xacml-users message



Subject: Re: [xacml-users] Expressing XACML policy


Finally I managed to implement it via a custom function
(FN_isPolicyHolder(subjectId, policyId)). The custom function approach in the
Condition part of a rule looks like a better alternative to the Attribute
Designators. But now I have a problem with registering the custom function:

I have tried FunctionFactory.getConditionInstance().addFunction(new
IsPolicyHolder()) and I get this exception:

java.lang.UnsupportedOperationException: a standard factory cannot support new functions
    at com.sun.xacml.cond.StandardFunctionFactory.addFunction(StandardFunctionFactory.java:412)
    at com.dnb.xacml.XACMLTestCase.setUp(XACMLTestCase.java:38)
    at com.dnb.xacml.IsLicencedPolicyTest.setUp(IsLicencedPolicyTest.java:42)
    at junit.framework.TestCase.runBare(TestCase.java:125)
    at junit.framework.TestResult$1.protect(TestResult.java:106)
    at junit.framework.TestResult.runProtected(TestResult.java:124)
    at junit.framework.TestResult.run(TestResult.java:109)
    at junit.framework.TestCase.run(TestCase.java:118)
    at junit.framework.TestSuite.runTest(TestSuite.java:208)
    at junit.framework.TestSuite.run(TestSuite.java:203)
    at org.eclipse.jdt.internal.junit.runner.junit3.JUnit3TestReference.run(JUnit3TestReference.java:128)
    at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:460)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:673)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:386)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:196)

I used http://sunxacml.sourceforge.net/guide.html#extending-function as a
guide, but it looks like this guide is not up-to-date.


See request and policy:

<?xml version="1.0" encoding="UTF-8"?>
<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os http://docs.oasis-open.org/xacml/access_control-xacml-2.0-context-schema-os.xsd">
    <Subject>
        <!-- Subject is identified via email address -->
        <Attribute
            AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
            DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name">
            <AttributeValue>bs@simpsons.com</AttributeValue>
        </Attribute>
    </Subject>
    <Resource>
        <!-- Resource is policy identifier -->
        <Attribute
            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
            DataType="http://www.w3.org/2001/XMLSchema#string">
            <AttributeValue>100000</AttributeValue>
        </Attribute>
    </Resource>
    <Action>
        <!-- Action on resource is isLicenced -->
        <Attribute
            AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
            DataType="http://www.w3.org/2001/XMLSchema#string">
            <AttributeValue>isLicenced</AttributeValue>
        </Attribute>
    </Action>
    <Environment />
</Request>

Actual policy:

<?xml version="1.0" encoding="UTF-8"?>
<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd"
    PolicyId="urn:oasis:names:tc:example:SimplePolicy1"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
    <Target/>
    <Rule RuleId="PolicyHolderOnly" Effect="Permit">
        <Target>
            <Actions>
                <Action>
                    <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <!-- Must match the action-id sent in the request ("isLicenced") -->
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">isLicenced</AttributeValue>
                        <ActionAttributeDesignator
                            AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                            DataType="http://www.w3.org/2001/XMLSchema#string"/>
                    </ActionMatch>
                </Action>
            </Actions>
        </Target>
        <Condition>
            <!-- Check if the given subject is the policy holder -->
            <Apply FunctionId="urn:foo:isPolicyHolder">
                <!-- DataType must match the request's subject-id (rfc822Name), or the designator returns an empty bag -->
                <SubjectAttributeDesignator
                    AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                    DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"/>
                <ResourceAttributeDesignator
                    AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                    DataType="http://www.w3.org/2001/XMLSchema#string"/>
            </Apply>
        </Condition>
    </Rule>
</Policy>

On 6/18/07, Blair Bethwaite <blair.bethwaite@gmail.com> wrote:
>
> On 6/19/07, Giedrius Trumpickas <trumpyla@gmail.com> wrote:
> > Is there any way to refer to the subject or resource attributes
> > stored in the database in the XACML policy definition?
>
> Implement your own *AttributeFinderModules appropriate for the
> environment your PDP should know about.  You probably want to define
> your own AttributeDesignators.
>
> -Blair
>
> --
> In science one tries to tell people, in such a way
> as to be understood by everyone, something that
> no one ever knew before. But in poetry, it's the
> exact opposite.
> - Paul Dirac
>
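As an added example (not code from this thread or from the sunxacml project), one way past the "a standard factory cannot support new functions" exception: the standard factories are read-only, so the custom function is registered in a proxy of writable copies that is then installed as the default before any policy is parsed. It assumes the sunxacml 1.2 API names used in the imports (FunctionBase and its evalArgs helper, StandardFunctionFactory.getNewFactoryProxy, FunctionFactory.setDefaultFactory) and a constructed in-memory set of holder pairs standing in for the database.

```java
import java.util.List;
import java.util.Set;
import com.sun.xacml.EvaluationCtx;
import com.sun.xacml.attr.AttributeValue;
import com.sun.xacml.attr.BooleanAttribute;
import com.sun.xacml.attr.RFC822NameAttribute;
import com.sun.xacml.attr.StringAttribute;
import com.sun.xacml.cond.EvaluationResult;
import com.sun.xacml.cond.FunctionBase;
import com.sun.xacml.cond.FunctionFactory;
import com.sun.xacml.cond.FunctionFactoryProxy;
import com.sun.xacml.cond.StandardFunctionFactory;

// Added example; assumes the sunxacml 1.2 API named in the imports above.
public class IsPolicyHolder extends FunctionBase {
    public static final String NAME = "urn:foo:isPolicyHolder";
    // Stand-in for the database: constructed set of "subject|policyId" pairs.
    private final Set holders;

    public IsPolicyHolder(Set holders) {
        // Two single-valued args (rfc822Name subject, string policy id), boolean result.
        super(NAME, 0,
              new String[] { RFC822NameAttribute.identifier, StringAttribute.identifier },
              new boolean[] { false, false },
              BooleanAttribute.identifier, false);
        this.holders = holders;
    }

    public EvaluationResult evaluate(List inputs, EvaluationCtx context) {
        AttributeValue[] args = new AttributeValue[inputs.size()];
        EvaluationResult err = evalArgs(inputs, context, args);
        if (err != null) {
            return err;  // an argument was Indeterminate: propagate it, never default to true
        }
        String subject = ((RFC822NameAttribute) args[0]).getValue();
        String policyId = ((StringAttribute) args[1]).getValue();
        boolean holds = holders.contains(subject + "|" + policyId);
        return new EvaluationResult(BooleanAttribute.getInstance(holds));
    }

    // Call once, before the PDP parses any policy that uses urn:foo:isPolicyHolder.
    public static void register(Set holders) {
        // The standard factories are read-only; getNewFactoryProxy() returns writable copies.
        FunctionFactoryProxy proxy = StandardFunctionFactory.getNewFactoryProxy();
        proxy.getConditionFactory().addFunction(new IsPolicyHolder(holders));
        FunctionFactory.setDefaultFactory(proxy);
    }
}
```

IsPolicyHolder.register(holders) belongs in the test's setUp before the policy is loaded, and because this function takes single values rather than bags, each designator in the Apply would need the matching one-and-only wrapper (rfc822Name-one-and-only, string-one-and-only).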

