OASIS Mailing List Archives
xacml-users message


Subject: XACML ipAddress-regexp-match and how to author a policy with dynamic


The mailing list isn't easy to search, so I thought I would pose my
question while commanding the list to e-mail me the last 150 posts.

I was trying to put together an XACML 2.0 policy set that captured two
policies, which when combined, allowed for both a sort of global allow
and selective deny. Essentially a firewall access policy where hosts
which have been identified as a threat would be denied access to the
target resource (say a web server). The PIP information supplying the
list of threat IP addresses could be sorted in a database.

My main query that I can't gather from the literature I've read so far
is how all attributes of a Subject, Action or Resource are identified.
(I'm sure it's an easy answer, I'll be happy with anything really) For
example, an external system identifies a point of information which the
policy would use to help determine if a deny rule should be applied. In
this case, how is the policy authored to reference attributes of said
piece of information?

For example, a SIM event (we'll just go with this for now) which
contains the threatening host IP and requested resource (say a
protected portion of the corporate web site). How do I identify the PIP
information in a URN? I was assuming that when the PDP gathers
information from the PIP (and from the PEP's access request message?)
that the Subject, Action and Resource will have things like subject-id's
ipAddress attribute already populated, because the Subject in question
has an IP.

Maybe I'm just not there yet. So I'll leave my query here. If anyone has
a bit of practical advice to enlighten me, it would be very beneficial.


Sample policy with a hole (note the ...???) where the external PIP
information on threat host IPs would be referenced:

<Policy PolicyId="urn:oasis:names:tc:policy:AttackerThreat">
  <Description>This policy is intended to deny attacking hosts for
corporate web servers.</Description>
  <Rule RuleId="urn:oasis:names:tc:policy:ThreatRule:1" Effect="Deny">
   <Description>All identified host threats shall not be permitted

Chris McKenzie
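As an added example (an editor's illustration, not code from the post above or from the OASIS XACML TC), here is one way the hole in a policy like this can be filled in XACML 2.0. The requesting host's address is referenced with a SubjectAttributeDesignator using the standard attribute id urn:oasis:names:tc:xacml:1.0:subject:authn-locality:ip-address and the data type urn:oasis:names:tc:xacml:2.0:data-type:ipAddress; the PEP is expected to put that attribute into the request context. The threat list is referenced with an attribute id the deployment chooses itself (urn:example:attribute:threat-ip-patterns is an assumed name here); when the PDP finds no such attribute in the request context, its context handler asks the PIP for it, which is how the database-backed list gets into the evaluation. The PolicyId and RuleId values and the 203.0.113.0/24 documentation-range pattern are likewise constructed for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example policy (not from the original post). Identifiers under
     urn:example: and the threat pattern values are assumed for illustration. -->
<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
        PolicyId="urn:example:policy:AttackerThreat"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
  <Description>Deny identified threat hosts access to the corporate web
    servers; permit everyone else.</Description>
  <!-- Empty Target: the policy applies to every request handed to it. -->
  <Target/>

  <!-- Rule 1: Deny when the requester's IP matches any threat pattern the PIP supplies. -->
  <Rule RuleId="urn:example:rule:ThreatRule:1" Effect="Deny">
    <Description>All identified host threats shall not be permitted.</Description>
    <Target/>
    <Condition>
      <!-- any-of-any(f, bagA, bagB) is true if f(a, b) is true for some a in bagA
           and some b in bagB.  ipAddress-regexp-match takes (regex string, ipAddress),
           so the bag of threat patterns is the first argument and the bag holding the
           subject's address is the second. -->
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
        <Function FunctionId="urn:oasis:names:tc:xacml:2.0:function:ipAddress-regexp-match"/>

        <!-- Assumed, deployment-specific attribute the PIP resolves from the threat
             database (the PEP does not send it).  Each value is an XML Schema regular
             expression over the string form of the address, e.g. 203\.0\.113\..*
             for the whole 203.0.113.0/24 block.  MustBePresent="true" makes a PIP
             failure evaluate to Indeterminate; under deny-overrides an Indeterminate
             Deny rule yields Deny, so the policy fails closed instead of silently
             permitting when the threat list cannot be fetched. -->
        <EnvironmentAttributeDesignator
            AttributeId="urn:example:attribute:threat-ip-patterns"
            DataType="http://www.w3.org/2001/XMLSchema#string"
            MustBePresent="true"/>

        <!-- Standard XACML subject attribute carrying the requester's IP address;
             the PEP places it in the request context as a Subject Attribute. -->
        <SubjectAttributeDesignator
            AttributeId="urn:oasis:names:tc:xacml:1.0:subject:authn-locality:ip-address"
            DataType="urn:oasis:names:tc:xacml:2.0:data-type:ipAddress"
            MustBePresent="true"/>
      </Apply>
    </Condition>
  </Rule>

  <!-- Rule 2: the "global allow" for every request the deny rule did not catch.
       With deny-overrides, Rule 1 wins whenever both apply. -->
  <Rule RuleId="urn:example:rule:DefaultPermit" Effect="Permit"/>
</Policy>
```

The PEP's request context for this policy carries the address as a Subject Attribute with the ip-address AttributeId and ipAddress DataType shown above (for instance the value 203.0.113.7, a constructed documentation address), alongside the usual resource-id and action-id attributes; nothing in the request names the threat list. If your PDP lets you choose how regexes are anchored, prefer patterns that match the whole address string, since a loose pattern such as 10\.1 would also match 10.10.x.x and 210.1.x.x under unanchored matching.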
