xacml-dev message



Subject: Re: [xacml-dev] Confused about usage of XPath and resource content in XACML


Hi,

There are a couple ways XPath can be used in conjunction with XML content in a XACML request. Generally speaking XPath is used in attribute selectors. These are a different way to identify attributes and their values (the 'usual' way being attribute designators).

XPath and attribute selectors can be used for:
  1. a single XACML request
  2. a multiple decision request
In the first case, it is possible to send attributes (e.g. user role, id...) and XML content (e.g. an XML medical record) inside a XACML request to a PDP. In that case, the XACML policies need to use attribute selectors containing XPath expressions to extract information from the XML content element(s) of the incoming XACML request. The decision making can therefore make use of values contained in the XML content. This is useful when the XML content represents one item e.g. one medical record in its XML format.

In the example below, I use a book record which contains a title, an ISBN and a publisher. Note that the policy target can mix attribute designators and attribute selectors indifferently. The XPath expression can match several nodes in the XML document. This means that if the incoming XML contained a series of <book> elements all of which with a title, then the attribute selector evaluation would lead to a bag of N titles.

Policy:

<?xml version="1.0" encoding="UTF-8"?>
<xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="xpath-target-single-req" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" Version="1">
  <xacml3:Description/>
  <xacml3:PolicyDefaults>
    <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
  </xacml3:PolicyDefaults>
  <xacml3:Target>
    <xacml3:AnyOf>
      <xacml3:AllOf>
        <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Gulliver's travels</xacml3:AttributeValue>
          <xacml3:AttributeSelector Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" Path="/book/title/text()"/>
        </xacml3:Match>
        <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than">
          <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">18</xacml3:AttributeValue>
          <xacml3:AttributeDesignator AttributeId="age" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="false"/>
        </xacml3:Match>
      </xacml3:AllOf>
    </xacml3:AnyOf>
  </xacml3:Target>
  <xacml3:Rule Effect="Permit" RuleId="allow-read">
    <xacml3:Description/>
    <xacml3:Target/>
  </xacml3:Rule>
</xacml3:Policy>

XACML Request:

<xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false" xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" >
      <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="true">
         <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Joe</xacml-ctx:AttributeValue>
      </xacml-ctx:Attribute>
      <xacml-ctx:Attribute AttributeId="age" IncludeInResult="true">
         <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">14</xacml-ctx:AttributeValue>
      </xacml-ctx:Attribute>
   </xacml-ctx:Attributes>
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" >
      <xacml-ctx:Content>
         <book>
            <title>Gulliver's travels</title>
            <isbn>xx-yy-zz</isbn>
            <publisher>Axiomatics</publisher>
         </book>
      </xacml-ctx:Content>
   </xacml-ctx:Attributes>
</xacml-ctx:Request>


In the latter case, the multiple decision profile (http://docs.oasis-open.org/xacml/3.0/xacml-3.0-multiple-v1-spec-en.html) defines 1 XPath-based approach (2.2 Nodes identified by XPath) to expressing multiple access control requests in one go.

I have written up a post that summarizes the two uses of XPath: http://www.webfarmr.eu/2011/08/xacml-102-xpath-and-xacml/

Let me know if you have any questions,
David.

On Sat, Aug 13, 2011 at 3:30 PM, Security Developer <security.developer22@gmail.com> wrote:
Hi All,

Could anybody please share some presentation or tutorial that explains the usage of XPath and resource content in XACML? The reason for asking is that it is difficult for me to understand the example XACML policies in the XACML 3.0 core standard that use XPath and XML resource content.

Thanks for your time.

Best Regards.



--
David Brossard, M.Eng, SCEA, CSTP
VP Product Marketing & Customer Relations
+46(0)760 25 85 75
Axiomatics AB
Skeppsbron 40
S-111 30 Stockholm, Sweden
http://www.linkedin.com/companies/536082
http://www.axiomatics.com
http://twitter.com/axiomatics
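As an added illustration (not part of the original message or of any Axiomatics product) of how a PDP turns the AttributeSelector and AttributeDesignator in the policy above into bags of values and then applies the Match semantics, the Python below evaluates the policy's Target against a constructed request. It assumes a request shaped like the one in the message but with two <book> elements in <Content>, so the selector /book/title/text() yields a bag of two titles; a second constructed request without any <Content> shows the empty-bag behaviour (Match is false, or Indeterminate when MustBePresent is true). Only the small XPath subset the policy uses is implemented; a real PDP would hand the path to a full XPath 1.0 engine. Function names, the sample requests and the restricted path evaluator are this example's own assumptions.

```python
import xml.etree.ElementTree as ET

# XACML 3.0 namespace and the two categories used by the policy in the message
NS = {"x": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"

# Constructed request: as in the message, but with two <book> elements in <Content>.
# The xacml-ctx prefix keeps <book> and its children out of the XACML namespace.
REQUEST_XML = """<xacml-ctx:Request xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <xacml-ctx:Attribute AttributeId="age" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">14</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <xacml-ctx:Content>
      <book><title>Gulliver's travels</title><isbn>xx-yy-zz</isbn></book>
      <book><title>Robinson Crusoe</title><isbn>aa-bb-cc</isbn></book>
    </xacml-ctx:Content>
  </xacml-ctx:Attributes>
</xacml-ctx:Request>"""

# Constructed request with the same subject but no resource <Content> at all.
REQUEST_NO_CONTENT_XML = """<xacml-ctx:Request xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <xacml-ctx:Attribute AttributeId="age" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">14</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
</xacml-ctx:Request>"""


def parse(xml_text):
    """Parse a request document into its root element."""
    return ET.fromstring(xml_text)


def content_of(request, category):
    """The <Content> element of the Attributes block for a category, or None."""
    for attrs in request.findall("x:Attributes", NS):
        if attrs.get("Category") == category:
            return attrs.find("x:Content", NS)
    return None


def attribute_selector(request, category, path):
    """Bag of values for an AttributeSelector (restricted XPath: absolute element
    path, optionally ending in text() or @attr). <Content> plays the role of the
    document node, so /book selects its <book> children."""
    content = content_of(request, category)
    if content is None:
        return []
    steps = path.strip("/").split("/")
    if steps[-1] == "text()":
        nodes = content.findall("./" + "/".join(steps[:-1]))
        return [n.text for n in nodes if n.text is not None]
    if steps[-1].startswith("@"):
        name = steps[-1][1:]
        nodes = content.findall("./" + "/".join(steps[:-1]))
        return [n.get(name) for n in nodes if n.get(name) is not None]
    return [n.text or "" for n in content.findall("./" + "/".join(steps))]


def attribute_designator(request, category, attribute_id):
    """Bag of values for an AttributeDesignator: every AttributeValue of that id."""
    bag = []
    for attrs in request.findall("x:Attributes", NS):
        if attrs.get("Category") != category:
            continue
        for attr in attrs.findall("x:Attribute", NS):
            if attr.get("AttributeId") == attribute_id:
                bag.extend(v.text for v in attr.findall("x:AttributeValue", NS))
    return bag


# The two MatchIds the policy uses. First argument is the policy's AttributeValue,
# second is one value drawn from the bag (the argument order a Match prescribes).
FUNCTIONS = {
    "urn:oasis:names:tc:xacml:1.0:function:string-equal": lambda a, b: a == b,
    "urn:oasis:names:tc:xacml:1.0:function:integer-greater-than": lambda a, b: int(a) > int(b),
}


def evaluate_match(match_id, literal, bag, must_be_present=False):
    """Match is True if the function holds for at least one bag value; an empty bag
    is False, unless MustBePresent was true, which makes it Indeterminate."""
    if not bag:
        return "Indeterminate" if must_be_present else False
    return any(FUNCTIONS[match_id](literal, v) for v in bag)


def evaluate_all_of(results):
    """AllOf: False if any Match is False, else Indeterminate if any is, else True."""
    if any(r is False for r in results):
        return False
    if any(r == "Indeterminate" for r in results):
        return "Indeterminate"
    return True


def evaluate_target(request, must_be_present=False):
    """The policy's Target: title string-equal 'Gulliver's travels' AND 18 > age."""
    titles = attribute_selector(request, RESOURCE, "/book/title/text()")
    ages = attribute_designator(request, SUBJECT, "age")
    return evaluate_all_of([
        evaluate_match("urn:oasis:names:tc:xacml:1.0:function:string-equal",
                       "Gulliver's travels", titles, must_be_present),
        evaluate_match("urn:oasis:names:tc:xacml:1.0:function:integer-greater-than",
                       "18", ages, must_be_present),
    ])


if __name__ == "__main__":
    req = parse(REQUEST_XML)
    print(attribute_selector(req, RESOURCE, "/book/title/text()"))  # bag of two titles
    print(evaluate_target(req))                                      # True
    print(evaluate_target(parse(REQUEST_NO_CONTENT_XML), must_be_present=True))  # Indeterminate
```

Note that the integer-greater-than Match is evaluated as 18 > age (policy literal first), so the request's age of 14 satisfies it; and that with MustBePresent="false", as in the message's policy, a missing <Content> simply makes the Target not match rather than producing an Indeterminate result.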


