Subject: using the xacml obligation mechanism for service request or response rewrite
Hi all,

as promised in the last tecon, below are some insights into a way to use XACML's obligation mechanism in SOA:

- The PEP intercepts the communication between the subject and the service, e.g. a Web Service request or response r in format x (i.e. r.x).
- The ctx handler transforms r.x and includes it in a XACML decision request in format y (i.e. r.y).
- To enforce most of the access rights based on the Web Service request there is a need to rewrite the request. Additionally, some rights need to be enforced through a rewrite of the response. In both cases the aim behind the rewrite is to allow the intersection of the intended interaction and the permitted interactions.
- The rewrite can be done by rewrite functions defined in obligations that refer to r.y.
- A ctx handler receiving rewrite rules transforms r.y (i.e. the representation of the request in the evaluation context) correspondingly. This will result in r.y'.
- After the AC process the ctx handler transforms r.y' back to the original format x, so you get r.x'.
- The PEP can choose between different options how to proceed:
  - no rewrite --> forward original request | response
  - rewrite --> forward rewritten Web Service request | response
  - rewrite --> deny request, send error msg to user (optionally show him r.x' to show him the permitted subset of his request)

Example:

request from user in string format:

  r.x := select * from Building where owner = 'state'

request from user in XML format as included under <content> in the XACML access decision request:

  r.y :=
  <select>
    <proj>*</proj>
    <from>
      <table>Building</table>
    </from>
    <where>owner = 'state'</where>
  </select>

obligation in a rule that matches:

  - subject.name =
  - xpath-node-equal(content-selector, /select[from/table/text() = Building])
  - obligation:
    - functionToCall = addToWhereClauseByAnd
    - argument1 = 'price < 1,000,000'
    - optional: functionDefInEgJava = public string addToWhereClauseByAnd(string s){….}
      // this could allow for flexible obligation-function definition and will still keep interop

result in ctx handler after AC process:

  r.y' :=
  <select>
    <proj>*</proj>
    <from>
      <table>Building</table>
    </from>
    <where>owner = 'state' AND price < 1,000,000</where>
  </select>

rewritten request in original SQL string format:

  r.x' := select * from Building where owner = 'state' AND price < 1,000,000

The rewritten request implies that the user can only access building data with a price less than one million. According to this solution it is very useful to allow obligation processing in the ctx handler (which could run on a different machine than the PEP). For those who know Oracle's Virtual Private Database tech: this approach is similar but more flexible, external from the service/DBMS implementation, and could be standardised.

Looking forward to hearing your thoughts on this solution.

best regards
jan
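The ctx handler round trip from the example above (r.x to r.y, obligation rewrite to r.y', back to r.x') as an added Python sketch that is not part of the original post. The `select` grammar, the function names and the `("permit"/"deny", r.x')` return shape are assumptions; it goes one step beyond the mail by parenthesising the user's existing WHERE clause, so an OR in the user's request cannot escape the added restriction, and by refusing (deny) an obligation function the handler does not know.

```python
import re
import xml.etree.ElementTree as ET

# Constructed grammar: "select <proj> from <table> [where <cond>]" covers the mail's example.
SELECT_RE = re.compile(
    r"^\s*select\s+(?P<proj>.+?)\s+from\s+(?P<table>\w+)"
    r"(?:\s+where\s+(?P<where>.+?))?\s*;?\s*$", re.IGNORECASE)

def to_r_y(r_x: str) -> ET.Element:
    """ctx handler, inbound: r.x (SQL string) -> r.y (XML placed under <content>)."""
    m = SELECT_RE.match(r_x)
    if m is None:
        raise ValueError("request not in the supported select form")
    sel = ET.Element("select")
    ET.SubElement(sel, "proj").text = m.group("proj")
    ET.SubElement(ET.SubElement(sel, "from"), "table").text = m.group("table")
    if m.group("where"):
        ET.SubElement(sel, "where").text = m.group("where")
    return sel

def to_r_x(r_y: ET.Element) -> str:
    """ctx handler, outbound: r.y' (XML) -> r.x' (SQL string) for the PEP to forward."""
    sql = f"select {r_y.findtext('proj')} from {r_y.findtext('from/table')}"
    where = r_y.findtext("where")
    return f"{sql} where {where}" if where else sql

def rule_matches(r_y: ET.Element, table: str) -> bool:
    """The mail's xpath-node-equal condition on /select/from/table."""
    return r_y.findtext("from/table") == table

def add_to_where_clause_by_and(r_y: ET.Element, predicate: str) -> ET.Element:
    """Obligation function addToWhereClauseByAnd. Parenthesising the existing clause is a
    hypothetical hardening (not in the mail) so an OR in it cannot escape the predicate."""
    where = r_y.find("where")
    if where is None:
        ET.SubElement(r_y, "where").text = predicate
    else:
        where.text = f"({where.text}) AND {predicate}"
    return r_y

# Registry of rewrite functions the ctx handler is willing to call by name (assumed).
REWRITE_FUNCTIONS = {"addToWhereClauseByAnd": add_to_where_clause_by_and}

def process_obligations(r_x: str, obligations: list) -> tuple:
    """Apply the matched rule's obligations; an obligation the handler cannot fulfil
    must end in deny, as XACML requires of the enforcing side."""
    r_y = to_r_y(r_x)
    for name, argument in obligations:
        fn = REWRITE_FUNCTIONS.get(name)
        if fn is None:
            return ("deny", None)
        r_y = fn(r_y, argument)
    return ("permit", to_r_x(r_y))
```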