XACML restriction policies
I'm very new to XACML (eXtensible Access Control Markup Language); I'm studying what TSPM (a commercial product that makes use of XACML) can do for some business needs.
So I was looking for an answer to this question:
Let's assume I have a website page with 3 links accessed by a user with a certain application profile. Is it possible to create a policy which restricts and manages the "links" (let's say that until midnight a user with a certain profile can see just 2 links instead of three) according to some rules?
The main problem is that I can't figure out what a resource is in a XACML assertion; I just found this definition in some documentation:
A resource is anything to which access can be controlled. Examples include XQuery modules and Java methods.
Can anyone help me better understand XACML with real examples?
Thank you all!
(I'm the technical lead for TSPM, or Tivoli Security Policy Manager for others that aren't familiar with the product).
The use case you're describing is definitely possible. You probably don't need to focus on the raw XACML though - we go to a lot of effort to provide a higher-level user interface for authoring policies.
One way to model this would be to have each link be represented by a different structure point in TSPM's UI, with appropriate policy attached to each. For example, two links could have policy that represents "permit all users at any time" and one link could have "permit when current-time is before midnight".
You would then call our runtime before rendering each link to see if the currently authenticated user should be able to view it. You could also make one call to get a list of currently viewable links if you prefer.
You could use the WebSphere Portal tag library or our Authorization API if you're running on WebSphere. If you're not, it's really easy to build a web service client for most platforms that can call our authorization service using XACML over SOAP. For more information on calling the authorization service, see our public wiki.
Edit:
I realized I didn't really address your question, which is about what a resource is in terms of XACML. As you may know, XACML breaks the request context into four sections: Subject, Resource, Action and Environment. Each of these sections contains zero or more Attributes, each with an identifier and a type. A resource in XACML is simply an attribute, or a combination of attributes, from the Resource section that together uniquely identifies whatever you're protecting.
The spec defines the identifier urn:oasis:names:tc:xacml:1.0:resource:resource-id for this purpose, and it can be of any type but is usually a string or a URI.
In your use case, each link might have a string identifier like "link-1", "link-2" and "link-3". Your policy would use these identifiers, and your application would pass these in when requesting a decision for each link.
In XACML you can write policies that take into account any attributes. Attributes are essentially labels that describe a situation. For instance role, citizenship, age, and clearance are all user attributes. Page URL, classification, and location are attributes of the resource (i.e. what the user is trying to access). You can have attributes about the action (edit, view, delete...) and even about the environment.
In your example, you mention that you want to control access to webpages and that you want to take into account the time of day. To do that you'd write a XACML policy where you would check the URL of the page and the time of day.
In pseudocode, that would be:
Permit if resource-id=='/pages/MyPage.jsp' AND current-time>09:00AM AND current-time<05:00PM
In ALFA, a shorthand notation for XACML, this would be:
namespace com.stackoverflow.xacml {
    import Attributes.*

    policy accessPages {
        apply firstApplicable

        rule accessPage1 {
            // Same page as in the pseudocode above: the resource-id the PEP sends must match this string exactly
            target clause resourceId == "/pages/MyPage.jsp"
                      and currentTime > "09:00:00":time
                      and currentTime < "17:00:00":time
            permit
        }
    }
}
The ALFA plugin for Eclipse - a free tool - will generate this into XACML 3.0 code:
<?xml version="1.0" encoding="UTF-8"?>
<!--This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com).
Any modification to this file will be lost upon recompilation of the source ALFA file-->
<xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicyId="http://axiomatics.com/alfa/identifier/com.stackoverflow.xacml.accessPages"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
    Version="1.0">
  <xacml3:Description />
  <xacml3:PolicyDefaults>
    <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
  </xacml3:PolicyDefaults>
  <!-- An empty policy Target applies to every request; the Rule's Target does the selecting -->
  <xacml3:Target />
  <xacml3:Rule
      Effect="Permit"
      RuleId="http://axiomatics.com/alfa/identifier/com.stackoverflow.xacml.accessPages.accessPage1">
    <xacml3:Description />
    <xacml3:Target>
      <xacml3:AnyOf>
        <xacml3:AllOf>
          <!-- resource-id == "/pages/MyPage.jsp" -->
          <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <xacml3:AttributeValue
                DataType="http://www.w3.org/2001/XMLSchema#string">/pages/MyPage.jsp</xacml3:AttributeValue>
            <xacml3:AttributeDesignator
                AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                DataType="http://www.w3.org/2001/XMLSchema#string"
                Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                MustBePresent="false" />
          </xacml3:Match>
          <!-- A Match applies MatchId(AttributeValue, current-time), so time-less-than with
               the literal 09:00:00 reads "09:00:00 < current-time", i.e. currentTime > 09:00 -->
          <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:time-less-than">
            <xacml3:AttributeValue
                DataType="http://www.w3.org/2001/XMLSchema#time">09:00:00</xacml3:AttributeValue>
            <xacml3:AttributeDesignator
                AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"
                DataType="http://www.w3.org/2001/XMLSchema#time"
                Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
                MustBePresent="false" />
          </xacml3:Match>
          <!-- "17:00:00 > current-time", i.e. currentTime < 17:00 -->
          <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:time-greater-than">
            <xacml3:AttributeValue
                DataType="http://www.w3.org/2001/XMLSchema#time">17:00:00</xacml3:AttributeValue>
            <xacml3:AttributeDesignator
                AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"
                DataType="http://www.w3.org/2001/XMLSchema#time"
                Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
                MustBePresent="false" />
          </xacml3:Match>
        </xacml3:AllOf>
      </xacml3:AnyOf>
    </xacml3:Target>
  </xacml3:Rule>
</xacml3:Policy>
Then all you need to do is send the right authorization question/request from your application to the XACML PDP. Essentially what you will ask is:
Can user Alice access page /pages/MyPage.jsp?
The PDP will then reply with one of Permit, Deny or NotApplicable.
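To make the request/decision flow concrete for both answers above (the "resource is just the resource-id attribute the application passes in" point and the "ask the PDP per link" point), here is an added example that is not part of either answer and is not TSPM or Axiomatics code: a toy Python PDP that loads the policy shown above (with the page spelled /pages/MyPage.jsp so it matches the question "Can user Alice access page /pages/MyPage.jsp?"), builds the request context the PEP would send, and evaluates Target/AnyOf/AllOf/Match under first-applicable. The function names `decide`, `make_request` and `viewable` and the shortened PolicyId/RuleId are my own; the attribute identifiers, categories and function ids are the standard XACML ones used on the page. It deliberately passes current-time in the request so results are deterministic; a real PDP normally fills that environment attribute from its own clock.

```python
"""Toy XACML 3.0 PDP for the policy above (added example, not code from the page,
TSPM or Axiomatics). Request context is modelled as {(category, attribute-id): [values]}.
Only Target matching and first-applicable are implemented: no Condition, no Obligations."""
import xml.etree.ElementTree as ET
from datetime import time

X = "{urn:oasis:names:tc:xacml:3.0:core:schema:wd-17}"   # XACML 3.0 element namespace
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
CURRENT_TIME = "urn:oasis:names:tc:xacml:1.0:environment:current-time"
CAT_RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
CAT_ENV = "urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
XS_TIME = "http://www.w3.org/2001/XMLSchema#time"
FN = "urn:oasis:names:tc:xacml:1.0:function:"

# A Match evaluates MatchId(AttributeValue, v) for every v in the designator's bag,
# so time-less-than with the literal 09:00:00 means "09:00:00 < current-time".
FUNCTIONS = {
    FN + "string-equal": lambda lit, v: lit == v,
    FN + "time-less-than": lambda lit, v: lit < v,
    FN + "time-greater-than": lambda lit, v: lit > v,
    FN + "time-less-than-or-equal": lambda lit, v: lit <= v,
    FN + "time-greater-than-or-equal": lambda lit, v: lit >= v,
}


def designator(attr_id, datatype, category):
    return (f'<xacml3:AttributeDesignator AttributeId="{attr_id}" DataType="{datatype}" '
            f'Category="{category}" MustBePresent="false"/>')


def match_el(fn, datatype, literal, des):
    return (f'<xacml3:Match MatchId="{FN}{fn}"><xacml3:AttributeValue DataType="{datatype}">'
            f'{literal}</xacml3:AttributeValue>{des}</xacml3:Match>')


RES = designator(RESOURCE_ID, XS_STRING, CAT_RESOURCE)
ENV = designator(CURRENT_TIME, XS_TIME, CAT_ENV)
# The answer's policy with shortened ids: permit /pages/MyPage.jsp strictly between 09:00 and 17:00.
POLICY = f"""<xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
  PolicyId="accessPages" Version="1.0"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <xacml3:Target/>
  <xacml3:Rule Effect="Permit" RuleId="accessPage1">
    <xacml3:Target><xacml3:AnyOf><xacml3:AllOf>
      {match_el('string-equal', XS_STRING, '/pages/MyPage.jsp', RES)}
      {match_el('time-less-than', XS_TIME, '09:00:00', ENV)}
      {match_el('time-greater-than', XS_TIME, '17:00:00', ENV)}
    </xacml3:AllOf></xacml3:AnyOf></xacml3:Target>
  </xacml3:Rule>
</xacml3:Policy>"""


def parse(datatype, text):
    return time.fromisoformat(text) if datatype == XS_TIME else text


def eval_match(m, ctx):
    fn = FUNCTIONS[m.get("MatchId")]
    val, des = m.find(X + "AttributeValue"), m.find(X + "AttributeDesignator")
    literal = parse(val.get("DataType"), val.text)
    bag = ctx.get((des.get("Category"), des.get("AttributeId")), [])
    if not bag:  # empty bag: NoMatch, or Indeterminate if the policy insisted on the attribute
        return "Indeterminate" if des.get("MustBePresent") == "true" else False
    return any(fn(literal, parse(des.get("DataType"), v)) for v in bag)


def combine_all(results):  # AllOf, and the AND across a Target's AnyOf children
    if all(r is True for r in results):
        return True
    return False if any(r is False for r in results) else "Indeterminate"


def combine_any(results):  # AnyOf
    if any(r is True for r in results):
        return True
    return "Indeterminate" if "Indeterminate" in results else False


def eval_target(target, ctx):
    if target is None or len(target) == 0:  # an empty Target matches every request
        return True
    return combine_all([
        combine_any([combine_all([eval_match(m, ctx) for m in allof.findall(X + "Match")])
                     for allof in anyof.findall(X + "AllOf")])
        for anyof in target.findall(X + "AnyOf")])


def decide(policy_xml, ctx):
    """first-applicable: the first Rule whose Target matches yields its Effect."""
    policy = ET.fromstring(policy_xml)
    assert policy.get("RuleCombiningAlgId").endswith(":first-applicable")
    outer = eval_target(policy.find(X + "Target"), ctx)
    if outer is not True:
        return "NotApplicable" if outer is False else "Indeterminate"
    for rule in policy.findall(X + "Rule"):
        r = eval_target(rule.find(X + "Target"), ctx)
        if r is True:
            return rule.get("Effect")  # "Permit" or "Deny"
        if r == "Indeterminate":
            return "Indeterminate"
    return "NotApplicable"


def make_request(resource_id, current_time=None):
    """The PEP's question "can the caller see resource_id now?" as a request context.
    current_time is passed explicitly here; a real PDP usually supplies it from its own clock."""
    ctx = {(CAT_RESOURCE, RESOURCE_ID): [resource_id]}
    if current_time is not None:
        ctx[(CAT_ENV, CURRENT_TIME)] = [current_time]
    return ctx


def viewable(candidates, current_time):
    """One decision per link before rendering, as the TSPM answer suggests."""
    return [r for r in candidates if decide(POLICY, make_request(r, current_time)) == "Permit"]


if __name__ == "__main__":
    for t in ("10:30:00", "18:00:00"):
        print(t, decide(POLICY, make_request("/pages/MyPage.jsp", t)))
```

Two things worth noticing when running it: a request that omits current-time gets NotApplicable rather than an error, because the designators say MustBePresent="false" (set it to "true" and the same request yields Indeterminate, a fourth decision value the XACML spec defines alongside Permit, Deny and NotApplicable); and a resource-id that differs from the policy string by even one character (such as .jspx versus .jsp) simply never matches, which is why the identifiers your application passes in and the ones in the policy must be agreed on exactly.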