Version 4

    What is it?

    PicketLink v2 has a WSDL enabled SOAP Service that accepts SAML payload bearing XACML Authorization Requests.

    Where is it?

    There is a pdp.war packaged as part of PicketLink v2.  This web application contains the PDP soap service.

    How do I use it?

    Assuming that the pdp is deployed on JBoss AS,  the endpoint will something like: "http://localhost:8080/pdp/SOAPSAMLXACMLPDP"

    To this endpoint, you can send the SOAP calls.

     

    SOAPSAMLXACML :  this is a utility class available as part of PicketLink distribution, that you can use to create the SAML payload for the xacml authorization request.  For usage, see below.

    Configuration

     

    The pdp.war WEB-INF/classes has the following files/directories:

    • policyConfig.xml   :  This is the PicketBox XACML Configuration file.
    • policies : directory where you should place your policies/policy set files.

    WSDL File

     

    The wsdl is available in the WEB-INF/wsdl folder of the pdp web archive.

     

    Client Usage

     

    package org.picketlink.test.integration.pdp;
    
    import static org.junit.Assert.assertTrue;
    
    import java.util.ArrayList;
    import java.util.List;
    
    import org.jboss.security.xacml.core.model.context.ActionType;
    import org.jboss.security.xacml.core.model.context.AttributeType;
    import org.jboss.security.xacml.core.model.context.AttributeValueType;
    import org.jboss.security.xacml.core.model.context.EnvironmentType;
    import org.jboss.security.xacml.core.model.context.RequestType;
    import org.jboss.security.xacml.core.model.context.ResourceType;
    import org.jboss.security.xacml.core.model.context.SubjectType;
    import org.jboss.security.xacml.factories.RequestAttributeFactory;
    import org.junit.Test;
    import org.picketlink.identity.federation.api.soap.SOAPSAMLXACML;
    import org.picketlink.identity.federation.api.soap.SOAPSAMLXACML.Result;
    
    /**
     * Unit test the SOAP SAML XACML Unit Test
     * @author Anil.Saldhana@redhat.com
     * @since Jul 31, 2009
     */
    public class SOAPSAMLXACMLUnitTestCase
    {
       //Change it to true when you have an end point running locally
       private boolean sendRequest = true;
    
       private String endpoint = "http://localhost:8080/pdp/SOAPSAMLXACMLPDP";
    
       private String issuer = "testIssuer";
    
       @Test
       public void testXACML() throws Exception
       {
          if(sendRequest)
          {
             //Create an XACML Request
             RequestType xacmlRequest = getXACMLRequest();
             SOAPSAMLXACML soapSAMLXACML = new SOAPSAMLXACML();
    
             Result result = soapSAMLXACML.send(endpoint, issuer, xacmlRequest);
             assertTrue("No fault", result.isFault() == false);
             assertTrue("Decision available", result.isResponseAvailable());
             assertTrue("Deny", result.isDeny());
          }
       }
    
    
       private RequestType getXACMLRequest()
       {
          RequestType requestType = new RequestType();
    
    requestType.getSubject().add(createSubject());
          requestType.getResource().add(createResource());
          requestType.setAction(createAction());
          requestType.setEnvironment(createEnvironment());
          return requestType;
       }
    
       private SubjectType createSubject()
       {
          //Create a subject type
          SubjectType subject = new SubjectType();
          subject.setSubjectCategory("urn:oasis:names:tc:xacml:1.0:subject-category:access-subject");
    
          subject.getAttribute().addAll(getSubjectAttributes());
    
          return subject;
       }
    
       public ResourceType createResource()
       {
          ResourceType resourceType = new ResourceType();
    
          AttributeType attResourceID = RequestAttributeFactory.createStringAttributeType(
                "urn:va:xacml:2.0:interop:rsa8:resource:hl7:type", issuer,
                "urn:va:xacml:2.0:interop:rsa8:resource:hl7:medical-record");
     //Create a multi-valued attribute - hl7 permissions
          AttributeType  multi = new AttributeType();
          multi.setAttributeId("urn:va:xacml:2.0:interop:rsa8:subject:hl7:permission");
          multi.setDataType("http://www.w3.org/2001/XMLSchema#string");
    
          if (issuer != null)
             multi.setIssuer(issuer);
    
          multi.getAttributeValue().add(createAttributeValueType("urn:va:xacml:2.0:interop:rsa8:hl7:prd-010"));
          multi.getAttributeValue().add(createAttributeValueType("urn:va:xacml:2.0:interop:rsa8:hl7:prd-012"));
          multi.getAttributeValue().add(createAttributeValueType("urn:va:xacml:2.0:interop:rsa8:hl7:prd-005"));
          multi.getAttributeValue().add(createAttributeValueType("urn:va:xacml:2.0:interop:rsa8:hl7:prd-003"));
    
    
          AttributeType attConfidentialityCode = RequestAttributeFactory.createStringAttributeType(
                "urn:va:xacml:2.0:interop:rsa8:resource:hl7:confidentiality-code", issuer,
                "MA");
    
          AttributeType attDissentedSubjectId = RequestAttributeFactory.createStringAttributeType(
                "urn:va:xacml:2.0:interop:rsa8:resource:hl7:radiology:dissented-subject-id", issuer,
                "Doctor, Bob I");
    
          //Add the attributes into the resource
          resourceType.getAttribute().add(attResourceID);
          resourceType.getAttribute().add(multi);
          resourceType.getAttribute().add(attConfidentialityCode);
          resourceType.getAttribute().add(attDissentedSubjectId);
          return resourceType;
       }
    private ActionType createAction()
       {
          ActionType actionType = new ActionType();
          AttributeType attActionID = RequestAttributeFactory.createStringAttributeType(
                "urn:oasis:names:tc:xacml:1.0:action:action-id", issuer, "read");
          actionType.getAttribute().add(attActionID);
          return actionType;
       }
    
       private List<AttributeType> getSubjectAttributes()
       {
          List<AttributeType> attrList = new ArrayList<AttributeType>();
    
          //create the subject attributes
    
          //SubjectID - Bob
          AttributeType attSubjectID = RequestAttributeFactory.createStringAttributeType(
                "urn:oasis:names:tc:xacml:1.0:subject:subject-id", issuer, "Doctor, Bob I");
    
          //Role - Physician
          AttributeType attRole = RequestAttributeFactory.createStringAttributeType(
                "urn:va:xacml:2.0:interop:rsa8:subject:role", issuer, "Physician");
    
    
          //Create a multi-valued attribute - hl7 permissions
          AttributeType  multi = new AttributeType();
          multi.setAttributeId("urn:va:xacml:2.0:interop:rsa8:subject:hl7:permission");
          multi.setDataType("http://www.w3.org/2001/XMLSchema#string");
    
          if (issuer != null)
     multi.setIssuer(issuer);
    
          multi.getAttributeValue().add(createAttributeValueType("urn:va:xacml:2.0:interop:rsa8:hl7:prd-010"));
          multi.getAttributeValue().add(createAttributeValueType("urn:va:xacml:2.0:interop:rsa8:hl7:prd-012"));
          multi.getAttributeValue().add(createAttributeValueType("urn:va:xacml:2.0:interop:rsa8:hl7:prd-017"));
          multi.getAttributeValue().add(createAttributeValueType("urn:va:xacml:2.0:interop:rsa8:hl7:prd-005"));
          multi.getAttributeValue().add(createAttributeValueType("urn:va:xacml:2.0:interop:rsa8:hl7:prd-003"));
          multi.getAttributeValue().add(createAttributeValueType("urn:va:xacml:2.0:interop:rsa8:hl7:prd-009"));
          multi.getAttributeValue().add(createAttributeValueType("urn:va:xacml:2.0:interop:rsa8:hl7:prd-006"));
    
          //Locality
          AttributeType attLocality = RequestAttributeFactory.createStringAttributeType(
                "urn:oasis:names:tc:xacml:1.0:subject:locality", issuer, "Facility A");
    
          attrList.add(attSubjectID);
          attrList.add(attRole);
          attrList.add(multi);
          attrList.add(attLocality);
    
          return attrList;
       }
    
       private EnvironmentType createEnvironment()
       {
          EnvironmentType env = new EnvironmentType();
    
          AttributeType attFacility = RequestAttributeFactory.createStringAttributeType(
                "urn:va:xacml:2.0:interop:rsa8:environment:locality", issuer, "Facility A");
    
          env.getAttribute().add(attFacility);
          return env;
       }
    
       private AttributeValueType createAttributeValueType(String value)
       {
          AttributeValueType avt = new AttributeValueType();
          avt.getContent().add(value);
          return avt;
       }
    } 
    

    Additional References

    For a Servlet based approach that takes in SOAP based requests with SAML-XACML based payload, refer to http://community.jboss.org/wiki/SAMLv2andXACMLv2Integration