[jboss-dev-forums] [PicketBox Development] - Re: Make JBossPDP an interface to allow easier insertion of custom PDP.

Brian Krisler do-not-reply at jboss.com
Thu Sep 9 06:58:56 EDT 2010


Brian Krisler [http://community.jboss.org/people/bkrisler] created the discussion

"Re: Make JBossPDP an interface to allow easier insertion of custom PDP."

To view the discussion, visit: http://community.jboss.org/message/560787#560787

--------------------------------------------------------------
What I mean by attributes for a subject is the following.

At the moment, this is a typical policy subject block from a request:

<Subject>
  <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Manager</AttributeValue>
    <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
                                DataType="http://www.w3.org/2001/XMLSchema#string" />
  </SubjectMatch>
  <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Developer</AttributeValue>
    <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
                                DataType="http://www.w3.org/2001/XMLSchema#string" />
  </SubjectMatch>
</Subject>



When a request is made against this policy, it would be in the form of a user id (Bob) and his roles (Manager); this is supporting role-based authorization. However, for attribute-based authorization, the policy would look more like:

<Subject>
  <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:boolean-equal">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#boolean">true</AttributeValue>
    <SubjectAttributeDesignator AttributeId="urn:my-org:manager:attribute"
                                DataType="http://www.w3.org/2001/XMLSchema#boolean" />
  </SubjectMatch>
  <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:boolean-equal">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#boolean">true</AttributeValue>
    <SubjectAttributeDesignator AttributeId="urn:my-org:developer:attribute"
                                DataType="http://www.w3.org/2001/XMLSchema#boolean" />
  </SubjectMatch>
</Subject>

When a request is made against the attribute-based policy the requestor would pass in a list of values as such:

urn:my-org:manager:attribute = true
urn:my-org:developer:attribute = false

In a review of the existing code (EJBXACMLUtil.java for example), it does not allow for such attribute-based values. Instead, it loops over the provided roles and creates the attributes based on the ATTRIBUTEID_ROLE constant.

// From EJBXACMLUtil: the subject's attributes are built only from the caller's
// roles, each one tagged with the fixed ATTRIBUTEID_ROLE attribute id.
List<Role> rolesList = callerRoles.getRoles();
if(rolesList != null)
{
   for(Role role:rolesList)
   {
      String roleName = role.getRoleName();
      // Every role becomes a string attribute with the same attribute id, so a
      // caller has no way to supply arbitrary attribute-id/value pairs here.
      AttributeType attSubjectID = RequestAttributeFactory.createStringAttributeType(
            XACMLConstants.ATTRIBUTEID_ROLE, "jboss.org", roleName);
      subject.getAttribute().add(attSubjectID);
   }
}



Another issue is that the construction of the request is dependent upon the Principal for setting of the subject-id value. We are working on a model where there will never be a Principal object to extract a subject-id. In our case, we will instead pass in a set of attributes for evaluation.

Upon further review, it might just be the helper methods (EJBXACMLUtil and WebXACMLUtil) that will require much modification. The addition of a second method in the util objects for creating these attribute-based request objects might just work. I have not fully reviewed the policy application code in detail yet, but from a cursory glance it appears to be attribute-id agnostic and will just create a Set of attribute/value pairs and then, upon validation, apply the proper attribute function.

Brian

Message was edited by: Brian Krisler  -- Tried to fix XML formatting.
--------------------------------------------------------------
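The role-based and attribute-based <Subject> blocks quoted above, evaluated by a small matcher added here as an illustration (it is not PicketBox or JBossXACML code). It assumes namespace-free XML as shown in the post, treats a request's attributes as bags of values, and treats a missing attribute as no match; it shows that with both policies every SubjectMatch must hold, so the sample request (manager=true, developer=false) does not match the attribute-based Subject.

```python
import xml.etree.ElementTree as ET

XS = "http://www.w3.org/2001/XMLSchema#"
ROLE_ID = "urn:oasis:names:tc:xacml:2.0:subject:role"

# Match functions referenced by the two policies in the post.
MATCH_FUNCTIONS = {
    "urn:oasis:names:tc:xacml:1.0:function:string-equal": lambda a, b: a == b,
    "urn:oasis:names:tc:xacml:1.0:function:boolean-equal": lambda a, b: a == b,
}

def parse_value(text, datatype):
    """Convert an AttributeValue's text to a Python value by its XML Schema DataType."""
    if datatype == XS + "boolean":
        return text.strip().lower() in ("true", "1")
    return text.strip()

def subject_matches(subject_xml, request_attrs):
    """Evaluate one <Subject> target block against a request.

    request_attrs maps attribute-id -> list of values (a bag; a caller may hold
    several roles).  The Subject matches only if EVERY SubjectMatch holds, and a
    SubjectMatch holds if ANY value in the designated bag matches.  A missing
    attribute is treated as no match (real XACML may yield Indeterminate instead).
    """
    subject = ET.fromstring(subject_xml)
    for match in subject.findall("SubjectMatch"):
        fn = MATCH_FUNCTIONS[match.get("MatchId")]
        designator = match.find("SubjectAttributeDesignator")
        datatype = designator.get("DataType")
        policy_value = parse_value(match.find("AttributeValue").text, datatype)
        bag = request_attrs.get(designator.get("AttributeId"), [])
        if not any(fn(policy_value, v) for v in bag):
            return False
    return True

def subject_match_xml(match_fn, datatype, value, attr_id):
    """Build one <SubjectMatch> in the shape used by the post's policies."""
    return (f'<SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:{match_fn}">'
            f'<AttributeValue DataType="{XS}{datatype}">{value}</AttributeValue>'
            f'<SubjectAttributeDesignator AttributeId="{attr_id}" DataType="{XS}{datatype}"/>'
            '</SubjectMatch>')

# Constructed copies of the two <Subject> blocks from the post.
ROLE_POLICY = ("<Subject>" + subject_match_xml("string-equal", "string", "Manager", ROLE_ID)
               + subject_match_xml("string-equal", "string", "Developer", ROLE_ID) + "</Subject>")
ATTR_POLICY = ("<Subject>" + subject_match_xml("boolean-equal", "boolean", "true", "urn:my-org:manager:attribute")
               + subject_match_xml("boolean-equal", "boolean", "true", "urn:my-org:developer:attribute") + "</Subject>")

if __name__ == "__main__":
    print(subject_matches(ROLE_POLICY, {ROLE_ID: ["Manager"]}))               # False: needs both roles
    print(subject_matches(ATTR_POLICY, {"urn:my-org:manager:attribute": [True],
                                        "urn:my-org:developer:attribute": [False]}))  # False
```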
