Subject: [xacml] J2SE use of XACML
The attachment represents my action item to provide an example for how J2SE would use XACML with the current schema. It is not yet brought up to schema 15, but should not be too far off. There may be typos: I was trying to do my final edits over a very slow dialup line. This has been quickly reviewed by my own research team, but not by any J2SE development engineers, so it is very much just my own idea for now.

Anne
--
Anne H. Anderson
Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive, UBUR02-311
Burlington, MA 01803-0902 USA
Tel: 781/442-0928
Fax: 781/442-1692

Proposal: J2SE Use of XACML
 _____________            __________          _________
| J2SE        |-Access-->| J2SE     |-J2SE-->| J2SE    |
| Application | Request  | Security | Policy | Policy  |
|_____________|          | Manager  | API    | Provider|
                         |__________|<-true/-|_________|
                                       false

J2SE Policy Provider internal structure:

 __________________            ______________________
| J2SE Policy      |--XACML-->| XACML  | J2SE       |
| to XACML Request | Request  | PDP    | Extensions |
| Translator       | Context  |        | Support    |
|__________________|<-XACML---|________|____________|
                     Response
                     Context

"J2SE Extensions Support" consists of one module designed to handle policy Function elements with FunctionName "j2se:implies".
This module accepts an Attribute with AttributeNamespace "j2se:Constructor" and an AttributeName corresponding to a class name. The value of the attribute is a sequence of values corresponding to argument values for a constructor for the class.
The module also accepts an AttributeSelector that points to a serialized Permission object.
The module functions by locating a constructor for the class that accepts arguments of the types specified in the AttributeValue. It then constructs an instance of the class object using the AttributeValues as arguments.
The module then de-serializes the serialized Permission passed in the Request, and passes the de-serialized Permission as an argument to the "implies" method of the constructed Permission.
The module returns the result of the "implies" invocation as the result of evaluating the Function.
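The module described above, as an added Java example that is not part of this proposal or of any J2SE code. FooPermission here is a hypothetical stand-in for com.simpsons.FooPermission (assumed: it lives in the default package, and its "implies" treats the policy-side name as a regular expression, so "duh+" implies "duhhh"); the class name, method names and sample values are assumptions. Because the serialized Permission is supplied by the requester, the example reads it through a java.io.ObjectInputFilter (Java 9 and later) that admits only the class named by the policy and its java.security.Permission superclass, so the requester cannot make the PDP instantiate any other class while de-serializing.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Constructor;
import java.security.Permission;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import java.util.Objects;
import java.util.regex.Pattern;

/* Hypothetical stand-in for com.simpsons.FooPermission (assumption: the name of
 * the policy-side instance is a regular expression the requested name must match). */
final class FooPermission extends Permission {
    private static final long serialVersionUID = 1L;
    private final String actions;

    public FooPermission(String name, String actions) {
        super(name);
        this.actions = actions;
    }

    @Override public boolean implies(Permission p) {
        if (!(p instanceof FooPermission)) return false;
        FooPermission other = (FooPermission) p;
        return Pattern.matches(getName(), other.getName()) && actions.equals(other.actions);
    }
    @Override public boolean equals(Object o) {
        return o instanceof FooPermission
            && getName().equals(((FooPermission) o).getName())
            && actions.equals(((FooPermission) o).actions);
    }
    @Override public int hashCode() { return Objects.hash(getName(), actions); }
    @Override public String getActions() { return actions; }
}

public final class J2seExtensionsSupport {

    /* Evaluates one j2se:implies Function.  className and ctorArgs are the
     * AttributeName and the AttributeValue sequence of the j2se:Constructor
     * Attribute; serializedBase64 is the xs:base64Binary the AttributeSelector
     * resolved to in the Request. */
    public static boolean implies(String className, List<String> ctorArgs, String serializedBase64)
            throws ReflectiveOperationException, IOException {
        Class<?> clazz = Class.forName(className);
        if (!Permission.class.isAssignableFrom(clazz)) {
            throw new IllegalArgumentException(className + " is not a java.security.Permission");
        }
        // Every AttributeValue in the example is an xs:String, so look for a
        // constructor taking that many String parameters and invoke it.
        Class<?>[] paramTypes = new Class<?>[ctorArgs.size()];
        Arrays.fill(paramTypes, String.class);
        Constructor<?> ctor = clazz.getConstructor(paramTypes);
        Permission policyPermission = (Permission) ctor.newInstance(ctorArgs.toArray());

        // The serialized Permission comes from the requester: admit only the
        // policy's class and its Permission superclass, reject everything else.
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                className + ";java.security.Permission;!*");
        byte[] bytes = Base64.getDecoder().decode(serializedBase64);
        Permission requested;
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(filter);
            requested = (Permission) in.readObject();
        }
        return policyPermission.implies(requested);
    }

    /* Requester side: the ResourceContent value for a Permission object. */
    public static String serialize(Permission p) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(p);
        }
        return Base64.getEncoder().encodeToString(bos.toByteArray());
    }

    public static void main(String[] args) throws Exception {
        String cls = FooPermission.class.getName();
        List<String> ctorArgs = List.of("duh+", "buh");   // the two xs:String AttributeValues

        System.out.println(implies(cls, ctorArgs, serialize(new FooPermission("duhhh", "buh"))));
        System.out.println(implies(cls, ctorArgs, serialize(new FooPermission("buh", "buh"))));

        // A stream naming any other class is refused by the filter before that
        // class's readObject runs.
        try {
            implies(cls, ctorArgs, serialize(new java.util.PropertyPermission("x", "read")));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile both classes from this one file and run J2seExtensionsSupport: the first call shows "implies" returning true, the second false, and the third shows the filter refusing a stream that names java.util.PropertyPermission. Choosing the constructor by argument count and String type is all the page's example needs; a fuller module would map each xs: type in the AttributeValue to the corresponding Java parameter type.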
Issue 1: Policy "getPermissions"

RECOMMENDED ACTION: Return null. If an XACML Provider is used, getPermissions is not supported.
It would be possible to construct an XACML PDP that returned the equivalent of "getPermissions" as Advice. Providing this functionality, however, would not be simple, and would introduce the need to handle Issue 2 below.
getPermissions does not have a well-defined function currently, other than being available as an optimization technique for particular implementations. J2SE should probably move toward a simpler model in which all access control decisions are made through the Policy "implies" interface.
Issue 2: Overlapping Permissions

RECOMMENDED ACTION: Ignore any Permissions in the ProtectionDomain. If an XACML Provider is used, overlapping Permissions are not supported.
The semantics of overlapping permissions is very complex in the existing J2SE architecture. It is unlikely that any general policy system will support or require such complex semantics. J2SE should probably move toward a simpler model for the future, in order to co-exist with other centralized access control mechanisms, such as XACML.
The first rule specifies that only a requester authenticated as "Bart.Simpson@Simpsons.COM" is allowed to read the directory "/home/bs" on host machine "saguaro.simpsons.com".
The second rule specifies that only a requester having a "role" attribute value of "SystemAdministrator" is granted access for all Permissions implied by an instance of the com.simpsons.FooPermission class constructed using the two String arguments "duh+" and "buh".
The policy will allow access if either rule returns "Permit".
<PolicyStatement PolicyId="com.simpsons:policies:Policy1"
                 RuleCombiningAlgId="xacml:RuleCombiningAlgIds:PermitOverrides">
  <Description>"Simpsons Policy"</Description>
  <Target>
    <Subjects>"xacml:anySubject"</Subjects>
    <Resources>"xacml:anyResource"</Resources>
    <Actions>"xacml:anyAction"</Actions>
  </Target>
  <RuleSet>
    <Rule RuleId="com.simpsons:rules:Rule1" Effect="Permit">
      <Target>
        <Subjects>
          <RequiredAttributeMatch RequestValue=
            '/Request/Subject[@SubjectCategory="urn:oasis:names:tc:xacml:identifiers:AccessSubject"]
             /SubjectId[@Format="urn:oasis:names:tc:xacml:identifiers:RFC822Name"]'>
            <RequiredMatchingValue>"Bart.Simpson@Simpsons.COM"</RequiredMatchingValue>
          </RequiredAttributeMatch>
        </Subjects>
        <Resources>
          <RequiredAttributeMatch RequestValue=
            '/Request/Resource/ResourceSpecifier[@Scope="descendants"
             and @ResourceURI="file://saguaro.simpsons.com/home/bs"]'/>
        </Resources>
        <Actions>"urn:oasis:names:tc:xacml:identifiers:Read"</Actions>
      </Target>
    </Rule>
    <Rule RuleId="com.simpsons:rules:Rule2" Effect="Permit">
      <Target>
        <Subjects>
          <RequiredAttributeMatch RequestValue=
            '/Request/Subject/SubjectAttribute/AttributeMetaData[@Name="role"
             and @Namespace="urn:com:simpsons:attributes"]/AttributeValue'>
            <RequiredMatchingValue>"SystemAdministrator"</RequiredMatchingValue>
          </RequiredAttributeMatch>
        </Subjects>
        <Resources>
          <RequiredAttributeMatch RequestValue=
            '/Request/Resource/ResourceSpecifier[@Format="j2se:SerializedObject"
             and @ResourceURI="j2se:com.simpsons.FooPermission"]'/>
        </Resources>
        <Actions>"xacml:actions:implied"</Actions>
      </Target>
      <Condition>
        <Function FunctionName="j2se:implies">
          <Attribute AttributeName="com.simpsons.FooPermission"
                     AttributeNamespace="j2se:Constructor">
            <AttributeValue>
              <xs:String>"duh+"</xs:String>
              <xs:String>"buh"</xs:String>
            </AttributeValue>
          </Attribute>
          <AttributeSelector>
            /Request/Resource/ResourceSpecifier[@Format="j2se:SerializedObject"
             and @ResourceURI="j2se:com.simpsons.FooPermission"]/../ResourceContent/xs:base64Binary
          </AttributeSelector>
        </Function>
      </Condition>
    </Rule>
  </RuleSet>
</PolicyStatement>
ProtectionDomain
  CodeSource
    URL("http://www.simpsons.com/apps/com.simpsons.applet.y")
    Certificate[]
      [0] certificate with Subject "o=simpsons,c=us"
      [1] certificate with Subject "o=y,c=us"
  PermissionCollection "Gobbledegook"
  ClassLoader "Gobbledegook"
  Principal[]
    [0] X500Principal("cn=Bart Simpson,o=simpsons,c=us")
    [1] com.simpsons.EmailPrincipal("Bart.Simpson@simpsons.COM")

Permission
  FilePermission("//saguaro.simpsons.com/home/bs/-", "read,write")

The "J2SE Policy to XACML Request Translator" (JPXRT) notes that FilePermission is in its list of "non-J2SE Resources" and invokes its special FilePermission handler.
The FilePermission handler calls the FilePermission "getName" method, interprets the trailing "/-" of the name in order to determine that Scope should be "descendants", then returns "file://saguaro.simpsons.com/home/bs" as what should go into the Resource element.
The FilePermission handler then calls the FilePermission "getActions" method and parses the resulting string into two comma-separated actions. It returns these as what should go into the Action element.
The JPXRT constructs two XACML Requests, one for each action. The JPXRT will return true as the result of the J2SE Policy API only if both XACML Requests receive an XACML Response of "Permit".
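The FilePermission handler and the two-request conjunction, as an added Java example that is not part of the proposal. The class and method names, the "children" Scope assigned to names ending in "/*", and the toy PDP that stands in for Rule 1 of the policy are assumptions of this example; the PDP is abstracted as a function from a Request to a decision so the translator can be run without an XACML engine.

```java
import java.io.FilePermission;
import java.security.Permission;
import java.util.ArrayList;
import java.util.List;
import java.util.function.Function;

public final class Jpxrt {

    static final String XACML_ID = "urn:oasis:names:tc:xacml:identifiers:";

    /* The parts of an XACML Request that the FilePermission handler fills in. */
    public static final class Request {
        public final String resourceUri, scope, action;
        Request(String resourceUri, String scope, String action) {
            this.resourceUri = resourceUri; this.scope = scope; this.action = action;
        }
        @Override public String toString() {
            return "Resource=" + resourceUri + " Scope=" + scope + " Action=" + action;
        }
    }

    /* Step 1: read getName() and interpret its tail.  "/-" means the directory
     * and everything below it (Scope "descendants"); "/*" the entries directly
     * inside it (Scope "children", an assumption of this example); anything
     * else is a single path (Scope "immediate"). */
    static String[] resourceOf(FilePermission fp) {
        String name = fp.getName();
        if (name.endsWith("/-")) return new String[] { "file:" + strip(name), "descendants" };
        if (name.endsWith("/*")) return new String[] { "file:" + strip(name), "children" };
        return new String[] { "file:" + name, "immediate" };
    }

    private static String strip(String name) { return name.substring(0, name.length() - 2); }

    /* Step 2: getActions() returns the canonical comma-separated list
     * ("read,write" here); emit one XACML Action identifier per entry. */
    static List<String> actionsOf(FilePermission fp) {
        List<String> out = new ArrayList<>();
        for (String a : fp.getActions().split(",")) {
            out.add(XACML_ID + Character.toUpperCase(a.charAt(0)) + a.substring(1));
        }
        return out;
    }

    /* One XACML Request per action, all sharing the same Resource. */
    public static List<Request> translate(FilePermission fp) {
        String[] res = resourceOf(fp);
        List<Request> requests = new ArrayList<>();
        for (String action : actionsOf(fp)) requests.add(new Request(res[0], res[1], action));
        return requests;
    }

    /* The Policy "implies" result: true only if every per-action Request is
     * answered Permit.  Other Permission types would go to other handlers. */
    public static boolean implies(Permission p, Function<Request, String> pdp) {
        if (!(p instanceof FilePermission)) return false;
        for (Request r : translate((FilePermission) p)) {
            if (!"Permit".equals(pdp.apply(r))) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        FilePermission fp = new FilePermission("//saguaro.simpsons.com/home/bs/-", "read,write");
        translate(fp).forEach(System.out::println);

        // Toy PDP standing in for Rule 1 of the page's policy: Read on the
        // /home/bs subtree is permitted, nothing else is.
        Function<Request, String> pdp = r ->
            r.resourceUri.equals("file://saguaro.simpsons.com/home/bs")
                && r.scope.equals("descendants")
                && r.action.equals(XACML_ID + "Read") ? "Permit" : "Deny";

        System.out.println(implies(fp, pdp));   // read,write: the Write request is denied
        System.out.println(implies(new FilePermission("//saguaro.simpsons.com/home/bs/-", "read"), pdp));
    }
}
```

The first "implies" call is the page's case: the Read request is permitted, the Write request is not, so the Policy API answers false; the second call, for a read-only FilePermission, answers true.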
<Request>
  <Subject SubjectCategory="urn:oasis:names:tc:xacml:identifiers:AccessSubject">
    <SubjectId Format="urn:oasis:names:tc:xacml:identifiers:X500DistinguishedName">
      "cn=Bart Simpson, o=simpsons, c=us"
    </SubjectId>
  </Subject>
  <Subject SubjectCategory="urn:oasis:names:tc:xacml:identifiers:AccessSubject">
    <SubjectId Format="urn:oasis:names:tc:xacml:identifiers:RFC822Name">
      "Bart.Simpson@simpsons.com"
    </SubjectId>
  </Subject>
  <Subject SubjectCategory="urn:j2se:names:xacml:identifiers:CodeSource">
    <SubjectId Format="URL">
      "http://www.simpsons.com/apps/com.simpsons.applet.y"
    </SubjectId>
    <SubjectAttribute>
      <AttributeMetaData Name="SignedBy" Namespace="urn:j2se:names:xacml:identifiers"/>
      <AttributeValue>"o=simpsons,c=us"</AttributeValue>
      <AttributeValue>"o=y,c=us"</AttributeValue>
    </SubjectAttribute>
  </Subject>
  <Resource>
    <ResourceSpecifier Scope="descendants"
                       ResourceURI="file://saguaro.simpsons.com/home/bs"/>
  </Resource>
  <Action>"urn:oasis:names:tc:xacml:identifiers:Read"</Action>
</Request>
The second Request is identical except for its Action element:

  <Action>"urn:oasis:names:tc:xacml:identifiers:Write"</Action>
The XACML PDP evaluates the first request against the policy target, which matches any subject, resource and action, and then against the target of the first rule, and determines that the rule applies. Since there is no condition in the first rule, the rule has been satisfied and the rule returns the effect "Permit".
Since the RuleCombiningAlgId for the policy is "PermitOverrides", the policy can now return "Permit" as the result of evaluating the first request.
The XACML PDP evaluates the second request against the policy target, and again decides that the policy applies to the request.
The PDP then evaluates the second request against the target of the first rule. The rule does not apply, since the requested Action is now "Write", while the rule target specifies only "Read". The first rule returns "Inapplicable".
The PDP then evaluates the second request against the target of the second rule. It attempts to retrieve an attribute for the subject with attribute name "role" and attribute value "SystemAdministrator". While such an attribute is not in the Request, it triggers a call to an Attribute Authority, which returns such an Attribute.
The PDP now tries to evaluate the Resources section of the second rule target. This fails: the Request names the file resource "file://saguaro.simpsons.com/home/bs", not a resource with Format "j2se:SerializedObject" and ResourceURI "j2se:com.simpsons.FooPermission". The second rule also returns "Inapplicable".
According to the policy RuleCombiningAlgId, the result of evaluating the second request, since neither rule returned Permit, is "Deny".
The JPXRT returns "false" from the Policy API "implies" method, since both requests would need to evaluate to "Permit" for the request to be allowed.
The response from the first request is:

<Response>
  <Decision>
    <Effect>Permit</Effect>
  </Decision>
</Response>

The response from the second request is:

<Response>
  <Decision>
    <Effect>Deny</Effect>
  </Decision>
</Response>

The response from the Policy API "implies" method is "false".
<Request>
  <Subject SubjectCategory="urn:oasis:names:tc:xacml:identifiers:AccessSubject">
    <SubjectId Format="urn:oasis:names:tc:xacml:identifiers:X500DistinguishedName">
      "cn=Bart Simpson, o=Simpsons, c=us"
    </SubjectId>
  </Subject>
  <Subject SubjectCategory="urn:oasis:names:tc:xacml:identifiers:AccessSubject">
    <SubjectId Format="urn:oasis:names:tc:xacml:identifiers:RFC822Name">
      "Bart.Simpson@Simpsons.com"
    </SubjectId>
  </Subject>
  <Subject SubjectCategory="urn:j2se:names:xacml:identifiers:CodeSource">
    <SubjectId Format="URL">
      "http://www.simpsons.com/apps/com.simpsons.applet.y"
    </SubjectId>
    <SubjectAttribute>
      <AttributeMetaData Name="SignedBy" Namespace="urn:j2se:names:xacml:identifiers"/>
      <AttributeValue>"o=simpsons,c=us"</AttributeValue>
      <AttributeValue>"o=y,c=us"</AttributeValue>
    </SubjectAttribute>
  </Subject>
  <Resource>
    <ResourceSpecifier Format="j2se:SerializedObject" Scope="immediate"
                       ResourceURI="j2se:com.simpsons.FooPermission"/>
    <ResourceContent>
      <xs:base64Binary>
        CCqGSIb3DQMHMBMGA1UdJQQMMAoGCCsGAQUFBwMDMB0GA1UdDgQWBBQR6BWe3NaAr3ZH2cJddxf
      </xs:base64Binary>
    </ResourceContent>
  </Resource>
  <Action>"urn:oasis:names:tc:xacml:identifiers:Implied"</Action>
</Request>
The XACML PDP now evaluates the request against the target of Rule 2.
The XACML PDP attempts to reference a "role" attribute with value "SystemAdministrator" in the Subjects portion of the Request. This initiates a call to an Attribute Authority, which retrieves such an attribute for Subject "cn=Bart Simpson, o=simpsons, c=us" and returns it. This satisfies the Subjects target of Rule 2.
The XACML PDP attempts to reference a "FooPermission" resourceURI, finds it, and this satisfies the remainder of the Target for Rule 2.
The XACML PDP now attempts to evaluate the condition portion of Rule 2.
The XACML PDP recognizes FunctionName "j2se:implies" as a reference to a function provided by the J2SE Extensions Support module. The PDP passes the Function specification (probably parsed) to the J2SE module.
The J2SE module recognizes AttributeName "com.simpsons.FooPermission" as a Class, and namespace "j2se:Constructor" as an indicator that an instance of this class is to be constructed using the provided arguments. The module locates a constructor that takes two "String" arguments, and uses it to construct an object instance.
The J2SE module then de-serializes the base64 content selected by the AttributeSelector into another instance of com.simpsons.FooPermission.
The J2SE module then passes the deserialized FooPermission to the "implies" method of the constructed "FooPermission" and returns the result.
Assume the result of FooPermission.implies is "false". Rule 2 is a "Permit" rule whose condition failed, so it returns no Permit; since the RuleCombiningAlgId is "PermitOverrides" and neither of the two rules returned "Permit", the policy returns "Deny".
<Response>
  <Decision>
    <Effect>Deny</Effect>
  </Decision>
</Response>

The Policy API "implies" method returns "false".
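A toy PDP covering both walkthroughs above, the Read/Write pair and the FooPermission request, added here as an example and not part of the proposal. It models rule Targets, an Attribute Authority callback for a subject attribute that is missing from the Request, a Condition hook, and PermitOverrides as the proposal applies it (no Permit from any rule gives Deny). The class names, the attribute keys, the constructed Attribute Authority and the requests are assumptions; the j2se:implies result is supplied by a flag rather than by de-serializing anything.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.function.Predicate;

public final class ToyPdp {
    static final String ID = "urn:oasis:names:tc:xacml:identifiers:";

    /* Request context: multi-valued subject attributes, resource attributes, one action. */
    public static final class Request {
        final Map<String, List<String>> subject = new HashMap<>();
        final Map<String, String> resource = new HashMap<>();
        final String action;
        Request(String action) { this.action = action; }
        Request subject(String name, String value) {
            subject.computeIfAbsent(name, k -> new ArrayList<>()).add(value);
            return this;
        }
        Request resource(String name, String value) { resource.put(name, value); return this; }
    }

    /* Attribute Authority consulted when a subject attribute named by a rule
     * target is absent from the Request (assumption: keyed by the X500 name). */
    public interface AttributeAuthority {
        List<String> lookup(String x500Name, String attributeName);
    }

    public static final class Rule {
        final String id, effect, subjectAttr, subjectValue, action;
        final Map<String, String> resourceMatch;
        final Predicate<Request> condition;   // null: the rule has no Condition
        Rule(String id, String effect, String subjectAttr, String subjectValue,
             Map<String, String> resourceMatch, String action, Predicate<Request> condition) {
            this.id = id; this.effect = effect; this.subjectAttr = subjectAttr;
            this.subjectValue = subjectValue; this.resourceMatch = resourceMatch;
            this.action = action; this.condition = condition;
        }
    }

    static boolean targetMatches(Rule rule, Request req, AttributeAuthority aa) {
        List<String> values = req.subject.get(rule.subjectAttr);
        if (values == null) {   // not in the Request: ask the Attribute Authority
            List<String> dn = req.subject.getOrDefault("X500DistinguishedName", List.of());
            values = aa.lookup(dn.isEmpty() ? "" : dn.get(0), rule.subjectAttr);
        }
        if (!values.contains(rule.subjectValue)) return false;
        for (Map.Entry<String, String> e : rule.resourceMatch.entrySet()) {
            if (!e.getValue().equals(req.resource.get(e.getKey()))) return false;
        }
        return rule.action.equals(req.action);
    }

    /* A rule yields NotApplicable unless its Target matches and its Condition
     * (if any) holds, in which case it yields its Effect. */
    static String evaluate(Rule rule, Request req, AttributeAuthority aa) {
        if (!targetMatches(rule, req, aa)) return "NotApplicable";
        if (rule.condition != null && !rule.condition.test(req)) return "NotApplicable";
        return rule.effect;
    }

    /* PermitOverrides as the proposal applies it: the first Permit wins, and a
     * request that no rule permits is answered Deny. */
    public static String decide(List<Rule> rules, Request req, AttributeAuthority aa) {
        for (Rule r : rules) {
            if ("Permit".equals(evaluate(r, req, aa))) return "Permit";
        }
        return "Deny";
    }

    static boolean fooImpliesResult = false;   // stands in for the j2se:implies module's answer

    static Request bartRequest(String action) {
        return new Request(action)
            .subject("X500DistinguishedName", "cn=Bart Simpson,o=simpsons,c=us")
            .subject("RFC822Name", "Bart.Simpson@simpsons.com");
    }

    public static void main(String[] args) {
        Rule rule1 = new Rule("Rule1", "Permit", "RFC822Name", "Bart.Simpson@simpsons.com",
            Map.of("Scope", "descendants", "ResourceURI", "file://saguaro.simpsons.com/home/bs"),
            ID + "Read", null);
        Rule rule2 = new Rule("Rule2", "Permit", "role", "SystemAdministrator",
            Map.of("Format", "j2se:SerializedObject", "ResourceURI", "j2se:com.simpsons.FooPermission"),
            ID + "Implied", req -> fooImpliesResult);
        List<Rule> policy = List.of(rule1, rule2);

        // Constructed Attribute Authority: Bart's only out-of-band attribute is his role.
        AttributeAuthority aa = (dn, attr) ->
            dn.equals("cn=Bart Simpson,o=simpsons,c=us") && attr.equals("role")
                ? List.of("SystemAdministrator") : List.of();

        Request read = bartRequest(ID + "Read")
            .resource("Scope", "descendants").resource("ResourceURI", "file://saguaro.simpsons.com/home/bs");
        Request write = bartRequest(ID + "Write")
            .resource("Scope", "descendants").resource("ResourceURI", "file://saguaro.simpsons.com/home/bs");
        Request implied = bartRequest(ID + "Implied")
            .resource("Format", "j2se:SerializedObject").resource("Scope", "immediate")
            .resource("ResourceURI", "j2se:com.simpsons.FooPermission");

        System.out.println("Read:    " + decide(policy, read, aa));
        System.out.println("Write:   " + decide(policy, write, aa));
        System.out.println("Implied: " + decide(policy, implied, aa));
        fooImpliesResult = true;   // the same request if FooPermission.implies had answered true
        System.out.println("Implied: " + decide(policy, implied, aa));
    }
}
```

The Read request is permitted by Rule 1; the Write request fails Rule 1 on the Action and Rule 2 on the Resources even though the Attribute Authority supplies the role; the FooPermission request reaches Rule 2's Condition and is denied or permitted solely on the module's answer.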