Re: [xacml] Potential SAML issues

[Sekhar Vajjhala - Sun Microsystems <sekhar.vajjhala@sun.com>]

NISHIMURA Toshihiro wrote:
> 
> Hello,
> 
> Sekhar Vajjhala - Sun Microsystems wrote:
> > ISSUE: saml:Action is a "string"
> >
> >      saml:Action is currently specified as a "string". Making Action
> >      an abstract type  would allow it to be extended. This would allow
> >      the content model to be defined by a schema external to the SAML
> >      spec.
> >
> >      Thus what constitues an action could be determined by the J2SE
> > schema.
> 
> In SAML, saml:Action is used only in saml:Actions and saml:Actions
> have Namespace as an attribute.
> So it is possible to write action(s) such as:
>   <saml:Actions Namespace="urn:J2SEPermission:java.io.FilePermission">
>     <saml:Action>write</saml:Action>
>   </saml:Actions>
> or
>   <saml:Actions Namespace="urn:J2SEPermission">
>     <saml:Action>java.io.FilePermission:write</saml:Action>
>   </saml:Actions>
> 
> But it will be useful if we can write something like:
>   <saml:Action>
>     <J2SEPermission class="java.io.FilePermission">write</J2SEPermission>
>   </saml:Action>

That was the idea ( although the syntax may be different).

> 
> > ISSUE: saml:AuthorizationQuery requires actions.
> >
> >      If actions are optional for XACML, then why should <saml:Actions>
> >      be required in <saml:AuthorizationQuery> ? Both the wording in
> >      the SAML assertions draft as well as the SAML schema place
> >      such a requirement. saml:Actions should be optional in the
> >      AuthorizationQuery to accomodate queries without actions.
> >
> >      At least for now, I don't anticipate this as an issue for J2SE.
> 
> In the latest SAML spec (core-25), AuthorizationDecisionQuery element
> has Resource attribute and Actions element and both of them are
> "required". Does this cause much problems?
> (Resource attribute is "optional" for AuthorizationDecisionStatement
> element.)
> 
> As for J2SE case, I think there is an issue in terminology.
> Sekhar wrote::
> |     A J2SE permission consists of
> |
> |     a. target   ("resource" in XACML terminology )
> |     b. action   (optional)
> (http://lists.oasis-open.org/archives/xacml/200112/msg00045.html)
> 
> In the example of FilePermission, everyone will agreee on that
> "/tmp/*" indicates resources(targets) and "read,write" indicates
> action(s).
> 
> In regard to AWTPermission, the J2SE document says:
> | This is in the same spirit as the RuntimePermission; it's a
> | permission without actions. The targets for this class are:
> |
> | accessClipboard
> | accessEventQueue
> | listenToAllAWTEvents
> | showWindowWithoutWarningBanner
> (http://java.sun.com/j2se/1.4/docs/guide/security/spec/security-spec.doc3.html#20327)
> 
> It says that "accessClipboard" is a target, however, I think it is
> possible to say "accessClipboard" is an action (in XACML terminology).

It is possible but would not be correct.

> 
> > ISSUE: single subject in AuthorizationQuery
> >
> >      saml:AuthorizationQuery currently only contains a single
> >      Subject. While a saml:Subject can support multiple NameIdentifier
> >      or SubjectConfirmation or AssertionSpecifier elements, it
> >      is required that they all belong to the same principal. So
> >      a single subject cannot be used for unrelated principals.
> >
> >      In J2SE, there is a need to base access control on multiple
> >      principals which are not related and this therefore points to
> >      to a need for more than one Subject in the saml:AuthorizationQuery
> >
> >      NOTE: The way out of this appears to be extend
> > SubjectQueryAbstractType.
> 
> Is this the same issue with ISSUE:[DS-11-01:MultipleSubjectAssertions]
> in draft-sstc-saml-issues-06.pdf?

As I understand from the XACML Policy model sub committee meeting
yesterday,
there is already an open issue against what I described above. I did not
check the above issue that you mentioned above.

Sekhar

> 
> Regards,
> Toshi
> ---
> NISHIMURA Toshihiro (FAMILY Given)
> nishimura.toshi@jp.fujitsu.com
> XML Application Technology Dept., PROJECT-A XML, FUJITSU LIMITED

-- 
Sekhar