Our requirement was to manage the relevant policy mapping on the App Manager side and pick policies based on that mapping to increase the re-usability of the policies.
As per the offline chat with Asela, we implemented it by having a custom id attribute in the target element. This is what Farasath suggested too.

Thank you guys for your help!

Rushmin

On Mon, Mar 23, 2015 at 10:24 AM, Asela Pathberiya <[email protected]> wrote:

> On Sun, Mar 22, 2015 at 2:27 PM, Farasath Ahamed <[email protected]> wrote:
> > Hi Rushmin,
> >
> > I suppose you are planning to map the 'conditions' to policyIDs and reuse
> > them.
>
> Yes.. Policy target can be used to pick policies and rules.. But I
> do not think it is a good idea to model to send the policy id in the
> XACML request.. Can't we use some other.. ?
>
> Thanks,
> Asela.
>
> >
> > AFAIK you can send the policyID as an attribute with the XACML request and
> > add the policyID as in the target within the XACML Policy Target to achieve
> > this. You can easily write an AttributeFinder module to get the policyID
> > from wherever you plan to get it from (PolicyID mapped to 'conditions'). This
> > works if you are planning to have a mapping of PolicyID for 'conditions' as
> > you mentioned above.
> >
> > Alternatively you can also use <PolicyIDReference> element to refer to a
> > policy by its ID [1]
> >
> > [1] http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html#_Toc325047116
> >
> > Adding @Asela for further opinion
> >
> > On Sun, Mar 22, 2015 at 7:47 AM, Rushmin Fernando <[email protected]> wrote:
> >>
> >> Thanks Farasath for your response.
> >>
> >> Yes, both would solve my problem.
> >>
> >> So you are saying that we can pass a policy id in the XACML request, so
> >> that the XACML engine will only consider that policy when it comes to
> >> evaluating?
> >>
> >> Thanks
> >> Rushmin
> >>
> >> On Sat, Mar 21, 2015 at 10:21 PM, Farasath Ahamed <[email protected]> wrote:
> >>>
> >>> Hi Rushmin,
> >>>
> >>> So what you basically want is a XACML policy which becomes applicable
> >>> based on a policy ID?
> >>> or do you want to reuse 'conditions' generated by the user by say giving
> >>> them a referenceID or something?
> >>>
> >>> I think both of which are possible in XACML 3.0. Can you elaborate more on
> >>> the condition 'part' you have mentioned above?
> >>>
> >>> On Sat, Mar 21, 2015 at 1:16 PM, Rushmin Fernando <[email protected]> wrote:
> >>>>
> >>>> Hi IS Team,
> >>>>
> >>>> In App Manager we have the following requirement.
> >>>>
> >>>> 1) App creators need to associate authorization rules for URL pattern +
> >>>> HTTP verb combinations
> >>>>
> >>>> 2) They are given a UI to add a URL pattern, select an HTTP verb and
> >>>> then apply an authorization rule.
> >>>>
> >>>> 3) App Manager uses XACML for these authorization rules.
> >>>>
> >>>> 4) Since the 'resource' and 'action' parts of the XACML policy are
> >>>> determined by the aforementioned UI inputs, user is only allowed to write the
> >>>> 'condition' part. And the actual XACML policy is generated using these
> >>>> parts.
> >>>>
> >>>> 5) But the thing is, we need to re-use these 'conditions'. We do it in
> >>>> App Manager level. But we end up with generating XACML policies for
> >>>> 'resource' + 'action' combinations.
> >>>>
> >>>> Is there a way that we can have a single XACML policy which only has the
> >>>> condition 'part' and evaluate the XACML request using that specific policy
> >>>> (by giving the policy ID)?
> >>>>
> >>>> --
> >>>> Rushmin Fernando
> >>>> Technical Lead
> >>>>
> >>>> WSO2 Inc. - Lean . Enterprise . Middleware
> >>>>
> >>>> email : [email protected]
> >>>> mobile : +94772310855
> >>>>
> >>>> _______________________________________________
> >>>> Dev mailing list
> >>>> [email protected]
> >>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
> >>>>
> >>>
> >>> --
> >>> Farasath Ahamed
> >>> Software Engineering Intern
> >>> WSO2 Inc.; http://wso2.com
> >>>
> >>> Mobile: +94 777 603 866
> >>> E-Mail: [email protected]
> >>> Blog: http://thepseudocode.blogspot.com/
> >>
> >> --
> >> Rushmin Fernando
> >> Technical Lead
> >>
> >> WSO2 Inc. - Lean . Enterprise . Middleware
> >>
> >> email : [email protected]
> >> mobile : +94772310855
> >>
> >
> > --
> > Farasath Ahamed
> > Software Engineering Intern
> > WSO2 Inc.; http://wso2.com
> >
> > Mobile: +94 777 603 866
> > E-Mail: [email protected]
> > Blog: http://thepseudocode.blogspot.com/
>
> --
> Thanks & Regards,
> Asela
>
> ATL
> Mobile : +94 777 625 933
>          +358 449 228 979
>

--
*Rushmin Fernando*
*Technical Lead*

WSO2 Inc. <http://wso2.com/> - Lean . Enterprise . Middleware

email : [email protected]
mobile : +94772310855
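Added example, not part of the thread and not WSO2 code: a small Python sketch of the approach settled on above, where each reusable policy carries a custom id in its Target and the App Manager side resolves URL pattern + HTTP verb to that id before building the request. The category and attribute URNs, policy ids, mapping and helper names are all hypothetical, and the sketch assumes the id is taken from the server-side mapping rather than from anything the client sends.

```python
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML}
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
STRING = "http://www.w3.org/2001/XMLSchema#string"
# Hypothetical identifiers for the custom id attribute (not from the thread).
CATEGORY = "urn:example:appm:category:policy-selector"
ATTR_ID = "urn:example:appm:policy-ref"

def policy(policy_id, ref):
    """Constructed policy: Target matches one custom id; the Rule stands in for the condition."""
    return f"""<Policy xmlns="{XACML}" PolicyId="{policy_id}" Version="1.0"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
  <Target><AnyOf><AllOf><Match MatchId="{STRING_EQUAL}">
    <AttributeValue DataType="{STRING}">{ref}</AttributeValue>
    <AttributeDesignator Category="{CATEGORY}" AttributeId="{ATTR_ID}"
        DataType="{STRING}" MustBePresent="true"/>
  </Match></AllOf></AnyOf></Target>
  <Rule RuleId="reusable-condition" Effect="Permit"/>
</Policy>"""

def match(m, request):
    # Only string-equal is handled. A missing attribute counts as "no match" here;
    # a real PDP reports Indeterminate when MustBePresent is true.
    if m.get("MatchId") != STRING_EQUAL:
        raise ValueError("unsupported MatchId in this sketch")
    want = m.find("x:AttributeValue", NS).text.strip()
    d = m.find("x:AttributeDesignator", NS)
    return want in request.get((d.get("Category"), d.get("AttributeId")), [])

def target_matches(policy_xml, request):
    # Target = AND over AnyOf; AnyOf = OR over AllOf; AllOf = AND over Match.
    target = ET.fromstring(policy_xml).find("x:Target", NS)
    return all(any(all(match(m, request) for m in all_of.findall("x:Match", NS))
                   for all_of in any_of.findall("x:AllOf", NS))
               for any_of in target.findall("x:AnyOf", NS))

def applicable(policies, request):
    return [ET.fromstring(p).get("PolicyId") for p in policies if target_matches(p, request)]

# Constructed App Manager mapping: several URL pattern + verb pairs reuse one policy.
MAPPING = {("/admin/*", "POST"): "cond-001", ("/admin/*", "DELETE"): "cond-001",
           ("/reports/*", "GET"): "cond-002"}
POLICIES = [policy("role-is-admin", "cond-001"), policy("office-hours-only", "cond-002")]

def request_for(url_pattern, verb):
    # The id is resolved from the server-side mapping, never copied from client input.
    return {(CATEGORY, ATTR_ID): [MAPPING[(url_pattern, verb)]]}

if __name__ == "__main__":
    print(applicable(POLICIES, request_for("/admin/*", "DELETE")))
```

A request that carries no selector attribute, or an id that no Target names, leaves every policy not applicable, so the PEP has to decide how to treat that result.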
