Subject: Re: [xacml-users] Expressing XACML policy
Finally I managed to implement it via a custom function (function FN_isPolicyHolder(subjectId, policyId)). The custom function approach in the Condition part of the rule looks like a better alternative to the Attribute Designators. But now I have a problem with registering the custom function. I have tried:

    FunctionFactory.getConditionInstance().addFunction(new IsPolicyHolder())

and I get an exception:

    java.lang.UnsupportedOperationException: a standard factory cannot support new functions
        at com.sun.xacml.cond.StandardFunctionFactory.addFunction(StandardFunctionFactory.java:412)
        at com.dnb.xacml.XACMLTestCase.setUp(XACMLTestCase.java:38)
        at com.dnb.xacml.IsLicencedPolicyTest.setUp(IsLicencedPolicyTest.java:42)
        at junit.framework.TestCase.runBare(TestCase.java:125)
        at junit.framework.TestResult$1.protect(TestResult.java:106)
        at junit.framework.TestResult.runProtected(TestResult.java:124)
        at junit.framework.TestResult.run(TestResult.java:109)
        at junit.framework.TestCase.run(TestCase.java:118)
        at junit.framework.TestSuite.runTest(TestSuite.java:208)
        at junit.framework.TestSuite.run(TestSuite.java:203)
        at org.eclipse.jdt.internal.junit.runner.junit3.JUnit3TestReference.run(JUnit3TestReference.java:128)
        at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
        at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:460)
        at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:673)
        at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:386)
        at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:196)

I used http://sunxacml.sourceforge.net/guide.html#extending-function as a guide, but it looks like this guide is not up-to-date.
See request and policy:

    <?xml version="1.0" encoding="UTF-8"?>
    <Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os http://docs.oasis-open.org/xacml/access_control-xacml-2.0-context-schema-os.xsd">
      <Subject>
        <!-- Subject is identified via email address -->
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                   DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name">
          <AttributeValue>bs@simpsons.com</AttributeValue>
        </Attribute>
      </Subject>
      <Resource>
        <!-- Resource is policy identifier -->
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                   DataType="http://www.w3.org/2001/XMLSchema#string">
          <AttributeValue>100000</AttributeValue>
        </Attribute>
      </Resource>
      <Action>
        <!-- Action on resource is isLicenced -->
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                   DataType="http://www.w3.org/2001/XMLSchema#string">
          <AttributeValue>isLicenced</AttributeValue>
        </Attribute>
      </Action>
      <Environment/>
    </Request>

Actual policy:

    <?xml version="1.0" encoding="UTF-8"?>
    <Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd"
            PolicyId="urn:oasis:names:tc:example:SimplePolicy1"
            RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
      <Target/>
      <Rule RuleId="PolicyHolderOnly" Effect="Permit">
        <Target>
          <Actions>
            <Action>
              <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">isLicenced</AttributeValue>
                <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                           DataType="http://www.w3.org/2001/XMLSchema#string"/>
              </ActionMatch>
            </Action>
          </Actions>
        </Target>
        <Condition>
          <!-- Check if a given subject is policy holder -->
          <Apply FunctionId="urn:foo:isPolicyHolder">
            <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                                        DataType="http://www.w3.org/2001/XMLSchema#string"/>
            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                                         DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </Apply>
        </Condition>
      </Rule>
    </Policy>

On 6/18/07, Blair Bethwaite <blair.bethwaite@gmail.com> wrote:
>
> On 6/19/07, Giedrius Trumpickas <trumpyla@gmail.com> wrote:
> > Is there any way to refer to the subject or resource attributes
> > stored in the database in the XACML policy definition?
>
> Implement your own *AttributeFinderModules appropriate for the
> environment your PDP should know about. You probably want to define
> your own AttributeDesignators.
>
> -Blair
>
> --
> In science one tries to tell people, in such a way
> as to be understood by everyone, something that
> no one ever knew before. But in poetry, it's the
> exact opposite.
> - Paul Dirac
>
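The registration pattern that avoids the UnsupportedOperationException above, written here as an added example (it is not code from this thread or from the sun-xacml project): the standard factories are read-only, so wrap them in new BaseFunctionFactory instances, add the function there, and install the result as the default proxy before any policy is parsed. The class name IsPolicyHolder, the function id urn:foo:isPolicyHolder and the in-memory holder table are assumptions standing in for the poster's class and database lookup.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;
import com.sun.xacml.EvaluationCtx;
import com.sun.xacml.attr.AttributeValue;
import com.sun.xacml.attr.BooleanAttribute;
import com.sun.xacml.attr.StringAttribute;
import com.sun.xacml.cond.BaseFunctionFactory;
import com.sun.xacml.cond.BasicFunctionFactoryProxy;
import com.sun.xacml.cond.EvaluationResult;
import com.sun.xacml.cond.FunctionBase;
import com.sun.xacml.cond.FunctionFactory;
import com.sun.xacml.cond.FunctionFactoryProxy;
import com.sun.xacml.cond.StandardFunctionFactory;

/** Hypothetical urn:foo:isPolicyHolder(subjectId, policyId): two string args, boolean result. */
public class IsPolicyHolder extends FunctionBase {
    public static final String NAME = "urn:foo:isPolicyHolder";
    // Constructed sample data standing in for the real policy-holder database lookup.
    private static final Map<String, Set<String>> HOLDERS = Map.of("100000", Set.of("bs@simpsons.com"));

    public IsPolicyHolder() {
        // name, internal id (unused here), param type, params not bags, exactly 2 params,
        // boolean return type (a top-level Condition must evaluate to boolean), not a bag
        super(NAME, 0, StringAttribute.identifier, false, 2, BooleanAttribute.identifier, false);
    }

    public EvaluationResult evaluate(List inputs, EvaluationCtx context) {
        AttributeValue[] args = new AttributeValue[inputs.size()];
        EvaluationResult err = evalArgs(inputs, context, args); // resolves designators, checks types
        if (err != null) {
            return err; // Indeterminate propagates; the rule cannot Permit on a missing attribute
        }
        String subject = ((StringAttribute) args[0]).getValue();
        String policy = ((StringAttribute) args[1]).getValue();
        boolean holder = HOLDERS.getOrDefault(policy, Set.of()).contains(subject);
        return new EvaluationResult(BooleanAttribute.getInstance(holder));
    }

    /** Call once at startup, before the PDP or any Policy is constructed. */
    public static void register() {
        FunctionFactory condition = new BaseFunctionFactory(StandardFunctionFactory.getConditionFactory());
        FunctionFactory general = new BaseFunctionFactory(StandardFunctionFactory.getGeneralFactory());
        condition.addFunction(new IsPolicyHolder()); // Condition functions must be in the condition set
        general.addFunction(new IsPolicyHolder());   // and in the general superset
        FunctionFactoryProxy proxy = new BasicFunctionFactoryProxy(StandardFunctionFactory.getTargetFactory(), condition, general);
        FunctionFactory.setDefaultFactory(proxy);
    }
}
```

Note that the request above carries the subject-id as rfc822Name while the policy's SubjectAttributeDesignator asks for a string; the designator will then find nothing and evalArgs returns an error result, so the data types must agree for the function to be reached at all.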