6 replies Latest Post - 2013-03-15T02:17:11Z by SystemAdmin
SystemAdmin

Pinned topic XACML

2009-03-03T05:45:33Z
I am planning to use XACML as the authorization option in a DP AAA policy.
Does anybody have a custom stylesheet to bind AAA and XACML
and
an XACML policy decision file which works with DP as PDP?
  • SystemAdmin

    Re: XACML

    2009-03-06T14:31:28Z  in response to SystemAdmin
    Hi

    We do the same.
    Basically the XACML request is easy to perform. Just write an XML structure to the output in your stylesheet:

    <!-- $role holds the role derived from the user's LDAP groups (set earlier in the stylesheet) -->
    <Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
             xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os access_control-xacml-2.0-context-schema-os.xsd">
      <Subject>
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                   DataType="http://www.w3.org/2001/XMLSchema#string">
          <AttributeValue>
            <xsl:message dp:priority="debug">Building XACML request for subject: <xsl:value-of select="$role"/></xsl:message>
            <xsl:value-of select="$role"/>
          </AttributeValue>
        </Attribute>
      </Subject>
      <Resource>
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                   DataType="http://www.w3.org/2001/XMLSchema#string">
          <AttributeValue>
            <xsl:message dp:priority="debug">Building XACML request for resource: <xsl:value-of select="dp:variable('var://context/WSM/resource/extracted-resource')"/></xsl:message>
            <xsl:value-of select="dp:variable('var://context/WSM/resource/extracted-resource')"/>
          </AttributeValue>
        </Attribute>
      </Resource>
      <Action>
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                   DataType="http://www.w3.org/2001/XMLSchema#string">
          <AttributeValue>execute</AttributeValue>
        </Attribute>
      </Action>
      <Environment/>
    </Request>



    We have chosen to go to our LDAP to get the user's groups. Because one user could have several groups, we did a group-to-role mapping in the stylesheet based upon an XML configuration file. This is a bit like role-based access control.

    For the policy file there is a nice tool available at http://xacml.dif.um.es

    Regards Michel Riondel
    • SystemAdmin

      Re: XACML

      2009-03-06T14:46:11Z  in response to SystemAdmin
      I forgot

      Important in planning your policy file and your custom stylesheet is to know what you want to authorize.
      1. Who is the subject? A single user, a group or a role (department)?
      2. What is the resource to protect? A URL? A web service operation?
      3. Do you want to distinguish the actions? execute/read/write etc.

      Depending on these questions, your policy file and your stylesheet can be more or less complex to implement.

      If for example you have a web service operation as resource and the user from the AAA policy as subject, then you can build a stylesheet that takes the operation name (I don't know which DP variable to take) and the user's department (taken from LDAP) and passes them to the XACML PDP.
      You can build a policy for each subject (department) and resource (operation) in your policy file.
      Be careful with the RuleCombiningAlgId parameter. There you can specify if a policy can override another policy statement.

      Regards Michel Riondel
      • SystemAdmin

        Re: XACML

        2009-03-10T03:43:53Z  in response to SystemAdmin
        Hi Michel,

        Many, many thanks for your help.
        I can make DP's built-in PDP work.
    • rmoney

      Re: XACML

      2009-04-03T04:27:31Z  in response to SystemAdmin
      Thanks for the example, this is very helpful. I am planning to use the built in pdp for xacml requests and have a question about how you used ldap groups for your requests. For example, as you say, a user might have more than one group. We can get a user's groups, but xacml pdp only supports one query per request. Did you write your stylesheet that maps aaa to xacml requests to send multiple requests, iterating through each group a user is a member of? You said you mapped groups to roles but I'm not sure exactly what you mean. If you have an example I'd be very interested in seeing it. Thank you.
      • SystemAdmin

        Re: XACML

        2009-04-03T16:25:42Z  in response to rmoney
        Hi

        In the AZ step where you choose the built-in PDP you can configure a custom stylesheet. So did we. We took the user's credentials from the EI/AU step and did an LDAP lookup for the query parameter groupMembership. This returns you a nodeset with the user's groups from your LDAP. We were interested in a few groups that allowed the user to pass the authorization step. Then we mapped the LDAP groups to a role like in J2EE containers, where you can map multiple LDAP groups to one role. This is needed if the groups mean something different.
        For example, if a user is in the groups customer service and credit management because he works in both departments, you can map him to a role creditAproval. If he is only in the one group customer service, you map him to normalUser.
        Choosing the stronger role if he is in both groups can be achieved by weighting the roles.
        We did this in an XML file, where both roles were mapped to the LDAP group with an integer that indicated the weight.
        So if you have an XML like this:

        <role roleName="creditAproval" weight="1" group="credit Management"/>
        <role roleName="normalUser" weight="2" group="customer service"/>

        you will have to iterate over all LDAP groups and get the corresponding role. If you have more than one role, take the one with the higher weight!

        Hope that helps

        Regards

        Michel Riondel
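Putting Michel's two replies together as an added example in Python (not the thread's XSLT and not DataPower code): it picks one role from a user's LDAP groups using the weighted role file above, then serialises the XACML 2.0 Request structure from the first reply with that role as subject-id. Assumptions: the role lines are wrapped in a <roles> root; since the posted file gives the stronger role the smaller number, the lowest weight wins (swap the comparison if your file means the opposite); the group list, resource name and default action are constructed sample input.

```python
# Added example: weighted group-to-role selection and the XACML 2.0 Request
# from the first reply, with the role as subject-id. Not DataPower code.
import xml.etree.ElementTree as ET

CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
ATTR_ID = {
    "Subject": "urn:oasis:names:tc:xacml:1.0:subject:subject-id",
    "Resource": "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
    "Action": "urn:oasis:names:tc:xacml:1.0:action:action-id",
}
ET.register_namespace("", CTX)  # serialise with a default namespace, as in the post

# The <role> lines from the post, wrapped in a <roles> root (an assumption).
ROLE_MAP = """<roles>
  <role roleName="creditAproval" weight="1" group="credit Management"/>
  <role roleName="normalUser" weight="2" group="customer service"/>
</roles>"""

def select_role(role_map_xml, ldap_groups):
    """Strongest role any of the user's LDAP groups maps to, or None.
    Assumption: the posted file gives the stronger role the smaller number,
    so the lowest weight wins. None lets the caller fail closed."""
    groups = {g.strip().lower() for g in ldap_groups}
    best = None  # (weight, roleName)
    for role in ET.fromstring(role_map_xml).iter("role"):
        if role.get("group", "").strip().lower() in groups:
            weight = int(role.get("weight"))
            if best is None or weight < best[0]:
                best = (weight, role.get("roleName"))
    return best[1] if best else None

def build_request(role, resource, action="execute"):
    """Serialise the Request from the first reply. ElementTree escapes the
    values (as xsl:value-of does), so a group name cannot break the XML."""
    if not role:
        raise PermissionError("no role mapped for this user; sending no request")
    req = ET.Element(f"{{{CTX}}}Request")
    for section, value in (("Subject", role), ("Resource", resource), ("Action", action)):
        holder = ET.SubElement(req, f"{{{CTX}}}{section}")
        attr = ET.SubElement(holder, f"{{{CTX}}}Attribute",
                             AttributeId=ATTR_ID[section], DataType=XS_STRING)
        ET.SubElement(attr, f"{{{CTX}}}AttributeValue").text = value
    ET.SubElement(req, f"{{{CTX}}}Environment")
    return ET.tostring(req, encoding="unicode")
```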
  • SystemAdmin

    Re: XACML

    2013-03-15T02:17:11Z  in response to SystemAdmin
    I am trying to set up XACML. As part of a POC, I was just trying a simple Request & Policy file.

    But DataPower is generating these logs

    : PDP status: 'urn:oasis:names:tc:xacml:1.0:status:processing-error'
    : PEP needs not to fulfill any obligations.
    : PDP's intension: 'Indeterminate'
    : Set PEP Authorize status to UP: 'xacml-AAA_XAuth-flag'='true'
    : PEP type: 'base'
    : PEP XACML version: '2.0'

    I understand "urn:oasis:names:tc:xacml:1.0:status:processing-error" means some syntax error, but I am not sure where the error is. The Request & Policy are compliant with the XACML schema.

    <?xml version="1.0" encoding="UTF-8"?>
    <Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os http://docs.oasis-open.org/xacml/access_control-xacml-2.0-context-schema-os.xsd">
      <Subject>
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                   DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name">
          <AttributeValue>bs@simpsons.com</AttributeValue>
        </Attribute>
      </Subject>
      <Resource>
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                   DataType="http://www.w3.org/2001/XMLSchema#anyURI">
          <AttributeValue>file://med/example/record/patient/BartSimpson</AttributeValue>
        </Attribute>
      </Resource>
      <Action>
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                   DataType="http://www.w3.org/2001/XMLSchema#string">
          <AttributeValue>read</AttributeValue>
        </Attribute>
      </Action>
      <Environment/>
    </Request>



    Policy

    <Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd"
            PolicyId="urn:oasis:names:tc:example:SimplePolicy1"
            RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
      <Description>Med Example Corp access control policy</Description>
      <Target/>
      <Rule RuleId="urn:oasis:names:tc:xacml:2.0:example:SimpleRule1" Effect="Permit">
        <Description>Any subject with an e-mail name in the med.example.com domain can perform any action on any resource.</Description>
        <Target>
          <Subjects>
            <Subject>
              <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match">
                <AttributeValue DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name">med.example.com</AttributeValue>
                <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                                            DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"/>
              </SubjectMatch>
            </Subject>
          </Subjects>
        </Target>
      </Rule>
    </Policy>
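As an added example in Python (not DataPower's PDP), a small evaluator that applies the posted Policy's single rule to the posted Request with the XACML 2.0 rfc822Name-match semantics: a bare domain matches any mailbox in that domain (domain compared case-insensitively), a leading dot matches any subdomain, and a full address must also match in its case-sensitive local part. Both documents are embedded as reduced copies of the ones above; the evaluator implements only this match function and answers NotApplicable when no rule target matches, so it shows what a conforming PDP would decide for the posted pair (bs@simpsons.com is not in the med.example.com domain, so the rule does not apply), not why DataPower reports a processing error.

```python
# Added example: evaluates the posted Policy's rule against the posted Request
# with XACML 2.0 rfc822Name-match semantics. Not DataPower's PDP; stdlib only.
import xml.etree.ElementTree as ET

CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
POL = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
RFC822 = "urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RFC822_MATCH = "urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match"
# Reduced copies of the posted Request and Policy (only what the rule reads).
REQUEST = f"""<Request xmlns="{CTX}"><Subject><Attribute AttributeId="{SUBJECT_ID}" DataType="{RFC822}">
  <AttributeValue>bs@simpsons.com</AttributeValue></Attribute></Subject></Request>"""
POLICY = f"""<Policy xmlns="{POL}" PolicyId="urn:oasis:names:tc:example:SimplePolicy1"><Target/>
  <Rule RuleId="urn:oasis:names:tc:xacml:2.0:example:SimpleRule1" Effect="Permit">
  <Target><Subjects><Subject><SubjectMatch MatchId="{RFC822_MATCH}">
  <AttributeValue DataType="{RFC822}">med.example.com</AttributeValue>
  <SubjectAttributeDesignator AttributeId="{SUBJECT_ID}" DataType="{RFC822}"/>
  </SubjectMatch></Subject></Subjects></Target></Rule></Policy>"""

def rfc822name_match(pattern, name):
    """'user@host' matches that mailbox (local part case-sensitive, domain not);
    'host' matches any mailbox in host; '.host' any mailbox in a subdomain of it."""
    local, sep, domain = name.strip().rpartition("@")
    plocal, psep, pdomain = pattern.strip().rpartition("@")
    if not sep or (psep and plocal != local):
        return False  # not a mailbox, or the required local part differs
    domain, pdomain = domain.lower(), pdomain.lower()
    return domain.endswith(pdomain) if pdomain.startswith(".") else domain == pdomain

def evaluate(policy_xml, request_xml):
    """Effect of the first rule whose SubjectMatches all hold, else NotApplicable."""
    request = ET.fromstring(request_xml)
    for rule in ET.fromstring(policy_xml).iter(f"{{{POL}}}Rule"):
        matched = True
        for match in rule.iter(f"{{{POL}}}SubjectMatch"):
            if match.get("MatchId") != RFC822_MATCH:
                return "Indeterminate"  # match function not implemented here
            pattern = match.findtext(f"{{{POL}}}AttributeValue", "")
            wanted = match.find(f"{{{POL}}}SubjectAttributeDesignator").get("AttributeId")
            value = next((a.findtext(f"{{{CTX}}}AttributeValue", "")
                          for a in request.iter(f"{{{CTX}}}Attribute")
                          if a.get("AttributeId") == wanted), None)
            if value is None or not rfc822name_match(pattern, value):
                matched = False
        if matched:
            return rule.get("Effect")
    return "NotApplicable"
```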