xacml-dev message



Subject: Re: [xacml-dev] XACML Target question


Hi,

Do you mean to ask whether there are realtime scenarios where there would be a series of targets which would refine one another?

The PolicySet target would be fairly abstract and by the time you got to the rule, it would be more specific? Yes of course.

One such example is when you protect a web-app. You will have a top-level target which may restrict common things across the entire web-app. For instance you may want to restrict access to the web-app based on the HTTP method (e.g. GET) and the authentication method used (e.g. FORM). This would be expressed as a target inside a top-level policy set PS1.

Then PS1 would contain several policies (or policy sets) that would focus on sub-parts of the web-app. You may have a policy Px per webpage of the web-app. The target of each policy might then contain a resource id set to '/URL/to/my/webapp/pagex.html'.

Each one of those policies Px might then contain rules with their own targets. For instance for the web-app page 'management.html' protected by P1, you may want to restrict the access to those users with an administrator role.

Example in XACML 3.0:


<?xml version="1.0" encoding="UTF-8"?>
<xacml3:PolicySet xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable" PolicySetId="ps1" Version="1">
  <xacml3:Description>scenario where there may be multiple restricted Target elements</xacml3:Description>
  <xacml3:PolicySetDefaults><xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion></xacml3:PolicySetDefaults>
  <xacml3:Target>
    <xacml3:AnyOf>
      <xacml3:AllOf>
        <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
          <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">GET</xacml3:AttributeValue>
          <xacml3:AttributeDesignator AttributeId="urn:axiomatics:servlet:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#anyURI" MustBePresent="false"/>
        </xacml3:Match>
        <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">basic-user</xacml3:AttributeValue>
          <xacml3:AttributeDesignator AttributeId="urn:org:apache:tomcat:user-role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
        </xacml3:Match>
        <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">FORM</xacml3:AttributeValue>
          <xacml3:AttributeDesignator AttributeId="urn:axiomatics:servlet:subject:authentication-method" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
        </xacml3:Match>
      </xacml3:AllOf>
    </xacml3:AnyOf>
  </xacml3:Target>
  <xacml3:Policy PolicyId="p1-management" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides" Version="1.0">
    <xacml3:Description>restrict access to user mgmt page to administrators</xacml3:Description>
    <xacml3:PolicyDefaults><xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion></xacml3:PolicyDefaults>
    <xacml3:Target>
      <xacml3:AnyOf>
        <xacml3:AllOf>
          <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
            <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">management.jspx</xacml3:AttributeValue>
            <xacml3:AttributeDesignator AttributeId="urn:axiomatics:servlet:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#anyURI" MustBePresent="false"/>
          </xacml3:Match>
        </xacml3:AllOf>
      </xacml3:AnyOf>
    </xacml3:Target>
    <xacml3:Rule Effect="Permit" RuleId="r1-administrator-access">
      <xacml3:Description>let administrators control the page</xacml3:Description>
      <xacml3:Target>
        <xacml3:AnyOf>
          <xacml3:AllOf>
            <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">administrator</xacml3:AttributeValue>
              <xacml3:AttributeDesignator AttributeId="urn:org:apache:tomcat:user-role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
            </xacml3:Match>
            <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">edit</xacml3:AttributeValue>
              <xacml3:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
            </xacml3:Match>
          </xacml3:AllOf>
        </xacml3:AnyOf>
      </xacml3:Target>
    </xacml3:Rule>
  </xacml3:Policy>
</xacml3:PolicySet>


Cheers,
David.

On Sun, Mar 13, 2011 at 1:29 PM, Security Developer <security.developer22@gmail.com> wrote:
Hi.

Is there a real time scenario where there may be multiple restricted Target elements? e.g.

<PolicySet>
    <Target>
        .....................
    </Target>
    <Policy>
        <Target>
            .....................
        </Target>
        <Rule>
            <Target>
                .....................
            </Target>
        </Rule>
    </Policy>
</PolicySet> and so on

Thanks.




--
David Brossard, M.Eng, SCEA, CSTP
Solutions Architect
+46(0)760 25 85 75
Axiomatics AB
Skeppsbron 40
S-111 30 Stockholm, Sweden
http://www.linkedin.com/companies/536082
http://www.axiomatics.com
http://twitter.com/axiomatics
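Added example (not part of the thread, and not Axiomatics or OASIS code): a small Python evaluator for the PolicySet David posted, showing how the three nested Targets narrow the set of requests that reach the Permit rule. It implements only what this policy uses (Target/AnyOf/AllOf/Match, string-equal and anyURI-equal, first-applicable and deny-overrides) and leaves out Conditions, obligations and Indeterminate handling. The policy is the one from the message, re-keyed on a default namespace; the three request dictionaries are constructed for the example and map (category, attribute id) to a bag of values.

```python
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"

# The PolicySet from the thread (PolicySet target -> Policy target -> Rule target).
POLICY_XML = f"""<PolicySet xmlns="{NS['x']}" PolicySetId="ps1" Version="1"
  PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable">
  <Target><AnyOf><AllOf>
    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">GET</AttributeValue>
      <AttributeDesignator AttributeId="urn:axiomatics:servlet:action:action-id" Category="{ACTION}" DataType="http://www.w3.org/2001/XMLSchema#anyURI" MustBePresent="false"/>
    </Match>
    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">basic-user</AttributeValue>
      <AttributeDesignator AttributeId="urn:org:apache:tomcat:user-role" Category="{SUBJECT}" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
    </Match>
    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">FORM</AttributeValue>
      <AttributeDesignator AttributeId="urn:axiomatics:servlet:subject:authentication-method" Category="{SUBJECT}" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
    </Match>
  </AllOf></AnyOf></Target>
  <Policy PolicyId="p1-management" Version="1.0"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
    <Target><AnyOf><AllOf>
      <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">management.jspx</AttributeValue>
        <AttributeDesignator AttributeId="urn:axiomatics:servlet:resource:resource-id" Category="{RESOURCE}" DataType="http://www.w3.org/2001/XMLSchema#anyURI" MustBePresent="false"/>
      </Match>
    </AllOf></AnyOf></Target>
    <Rule RuleId="r1-administrator-access" Effect="Permit">
      <Target><AnyOf><AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">administrator</AttributeValue>
          <AttributeDesignator AttributeId="urn:org:apache:tomcat:user-role" Category="{SUBJECT}" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
        </Match>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">edit</AttributeValue>
          <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="{ACTION}" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
        </Match>
      </AllOf></AnyOf></Target>
    </Rule>
  </Policy>
</PolicySet>"""

# Both equality functions used by this policy: the literal against one bag value.
FUNCTIONS = {
    "urn:oasis:names:tc:xacml:1.0:function:string-equal": lambda a, b: a == b,
    "urn:oasis:names:tc:xacml:1.0:function:anyURI-equal": lambda a, b: a == b,
}

def match_applies(m, request):
    # A Match is true if the function holds for at least one value in the bag.
    # MustBePresent="false" turns a missing attribute into an empty bag: no match.
    fn = FUNCTIONS[m.get("MatchId")]
    literal = m.find("x:AttributeValue", NS).text
    d = m.find("x:AttributeDesignator", NS)
    bag = request.get((d.get("Category"), d.get("AttributeId")), ())
    return any(fn(literal, v) for v in bag)

def target_applies(node, request):
    # Target = AND over AnyOf; AnyOf = OR over AllOf; AllOf = AND over Match.
    target = node.find("x:Target", NS)
    if target is None:          # an absent Target matches every request
        return True
    return all(any(all(match_applies(m, request) for m in allof.findall("x:Match", NS))
                   for allof in anyof.findall("x:AllOf", NS))
               for anyof in target.findall("x:AnyOf", NS))

def evaluate(node, request):
    # Permit / Deny / NotApplicable for a PolicySet, Policy or Rule element.
    if not target_applies(node, request):
        return "NotApplicable"
    kind = node.tag.split("}")[1]
    if kind == "Rule":          # the page's rule has no Condition
        return node.get("Effect")
    children = [c for c in node if c.tag.split("}")[1] in ("PolicySet", "Policy", "Rule")]
    results = [evaluate(c, request) for c in children]
    alg = node.get("PolicyCombiningAlgId") or node.get("RuleCombiningAlgId")
    if alg.endswith("first-applicable"):
        return next((r for r in results if r != "NotApplicable"), "NotApplicable")
    if alg.endswith("deny-overrides"):
        return "Deny" if "Deny" in results else "Permit" if "Permit" in results else "NotApplicable"
    raise ValueError(f"unsupported combining algorithm {alg}")

def decide(request):
    return evaluate(ET.fromstring(POLICY_XML), request)

# Constructed requests: a form-authenticated GET of management.jspx with an "edit" action-id.
ADMIN_EDIT = {
    (ACTION, "urn:axiomatics:servlet:action:action-id"): ["GET"],
    (ACTION, "urn:oasis:names:tc:xacml:1.0:action:action-id"): ["edit"],
    (SUBJECT, "urn:axiomatics:servlet:subject:authentication-method"): ["FORM"],
    (SUBJECT, "urn:org:apache:tomcat:user-role"): ["basic-user", "administrator"],
    (RESOURCE, "urn:axiomatics:servlet:resource:resource-id"): ["management.jspx"],
}
BASIC_USER = {**ADMIN_EDIT, (SUBJECT, "urn:org:apache:tomcat:user-role"): ["basic-user"]}
BASIC_AUTH = {**ADMIN_EDIT, (SUBJECT, "urn:axiomatics:servlet:subject:authentication-method"): ["BASIC"]}

if __name__ == "__main__":
    for name, req in [("admin", ADMIN_EDIT), ("basic user", BASIC_USER), ("basic auth", BASIC_AUTH)]:
        print(f"{name}: {decide(req)}")   # Permit, NotApplicable, NotApplicable
```

Two things the run makes visible. The PolicySet target asks for the basic-user role, so an administrator is only permitted when the PDP sees both roles in the role bag; an administrator-only subject stops at the rule target. And because every designator carries MustBePresent="false", an attribute the PEP forgets to send (here the FORM authentication method) yields an empty bag and a silent NotApplicable rather than an error, which is why a PEP should treat NotApplicable as deny.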


