Subject: Re: [xacml] <ContextPrincipal>/<AttributeDesignator> proposal
since i expect that these documents will take on something of a life of their own, i would like to suggest a section that lists the version and name of any external standard relied upon. for example:

EXTERNAL REFERENCE

the descriptions herein are based upon the definitions listed below:

  J2SE v1.40   http://java.sun.com/j2se/1.4/index.html
  XPATH v1.0   http://www.w3.org/TR/1999/REC-xpath-19991116
  [...]

or some such.

thoughts?

b

Anne Anderson wrote:

> Michiharu suggested the following outline for such proposals.
> I think it is excellent, so I will follow it and encourage others
> to do the same.
>
> - Access request description in English
> - XACML Context specification of the above
> - Sample J2SE policy in English
> - XACML policy specification of the above
>   (not exact one, simplified description is enough)
> - How XACML policy specification refers to each attribute in XACML Context
> - Desirable final decision
> - ...
>
> NOTE: I have specified a complete context and policy below,
> although my current proposal is addressed to the ContextPrincipal
> syntax.
>
> EXAMPLE ACCESS REQUEST DESCRIPTION IN ENGLISH
>
> Read access has been requested for the file
> "/net/saguaro/home/zoe/status.txt".
>
> The user executing the thread from which the access request was
> generated was authenticated as both
>   o "cn=Anne,ou=SunLabs,o=Sun,c=US", and as
>   o "Anne.Anderson@Sun.COM"
>
> The executing code for the thread that generated the access
> request was downloaded from "http://java.sun.com/jdk1.4/classes".
>
> The code was signed by two certificates with subject names
>   o "cn=J2SESigner,ou=JavaSoft,o=Sun,c=US", and
>   o "cn=SunSigner,o=Sun,c=US".
>
> PROPOSED XACML CONTEXT SPECIFICATION OF THE ABOVE
>
> <xacml:RequestContext>
>   <xacml:ContextPrincipals>
>     <xacml:SimplePrincipal PrincipalType="j2se:RequestingUser">
>       <xacml:NameIdentifier Format="itu:X500DistinguishedName">
>         "cn=Anne,ou=SunLabs,o=Sun,c=US"
>       </xacml:NameIdentifier>
>     </xacml:SimplePrincipal>
>     <xacml:SimplePrincipal PrincipalType="j2se:RequestingUser">
>       <xacml:NameIdentifier Format="ietf:RFC822Name">
>         "Anne.Anderson@Sun.COM"
>       </xacml:NameIdentifier>
>     </xacml:SimplePrincipal>
>     <xacml:SimplePrincipal PrincipalType="j2se:CodeSource">
>       <xacml:NameIdentifier Format="ietf:URL">
>         "http://java.sun.com/jdk1.4/classes"
>       </xacml:NameIdentifier>
>       <xacml:Attribute AttributeName="SignedBy"
>                        AttributeFamily="j2se:Policy"
>                        Issuer="j2se:com.sun.labs.isrg.ClassLoader"
>                        IssueInstant="2002-05-28T00:00:00Z">
>         <xacml:AttributeValue>
>           "cn=J2SESigner,ou=JavaSoft,o=Sun,c=US"
>         </xacml:AttributeValue>
>         <xacml:AttributeValue>
>           "cn=SunSigner,o=Sun,c=US"
>         </xacml:AttributeValue>
>       </xacml:Attribute>
>     </xacml:SimplePrincipal>
>   </xacml:ContextPrincipals>
>   <xacml:ContextResource>
>     <xacml:ResourceSpecifier ResourceURI="file:/net/saguaro/home/zoe/status.txt"/>
>   </xacml:ContextResource>
>   <xacml:ContextAction>
>     <xacml:Action>
>       "read"
>     </xacml:Action>
>   </xacml:ContextAction>
> </xacml:RequestContext>
>
> SAMPLE POLICY IN ENGLISH
>
> Grant read access to resource "file:/net/saguaro/home/zoe/*" if
> the requesting user is "Zoe@Sun.COM" or if the executing code
> was signed by "cn=J2SESigner,ou=JavaSoft,o=Sun,c=US".
>
> XACML POLICY SPECIFICATION OF THE ABOVE
>
> The following two rules are included in an xacml:policyStatement
> where the ruleCombiningAlgId allows access if any rule allows
> access.
>
> <xacml:rule ruleId="sunlabs:rule9" effect="Permit">
>   <xacml:target>
>     <xacml:subjects>
>       <xacml:Attribute AttributeName=
>         "RequestContext/ContextPrincipals
>          /SimplePrincipal[@PrincipalType='j2se:RequestingUser']
>          /NameIdentifier[@Format='ietf:RFC822Name']">
>         <xacml:AttributeValue>
>           "Zoe@Sun.COM"
>         </xacml:AttributeValue>
>       </xacml:Attribute>
>     </xacml:subjects>
>     <xacml:resources>
>       <xacml:Attribute AttributeName=
>         "RequestContext/ContextResource
>          /ResourceSpecifier[@ResourceURI='file:/net/saguaro/home/zoe/*']">
>       </xacml:Attribute>
>     </xacml:resources>
>     <xacml:actions>
>       <xacml:Attribute AttributeName=
>         "RequestContext/ContextAction/Action">
>         <xacml:AttributeValue>
>           "read"
>         </xacml:AttributeValue>
>       </xacml:Attribute>
>     </xacml:actions>
>   </xacml:target>
> </xacml:rule>
>
> <xacml:rule ruleId="sunlabs:rule10" effect="Permit">
>   <xacml:target>
>     <xacml:subjects>
>       <xacml:Attribute AttributeName=
>         "RequestContext/ContextPrincipals
>          /SimplePrincipal[@PrincipalType='j2se:CodeSource']
>          /Attribute[@AttributeName='SignedBy' and
>                     @AttributeFamily='j2se:Policy']">
>         <xacml:AttributeValue>
>           "cn=J2SESigner,ou=JavaSoft,o=Sun,c=US"
>         </xacml:AttributeValue>
>       </xacml:Attribute>
>     </xacml:subjects>
>     <xacml:resources>
>       <xacml:Attribute AttributeName=
>         "RequestContext/ContextResource
>          /ResourceSpecifier[@ResourceURI='file:/net/saguaro/home/zoe/*']">
>       </xacml:Attribute>
>     </xacml:resources>
>     <xacml:actions>
>       <xacml:Attribute AttributeName=
>         "RequestContext/ContextAction/Action">
>         <xacml:AttributeValue>
>           "read"
>         </xacml:AttributeValue>
>       </xacml:Attribute>
>     </xacml:actions>
>   </xacml:target>
> </xacml:rule>
>
> HOW XACML POLICY SPECIFICATION REFERS TO EACH ATTRIBUTE IN XACML CONTEXT
>
> In the example above, I have used full XPATH expressions (to the
> best of my ability) starting from RequestContext to refer to
> attributes in the request context.
>
> Under the xacml:rule/target/subjects section of a rule, it should be
> possible to assume the root is RequestContext/ContextPrincipals,
> and then use an XPATH expression to navigate from there.
> Similarly, it should be possible to assume under
> xacml:target/resources that the root of the XPATH is
> RequestContext/ContextResource.
>
> In the xacml:rule/conditions sections of a rule, it would be
> necessary to specify the root explicitly (as I did in my
> examples), since there is no context to narrow it.
>
> DESIRABLE FINAL DECISION
>
> 1. Support multiple SimplePrincipal (or ComplexPrincipal? Not
>    sure we need multiple elements here) elements under
>    ResourceContext.
> 2. Each SimplePrincipal has an associated xml attribute named
>    "PrincipalType" that is a URI. This is used to indicate the
>    role the SimplePrincipal plays in this particular request
>    (requesting user, delegating user, requesting machine,
>    requesting process ID, requesting code source location, etc.).
>    Communities of users, such as J2SE, would specify the
>    PrincipalTypes that apply to them. Standards groups could
>    specify PrincipalTypes that apply to multiple communities of
>    users.
> 3. An xacml:Attribute that applies to a particular
>    SimplePrincipal is included as a subelement under the
>    SimplePrincipal to which it applies. This means the Attribute
>    does not need to include Holder, since the Holder will be the
>    xacml:NameIdentifier of the SimplePrincipal.
>
> QUESTION
>
> 1. Why can't AttributeName be a URL, and use the namespace
>    identifier to indicate the AttributeFamily? E.g., instead of
>
>      <xacml:Attribute AttributeName="SignedBy"
>                       AttributeFamily="j2se:Policy"
>                       Issuer="j2se:com.sun.labs.isrg.ClassLoader"
>                       IssueInstant="2002-05-28T00:00:00Z">
>
>    use
>
>      <xacml:Attribute AttributeName="j2sePolicy:SignedBy"
>                       Issuer="j2se:com.sun.labs.isrg.ClassLoader"
>                       IssueInstant="2002-05-28T00:00:00Z">
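To make the attribute-reference scheme in the quoted proposal concrete, here is an added Python example (not code from this thread or from any XACML implementation) that parses the proposed RequestContext and evaluates the two rules against it using ElementTree's limited XPath, combining them as "Permit if any rule permits". It assumes a namespace URI for the xacml: prefix (the proposal declares none), treats the trailing * in the resource target as a glob, resolves each rule's subject path relative to ContextPrincipals as the post suggests, and uses Deny as the fallback when no rule applies.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Assumed namespace URI: the proposal never declares one, ElementTree needs it.
NS = {"xacml": "urn:example:xacml-proposal"}

# Constructed sample: the proposal's RequestContext with quotes/whitespace
# removed from element content (Issuer/IssueInstant omitted, not needed here).
CONTEXT = """<xacml:RequestContext xmlns:xacml="urn:example:xacml-proposal">
<xacml:ContextPrincipals>
 <xacml:SimplePrincipal PrincipalType="j2se:RequestingUser"><xacml:NameIdentifier Format="itu:X500DistinguishedName">cn=Anne,ou=SunLabs,o=Sun,c=US</xacml:NameIdentifier></xacml:SimplePrincipal>
 <xacml:SimplePrincipal PrincipalType="j2se:RequestingUser"><xacml:NameIdentifier Format="ietf:RFC822Name">Anne.Anderson@Sun.COM</xacml:NameIdentifier></xacml:SimplePrincipal>
 <xacml:SimplePrincipal PrincipalType="j2se:CodeSource">
  <xacml:NameIdentifier Format="ietf:URL">http://java.sun.com/jdk1.4/classes</xacml:NameIdentifier>
  <xacml:Attribute AttributeName="SignedBy" AttributeFamily="j2se:Policy">
   <xacml:AttributeValue>cn=J2SESigner,ou=JavaSoft,o=Sun,c=US</xacml:AttributeValue><xacml:AttributeValue>cn=SunSigner,o=Sun,c=US</xacml:AttributeValue>
  </xacml:Attribute>
 </xacml:SimplePrincipal>
</xacml:ContextPrincipals>
<xacml:ContextResource><xacml:ResourceSpecifier ResourceURI="file:/net/saguaro/home/zoe/status.txt"/></xacml:ContextResource>
<xacml:ContextAction><xacml:Action>read</xacml:Action></xacml:ContextAction>
</xacml:RequestContext>"""

# The two proposed rules: subject XPath relative to ContextPrincipals (the root
# the post suggests assuming under rule/target/subjects) plus the required value.
RULES = {
    "sunlabs:rule9": ("xacml:SimplePrincipal[@PrincipalType='j2se:RequestingUser']"
                      "/xacml:NameIdentifier[@Format='ietf:RFC822Name']", "Zoe@Sun.COM"),
    "sunlabs:rule10": ("xacml:SimplePrincipal[@PrincipalType='j2se:CodeSource']"
                       "/xacml:Attribute[@AttributeName='SignedBy'][@AttributeFamily='j2se:Policy']"
                       "/xacml:AttributeValue", "cn=J2SESigner,ou=JavaSoft,o=Sun,c=US"),
}
RESOURCE_GLOB, ACTION = "file:/net/saguaro/home/zoe/*", "read"  # glob is an assumption


def evaluate_rule(ctx, rule_id):
    """Permit when the subject, resource and action targets all match the context."""
    xpath, expected = RULES[rule_id]
    principals = ctx.find("xacml:ContextPrincipals", NS)
    subject_ok = any((el.text or "").strip() == expected for el in principals.findall(xpath, NS))
    uri = ctx.find("xacml:ContextResource/xacml:ResourceSpecifier", NS).get("ResourceURI")
    resource_ok = fnmatch.fnmatchcase(uri, RESOURCE_GLOB)
    action_ok = ctx.find("xacml:ContextAction/xacml:Action", NS).text.strip() == ACTION
    return "Permit" if subject_ok and resource_ok and action_ok else "NotApplicable"


def decide(context_xml):
    """Combine as the proposal says: Permit if any rule permits; Deny otherwise (assumed)."""
    ctx = ET.fromstring(context_xml)
    results = {rule_id: evaluate_rule(ctx, rule_id) for rule_id in RULES}
    return ("Permit" if "Permit" in results.values() else "Deny"), results
```

Note that the PrincipalType in a rule's subject path must match the one in the context exactly; a context whose code principal carries any other PrincipalType makes rule10 not applicable.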