Subject: Re: [xacml-users] Hierarchical resources policy and request file
Hi Anne,

Can you help me with the Context Handler part of your solution. Do you mean
something like the attached class and request and policy files? (Note: I am
using Sun's XACML 1.1 implementation.) Please ignore comments and println in
the code. I am just getting myself accustomed to the flow.

Thanks,
Dhirendra Sharma

--- Anne Anderson <Anne.Anderson@sun.com> wrote:

> Dhirendra,
>
> This would be more elegant if we had defined a "resource-descendant-or-self"
> AttributeId, or better yet if we had defined generic functions:
> "<type>-ancestor", "<type>-descendant", "<type>-parent", ... that took any
> hierarchical AttributeId as their parameter and returned the bag of
> satisfying values. You could always define such extensions yourself.
>
> Using Section 4.1 of the Hierarchical Resource Profile
> (http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-hier-profile-spec-os.pdf)
> the following should work:
>
> Let the Resource Attribute "urn:oasis:names:tc:xacml:1.0:resource-id" in
> the Request indicate the company to be read. Let the Subject have a
> "urn:namespace:subject-company" Attribute that indicates that subject's
> "company" Attribute (the top-level company to which the subject belongs).
> Assume the DataType of both Attributes is "xs:anyURI".
>
> The Context Handler must be written to have awareness of the company
> hierarchy. In this case (here is the inelegant part), the hierarchy is
> going to be "upside-down", which works because multiple "parents" are
> allowed:
>
> 1) if asked for AttributeId "urn:oasis:names:tc:xacml:2.0:resource-parent",
> the Context Handler needs to return a bag containing the company-id's of
> all companies that are direct subsidiaries of the requested resource
>
> 2) if asked for "urn:oasis:names:tc:xacml:2.0:resource-ancestor", the
> Context Handler needs to return a bag containing the company-id's of all
> companies that are direct or indirect subsidiaries of the requested
> resource.
>
> 3) if asked for "urn:oasis:names:tc:xacml:2.0:resource-ancestor-or-self",
> the Context Handler needs to return a bag containing the company-id's of
> all companies that are direct or indirect subsidiaries of the requested
> resource as well as the resource-id in the Request.
>
> To specify 1) in a Rule,
>
> <Rule RuleId="..." Effect="Permit">
>   <Condition>
>     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">
>       <SubjectAttributeDesignator
>           AttributeId="urn:namespace:subject-company"
>           DataType="xs:anyURI" />
>       <ResourceAttributeDesignator
>           AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
>           DataType="xs:anyURI" />
>     </Apply>
>   </Condition>
> </Rule>
>
> To specify 2) in a Rule,
>
> <Rule RuleId="..." Effect="Permit">
>   <Condition>
>     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">
>       <SubjectAttributeDesignator
>           AttributeId="urn:namespace:subject-company"
>           DataType="xs:anyURI" />
>       <ResourceAttributeDesignator
>           AttributeId="urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor-or-self"
>           DataType="xs:anyURI" />
>     </Apply>
>   </Condition>
> </Rule>
>
> Regards,
> Anne Anderson
>
> dhirendra sharma wrote:
> >
> > Hi,
> >
> > We need to specify the policy for the below:
> >
> > 1). A user should be able to "read" a company (Example: ABC Inc) provided
> > he has the "ABC-Read" role and should have "ABC Inc" as the company
> > attribute value in his profile.
> >
> > 2). A user should be able to "read" a company (Example: ABC) and any of
> > its subsidiaries provided he has the "ABC-Read" role and should have
> > "ABC Inc" or any of its subsidiaries as the company attribute value in
> > his profile.
> >
> > The request could be made giving a company id which could fall anywhere
> > in the subsidiary hierarchy and we need to get a response whether the
> > user is authorized or not.
> >
> > Can someone suggest a policy file and request XML for this?
> >
> > Thanks,
> > Dhirendra Sharma
>
> --
> Anne H. Anderson               Anne.Anderson@sun.com
> Sun Microsystems Labs          1-781-442-0928
> Burlington, MA USA
import com.sun.xacml.EvaluationCtx;
import com.sun.xacml.attr.AnyURIAttribute;
import com.sun.xacml.attr.AttributeDesignator;
import com.sun.xacml.attr.BagAttribute;
import com.sun.xacml.cond.EvaluationResult;
import com.sun.xacml.ctx.Status;
import com.sun.xacml.finder.AttributeFinderModule;

import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Set;

/**
 * AttributeFinderModule playing the Context Handler role from Anne's reply:
 * when the PDP asks for the resource-ancestor-or-self attribute of the
 * requested company, it returns the bag of company ids (the company and its
 * subsidiaries) that the policy's anyURI-is-in condition tests against.
 */
public class ResourceAttributeFinderModule extends AttributeFinderModule {

    // the one and only attribute identifier that this module supports;
    // it must match the ResourceAttributeDesignator in the policy
    private static final String SUPPORTED_ATTRIBUTE_ID =
        "urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor-or-self";

    // the identifier and type of the requested resource (the company id)
    private static final String COMPANY =
        "urn:oasis:names:tc:xacml:1.0:resource:resource-id";
    private static final String COMPANY_TYPE = AnyURIAttribute.identifier;

    // URI versions of the resource data
    private URI companyId;
    private URI companyType;

    /**
     * Default constructor.
     */
    public ResourceAttributeFinderModule() throws URISyntaxException {
        // setup the resource identifier information
        companyId = new URI(COMPANY);
        companyType = new URI(COMPANY_TYPE);

        // this code doesn't do it, but this would be a good place to set up a
        // cache if you don't want to fetch the hierarchy each time
    }

    /**
     * Specifies whether or not this module supports AttributeDesignator
     * queries. Since that's what this code does, this method always
     * returns true.
     *
     * @return true
     */
    public boolean isDesignatorSupported() {
        return true;
    }

    /**
     * Specifies the types of designators this code supports. In this
     * case, the module supports only resource attributes.
     *
     * @return a <code>Set</code> containing the supported types
     */
    public Set getSupportedDesignatorTypes() {
        Set types = new HashSet();
        types.add(new Integer(AttributeDesignator.RESOURCE_TARGET));
        return types;
    }

    /**
     * Specifies the identifiers that this code supports. This module has
     * been written to support exactly one attribute, but in general you
     * could write a module that supports any number of attributes.
     *
     * @return a <code>Set</code> specifying the supported attribute ids
     */
    public Set getSupportedIds() {
        Set ids = new HashSet();
        try {
            ids.add(new URI(SUPPORTED_ATTRIBUTE_ID));
        } catch (URISyntaxException se) {
            // this won't actually happen in this case
            return null;
        }
        return ids;
    }

    /**
     * This is called when the PDP is trying to find a value that wasn't
     * included in a Request. The value that the PDP is looking for may or
     * may not be supported by this module, so you first have to check
     * that you can handle this request.
     */
    public EvaluationResult findAttribute(URI attributeType, URI attributeId,
                                          URI issuer, URI subjectCategory,
                                          EvaluationCtx context,
                                          int designatorType) {
        System.out.println("<<ENTER>> ResourceAttributeFinderModule here1");

        // check that this is a Resource attribute
        if (designatorType != AttributeDesignator.RESOURCE_TARGET)
            return new EvaluationResult(BagAttribute.createEmptyBag(attributeType));
        System.out.println(" ResourceAttributeFinderModule here2");

        // check that this is the type and identifier that this module is
        // set up to handle; the designator in the policy is an anyURI, so
        // comparing against the string type here would never match
        if ((! attributeType.toString().equals(AnyURIAttribute.identifier))
            || (! attributeId.toString().equals(SUPPORTED_ATTRIBUTE_ID)))
            return new EvaluationResult(BagAttribute.createEmptyBag(attributeType));
        System.out.println(" ResourceAttributeFinderModule here3");

        // if we got here then we're looking for the one attribute that this
        // module knows how to handle, so get the requested company's
        // resource-id out of the Request...note that the issuer isn't
        // considered here (it pertains to the values this module returns),
        // so null is passed as the issuer
        EvaluationResult result =
            context.getResourceAttribute(companyType, companyId, null);
        System.out.println(" ResourceAttributeFinderModule here4");

        // make sure there wasn't an error getting the identifier
        if (result.indeterminate()) {
            return result;
        }
        System.out.println(" ResourceAttributeFinderModule here5");

        // make sure we found exactly one value for the resource identifier
        BagAttribute bag = (BagAttribute)(result.getAttributeValue());
        System.out.println(" ResourceAttributeFinderModule here6");
        if (bag.size() != 1) {
            ArrayList code = new ArrayList();
            code.add(Status.STATUS_PROCESSING_ERROR);
            Status status = new Status(code, "couldn't find the resource-id");
            return new EvaluationResult(status);
        }
        System.out.println(" ResourceAttributeFinderModule here7");

        // get the identifier out of the bag and look up the hierarchy
        AnyURIAttribute company = (AnyURIAttribute)(bag.iterator().next());
        System.out.println(" ResourceAttributeFinderModule here8");
        return getCompany(company);
    }

    /**
     * This is the app-specific part that you need to fill in to make this
     * module work correctly. This method should use the requested company's
     * id to look up that company and all of its direct and indirect
     * subsidiaries, and return them as multiple items in a bag.
     */
    private EvaluationResult getCompany(AnyURIAttribute company) {
        System.out.println(" ResourceAttributeFinderModule getCompany here1");

        // do the hierarchy lookup...note that regardless of where the data
        // comes from, you must return an EvaluationResult that contains a
        // Bag, since that's the form that must be returned from the
        // findAttribute method above. This stub ignores the requested id
        // and returns two hard-coded subsidiaries plus the company itself.
        Set set = new HashSet();
        BagAttribute companies = null;
        System.out.println(" ResourceAttributeFinderModule getCompany here2");
        try {
            System.out.println(" ResourceAttributeFinderModule getCompany here3");
            AnyURIAttribute sa = new AnyURIAttribute(new URI("18021"));
            AnyURIAttribute sa1 = new AnyURIAttribute(new URI("18022"));
            set.add(sa);
            set.add(sa1);
            set.add(company);   // "-or-self": the requested resource is included
            System.out.println(" ResourceAttributeFinderModule getCompany here4");
            companies = new BagAttribute(sa.getType(), set);
            System.out.println(" ResourceAttributeFinderModule getCompany here5");
        } catch (URISyntaxException e) {
            // if there is an error at any point in this routine, then return
            // an EvaluationResult with status to explain the error, rather
            // than a null bag
            System.out.println(" ResourceAttributeFinderModule URISyntaxException " + e.toString());
            ArrayList code = new ArrayList();
            code.add(Status.STATUS_PROCESSING_ERROR);
            return new EvaluationResult(new Status(code, e.toString()));
        }

        // finally, return the company information
        return new EvaluationResult(companies);
    }
}
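A hierarchy-aware replacement for the hard-coded lookup in getCompany, written here as an added example (it is not code from this thread or from Sun's XACML distribution): it keeps the company-to-subsidiary map and answers all three AttributeIds from Anne's reply by walking it, with the "upside-down" meaning she describes (resource-parent yields direct subsidiaries). The class name, the addSubsidiary/lookup/toBag methods and the sample ids 18022 and 18023 are assumptions; only the two com.sun.xacml classes are real.

```java
import com.sun.xacml.attr.AnyURIAttribute;
import com.sun.xacml.attr.BagAttribute;
import java.net.URI;
import java.util.*;

/** Company hierarchy lookup for the Context Handler; "parent" here means direct subsidiary. */
public class CompanyHierarchy {
    private static final String PARENT = "urn:oasis:names:tc:xacml:2.0:resource:resource-parent";
    private static final String ANCESTOR = "urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor";
    private static final String ANCESTOR_OR_SELF = ANCESTOR + "-or-self";
    // company id -> its direct subsidiaries (a real PIP would load this from LDAP or a database)
    private final Map<URI, Set<URI>> subsidiaries = new HashMap<URI, Set<URI>>();
    public void addSubsidiary(String company, String subsidiary) {
        URI c = URI.create(company);
        if (!subsidiaries.containsKey(c)) subsidiaries.put(c, new HashSet<URI>());
        subsidiaries.get(c).add(URI.create(subsidiary));
    }
    /** Company ids the given AttributeId should yield for resource, or null if unsupported. */
    public Set<URI> lookup(String attributeId, URI resource) {
        Set<URI> out = new HashSet<URI>();
        if (PARENT.equals(attributeId)) {
            if (subsidiaries.containsKey(resource)) out.addAll(subsidiaries.get(resource));
            return out;
        }
        if (!ANCESTOR.equals(attributeId) && !ANCESTOR_OR_SELF.equals(attributeId)) return null;
        // breadth-first walk over all indirect subsidiaries; "out" doubles as the visited set,
        // so a cycle in corrupted hierarchy data cannot loop forever
        Deque<URI> todo = new ArrayDeque<URI>(Collections.singleton(resource));
        while (!todo.isEmpty()) {
            Set<URI> kids = subsidiaries.get(todo.remove());
            if (kids == null) continue;
            for (URI k : kids) if (out.add(k)) todo.add(k);
        }
        if (ANCESTOR_OR_SELF.equals(attributeId)) out.add(resource);
        return out;
    }
    /** Wraps the ids as the anyURI bag that findAttribute must hand back to the PDP. */
    public static BagAttribute toBag(Set<URI> ids) {
        Set<AnyURIAttribute> values = new HashSet<AnyURIAttribute>();
        for (URI id : ids) values.add(new AnyURIAttribute(id));
        return new BagAttribute(URI.create(AnyURIAttribute.identifier), values);
    }
    public static void main(String[] args) {
        CompanyHierarchy h = new CompanyHierarchy();   // constructed sample: 18021 owns 18022, which owns 18023
        h.addSubsidiary("18021", "18022");
        h.addSubsidiary("18022", "18023");
        System.out.println(h.lookup(ANCESTOR_OR_SELF, URI.create("18021")));  // 18021 and every subsidiary below it
        System.out.println(h.lookup(PARENT, URI.create("18021")));            // only the direct subsidiary
    }
}
```

In getCompany the lookup would become `return new EvaluationResult(CompanyHierarchy.toBag(h.lookup(SUPPORTED_ATTRIBUTE_ID, company.getValue())))`, and a null from lookup (an AttributeId the module does not serve) should be answered with an empty bag rather than an error status.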
<?xml version="1.0" encoding="UTF-8"?>
<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        PolicyId="WCM-Release-Car_Policy"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
  <Description>TODO</Description>
  <Target>
    <Subjects><AnySubject/></Subjects>
    <Resources><AnyResource/></Resources>
    <Actions><AnyAction/></Actions>
  </Target>
  <Rule RuleId="WCMReleaseCarRule" Effect="Permit">
    <!-- XACML 1.x (the namespace declared above): the Condition itself carries
         the FunctionId; there is no <Apply> wrapper as in the 2.0 syntax -->
    <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">
      <SubjectAttributeDesignator
          AttributeId="urn:namespace:subject-company"
          DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
      <ResourceAttributeDesignator
          AttributeId="urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor-or-self"
          DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
    </Condition>
  </Rule>
</Policy>
<?xml version="1.0" encoding="UTF-8"?>
<Request xmlns="urn:oasis:names:tc:xacml:1.0:context"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:context cs-xacml-schema-context-01.xsd">
  <Subject>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
               DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>xmic001</AttributeValue>
    </Attribute>
    <Attribute AttributeId="group"
               DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>WCM-Release-Car</AttributeValue>
      <!-- User group from LDAP -->
    </Attribute>
    <!-- AttributeId must match the SubjectAttributeDesignator in the policy -->
    <Attribute AttributeId="urn:namespace:subject-company"
               DataType="http://www.w3.org/2001/XMLSchema#anyURI">
      <AttributeValue>18021</AttributeValue>
      <!-- Top level company that this subject belongs to, from LDAP -->
    </Attribute>
  </Subject>
  <Resource>
    <!-- The requested company. resource-ancestor-or-self is not sent in the
         Request; the AttributeFinderModule computes it from this id -->
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
               DataType="http://www.w3.org/2001/XMLSchema#anyURI">
      <AttributeValue>180822</AttributeValue>
    </Attribute>
    <!--
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:scope"
               DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>Descendants</AttributeValue>
    </Attribute>
    -->
  </Resource>
  <Action>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
               DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>ReleaseCar</AttributeValue>
    </Attribute>
  </Action>
</Request>