Authz: Default policy if no policy applicable
jervisliu Apr 12, 2010 1:49 PM

Hi, I have an Authz use case like below:
I have defined several policies for different resources. Here by resources, I mean classes. I.e., for different classes, I defined different permission rules. For example below is a policy generated for class "org.drools.command.runtime.BatchExecutionCommand":
<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os" RuleCombiningAlgId="rule-combining-alg:nopermit-means-denied" Version="2.0" PolicyId="7dbc3f51-e069-4132-81bb-58e8282e0380">
  <Target>
    <Resources>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">org.drools.command.runtime.BatchExecutionCommand</AttributeValue>
          <ResourceAttributeDesignator MustBePresent="true" DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
        </ResourceMatch>
      </Resource>
    </Resources>
  </Target>
  <Rule Effect="Permit" RuleId="280b759d-4857-4248-8ab6-5a2c51a57685">
    <Target>
      <Actions>
        <Action>
          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
            <ActionAttributeDesignator MustBePresent="true" DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"/>
          </ActionMatch>
        </Action>
      </Actions>
    </Target>
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:2.0:function:jboss-drools:rule">
        <VariableReference VariableId="roles://allowRule/91a5da6a-19a1-4b4f-9f2b-4845d17d5261"/>
      </Apply>
    </Condition>
  </Rule>
  <Rule Effect="Permit" RuleId="c80a3a48-3de2-4d96-b834-115825bc817d">
    <Target>
      <Actions>
        <Action>
          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
            <ActionAttributeDesignator MustBePresent="true" DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"/>
          </ActionMatch>
        </Action>
      </Actions>
    </Target>
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:2.0:function:jboss-drools:rule">
        <VariableReference VariableId="roles://allowRule/499e7366-70e0-4405-af2b-a1691e046fef"/>
      </Apply>
    </Condition>
  </Rule>
</Policy>
As there are many classes I may need to protect with authorization, a default policy would come in handy. For example, in SecurityInterceptor, if the class being accessed is not "org.drools.command.runtime.BatchExecutionCommand" or any other specific resource that has been associated with a specific policy, I want the access to be evaluated by a default policy instead of simply returning NotApplicable.

With a default policy, I could write two policies for two specific classes, then write a default policy for everything else that is not covered by those two specific policies. Or can this behavior be achieved by another mechanism in Authz?
Thanks,
Jervis
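The fallback the post asks for is what a XACML PolicySet with the first-applicable policy-combining algorithm gives you: the class-specific policies come first, and a last policy with an empty Target matches every request that none of them claimed. The fragment below is an added illustration written for this thread, not code from the original post or from the JBoss Authz project. It uses only standard XACML 2.0 identifiers (the post's "rule-combining-alg:nopermit-means-denied" and the "jboss-drools:rule" condition function are omitted), and the PolicySetId, PolicyId and RuleId values are made up. Whether the Authz PolicyProvider in SecurityInterceptor accepts a PolicySet rather than a single Policy is an assumption this thread does not confirm.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: class-specific policy followed by a catch-all default policy.
     Identifiers below are hypothetical; combining-algorithm and function URNs are standard XACML 2.0. -->
<PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
           PolicySetId="example:policyset:drools-commands"
           Version="2.0"
           PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable">
  <!-- Empty Target: the PolicySet itself applies to every request. -->
  <Target/>

  <!-- 1. Specific policy: claims only requests whose resource-id is this class. -->
  <Policy PolicyId="example:policy:BatchExecutionCommand"
          Version="2.0"
          RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
    <Target>
      <Resources>
        <Resource>
          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">org.drools.command.runtime.BatchExecutionCommand</AttributeValue>
            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                                         DataType="http://www.w3.org/2001/XMLSchema#string"
                                         MustBePresent="true"/>
          </ResourceMatch>
        </Resource>
      </Resources>
    </Target>
    <Rule RuleId="example:rule:batch-read" Effect="Permit">
      <Target>
        <Actions>
          <Action>
            <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
              <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                         DataType="http://www.w3.org/2001/XMLSchema#string"
                                         MustBePresent="true"/>
            </ActionMatch>
          </Action>
        </Actions>
      </Target>
    </Rule>
    <!-- Rule with no Target inherits the Policy's Target: any other action on this
         class is explicitly denied instead of falling out as NotApplicable. -->
    <Rule RuleId="example:rule:batch-deny-rest" Effect="Deny"/>
  </Policy>

  <!-- 2. Default policy: empty Target, so it applies to every request that no
       earlier policy claimed. It must stay last under first-applicable. -->
  <Policy PolicyId="example:policy:default"
          Version="2.0"
          RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
    <Target/>
    <!-- Example default: anyone may read any unlisted class. -->
    <Rule RuleId="example:rule:default-read" Effect="Permit">
      <Target>
        <Actions>
          <Action>
            <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
              <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                         DataType="http://www.w3.org/2001/XMLSchema#string"
                                         MustBePresent="true"/>
            </ActionMatch>
          </Action>
        </Actions>
      </Target>
    </Rule>
    <!-- Final catch-all: everything else is denied, so the PDP never answers NotApplicable. -->
    <Rule RuleId="example:rule:default-deny" Effect="Deny"/>
  </Policy>
</PolicySet>
```

Two points worth checking when adopting this shape. With first-applicable, ordering is the policy: a specific policy placed after the default one is never reached, so keep the catch-all last and cover that with a test request for each protected class. And because MustBePresent="true" on resource-id turns a request with no resource attribute into Indeterminate rather than NotApplicable, the enforcement point should treat anything other than Permit as a denial, so that a malformed or unexpected request fails closed regardless of how the policies are combined.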