[jboss-cvs] JBossAS SVN: r111084 - in projects/security/security-xacml/trunk/jboss-xacml/src: main/java/org/jboss/security/xacml/locators and 9 other directories.



Author: anil.saldhana at jboss.com
Date: 2011-03-31 13:53:25 -0400 (Thu, 31 Mar 2011)
New Revision: 111084

Added:
   projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/bridge/PPSPolicySetFinderModule.java
   projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/bridge/RPSPolicySetFinderModule.java
   projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/JBossRBACPolicySetLocator.java
   projects/security/security-xacml/trunk/jboss-xacml/src/test/java/org/jboss/test/security/test/xacml/rbac/
   projects/security/security-xacml/trunk/jboss-xacml/src/test/java/org/jboss/test/security/test/xacml/rbac/RbacUnitTestCase.java
   projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/locators/rbac/
   projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/locators/rbac/rbac-config.xml
   projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/test/policies/rbac/
   projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/test/policies/rbac/employee-PPS-policyset.xml
   projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/test/policies/rbac/employee-RPS-policyset.xml
   projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/test/policies/rbac/manager-PPS-policyset.xml
   projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/test/policies/rbac/manager-RPS-policyset.xml
   projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/test/requests/rbac/
   projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/test/requests/rbac/rbac-request-nopriv.xml
   projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/test/requests/rbac/rbac-request.xml
Modified:
   projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/JBossPolicySetLocator.java
   projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/logging.properties
Log:
SECURITY-575: xacml core rbac profile

Added: projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/bridge/PPSPolicySetFinderModule.java
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/bridge/PPSPolicySetFinderModule.java	                        (rev 0)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/bridge/PPSPolicySetFinderModule.java	2011-03-31 17:53:25 UTC (rev 111084)
@@ -0,0 +1,84 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors. 
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.security.xacml.bridge;
+
+import java.net.URI;
+import java.util.ArrayList;
+import java.util.List;
+
+import org.jboss.security.xacml.sunxacml.EvaluationCtx;
+import org.jboss.security.xacml.sunxacml.Policy;
+import org.jboss.security.xacml.sunxacml.PolicyMetaData;
+import org.jboss.security.xacml.sunxacml.PolicySet;
+import org.jboss.security.xacml.sunxacml.VersionConstraints;
+import org.jboss.security.xacml.sunxacml.finder.PolicyFinderResult;
+
+/**
+ * A Policy Set Finder Module that holds the RBAC Permission Policy Sets
+ * @author Anil.Saldhana at redhat.com
+ * @since Mar 30, 2011
+ */
+public class PPSPolicySetFinderModule extends PolicySetFinderModule
+{
+   protected List<PolicySet> policySets = new ArrayList<PolicySet>();
+   protected List<Policy> policies = new ArrayList<Policy>();
+   
+   public void add(PolicySet ps)
+   {
+      policySets.add(ps);
+   }
+   
+   public void add(Policy p)
+   {
+      policies.add(p);
+   }
+
+   @Override
+   public PolicyFinderResult findPolicy(EvaluationCtx context)
+   { 
+      return new PolicyFinderResult();
+   }
+
+   @Override
+   public PolicyFinderResult findPolicy(URI idReference, int type, VersionConstraints constraints,
+         PolicyMetaData parentMetaData)
+   { 
+      if( idReference != null )
+      {
+         for(PolicySet policySet: policySets)
+         {
+            if( policySet.getId().toString().equals(idReference.toString()))
+            {
+               return new PolicyFinderResult(policySet);
+            }
+         }
+         for(Policy policy: policies)
+         {
+            if( policy.getId().toString().equals(idReference.toString()))
+            {
+               return new PolicyFinderResult(policy);
+            }
+         }
+      }
+      return new PolicyFinderResult();
+   }
+}
\ No newline at end of file
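Review bot: The id-reference lookup in `findPolicy(URI, int, VersionConstraints, PolicyMetaData)` ignores its `type` and `constraints` arguments, so a reference is resolved by id string alone against first `policySets` and then `policies`; a PolicySetIdReference and a PolicyIdReference that share an id resolve to whichever list is searched first, and any version constraint on the reference is never checked. If `type` carries the sunxacml reference kind (policy vs. policy-set reference), restrict the search to the corresponding list and return `new PolicyFinderResult()` for the other kind, and say in the class Javadoc that versions are not honoured: `/** Resolves RBAC PPS references by id only; VersionConstraints are ignored. */`. The empty result from `findPolicy(EvaluationCtx)` looks deliberate (a PPS should be reachable only through an RPS reference under the RBAC profile) and deserves a one-line comment saying so, since a reader may otherwise take it for an unfinished stub.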

Added: projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/bridge/RPSPolicySetFinderModule.java
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/bridge/RPSPolicySetFinderModule.java	                        (rev 0)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/bridge/RPSPolicySetFinderModule.java	2011-03-31 17:53:25 UTC (rev 111084)
@@ -0,0 +1,81 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors. 
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.security.xacml.bridge;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.jboss.security.xacml.sunxacml.AbstractPolicy;
+import org.jboss.security.xacml.sunxacml.EvaluationCtx;
+import org.jboss.security.xacml.sunxacml.MatchResult;
+import org.jboss.security.xacml.sunxacml.PolicySet;
+import org.jboss.security.xacml.sunxacml.ctx.Status;
+import org.jboss.security.xacml.sunxacml.finder.PolicyFinderResult;
+
+/**
+ * A Policy Set Finder Module that holds the RBAC Role Policy Sets
+ * @author Anil.Saldhana at redhat.com
+ * @since Mar 30, 2011
+ */
+public class RPSPolicySetFinderModule extends PolicySetFinderModule
+{
+   protected List<PolicySet> policySets = new ArrayList<PolicySet>();
+   
+   public void add(PolicySet ps)
+   {
+      policySets.add(ps);
+   }
+
+   @Override
+   public PolicyFinderResult findPolicy(EvaluationCtx context)
+   { 
+      AbstractPolicy selectedPolicy = null;
+   
+      for( PolicySet policySet: policySets)
+      {
+         MatchResult match = policySet.match(context);
+         int result = match.getResult();
+
+         // if target matching was indeterminate, then return the error
+         if (result == MatchResult.INDETERMINATE)
+            return new PolicyFinderResult(match.getStatus());
+      // see if the target matched
+         if (result == MatchResult.MATCH)
+         {
+            // see if we previously found another match
+            if (selectedPolicy != null)
+            {
+               // we found a match before, so this is an error
+               ArrayList<String> code = new ArrayList<String>();
+               code.add(Status.STATUS_PROCESSING_ERROR);
+               Status status = new Status(code, "RPSPolicySetFinderModule::too many applicable " + "top-level policies");
+               return new PolicyFinderResult(status);
+            }
+
+            // this is the first match we've found, so remember it
+            selectedPolicy = policySet;
+         }
+      }
+      // return the single applicable policy (if there was one)
+      return new PolicyFinderResult(selectedPolicy);
+   }  
+}
\ No newline at end of file
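Review bot: The comment `// see if the target matched` is indented one level out from the `if` it describes, and the status message is assembled from two concatenated literals `"RPSPolicySetFinderModule::too many applicable " + "top-level policies"` that can be a single literal. `code` is declared as `ArrayList<String>` where `List<String>` (already imported) is the conventional type for the local. Returning a processing-error Status when two RPS match the same request, rather than picking one, is the right fail-closed choice for an access-control finder and is worth a sentence in the class Javadoc, e.g. `Two applicable RPS for one request are reported as a processing error rather than silently combined.`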

Modified: projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/JBossPolicySetLocator.java
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/JBossPolicySetLocator.java	2011-03-31 17:50:39 UTC (rev 111083)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/JBossPolicySetLocator.java	2011-03-31 17:53:25 UTC (rev 111084)
@@ -58,7 +58,11 @@
       {
          if (xp.getType() == XACMLPolicy.POLICYSET)
          {
-            pfml.add(getPopulatedPolicySetFinderModule(xp));
+            PolicySetFinderModule psfm = getPopulatedPolicySetFinderModule(xp);
+            if( psfm != null )
+            {
+               pfml.add(psfm); 
+            }
          }
          else if (xp.getType() == XACMLPolicy.POLICY)
          {
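Review bot: The new null guard around `pfml.add(psfm)` can only trigger for a subclass override, because `getPopulatedPolicySetFinderModule` as shown in the next hunk allocates `new PolicySetFinderModule()` and returns it unconditionally, so the reason for the check is invisible at the call site. Since the second and third hunks of this file widen `getPopulatedPolicySetFinderModule` and `recursivePopulate` to `protected`, give each a Javadoc stating the contract a subclass must keep, e.g. `@return the populated finder module, or {@code null} to leave this policy set out of the finder chain` on the first and a note on the second that it appends to the caller's `policies` list. The method enclosing this hunk starts before it (it appears to be `setPolicies`, judging by the override in JBossRBACPolicySetLocator).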
@@ -70,7 +74,7 @@
       this.map.put(XACMLConstants.POLICY_FINDER_MODULE, pfml);
    }
 
-   private PolicySetFinderModule getPopulatedPolicySetFinderModule(XACMLPolicy xpolicy)
+   protected PolicySetFinderModule getPopulatedPolicySetFinderModule(XACMLPolicy xpolicy)
    {
       PolicySetFinderModule psfm = new PolicySetFinderModule();
       //Check for enclosed policies
@@ -84,7 +88,7 @@
       return psfm;
    }
 
-   private void recursivePopulate(XACMLPolicy policy, List<AbstractPolicy> policies, PolicySetFinderModule psfm)
+   protected void recursivePopulate(XACMLPolicy policy, List<AbstractPolicy> policies, PolicySetFinderModule psfm)
    {
       List<XACMLPolicy> policyList = policy.getEnclosingPolicies();
       for (XACMLPolicy xp : policyList)

Added: projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/JBossRBACPolicySetLocator.java
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/JBossRBACPolicySetLocator.java	                        (rev 0)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/JBossRBACPolicySetLocator.java	2011-03-31 17:53:25 UTC (rev 111084)
@@ -0,0 +1,100 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors. 
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.security.xacml.locators;
+
+import java.util.List;
+import java.util.Set;
+
+import org.jboss.security.xacml.bridge.PPSPolicySetFinderModule;
+import org.jboss.security.xacml.bridge.RPSPolicySetFinderModule;
+import org.jboss.security.xacml.bridge.WrapperPolicyFinderModule;
+import org.jboss.security.xacml.interfaces.XACMLConstants;
+import org.jboss.security.xacml.interfaces.XACMLPolicy;
+import org.jboss.security.xacml.sunxacml.AbstractPolicy;
+import org.jboss.security.xacml.sunxacml.Policy;
+import org.jboss.security.xacml.sunxacml.PolicySet;
+
+/**
+ * A Policy Set Locator that follows the XACML RBAC Profile
+ * @author Anil.Saldhana at redhat.com
+ * @since Mar 29, 2011
+ */
+public class JBossRBACPolicySetLocator extends JBossPolicySetLocator
+{
+   public static final String ROLE_NS = "urn:oasis:names:tc:xacml:2.0:subject:role";
+   public static final String RPS = "RPS";
+   public static final String PPS = "PPS";
+   
+   protected RPSPolicySetFinderModule rpsFinderModule = new RPSPolicySetFinderModule();
+   protected PPSPolicySetFinderModule ppsFinderModule = new PPSPolicySetFinderModule();
+
+   @Override
+   public void setPolicies(Set<XACMLPolicy> policies)
+   {
+      this.policies = policies;
+      pfml.add(rpsFinderModule);
+      pfml.add(ppsFinderModule);
+      
+      for (XACMLPolicy xp : policies)
+      {
+         if (xp.getType() == XACMLPolicy.POLICYSET)
+         {
+            handlePolicy(xp); 
+         }
+         else if (xp.getType() == XACMLPolicy.POLICY)
+         {
+            Policy p = xp.get(XACMLConstants.UNDERLYING_POLICY);
+            WrapperPolicyFinderModule wpfm = new WrapperPolicyFinderModule(p);
+            pfml.add(wpfm);
+         }
+      }
+      this.map.put(XACMLConstants.POLICY_FINDER_MODULE, pfml);
+   }
+   
+   protected void handlePolicy(XACMLPolicy xacmlPolicy)
+   {
+      List<XACMLPolicy> policyList = xacmlPolicy.getEnclosingPolicies();
+      for (XACMLPolicy xp : policyList)
+      {
+         handlePolicy(xp); 
+      }
+      if(policyList.size() == 0)
+      {
+         AbstractPolicy aPolicy = xacmlPolicy.get(XACMLConstants.UNDERLYING_POLICY);
+         if( aPolicy instanceof PolicySet)
+         { 
+            PolicySet policySet = (PolicySet) aPolicy;
+            if( policySet.getId().toASCIIString().contains(RPS))
+            {
+               //This is RPS 
+               rpsFinderModule.add(policySet);
+            }
+            else if( policySet.getId().toASCIIString().contains(PPS))
+            {
+               //This is PPS 
+               ppsFinderModule.add(policySet);
+            } 
+         }  
+      }
+      
+   }
+}
\ No newline at end of file
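Review bot: `handlePolicy` classifies a leaf policy set as RPS or PPS with `policySet.getId().toASCIIString().contains(RPS)` / `contains(PPS)`, a case-sensitive substring test anywhere in the id; a hypothetical id such as `PPS:CORPS:role` would be filed as a Role Policy Set and become directly applicable without any role match, and a policy set matching neither string is dropped without a trace. The fixtures in this commit already use the markers as prefixes (`RPS:employee:role`, `PPS:employee:role`), so a prefix test is compatible: `String id = policySet.getId().toASCIIString();` followed by `if (id.startsWith(RPS + ":"))` / `else if (id.startsWith(PPS + ":"))`, plus an `else` that logs the unclassified id. `setPolicies` also appends `rpsFinderModule` and `ppsFinderModule` to `pfml` on every call, so unless the inherited list is reset elsewhere a second call registers both modules twice.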

Added: projects/security/security-xacml/trunk/jboss-xacml/src/test/java/org/jboss/test/security/test/xacml/rbac/RbacUnitTestCase.java
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/test/java/org/jboss/test/security/test/xacml/rbac/RbacUnitTestCase.java	                        (rev 0)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/test/java/org/jboss/test/security/test/xacml/rbac/RbacUnitTestCase.java	2011-03-31 17:53:25 UTC (rev 111084)
@@ -0,0 +1,90 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors. 
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.test.security.test.xacml.rbac;
+
+import java.io.InputStream;
+
+import org.jboss.security.xacml.core.JBossPDP;
+import org.jboss.security.xacml.interfaces.PolicyDecisionPoint;
+import org.jboss.security.xacml.interfaces.ResponseContext;
+import org.jboss.security.xacml.interfaces.XACMLConstants;
+import org.jboss.test.security.xacml.factories.util.XACMLTestUtil;
+import org.junit.Test;
+import static org.junit.Assert.assertNotNull;
+
+import static org.junit.Assert.assertEquals; 
+
+/**
+ * @author Anil.Saldhana at redhat.com
+ * @since Mar 29, 2011
+ */
+public class RbacUnitTestCase
+{
+   @Test
+   public void testRbac() throws Exception
+   { 
+      validateCase(getResponse("rbac-request.xml"), 
+            XACMLConstants.DECISION_PERMIT);
+   }
+   
+   @Test
+   public void testDenyRbac() throws Exception
+   { 
+      validateCase(getResponse("rbac-request-nopriv.xml"), 
+            XACMLConstants.DECISION_NOT_APPLICABLE);
+   }
+   
+   
+   private PolicyDecisionPoint getPDP()
+   {
+      ClassLoader tcl = Thread.currentThread().getContextClassLoader();
+      InputStream is = tcl.getResourceAsStream("locators/rbac/rbac-config.xml");
+      assertNotNull("InputStream != null", is);
+
+      return new JBossPDP(is);
+   }
+   
+   private ResponseContext getResponse(String loc) throws Exception
+   {
+      loc = "test/requests/rbac/" + loc;
+      return XACMLTestUtil.getResponse(getPDP(), loc);
+   }
+   
+   private void validateCase(ResponseContext response, int decisionval) throws Exception
+   {
+      int decision = response.getDecision();
+      
+      switch(decisionval)
+      {
+         case XACMLConstants.DECISION_PERMIT: 
+            assertEquals("PERMIT?", XACMLConstants.DECISION_PERMIT,decision);
+            break;
+         case XACMLConstants.DECISION_DENY:
+            assertEquals("DENY?", XACMLConstants.DECISION_DENY,decision);
+            break;
+         case XACMLConstants.DECISION_NOT_APPLICABLE:
+               assertEquals("Not Applicable?", XACMLConstants.DECISION_NOT_APPLICABLE,decision);
+               break;
+         default: throw new RuntimeException("wrong value");
+      }  
+   } 
+}
\ No newline at end of file
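Review bot: `testDenyRbac` expects `XACMLConstants.DECISION_NOT_APPLICABLE`, not `DECISION_DENY`, so the name overstates what it checks; in an RBAC test the distinction matters, since Not Applicable means no rule covered the request while Deny means one did and refused. Rename it, e.g. `testUnknownActionIsNotApplicable`, or add a comment above it noting that the request's action `urn:nobody` appears to match no rule in the referenced PPS. Every branch of the switch in `validateCase` asserts the same thing, so it reduces to `assertEquals("decision", decisionval, decision);` with the `default` throw kept if unknown expected values should fail loudly. `getPDP` never closes the stream it opens; if `JBossPDP` does not close it itself, close it in a `finally` after the constructor returns.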

Added: projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/locators/rbac/rbac-config.xml
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/locators/rbac/rbac-config.xml	                        (rev 0)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/locators/rbac/rbac-config.xml	2011-03-31 17:53:25 UTC (rev 111084)
@@ -0,0 +1,23 @@
+<ns:jbosspdp xmlns:ns="urn:jboss:xacml:2.0">
+  <ns:Policies> 
+   <ns:PolicySet>
+      <ns:Location>test/policies/rbac/</ns:Location> 
+    </ns:PolicySet>
+    <!-- 
+    <ns:PolicySet>
+      <ns:Location>test/policies/rbac/employee-PPS-policyset.xml</ns:Location> 
+    </ns:PolicySet>
+    <ns:PolicySet>
+      <ns:Location>test/policies/rbac/manager-PPS-policyset.xml</ns:Location> 
+    </ns:PolicySet>
+    <ns:PolicySet>
+      <ns:Location>test/policies/rbac/employee-RPS-policyset.xml</ns:Location> 
+    </ns:PolicySet>
+    <ns:PolicySet>
+      <ns:Location>test/policies/rbac/manager-RPS-policyset.xml</ns:Location> 
+    </ns:PolicySet>  -->
+  </ns:Policies>
+  <ns:Locators>
+    <ns:Locator Name="org.jboss.security.xacml.locators.JBossRBACPolicySetLocator"/>
+  </ns:Locators>
+</ns:jbosspdp>
\ No newline at end of file
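Review bot: The four commented-out `<ns:PolicySet>` entries duplicate what the directory form `<ns:Location>test/policies/rbac/</ns:Location>` already loads, so they are dead configuration that will drift from the real file list as policies are added. Drop them, or replace them with a one-line comment such as `<!-- the directory form above loads every policy set under test/policies/rbac -->`.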


Property changes on: projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/locators/rbac/rbac-config.xml
___________________________________________________________________
Added: svn:executable
   + *

Modified: projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/logging.properties
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/logging.properties	2011-03-31 17:50:39 UTC (rev 111083)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/logging.properties	2011-03-31 17:53:25 UTC (rev 111084)
@@ -17,6 +17,7 @@
 java.util.logging.FileHandler.formatter=java.util.logging.SimpleFormatter
 
 # Set the default logging level for the logger named org.jboss
+org.jboss.security.xacml.level = FINEST
 org.jboss.security.xacml.sunxacml.level = FINEST
 org.opends = FINEST
 com.sun.xml.bind.level = OFF

Added: projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/test/policies/rbac/employee-PPS-policyset.xml
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/test/policies/rbac/employee-PPS-policyset.xml	                        (rev 0)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/test/policies/rbac/employee-PPS-policyset.xml	2011-03-31 17:53:25 UTC (rev 111084)
@@ -0,0 +1,58 @@
+<PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
+	PolicySetId="PPS:employee:role"
+	PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
+	<Target />
+	<!-- Permissions specifically for the employee role -->
+	<Policy PolicyId="Permissions:specifically:for:the:employee:role"
+		RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
+		<Target />
+		<!-- Permission to create a purchase order -->
+		<Rule RuleId="Permission:to:create:a:purchase:order" Effect="Permit">
+			<Target>
+				<Resources>
+					<Resource>
+						<ResourceMatch
+							MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+							<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">purchase order
+							</AttributeValue>
+							<ResourceAttributeDesignator
+								AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" />
+						</ResourceMatch>
+					</Resource>
+				</Resources>
+				<Actions>
+					<Action>
+						<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+							<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create</AttributeValue>
+							<ActionAttributeDesignator AttributeId="urn:action-id"
+								DataType="http://www.w3.org/2001/XMLSchema#string" />
+						</ActionMatch>
+					</Action>
+				</Actions>
+			</Target>
+		</Rule>
+	</Policy>
+	<!-- HasPrivilegesOfRole Policy for employee role -->
+<Policy PolicyId="Permission:to:have:employee:role:permissions"
+	RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
+	<Target />
+	<!-- Permission to have employee role permissions -->
+	<Rule RuleId="Permission:to:have:employee:permissions" Effect="Permit">
+		<Condition>
+			<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+				<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">
+					<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">employee</AttributeValue>
+					<ResourceAttributeDesignator
+						AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="http://www.w3.org/2001/XMLSchema#anyURI" />
+				</Apply>
+				<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">
+					<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">urn:oasis:names:tc:xacml:2.0:actions:hasPrivilegesOfRole
+					</AttributeValue>
+					<ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
+						DataType="http://www.w3.org/2001/XMLSchema#anyURI" />
+				</Apply>
+			</Apply>
+		</Condition>
+	</Rule>
+</Policy>
+</PolicySet>
\ No newline at end of file
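Review bot: The `create` rule's `ActionAttributeDesignator` uses `AttributeId="urn:action-id"`, which does not match the action id used everywhere else in this commit (`urn:oasis:names:tc:xacml:1.0:action:action-id` in the hasPrivilegesOfRole rule and in both request fixtures), so a request carrying the standard action-id can never satisfy that rule's target; the `sign` rule in manager-PPS-policyset.xml has the same attribute id. The resource `AttributeValue` is also split across lines (`purchase order` followed by a newline and tab indentation before `</AttributeValue>`), and `string-equal` compares exactly, so if the loader takes the text verbatim the value will not equal `purchase order` either; the hasPrivilegesOfRole action values in both PPS files carry the same line break. Keep every `<AttributeValue>` on one line and use `AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"` in both files. The shipped requests only ask for hasPrivilegesOfRole, so neither resource rule is exercised and the defect stays silent.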

Added: projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/test/policies/rbac/employee-RPS-policyset.xml
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/test/policies/rbac/employee-RPS-policyset.xml	                        (rev 0)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/test/policies/rbac/employee-RPS-policyset.xml	2011-03-31 17:53:25 UTC (rev 111084)
@@ -0,0 +1,19 @@
+<PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
+PolicySetId="RPS:employee:role"
+PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
+<Target>
+<Subjects>
+<Subject>
+<SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
+<AttributeValue
+DataType="http://www.w3.org/2001/XMLSchema#anyURI">employee</AttributeValue>
+<SubjectAttributeDesignator
+AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
+DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
+</SubjectMatch>
+</Subject>
+</Subjects>
+</Target>
+<!-- Use permissions associated with the employee role -->
+<PolicySetIdReference>PPS:employee:role</PolicySetIdReference>
+</PolicySet>
\ No newline at end of file

Added: projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/test/policies/rbac/manager-PPS-policyset.xml
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/test/policies/rbac/manager-PPS-policyset.xml	                        (rev 0)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/test/policies/rbac/manager-PPS-policyset.xml	2011-03-31 17:53:25 UTC (rev 111084)
@@ -0,0 +1,60 @@
+<PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
+	PolicySetId="PPS:manager:role"
+	PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
+	<Target />
+	<!-- Permissions specifically for the manager role -->
+	<Policy PolicyId="Permissions:specifically:for:the:manager:role"
+		RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
+		<Target />
+		<!-- Permission to sign a purchase order -->
+		<Rule RuleId="Permission:to:sign:a:purchase:order" Effect="Permit">
+			<Target>
+				<Resources>
+					<Resource>
+						<ResourceMatch
+							MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+							<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">purchase order
+							</AttributeValue>
+							<ResourceAttributeDesignator
+								AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" />
+						</ResourceMatch>
+					</Resource>
+				</Resources>
+				<Actions>
+					<Action>
+						<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+							<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">sign</AttributeValue>
+							<ActionAttributeDesignator AttributeId="urn:action-id"
+								DataType="http://www.w3.org/2001/XMLSchema#string" />
+						</ActionMatch>
+					</Action>
+				</Actions>
+			</Target>
+		</Rule>
+	</Policy>
+	<!-- HasPrivilegesOfRole Policy for manager role -->
+<Policy PolicyId="Permission:to:have:manager:role:permissions"
+	RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
+	<Target />
+	<!-- Permission to have manager role permissions -->
+	<Rule RuleId="Permission:to:have:manager:permissions" Effect="Permit">
+		<Condition>
+			<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+				<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">
+					<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">manager</AttributeValue>
+					<ResourceAttributeDesignator
+						AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="http://www.w3.org/2001/XMLSchema#anyURI" />
+				</Apply>
+				<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">
+					<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">urn:oasis:names:tc:xacml:2.0:actions:hasPrivilegesOfRole
+					</AttributeValue>
+					<ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
+						DataType="http://www.w3.org/2001/XMLSchema#anyURI" />
+				</Apply>
+			</Apply>
+		</Condition>
+	</Rule>
+</Policy>
+	<!-- Include permissions associated with employee role -->
+	<PolicySetIdReference>PPS:employee:role</PolicySetIdReference>
+</PolicySet>
\ No newline at end of file

Added: projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/test/policies/rbac/manager-RPS-policyset.xml
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/test/policies/rbac/manager-RPS-policyset.xml	                        (rev 0)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/test/policies/rbac/manager-RPS-policyset.xml	2011-03-31 17:53:25 UTC (rev 111084)
@@ -0,0 +1,19 @@
+<PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
+PolicySetId="RPS:manager:role"
+PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
+<Target>
+<Subjects>
+<Subject>
+<SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
+<AttributeValue
+DataType="http://www.w3.org/2001/XMLSchema#anyURI">manager</AttributeValue>
+<SubjectAttributeDesignator
+AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
+DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
+</SubjectMatch>
+</Subject>
+</Subjects>
+</Target>
+<!-- Use permissions associated with the manager role -->
+<PolicySetIdReference>PPS:manager:role</PolicySetIdReference>
+</PolicySet>
\ No newline at end of file

Added: projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/test/requests/rbac/rbac-request-nopriv.xml
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/test/requests/rbac/rbac-request-nopriv.xml	                        (rev 0)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/test/requests/rbac/rbac-request-nopriv.xml	2011-03-31 17:53:25 UTC (rev 111084)
@@ -0,0 +1,31 @@
+<Request 
+      xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
+      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+      xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os
+         access_control-xacml-2.0-context-schema-os.xsd">
+<Subject>
+<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
+ DataType="http://www.w3.org/2001/XMLSchema#string">
+<AttributeValue>Anne</AttributeValue>
+</Attribute>
+
+<Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
+ DataType="http://www.w3.org/2001/XMLSchema#anyURI">
+<AttributeValue>manager</AttributeValue>
+</Attribute>
+</Subject> 
+
+<Resource>
+<Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
+DataType="http://www.w3.org/2001/XMLSchema#anyURI">
+<AttributeValue>manager</AttributeValue>
+</Attribute>
+</Resource>
+
+<Action>
+<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
+ DataType="http://www.w3.org/2001/XMLSchema#anyURI">
+ <AttributeValue>urn:nobody</AttributeValue>
+</Attribute>
+</Action>
+</Request>
\ No newline at end of file

Added: projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/test/requests/rbac/rbac-request.xml
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/test/requests/rbac/rbac-request.xml	                        (rev 0)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/test/requests/rbac/rbac-request.xml	2011-03-31 17:53:25 UTC (rev 111084)
@@ -0,0 +1,31 @@
+<Request 
+      xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
+      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+      xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os
+         access_control-xacml-2.0-context-schema-os.xsd">
+<Subject>
+<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
+ DataType="http://www.w3.org/2001/XMLSchema#string">
+<AttributeValue>Anne</AttributeValue>
+</Attribute>
+
+<Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
+ DataType="http://www.w3.org/2001/XMLSchema#anyURI">
+<AttributeValue>manager</AttributeValue>
+</Attribute>
+</Subject> 
+
+<Resource>
+<Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
+DataType="http://www.w3.org/2001/XMLSchema#anyURI">
+<AttributeValue>manager</AttributeValue>
+</Attribute>
+</Resource>
+
+<Action>
+<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
+ DataType="http://www.w3.org/2001/XMLSchema#anyURI">
+ <AttributeValue>urn:oasis:names:tc:xacml:2.0:actions:hasPrivilegesOfRole</AttributeValue>
+</Attribute>
+</Action>
+</Request>
\ No newline at end of file


