[jboss-user] [Security & JAAS/JBoss] - JBoss XACML: target based on attribute existence or absence

ffaure32 do-not-reply at jboss.com
Wed Jun 17 09:50:03 EDT 2009

Hi all,

I've got a question concerning XACML policies (I've made some tests on JBoss XACML with unexpected results, that's why I post this message here).

I have not found any way to add a target (on a rule or a policy) that is activated on the presence of an attribute and another one activated on the absence of the attribute.

I've found some workarounds on my policy but I'm not really satisfied with them:
I want to activate one rule A if the attribute MY_ATTRIBUTE_TO_TEST is present and one exclusive rule B if the attribute MY_ATTRIBUTE_TO_TEST is missing.

- to test the presence of the attribute, as I know its value, I just put a SubjectMatch in the target corresponding to this rule:

  | <Target>
  | 	<Subjects>
  | 		<Subject>
  | 			<SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
  | 				<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">true</AttributeValue>
  | 				<SubjectAttributeDesignator AttributeId="MY_ATTRIBUTE_TO_TEST" MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string" />
  | 			</SubjectMatch>
  | 		</Subject>
  | 	</Subjects>
  | </Target>

It works well if the attribute is present, but it seems that the "MustBePresent" flag is not used, as I get an error message in the logs (perhaps due to the other part of my policy, cf. later):
15:25:21,382 ERROR [STDERR] 17 juin 2009 15:25:21 org.jboss.security.xacml.sunxacml.finder.AttributeFinder findAttribute
INFO: Failed to resolve any values for MY_ATTRIBUTE_TO_TEST

I'm bothered by this error message, but I can deal with it.

- to test the absence of this attribute in another rule, I did not manage to handle it with a target.
The only solution I found is to define a boolean variable that is evaluated from the following test:

  | <VariableDefinition VariableId="TESTVARIABLE">
  | 	<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
  | 		<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
  | 			<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
  | 				<SubjectAttributeDesignator AttributeId="MY_ATTRIBUTE_TO_TEST" MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string" />
  | 			</Apply>
  | 			<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">0</AttributeValue>
  | 		</Apply>
  | 	</Apply>
  | </VariableDefinition>

If MY_ATTRIBUTE_TO_TEST is missing, as the "MustBePresent" flag is set to false, it evaluates to an empty bag and the string-bag-size is 0. Then TESTVARIABLE is set to false.

Unfortunately, I can use it in a condition but not in a target! So I can't replace the first solution I had for the target when the attribute is present.

So my policy is a little bit messy:
- one variable definition used in a condition to activate the rule if the attribute is missing
- one test on an attribute value in a target to activate the rule if the attribute is there

I'm sure I'm not clear, but I hope you'll get the point and will be able to help me...
To sum up:
- is there a simple way to test the presence of an attribute in XACML (or is it not in XACML principles)?
- is there a simple way to implement an "else" condition or exclusive targets without writing the tests twice?
- is there a way to remove the error log messages if a missing attribute is possible?

Thanks in advance,
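
Editor's added example (not the poster's policy): a complete XACML 2.0 policy that takes the poster's own bag-size workaround and uses it for both branches. The presence test is written once as a VariableDefinition; rule A references it directly and rule B negates it, so the two rules are complementary and the test is not duplicated. Because both tests sit in Rule Conditions rather than Targets, the first-applicable combining algorithm supplies the "else": rule B is only reached when rule A is NotApplicable. Testing bag size instead of a fixed value also removes the gap the value-based target has, where an attribute present with a value other than "true" matches neither rule. The PolicyId, RuleIds, VariableId and the Permit/Deny effects are illustrative assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example policy, not from the original post.
     PolicyId, RuleIds, VariableId and rule Effects are assumed values. -->
<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
        PolicyId="example:attribute-presence-policy"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">

  <Description>
    Rule A applies when MY_ATTRIBUTE_TO_TEST is present in the request,
    rule B when it is absent. First-applicable makes B the "else" branch.
  </Description>

  <!-- Empty Target: the policy matches every request; the rules decide. -->
  <Target/>

  <!-- True when the attribute carries at least one value.
       MustBePresent="false" turns a missing attribute into an empty bag
       (size 0) instead of an Indeterminate result. -->
  <VariableDefinition VariableId="ATTRIBUTE_PRESENT">
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
        <SubjectAttributeDesignator AttributeId="MY_ATTRIBUTE_TO_TEST"
                                    MustBePresent="false"
                                    DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </Apply>
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">0</AttributeValue>
    </Apply>
  </VariableDefinition>

  <!-- Rule A: attribute present (Effect assumed). -->
  <Rule RuleId="rule-a-attribute-present" Effect="Permit">
    <Condition>
      <VariableReference VariableId="ATTRIBUTE_PRESENT"/>
    </Condition>
  </Rule>

  <!-- Rule B: attribute absent (Effect assumed). The same variable is
       negated, so the presence test is written only once. Under
       first-applicable this rule is evaluated only when rule A is
       NotApplicable, i.e. when the bag is empty. -->
  <Rule RuleId="rule-b-attribute-absent" Effect="Deny">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
        <VariableReference VariableId="ATTRIBUTE_PRESENT"/>
      </Apply>
    </Condition>
  </Rule>

</Policy>
```

If one branch must additionally check the attribute's value, as the poster's string-equal target does, that check belongs in rule A's Condition as well (for example an `and` of ATTRIBUTE_PRESENT and a string-equal on `string-one-and-only` of the designator), so that the absence branch stays the exact complement of the presence branch and no request falls through as NotApplicable.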


View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4238234#4238234
