
xacml message


Subject: using the xacml obligation mechanism for service request or response rewrite

Hi all,


As promised in the last telecon, below are some insights into a way to use XACML's obligation mechanism in SOA:


- the PEP intercepts the communication between the subject and the service, e.g. a Web Service request or response r in format x (i.e. r.x)

- the ctx handler transforms r.x and includes it in a XACML decision request in format y (i.e. r.y)

- to enforce most of the access rights based on the Web Service request there is a need to rewrite the request. Additionally, some rights need to be enforced through a rewrite of the response. In both cases the aim behind the rewrite is to allow the intersection of the intended interaction and the permitted interactions

- the rewrite can be done by rewrite functions defined in obligations that refer to r.y

- a ctx handler receiving rewrite rules transforms r.y (i.e. the representation of the request in the evaluation context) correspondingly. This will result in r.y'

- after the AC process the ctx handler transforms r.y' back to the original format x, so you get r.x'

- the PEP can choose between different options for how to proceed:

    - no rewrite -> forward original request | response

    - rewrite -> forward rewritten Web Service request | response

    - rewrite -> deny request, send error msg to user (optionally show him r.x' to show him the permitted subset of his request)




request from user in string format:

r.x :=

select *

from Building

where owner = ’state’


request from user in XML format, as included under <Content> in the XACML access decision request:

r.y :=

  <where>owner = 'state'</where>



obligation in a rule that matches:

- subject.name = alice

- xpath-node-equal(content-selector, /select[ from/table/text() = Building])


- functionToCall = addToWhereClauseByAnd

- argument1 = 'price < 1,000,000'

- optional: functionDefInEgJava = public string addToWhereClauseByAnd(string s){....} // this could allow for flexible obligation-function definitions and would still keep interop


result in the ctx handler after the AC process:

r.y' :=

  <where>owner = 'state' AND price < 1,000,000</where>



rewritten request in the original SQL string format:

r.x’ :=

select *

from Building

where owner = ’state’ AND price < 1,000,000


The rewritten request implies that the user can only access building data with a price less than one million. In this solution it is very useful to allow obligation processing in the ctx handler (which could run on a different machine than the PEP). For those who know Oracle's Virtual Private Database technology: this approach is similar but more flexible, external to the service/DBMS implementation, and could be standardised.

Looking forward to hearing your thoughts on this solution.


Best regards



Jan Herrmann
Dipl.-Inform., Dipl.-Geogr. 

Research Associate

Technische Universität München
Institut für Informatik

Lehrstuhl für Angewandte Informatik / Kooperative Systeme

Boltzmannstr. 3
85748 Garching

Tel:      +49 (0)89 289-18692
Fax:     +49 (0)89 289-18657
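The r.x -> r.y -> r.y' -> r.x' flow described in the message above, as an added worked example in Python (this is not code from the message, from the author, or from TUM). It assumes an XML shape for r.y (the message's outer tags did not survive, so the <select>, <from>/<table> and <columns> elements are assumptions), a dictionary-based rule format in place of a real XACML policy, an ElementTree predicate standing in for xpath-node-equal, and the SQL-valid literal 1000000 in place of "1,000,000". The obligation function parenthesises the user's original WHERE predicate before ANDing the permitted one, so that a request containing OR still yields the intersection of intended and permitted interactions, and an obligation the context handler cannot discharge turns the decision into Deny.

```python
"""Added illustration (not code from the message or from TUM): a toy context
handler plus PDP that enforces access by rewriting a SQL request through an
obligation, following the r.x -> r.y -> r.y' -> r.x' flow of the message.
Assumed: the XML shape of r.y (the message's outer tags were lost; <columns>
is invented), the rule/obligation dictionary format, and the SQL subset."""
import re
import xml.etree.ElementTree as ET

# r.x -> r.y: only "select <cols> from <table> [where <pred>]" is understood.
SQL_RE = re.compile(
    r"^\s*select\s+(?P<cols>.+?)\s+from\s+(?P<table>\w+)"
    r"(?:\s+where\s+(?P<where>.+?))?\s*;?\s*$",
    re.IGNORECASE | re.DOTALL,
)


def sql_to_xml(sql: str) -> ET.Element:
    """Transform the SQL string r.x into the XML tree r.y (goes under <Content>)."""
    m = SQL_RE.match(sql)
    if not m:
        raise ValueError("unsupported request shape: " + sql)
    select = ET.Element("select")
    ET.SubElement(select, "columns").text = m.group("cols").strip()
    ET.SubElement(ET.SubElement(select, "from"), "table").text = m.group("table")
    if m.group("where"):
        ET.SubElement(select, "where").text = m.group("where").strip()
    return select


def xml_to_sql(select: ET.Element) -> str:
    """Transform r.y' back into the original SQL format, giving r.x'."""
    sql = f"select {select.findtext('columns')} from {select.findtext('from/table')}"
    where = select.findtext("where")
    return f"{sql} where {where}" if where else sql


def add_to_where_clause_by_and(select: ET.Element, predicate: str) -> None:
    """Obligation function addToWhereClauseByAnd from the message.

    The user's predicate is parenthesised first: without that, a request such as
    "owner = 'state' OR owner = 'city'" would bind as
    "owner = 'state' OR (owner = 'city' AND price < ...)" and the rewrite would
    no longer be the intersection of intended and permitted interactions."""
    where = select.find("where")
    if where is None or not (where.text or "").strip():
        ET.SubElement(select, "where").text = predicate
    else:
        where.text = f"({where.text.strip()}) AND {predicate}"


OBLIGATION_FUNCTIONS = {"addToWhereClauseByAnd": add_to_where_clause_by_and}

# Constructed policy: the one rule sketched in the message. The ElementTree
# predicate from[table='Building'] plays the role of xpath-node-equal(...).
POLICY = [
    {
        "subject": "alice",
        "xpath": "from[table='Building']",
        "obligations": [("addToWhereClauseByAnd", "price < 1000000")],
    }
]


def evaluate(subject: str, select: ET.Element):
    """Tiny PDP: Permit with the rule's obligations, otherwise Deny."""
    for rule in POLICY:
        if rule["subject"] == subject and select.find(rule["xpath"]) is not None:
            return "Permit", rule["obligations"]
    return "Deny", []


def enforce(subject: str, sql: str) -> dict:
    """Context handler + PEP: returns the decision, r.x' and whether it changed.

    An obligation the handler cannot fulfil turns the decision into Deny, as
    XACML requires of a PEP that cannot discharge an obligation."""
    r_y = sql_to_xml(sql)                      # r.x -> r.y
    decision, obligations = evaluate(subject, r_y)
    if decision != "Permit":
        return {"decision": "Deny", "request": None, "rewritten": False}
    for name, argument in obligations:
        fn = OBLIGATION_FUNCTIONS.get(name)
        if fn is None:                         # unknown rewrite function: fail closed
            return {"decision": "Deny", "request": None, "rewritten": False}
        fn(r_y, argument)                      # r.y -> r.y'
    return {"decision": "Permit", "request": xml_to_sql(r_y),  # r.y' -> r.x'
            "rewritten": bool(obligations)}


if __name__ == "__main__":
    # The PEP may forward the rewritten request, or deny and show it to the user.
    print(enforce("alice", "select * from Building where owner = 'state'"))
```

The "rewritten" flag in the result is what lets the PEP pick between the three options in the message: forward r.x unchanged, forward r.x', or deny and present r.x' to the user as the permitted subset of the request.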


