Table of Contents
The following sections display usage of JBossXACML in various bindings.
The Policy File that we will use as an example for the Web Binding Layer is shown below.
<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
RuleCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides"
Version="2.0" PolicyId="ExamplePolicy">
<Target>
<Resources>
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
<AttributeValue
DataType=
"http://www.w3.org/2001/XMLSchema#anyURI">http://test/developer-guide.html</AttributeValue>
<ResourceAttributeDesignator
DataType=
"http://www.w3.org/2001/XMLSchema#anyURI"
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
</ResourceMatch>
</Resource>
</Resources>
</Target>
<Rule Effect="Permit" RuleId="ReadRule">
<Target>
<Actions>
<Action>
<ActionMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType=
"http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
<ActionAttributeDesignator
DataType="http://www.w3.org/2001/XMLSchema#string"
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"/>
</ActionMatch>
</Action>
</Actions>
</Target>
<Condition>
<Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
<AttributeValue
DataType=
"http://www.w3.org/2001/XMLSchema#string">developer</AttributeValue>
<SubjectAttributeDesignator
DataType="http://www.w3.org/2001/XMLSchema#string"
AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" />
</Apply>
</Condition>
</Rule>
<!-- If none of the rules apply, deny the request -->
<Rule Effect="Deny" RuleId="DenyRule"/>
</Policy>
This policy file basically provides access to the url when the subject has a role of "developer". All other requests are denied because of the explicit rule at the bottom of the policy file, without which the PDP would have returned a decision of NotAPPLICABLE.
If we would like to construct the policy dynamically, then we will need to use the Object Model provided with JBoss XACML that is based on JAXB v2.0 and above. The code listing is shown below:
import java.net.URI;
import java.security.Principal;
import java.security.acl.Group;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.xml.bind.JAXBElement;
import junit.framework.TestCase;
import org.jboss.security.xacml.core.JBossPDP;
import org.jboss.security.xacml.core.model.policy.ActionMatchType;
import org.jboss.security.xacml.core.model.policy.ActionType;
import org.jboss.security.xacml.core.model.policy.ActionsType;
import org.jboss.security.xacml.core.model.policy.ApplyType;
import org.jboss.security.xacml.core.model.policy.AttributeValueType;
import org.jboss.security.xacml.core.model.policy.ConditionType;
import org.jboss.security.xacml.core.model.policy.EffectType;
import org.jboss.security.xacml.core.model.policy.ExpressionType;
import org.jboss.security.xacml.core.model.policy.FunctionType;
import org.jboss.security.xacml.core.model.policy.ObjectFactory;
import org.jboss.security.xacml.core.model.policy.PolicyType;
import org.jboss.security.xacml.core.model.policy.ResourceMatchType;
import org.jboss.security.xacml.core.model.policy.ResourceType;
import org.jboss.security.xacml.core.model.policy.ResourcesType;
import org.jboss.security.xacml.core.model.policy.RuleType;
import org.jboss.security.xacml.core.model.policy.SubjectAttributeDesignatorType;
import org.jboss.security.xacml.core.model.policy.TargetType;
import org.jboss.security.xacml.factories.PolicyAttributeFactory;
import org.jboss.security.xacml.factories.PolicyFactory;
import org.jboss.security.xacml.interfaces.PolicyDecisionPoint;
import org.jboss.security.xacml.interfaces.PolicyLocator;
import org.jboss.security.xacml.interfaces.RequestContext;
import org.jboss.security.xacml.interfaces.XACMLConstants;
import org.jboss.security.xacml.interfaces.XACMLPolicy;
import org.jboss.security.xacml.interfaces.XMLSchemaConstants;
import org.jboss.security.xacml.locators.JBossPolicyLocator;
import org.jboss.test.security.xacml.factories.util.XACMLTestUtil;
public void testWebBinding() throws Exception
{
PolicyType policyType = constructPolicy();
PolicyDecisionPoint pdp = new JBossPDP();
XACMLPolicy policy = PolicyFactory.createPolicy(policyType);
Set<XACMLPolicy> policies = new HashSet<XACMLPolicy>();
policies.add(policy);
pdp.setPolicies(policies);
//Add the basic locators also
PolicyLocator policyLocator = new JBossPolicyLocator();
policyLocator.setPolicies(policies);
//Locators need to be given the policies
Set<PolicyLocator> locators = new HashSet<PolicyLocator>();
locators.add(policyLocator);
pdp.setLocators(locators);
assertNotNull("JBossPDP is != null", pdp);
Principal p = new Principal()
{
public String getName()
{
return "testuser";
}
};
//Create Role Group
Group grp = XACMLTestUtil.getRoleGroup("developer");
String requestURI = "http://test/developer-guide.html";
HttpRequestUtil util = new HttpRequestUtil();
HttpServletRequest req = util.createRequest(p, requestURI);
//Check PERMIT condition
WebPEP pep = new WebPEP();
RequestContext request = pep.createXACMLRequest(req, p, grp);
if(debug)
request.marshall(System.out);
assertEquals("Access Allowed?",
XACMLConstants.DECISION_PERMIT,
XACMLTestUtil.getDecision(pdp,request));
}
public void testNegativeAccessWebBinding() throws Exception
{
PolicyType policyType = constructPolicy();
PolicyDecisionPoint pdp = new JBossPDP();
XACMLPolicy policy = PolicyFactory.createPolicy(policyType);
Set<XACMLPolicy> policies = new HashSet<XACMLPolicy>();
policies.add(policy);
pdp.setPolicies(policies);
//Add the basic locators also
PolicyLocator policyLocator = new JBossPolicyLocator();
//Locators need to be given the policies
policyLocator.setPolicies(policies);
Set<PolicyLocator> locators = new HashSet<PolicyLocator>();
locators.add(policyLocator);
pdp.setLocators(locators);
assertNotNull("JBossPDP is != null", pdp);
Principal p = new Principal()
{
public String getName()
{
return "testuser";
}
};
//Create Role Group
Group grp = XACMLTestUtil.getRoleGroup("imposter");
String requestURI = "http://test/developer-guide.html";
HttpRequestUtil util = new HttpRequestUtil();
HttpServletRequest req = util.createRequest(p, requestURI);
//Check DENY condition
WebPEP pep = new WebPEP();
RequestContext request = pep.createXACMLRequest(req, p, grp);
if(debug)
request.marshall(System.out);
assertEquals("Access Disallowed?", XACMLConstants.DECISION_DENY,
XACMLTestUtil.getDecision(pdp,request));
}
private PolicyType constructPolicy() throws Exception
{
ObjectFactory objectFactory = new ObjectFactory();
String PERMIT_OVERRIDES=
"urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides";
PolicyType policyType = new PolicyType();
policyType.setPolicyId("ExamplePolicy");
policyType.setVersion("2.0");
policyType.setRuleCombiningAlgId(PERMIT_OVERRIDES);
//Create a target
TargetType targetType = new TargetType();
ResourcesType resourcesType = new ResourcesType();
ResourceType resourceType = new ResourceType();
ResourceMatchType rmt = new ResourceMatchType();
rmt.setMatchId(XACMLConstants.FUNCTION_ANYURI_EQUALS);
rmt.setResourceAttributeDesignator(
PolicyAttributeFactory.createAttributeDesignatorType(
XACMLConstants.RESOURCE_IDENTIFIER,
XMLSchemaConstants.DATATYPE_ANYURI));
rmt.setAttributeValue(PolicyAttributeFactory.createAnyURIAttributeType(
new URI("http://test/developer-guide.html")));
resourceType.getResourceMatch().add(rmt);
resourcesType.getResource().add(resourceType);
targetType.setResources(resourcesType);
policyType.setTarget(targetType);
//Create a Rule
RuleType permitRule = new RuleType();
permitRule.setRuleId("ReadRule");
permitRule.setEffect(EffectType.PERMIT);
ActionsType permitRuleActionsType = new ActionsType();
ActionType permitRuleActionType = new ActionType();
ActionMatchType amct = new ActionMatchType();
amct.setMatchId("urn:oasis:names:tc:xacml:1.0:function:string-equal");
amct.setAttributeValue(
PolicyAttributeFactory.createStringAttributeType("read"));
amct.setActionAttributeDesignator(
PolicyAttributeFactory.createAttributeDesignatorType(
XACMLConstants.ACTION_IDENTIFIER,
XMLSchemaConstants.DATATYPE_STRING));
permitRuleActionType.getActionMatch().add(amct);
TargetType permitRuleTargetType = new TargetType();
permitRuleActionsType.getAction().add(permitRuleActionType);
permitRuleTargetType.setActions(permitRuleActionsType);
permitRule.setTarget(permitRuleTargetType);
ConditionType permitRuleConditionType = new ConditionType();
FunctionType functionType = new FunctionType();
functionType.setFunctionId(XACMLConstants.FUNCTION_STRING_EQUAL);
JAXBElement<ExpressionType> jaxbElementFunctionType =
objectFactory.createExpression(functionType);
permitRuleConditionType.setExpression(jaxbElementFunctionType);
ApplyType permitRuleApplyType = new ApplyType();
permitRuleApplyType.setFunctionId(XACMLConstants.FUNCTION_STRING_IS_IN);
SubjectAttributeDesignatorType sadt =
PolicyAttributeFactory.createSubjectAttributeDesignatorType(
XACMLConstants.SUBJECT_ROLE_IDENTIFIER,
XMLSchemaConstants.DATATYPE_STRING);
JAXBElement<SubjectAttributeDesignatorType> sadtElement =
objectFactory.createSubjectAttributeDesignator(sadt);
AttributeValueType avt =
PolicyAttributeFactory.createStringAttributeType("developer");
JAXBElement<AttributeValueType> jaxbAVT =
objectFactory.createAttributeValue(avt);
permitRuleApplyType.getExpression().add(jaxbAVT);
permitRuleApplyType.getExpression().add(sadtElement);
permitRuleConditionType.setExpression(
objectFactory.createApply(permitRuleApplyType));
permitRule.setCondition(permitRuleConditionType);
policyType.
getCombinerParametersOrRuleCombinerParametersOrVariableDefinition().
add(permitRule);
//Create a Deny Rule
RuleType denyRule = new RuleType();
denyRule.setRuleId("DenyRule");
denyRule.setEffect(EffectType.DENY);
policyType.
getCombinerParametersOrRuleCombinerParametersOrVariableDefinition().
add(denyRule);
return policyType;
}