Hi everyone!

Our organization is trying to implement an authorization scheme based on JBoss' 
XACML library (v2.0.4) and the RBAC profile of XACML. (The RBAC profile is a 
standard specification, available here: 
http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-rbac-profile1-spec-os.pdf).

I had several issues with implementing this profile, mostly related to 
difficulties in finding policies and policy sets by reference.

Therefore I wrote a JUnit test case for the example given in the aforementioned 
document and ran it inside the jboss-xacml project (latest revision on trunk). 

The authorization scenario is the following: there are two roles ('employee' 
and 'manager'), a resource ('purchase order') and two actions ('create' and 
'sign'). The employee can only create purchase orders, while the manager also 
has the ability to sign them.
The policies needed for this scenario are described in greater detail in the 
RBAC profile document, pages 7-12.
For each role there are two policy sets, the role policy set (RPS) and the 
permission policy set (PPS). The RPS is the primary policy set that has to be 
checked first by the PDP and must include a reference to the applicable PPS.
For example, the RPS for employee looks like this (XacmlRolePolicySet-employee.xml):

    <?xml version="1.0" encoding="UTF-8"?>
    <PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
          http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd"
        PolicySetId="RPS:employee:role"
        PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
        <Target>
            <Subjects>
                <Subject>
                    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">urn:example:role-values:employee</AttributeValue>
                        <SubjectAttributeDesignator
                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"
                            AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" />
                    </SubjectMatch>
                </Subject>
            </Subjects>
        </Target>

        <!-- Include permissions associated with employee role -->
        <PolicySetIdReference>PPS:employee:role</PolicySetIdReference>

    </PolicySet>
and the corresponding PPS is (XacmlPermissionPolicySet-employee.xml):

    <?xml version="1.0" encoding="UTF-8"?>
    <PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
          http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd"
        PolicySetId="PPS:employee:role"
        PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
        <Target />
        <Policy
            RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides"
            PolicyId="Permissions:specifically:for:the:employee:role">
            <Description>
                Permissions specifically for the employee role.
            </Description>
            <Target />
            <!-- Permission to create a purchase order -->
            <Rule Effect="Permit" RuleId="Permission:to:create:a:purchase:order">
                <Target>
                    <Resources>
                        <Resource>
                            <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">purchase order</AttributeValue>
                                <ResourceAttributeDesignator
                                    AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                                    DataType="http://www.w3.org/2001/XMLSchema#string" />
                            </ResourceMatch>
                        </Resource>
                    </Resources>
                    <Actions>
                        <Action>
                            <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create</AttributeValue>
                                <ActionAttributeDesignator
                                    DataType="http://www.w3.org/2001/XMLSchema#string"
                                    AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" />
                            </ActionMatch>
                        </Action>
                    </Actions>
                </Target>
            </Rule>
        </Policy>

    </PolicySet>

The JBoss XACML configuration file used 
(src/test/resources/test/config/rbacPolicySetConfig.xml):


    <ns:jbosspdp xmlns:ns="urn:jboss:xacml:2.0">
      <ns:Policies>
        <ns:PolicySet>
          <ns:Location>test/policies/rbac/XacmlRolePolicySet-employee.xml</ns:Location>
          <ns:PolicySet>
            <ns:Location>test/policies/rbac/XacmlPermissionPolicySet-employee.xml</ns:Location>
          </ns:PolicySet>
        </ns:PolicySet>
        <ns:PolicySet>
          <ns:Location>test/policies/rbac/XacmlRolePolicySet-manager.xml</ns:Location>
          <ns:PolicySet>
            <ns:Location>test/policies/rbac/XacmlPermissionPolicySet-manager.xml</ns:Location>
          </ns:PolicySet>
        </ns:PolicySet>
      </ns:Policies>
      <ns:Locators>
        <ns:Locator Name="org.jboss.security.xacml.locators.JBossPolicySetLocator"/>
      </ns:Locators>
    </ns:jbosspdp>

The following request file asks for authorization for an employee that wants to 
create a purchase order. According to the policy, the request should be granted.


    <?xml version="1.0" encoding="UTF-8"?>
    <xacml-context:Request xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
        xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os
          http://docs.oasis-open.org/xacml/access_control-xacml-2.0-context-schema-os.xsd">
        <Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
            <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                    DataType="http://www.w3.org/2001/XMLSchema#string"
                    Issuer="xacml20.rbac.example">
                <AttributeValue>500</AttributeValue>
            </Attribute>
            <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:user-name"
                    DataType="http://www.w3.org/2001/XMLSchema#string"
                    Issuer="xacml20.rbac.example">
                <AttributeValue>Nick the Employee</AttributeValue>
            </Attribute>
            <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
                    DataType="http://www.w3.org/2001/XMLSchema#anyURI"
                    Issuer="xacml20.rbac.example">
                <AttributeValue>urn:example:role-values:employee</AttributeValue>
            </Attribute>
        </Subject>
        <Resource>
            <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                    DataType="http://www.w3.org/2001/XMLSchema#string">
                <AttributeValue>purchase order</AttributeValue>
            </Attribute>
        </Resource>
        <Action>
            <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                    DataType="http://www.w3.org/2001/XMLSchema#string">
                <AttributeValue>create</AttributeValue>
            </Attribute>
        </Action>
        <Environment />
    </xacml-context:Request>

This one is for an employee who wants to sign a purchase order 
(src/test/resources/test/policies/rbac/sign-purchase-order-by-employee-request.xml):

    <?xml version="1.0" encoding="UTF-8"?>
    <xacml-context:Request xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
        xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os
          http://docs.oasis-open.org/xacml/access_control-xacml-2.0-context-schema-os.xsd">
        <Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
            <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                    DataType="http://www.w3.org/2001/XMLSchema#string"
                    Issuer="xacml20.rbac.example">
                <AttributeValue>500</AttributeValue>
            </Attribute>
            <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:user-name"
                    DataType="http://www.w3.org/2001/XMLSchema#string"
                    Issuer="xacml20.rbac.example">
                <AttributeValue>Nick the Employee</AttributeValue>
            </Attribute>
            <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
                    DataType="http://www.w3.org/2001/XMLSchema#anyURI"
                    Issuer="xacml20.rbac.example">
                <AttributeValue>urn:example:role-values:employee</AttributeValue>
            </Attribute>
        </Subject>
        <Resource>
            <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                    DataType="http://www.w3.org/2001/XMLSchema#string">
                <AttributeValue>purchase order</AttributeValue>
            </Attribute>
        </Resource>
        <Action>
            <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                    DataType="http://www.w3.org/2001/XMLSchema#string">
                <AttributeValue>sign</AttributeValue>
            </Attribute>
        </Action>
        <Environment />
    </xacml-context:Request>

This request should be denied, but surprisingly I got 
DECISION_NOT_APPLICABLE. Here is the test method:

    public void testRBACSignPurchaseOrderByEmployee() throws Exception
    {
       // Load the PDP configuration that wires the RPS and PPS files together
       String fileName = "test/config/rbacPolicySetConfig.xml";
       ClassLoader tcl = Thread.currentThread().getContextClassLoader();
       URL configFile = tcl.getResource(fileName);
       assertNotNull("configFile != null", configFile);

       JAXBContext jc = JAXBContext.newInstance("org.jboss.security.xacml.jaxb");
       assertNotNull("JAXBContext is !null", jc);
       Unmarshaller u = jc.createUnmarshaller();
       JAXBElement<?> j = (JAXBElement<?>) u.unmarshal(configFile);
       assertNotNull("JAXBElement is !null", j);

       PolicyDecisionPoint pdp = new JBossPDP(j);
       // Employee asking to sign a purchase order: expected DENY
       TestCase.assertEquals("Sign purchase order by employee should be denied",
             XACMLConstants.DECISION_DENY, XACMLTestUtil.getDecision(pdp,
             "test/policies/rbac/sign-purchase-order-by-employee-request.xml"));
    }


The JUnit test case is a slight adaptation of JBossXACMLConfigUnitTestCase.
I ran the test from inside Eclipse SDK and as part of Maven build process, and 
the results were the same.

So my questions are:
How can this result be explained? Have I done anything wrong on the 
configuration level?
Can I configure/implement a policy (module) finder that would discover the 
policies referenced by PolicySetIdReference or PolicyIdReference elements?
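To make the semantics of the policy sets above concrete, here is an added example (written for this page, not code from jboss-xacml or the RBAC profile): a minimal XACML 2.0 evaluator in Python. It loads trimmed copies of the employee RPS/PPS shown above plus a manager pair built on the same RBAC-profile pattern (the manager PPS is an assumption: it grants 'sign' and references PPS:employee:role so that managers inherit 'create'), indexes every PolicySet and Policy by id so that PolicySetIdReference can be resolved (the job a reference-aware policy finder would do), and evaluates the requests from the post. The evaluator only implements the equality match functions and the permit-overrides combining algorithms that these policies use. The point it demonstrates is that a request which matches the RPS target but no Permit rule in the PPS combines to NotApplicable, not Deny, so the PEP has to treat anything other than Permit as a refusal.

```python
"""Minimal XACML 2.0 evaluator for the RBAC-profile policy sets discussed above.
Added example, not jboss-xacml code. Only anyURI-equal/string-equal matching and
permit-overrides combining are supported, which is all these policies use."""
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
EQUAL_FUNCS = {"urn:oasis:names:tc:xacml:1.0:function:anyURI-equal",
               "urn:oasis:names:tc:xacml:1.0:function:string-equal"}
CATEGORY = {"SubjectMatch": "subject", "ResourceMatch": "resource", "ActionMatch": "action"}


def q(tag):  # qualified tag name in the XACML 2.0 policy namespace
    return "{%s}%s" % (XACML, tag)


# Constructed policy sets: trimmed copies of the RPS/PPS on the page, generated
# per role. The manager PPS (sign + reference to the employee PPS) is assumed.
def rps_xml(role):
    return f"""<PolicySet xmlns="{XACML}" PolicySetId="RPS:{role}:role"
  PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
  <Target><Subjects><Subject>
    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">urn:example:role-values:{role}</AttributeValue>
      <SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#anyURI"
        AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"/>
    </SubjectMatch></Subject></Subjects></Target>
  <PolicySetIdReference>PPS:{role}:role</PolicySetIdReference>
</PolicySet>"""


def pps_xml(role, action, inherits=()):
    refs = "".join(f"<PolicySetIdReference>PPS:{r}:role</PolicySetIdReference>" for r in inherits)
    return f"""<PolicySet xmlns="{XACML}" PolicySetId="PPS:{role}:role"
  PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
  <Target/>
  <Policy PolicyId="Permissions:specifically:for:the:{role}:role"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
    <Target/>
    <Rule Effect="Permit" RuleId="Permission:to:{action}:a:purchase:order"><Target>
      <Resources><Resource><ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">purchase order</AttributeValue>
        <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
          DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </ResourceMatch></Resource></Resources>
      <Actions><Action><ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">{action}</AttributeValue>
        <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
          DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </ActionMatch></Action></Actions>
    </Target></Rule>
  </Policy>{refs}
</PolicySet>"""


def load_store(*xml_docs):
    """Index every PolicySet/Policy by id so *IdReference elements can be resolved."""
    store = {}
    for doc in xml_docs:
        for el in ET.fromstring(doc).iter():
            if el.tag == q("PolicySet"):
                store[el.get("PolicySetId")] = el
            elif el.tag == q("Policy"):
                store[el.get("PolicyId")] = el
    return store


def match_one(m, request):
    """One *Match element: compare the literal AttributeValue with the request attribute."""
    if m.get("MatchId") not in EQUAL_FUNCS:
        raise ValueError("unsupported MatchId " + m.get("MatchId"))
    cat = CATEGORY[m.tag.split("}")[1]]
    value = m.find(q("AttributeValue")).text.strip()
    attr_id = [c for c in m if c.tag.endswith("AttributeDesignator")][0].get("AttributeId")
    # A missing attribute is simply no match here; in full XACML it may be
    # Indeterminate, but in neither case is it a Permit.
    return request.get(cat, {}).get(attr_id) == value


def match_target(target, request):
    """Empty Target matches everything; every Subjects/Resources/Actions section
    must match; a section matches if any entry matches; an entry matches if all
    of its *Match elements match."""
    if target is None or len(target) == 0:
        return True
    return all(any(all(match_one(m, request) for m in entry) for entry in section)
               for section in target)


def permit_overrides(decisions):
    if "Permit" in decisions:
        return "Permit"
    if "Deny" in decisions:
        return "Deny"
    return "NotApplicable"   # no rule applied: NOT a Deny


def evaluate(node, request, store):
    """Evaluate a PolicySet, Policy, Rule or *IdReference against a request."""
    tag = node.tag.split("}")[1]
    if tag.endswith("IdReference"):
        ref = node.text.strip()
        if ref not in store:   # the finder could not locate the referenced policy
            raise LookupError("unresolved reference " + ref)
        return evaluate(store[ref], request, store)
    if not match_target(node.find(q("Target")), request):
        return "NotApplicable"
    if tag == "Rule":
        return node.get("Effect")
    kids = [c for c in node if c.tag.split("}")[1] in
            ("PolicySet", "Policy", "Rule", "PolicySetIdReference", "PolicyIdReference")]
    return permit_overrides([evaluate(c, request, store) for c in kids])


def pep_allows(decision):
    """Deny by default: only an explicit Permit opens the door."""
    return decision == "Permit"


STORE = load_store(rps_xml("employee"), pps_xml("employee", "create"),
                   rps_xml("manager"), pps_xml("manager", "sign", inherits=("employee",)))


def decide(role, action, store=STORE):
    """Top-level PDP decision; evaluation starts at the RPSs only, as the profile requires."""
    request = {"subject": {"urn:oasis:names:tc:xacml:2.0:subject:role": f"urn:example:role-values:{role}"},
               "resource": {"urn:oasis:names:tc:xacml:1.0:resource:resource-id": "purchase order"},
               "action": {"urn:oasis:names:tc:xacml:1.0:action:action-id": action}}
    return permit_overrides([evaluate(store[f"RPS:{r}:role"], request, store)
                             for r in ("employee", "manager")])


if __name__ == "__main__":
    for role, action in (("employee", "create"), ("employee", "sign"), ("manager", "sign")):
        d = decide(role, action)
        print(f"{role:8} {action:6} -> {d:14} PEP allows: {pep_allows(d)}")
```

Running it prints Permit for employee/create and manager/sign, and NotApplicable for employee/sign: the employee RPS target matches the role, but the only rule in the referenced PPS is for 'create', so permit-overrides has nothing but NotApplicable to combine. The `pep_allows` check is the part that matters operationally: the enforcement point must refuse on anything other than Permit, and an unresolved reference is raised as an error rather than silently collapsing into NotApplicable.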

View the original post: 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4262470#4262470
_______________________________________________
jboss-user mailing list
https://lists.jboss.org/mailman/listinfo/jboss-user