
XACML PDP processor

Introduction

This document describes the functionality implemented by the XACML PDP processor attached to this page. XACML stands for eXtensible Access Control Markup Language. PDP stands for Policy Decision Point. The PDP is the policy component whose main goal is to make access control decisions based upon XACML requests and XACML policies.

The PDP processor, as described in this document, generates an XACML response from two inputs: an XACML request document and an XACML policy document. This document does NOT describe where these policies and requests originate from, but it does point to the schema definitions they must conform to.


Libraries

Apart from the libraries shipped with Orbeon, this processor uses Sun's XACML implementation (sunxacml), whose com.sun.xacml classes are referenced under Processing below.


Input document: request


Purpose

This input document contains the XACML request. The request contains a subject, a resource and an action. Each of these entities consists of one or more attribute/value pairs.


Namespace

All nodes in this document should be in the following namespace URN: urn:oasis:names:tc:xacml:1.0:context


XML Schema definition

http://www.oasis-open.org/committees/download.php/919/cs-xacml-schema-context-01.xsd


Example document

<Request xmlns="urn:oasis:names:tc:xacml:1.0:context">
    <Subject>
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string">
            <AttributeValue>jasper.linthorst</AttributeValue>
        </Attribute>
        <Attribute AttributeId="role" DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="avernet">
            <AttributeValue>volunteer</AttributeValue>
        </Attribute>
    </Subject>
    <Resource>
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string">
            <AttributeValue>http://sites.google.com/a/orbeon.com/forms/contributions/xacml-pdp-processor</AttributeValue>
        </Attribute>
    </Resource>
    <Action>
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string">
            <AttributeValue>write</AttributeValue>
        </Attribute>
    </Action>
</Request>


Input document: policy


Purpose

This input document contains all policies needed for the PDP to evaluate the request.


Namespace

All nodes in this document should be in the following namespace URN: urn:oasis:names:tc:xacml:1.0:policy


XML Schema definition

http://www.oasis-open.org/committees/download.php/915/cs-xacml-schema-policy-01.xsd


Example document (note that the first rule's AttributeSelector looks for tn:users/tn:user/tn:role content that the example request above does not carry, so for that request the Permit shown in the response below comes from the second rule, PermitAlsoWhenUserIsJasper, combined under permit-overrides)

<PolicySet xmlns="urn:oasis:names:tc:xacml:1.0:policy"
 xmlns:tn="custom-application-namespace"
 PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable"
 PolicySetId="PolicySetForOrganisation">
    <Target>
        <Subjects>
            <AnySubject/>
        </Subjects>
        <Resources>
            <AnyResource/>
        </Resources>
        <Actions>
            <AnyAction/>
        </Actions>
    </Target>
    <Policy PolicyId="Edit_pdp_wiki_page" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
        <Description>Grant write access to contributors</Description>
        <PolicyDefaults>
            <XPathVersion>http://www.w3.org/TR/1999/Rec-xpath-19991116</XPathVersion>
        </PolicyDefaults>
        <Target>
            <Subjects>
                <AnySubject/>
            </Subjects>
            <Resources>
                <Resource>
                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://sites.google.com/a/orbeon.com/forms/contributions/xacml-pdp-processor</AttributeValue>
                        <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                    </ResourceMatch>
                </Resource>
            </Resources>
            <Actions>
                <AnyAction/>
            </Actions>
        </Target>
        <Rule Effect="Permit" RuleId="PermitIfRoleIsContributor">
            <Description>Permit access if the resource content contains: contributor</Description>
            <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">contributor</AttributeValue>
                <AttributeSelector DataType="http://www.w3.org/2001/XMLSchema#string" RequestContextPath="//tn:users/tn:user/tn:role/text()"/>
            </Condition>
        </Rule>
        <Rule Effect="Permit" RuleId="PermitAlsoWhenUserIsJasper">
            <Description>Also permit access if the subject has an id of: jasper.linthorst</Description>
            <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                    <SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"/>
                </Apply>
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">jasper.linthorst</AttributeValue>
            </Condition>
        </Rule>
        <Rule Effect="Deny" RuleId="DenyIfOtherRulesDontApply"/>
    </Policy>
</PolicySet>


Processing

The high-level internal workings of the PDP processor are the following steps:

1. Generate a com.sun.xacml.ctx.RequestCtx object from the request input document, or retrieve it from Orbeon's cache.

2. Generate a com.sun.xacml.PolicySet object from the policy input document, or retrieve it from Orbeon's cache.

3. Create a com.sun.xacml.PDP object.

4. Let the PDP evaluate the RequestCtx.

5. Serialize the PDP's Response to the response output document.
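The five steps above, written directly against the Sun XACML 1.2 API, as an added example; this is not the source of the Orbeon processor (which additionally caches the parsed objects). It assumes the request and policy example documents from this page are saved as request.xml and policy.xml in the working directory, and the class names PdpExample and SinglePolicyModule are this example's own. The XXE-hardening parser features are a standard precaution added here, not something the page prescribes.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;

import org.w3c.dom.Document;

import com.sun.xacml.AbstractPolicy;
import com.sun.xacml.EvaluationCtx;
import com.sun.xacml.Indenter;
import com.sun.xacml.MatchResult;
import com.sun.xacml.PDP;
import com.sun.xacml.PDPConfig;
import com.sun.xacml.PolicySet;
import com.sun.xacml.ctx.RequestCtx;
import com.sun.xacml.ctx.ResponseCtx;
import com.sun.xacml.finder.AttributeFinder;
import com.sun.xacml.finder.PolicyFinder;
import com.sun.xacml.finder.PolicyFinderModule;
import com.sun.xacml.finder.PolicyFinderResult;
import com.sun.xacml.finder.ResourceFinder;
import com.sun.xacml.finder.impl.SelectorModule;

public class PdpExample {

    /** Hypothetical finder module: hands the PDP exactly one pre-parsed PolicySet,
     *  the way a processor that receives the policy as an input document (rather
     *  than from a file on disk) has to. */
    static final class SinglePolicyModule extends PolicyFinderModule {
        private final AbstractPolicy policy;

        SinglePolicyModule(AbstractPolicy policy) { this.policy = policy; }

        @Override public void init(PolicyFinder finder) { /* nothing to initialise */ }

        @Override public boolean isRequestSupported() { return true; }

        @Override public PolicyFinderResult findPolicy(EvaluationCtx context) {
            MatchResult match = policy.match(context);
            if (match.getResult() == MatchResult.MATCH) {
                return new PolicyFinderResult(policy);
            }
            // Target did not match (or matching errored): report "no applicable
            // policy" so the PDP answers NotApplicable/Indeterminate, never Permit.
            return new PolicyFinderResult();
        }
    }

    public static void main(String[] args) throws Exception {
        // Step 1: build the RequestCtx from the request input document.
        RequestCtx request;
        try (InputStream in = new FileInputStream("request.xml")) {
            request = RequestCtx.getInstance(in);
        }

        // Step 2: parse the policy input document into a PolicySet. The parser
        // must be namespace-aware, otherwise the xacml and tn prefixes do not resolve.
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // Policy and request are XML from outside the PDP: disable DTDs and
        // external entities so a crafted document cannot trigger XXE.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document policyDoc = db.parse(new File("policy.xml"));

        PolicyFinder policyFinder = new PolicyFinder();
        PolicySet policySet = PolicySet.getInstance(policyDoc.getDocumentElement(), policyFinder);
        Set<PolicyFinderModule> policyModules = new HashSet<>();
        policyModules.add(new SinglePolicyModule(policySet));
        policyFinder.setModules(policyModules);

        // Step 3: create the PDP. SelectorModule is what evaluates the policy's
        // AttributeSelector (an XPath over the request context); without it the
        // selector yields an empty bag and string-is-in is simply false.
        AttributeFinder attributeFinder = new AttributeFinder();
        attributeFinder.setModules(Collections.singletonList(new SelectorModule()));
        PDP pdp = new PDP(new PDPConfig(attributeFinder, policyFinder, new ResourceFinder()));

        // Step 4: let the PDP evaluate the request.
        ResponseCtx response = pdp.evaluate(request);

        // Step 5: serialize the Response document (urn:oasis:names:tc:xacml:1.0:context).
        response.encode(System.out, new Indenter());
    }
}
```

With the page's example documents, step 5 prints a Response whose Result carries Decision Permit and the status code urn:oasis:names:tc:xacml:1.0:status:ok. Replace the second rule's value jasper.linthorst with another subject-id and the Deny rule becomes the only applicable one, which is a quick way to check that the policy fails closed.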


Output document: response


Purpose

This output document contains the result of the evaluation. The PDP can return one of the following access control decisions in its response:

  • Permit, access to the requested resource can be granted.

  • Deny, access to the requested resource must be denied.

  • Indeterminate, an error occurred or some value is missing.

  • NotApplicable, there's no policy that matches the requested target.

Furthermore the PDP processor can return a set of obligations. The XACML PEP is expected to carry these out after permitting or denying access to the requested resource; an example of an obligation would be sending a message to a log host whenever access to a resource is denied. The PDP processor only returns the obligations: their actual execution has to be implemented by the PEP, and per the XACML specification a PEP that cannot fulfil all obligations attached to a Permit must deny access.
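A PEP-side enforcement routine for the decisions and obligations described above, as an added example that is not part of the Orbeon processor. It works on the com.sun.xacml.ctx.ResponseCtx returned by PDP.evaluate in Sun XACML 1.2; the PepExample class and the ObligationHandler interface are this example's own assumptions for how a PEP would dispatch obligations by id.

```java
import java.net.URI;
import java.util.Map;

import com.sun.xacml.Obligation;
import com.sun.xacml.ctx.Result;
import com.sun.xacml.ctx.ResponseCtx;

public class PepExample {

    /** Hypothetical hook the PEP provides per obligation id; returns false when
     *  the obligation could not be carried out (e.g. the log host is unreachable). */
    interface ObligationHandler {
        boolean fulfill(Obligation obligation);
    }

    /**
     * Fail-closed enforcement: access is granted only on an explicit Permit whose
     * obligations were all fulfilled. Deny, NotApplicable and Indeterminate all
     * lead to denial: NotApplicable usually means a missing or misconfigured policy
     * and Indeterminate an evaluation error, and neither is a reason to grant.
     */
    static boolean enforce(ResponseCtx response, Map<URI, ObligationHandler> handlers) {
        boolean permitted = false;
        for (Object r : response.getResults()) {            // raw Set in Sun XACML 1.2
            Result result = (Result) r;
            // The PDP attaches only the obligations whose FulfillOn matches the
            // decision it reached, so every obligation here applies to this result.
            for (Object o : result.getObligations()) {
                Obligation obligation = (Obligation) o;
                ObligationHandler handler = handlers.get(obligation.getId());
                if (handler == null || !handler.fulfill(obligation)) {
                    // Unknown or unfulfillable obligation: the spec requires denial.
                    return false;
                }
            }
            if (result.getDecision() != Result.DECISION_PERMIT) {
                return false;                                // Deny, Indeterminate, NotApplicable
            }
            permitted = true;
        }
        return permitted;                                    // an empty result set is not a Permit
    }
}
```

Note that the check on the obligations runs before the decision is inspected, so an obligation attached to a Deny (such as the logging example above) is still carried out, and the outcome is a denial either way.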


Namespace

This document should use the following namespace URN: urn:oasis:names:tc:xacml:1.0:context


XML Schema definition

http://www.oasis-open.org/committees/download.php/919/cs-xacml-schema-context-01.xsd


Example document

<Response xmlns="urn:oasis:names:tc:xacml:1.0:context">
    <Result resourceId="http://sites.google.com/a/orbeon.com/forms/contributions/xacml-pdp-processor">
        <Decision>Permit</Decision>
        <Status>
            <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
        </Status>
    </Result>
</Response>


Usage in a pipeline


Within a pipeline the processor can be used as follows:

<p:processor name="oxf:pdp" xmlns:p="http://www.orbeon.com/oxf/pipeline">
    <p:input name="request">
        <Request xmlns="urn:oasis:names:tc:xacml:1.0:context">
            <Subject>
                <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string">
                    <AttributeValue>jasper.linthorst</AttributeValue>
                </Attribute>
                <Attribute AttributeId="role" DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="avernet">
                    <AttributeValue>volunteer</AttributeValue>
                </Attribute>
            </Subject>
            <Resource>
                <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string">
                    <AttributeValue>http://sites.google.com/a/orbeon.com/forms/contributions/xacml-pdp-processor</AttributeValue>
                </Attribute>
            </Resource>
            <Action>
                <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string">
                    <AttributeValue>write</AttributeValue>
                </Attribute>
            </Action>
        </Request>
    </p:input>
    <p:input name="policy">
        <PolicySet xmlns="urn:oasis:names:tc:xacml:1.0:policy" xmlns:tn="custom-application-namespace" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable" PolicySetId="PolicySetForOrganisation">
            <Target>
                <Subjects>
                    <AnySubject/>
                </Subjects>
                <Resources>
                    <AnyResource/>
                </Resources>
                <Actions>
                    <AnyAction/>
                </Actions>
            </Target>
            <Policy PolicyId="Edit_pdp_wiki_page" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
                <Description>Grant write access to contributors</Description>
                <PolicyDefaults>
                    <XPathVersion>http://www.w3.org/TR/1999/Rec-xpath-19991116</XPathVersion>
                </PolicyDefaults>
                <Target>
                    <Subjects>
                        <AnySubject/>
                    </Subjects>
                    <Resources>
                        <Resource>
                            <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://sites.google.com/a/orbeon.com/forms/contributions/xacml-pdp-processor</AttributeValue>
                                <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                            </ResourceMatch>
                        </Resource>
                    </Resources>
                    <Actions>
                        <AnyAction/>
                    </Actions>
                </Target>
                <Rule Effect="Permit" RuleId="PermitIfRoleIsContributor">
                    <Description>Permit access if the resource content contains: contributor</Description>
                    <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">contributor</AttributeValue>
                        <AttributeSelector DataType="http://www.w3.org/2001/XMLSchema#string" RequestContextPath="//tn:users/tn:user/tn:role/text()"/>
                    </Condition>
                </Rule>
                <Rule Effect="Permit" RuleId="PermitAlsoWhenUserIsJasper">
                    <Description>Also permit access if the subject has an id of: jasper.linthorst</Description>
                    <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                            <SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"/>
                        </Apply>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">jasper.linthorst</AttributeValue>
                    </Condition>
                </Rule>
                <Rule Effect="Deny" RuleId="DenyIfOtherRulesDontApply"/>
            </Policy>
        </PolicySet>
    </p:input>
    <p:output name="data" id="response"/>
</p:processor>



References and Documentation

SUN XACML – Developers guide

http://sunxacml.sourceforge.net/guide.html

SUN XACML – Javadoc

http://sunxacml.sourceforge.net/javadoc/index.html

OASIS XACML 1.1 spec

http://www.oasis-open.org/committees/xacml/repository/cs-xacml-specification-1.1.pdf


Attachments

pdpprocessor-1.5-rc3-SNAPSHOT-jar-with-dependencies.jar (663k), uploaded by Alessandro Vernet, May 18, 2009, 8:43 AM

pdpprocessor-1.5-rc3-SNAPSHOT-src.zip (35k), uploaded by Alessandro Vernet, May 19, 2009, 6:51 AM