-- Permission to have employee role permissions -->
+ <Rule RuleId="Permission:to:have:employee:permissions" Effect="Permit">
+ <Condition>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">employee</AttributeValue>
+ <ResourceAttributeDesignator
+ AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="http://www.w3.org/2001/XMLSchema#anyURI" />
+ </Apply>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">urn:oasis:names:tc:xacml:2.0:actions:hasPrivilegesOfRole
+ </AttributeValue>
+ <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
+ DataType="http://www.w3.org/2001/XMLSchema#anyURI" />
+ </Apply>
+ </Apply>
+ </Condition>
+ </Rule>
+</Policy>
+</PolicySet>
\ No newline at end of file
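Review bot: The "create a purchase order" rule matches the action with `AttributeId="urn:action-id"` while the hasPrivilegesOfRole rule in the same file uses the standard `urn:oasis:names:tc:xacml:1.0:action:action-id`, so a request that carries the standard action-id never matches the permission rule. The `purchase order` AttributeValue also spans a line break before `</AttributeValue>`, and with `string-equal` that trailing whitespace becomes part of the value to match. Change the designator to `<ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"` and put the value and its closing tag on one line. manager-PPS-policyset.xml has the same two issues in its "sign" rule.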
Added: projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/test/policies/rbac/employee-RPS-policyset.xml
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/test/policies/rbac/employee-RPS-policyset.xml (rev 0)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/test/policies/rbac/employee-RPS-policyset.xml 2011-03-31 17:53:25 UTC (rev 111084)
@@ -0,0 +1,19 @@
+<PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
+PolicySetId="RPS:employee:role"
+PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
+<Target>
+<Subjects>
+<Subject>
+<SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
+<AttributeValue
+DataType="http://www.w3.org/2001/XMLSchema#anyURI">employee</AttributeValue>
+<SubjectAttributeDesignator
+AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
+DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
+</SubjectMatch>
+</Subject>
+</Subjects>
+</Target>
+<!-- Use permissions associated with the employee role -->
+<PolicySetIdReference>PPS:employee:role</PolicySetIdReference>
+</PolicySet>
\ No newline at end of file
Added: projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/test/policies/rbac/manager-PPS-policyset.xml
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/test/policies/rbac/manager-PPS-policyset.xml (rev 0)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/test/policies/rbac/manager-PPS-policyset.xml 2011-03-31 17:53:25 UTC (rev 111084)
@@ -0,0 +1,60 @@
+<PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
+ PolicySetId="PPS:manager:role"
+ PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
+ <Target />
+ <!-- Permissions specifically for the manager role -->
+ <Policy PolicyId="Permissions:specifically:for:the:manager:role"
+ RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
+ <Target />
+ <!-- Permission to sign a purchase order -->
+ <Rule RuleId="Permission:to:sign:a:purchase:order" Effect="Permit">
+ <Target>
+ <Resources>
+ <Resource>
+ <ResourceMatch
+ MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">purchase order
+ </AttributeValue>
+ <ResourceAttributeDesignator
+ AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </ResourceMatch>
+ </Resource>
+ </Resources>
+ <Actions>
+ <Action>
+ <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">sign</AttributeValue>
+ <ActionAttributeDesignator AttributeId="urn:action-id"
+ DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </ActionMatch>
+ </Action>
+ </Actions>
+ </Target>
+ </Rule>
+ </Policy>
+ <!-- HasPrivilegesOfRole Policy for manager role -->
+<Policy PolicyId="Permission:to:have:manager:role:permissions"
+ RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
+ <Target />
+ <!-- Permission to have manager role permissions -->
+ <Rule RuleId="Permission:to:have:manager:permissions" Effect="Permit">
+ <Condition>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">manager</AttributeValue>
+ <ResourceAttributeDesignator
+ AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="http://www.w3.org/2001/XMLSchema#anyURI" />
+ </Apply>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">urn:oasis:names:tc:xacml:2.0:actions:hasPrivilegesOfRole
+ </AttributeValue>
+ <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
+ DataType="http://www.w3.org/2001/XMLSchema#anyURI" />
+ </Apply>
+ </Apply>
+ </Condition>
+ </Rule>
+</Policy>
+ <!-- Include permissions associated with employee role -->
+ <PolicySetIdReference>PPS:employee:role</PolicySetIdReference>
+</PolicySet>
\ No newline at end of file
Added: projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/test/policies/rbac/manager-RPS-policyset.xml
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/test/policies/rbac/manager-RPS-policyset.xml (rev 0)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/test/policies/rbac/manager-RPS-policyset.xml 2011-03-31 17:53:25 UTC (rev 111084)
@@ -0,0 +1,19 @@
+<PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
+PolicySetId="RPS:manager:role"
+PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
+<Target>
+<Subjects>
+<Subject>
+<SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
+<AttributeValue
+DataType="http://www.w3.org/2001/XMLSchema#anyURI">manager</AttributeValue>
+<SubjectAttributeDesignator
+AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
+DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
+</SubjectMatch>
+</Subject>
+</Subjects>
+</Target>
+<!-- Use permissions associated with the manager role -->
+<PolicySetIdReference>PPS:manager:role</PolicySetIdReference>
+</PolicySet>
\ No newline at end of file
Added: projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/test/requests/rbac/rbac-request-nopriv.xml
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/test/requests/rbac/rbac-request-nopriv.xml (rev 0)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/test/requests/rbac/rbac-request-nopriv.xml 2011-03-31 17:53:25 UTC (rev 111084)
@@ -0,0 +1,31 @@
+<Request
+ xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os
+ access_control-xacml-2.0-context-schema-os.xsd">
+<Subject>
+<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
+ DataType="http://www.w3.org/2001/XMLSchema#string">
+<AttributeValue>Anne</AttributeValue>
+</Attribute>
+
+<Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
+ DataType="http://www.w3.org/2001/XMLSchema#anyURI">
+<AttributeValue>manager</AttributeValue>
+</Attribute>
+</Subject>
+
+<Resource>
+<Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
+DataType="http://www.w3.org/2001/XMLSchema#anyURI">
+<AttributeValue>manager</AttributeValue>
+</Attribute>
+</Resource>
+
+<Action>
+<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
+ DataType="http://www.w3.org/2001/XMLSchema#anyURI">
+ <AttributeValue>urn:nobody</AttributeValue>
+</Attribute>
+</Action>
+</Request>
\ No newline at end of file
Added: projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/test/requests/rbac/rbac-request.xml
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/test/requests/rbac/rbac-request.xml (rev 0)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/test/requests/rbac/rbac-request.xml 2011-03-31 17:53:25 UTC (rev 111084)
@@ -0,0 +1,31 @@
+<Request
+ xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os
+ access_control-xacml-2.0-context-schema-os.xsd">
+<Subject>
+<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
+ DataType="http://www.w3.org/2001/XMLSchema#string">
+<AttributeValue>Anne</AttributeValue>
+</Attribute>
+
+<Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
+ DataType="http://www.w3.org/2001/XMLSchema#anyURI">
+<AttributeValue>manager</AttributeValue>
+</Attribute>
+</Subject>
+
+<Resource>
+<Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
+DataType="http://www.w3.org/2001/XMLSchema#anyURI">
+<AttributeValue>manager</AttributeValue>
+</Attribute>
+</Resource>
+
+<Action>
+<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
+ DataType="http://www.w3.org/2001/XMLSchema#anyURI">
+ <AttributeValue>urn:oasis:names:tc:xacml:2.0:actions:hasPrivilegesOfRole</AttributeValue>
+</Attribute>
+</Action>
+</Request>
\ No newline at end of file