Why is this XACML Request returning a Deny?
bkrisler May 6, 2010 11:41 AM
Hi,
I have a very simple XACML request that is returning a Deny when I expect a Permit, and I can't figure out why. It appears to be related to the anyURI resource, since changing the URI to a string works.
Any help is appreciated!
The Request:
<ns9:XACMLAuthzDecisionQuery IssueInstant="2010-05-06T11:05:25.911-04:00">
  <ns3:Issuer>testIssuer</ns3:Issuer>
  <ns7:Request>
    <ns7:Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
      <ns7:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name" Issuer="testIssuer">
        <ns7:AttributeValue>john.doe@corporate.com</ns7:AttributeValue>
      </ns7:Attribute>
      <ns7:Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="testIssuer">
        <ns7:AttributeValue>executive</ns7:AttributeValue>
      </ns7:Attribute>
    </ns7:Subject>
    <ns7:Resource>
      <ns7:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#anyURI" Issuer="testIssuer">
        <ns7:AttributeValue>http://www.corporate.com/feeds/financial.rss</ns7:AttributeValue>
      </ns7:Attribute>
    </ns7:Resource>
    <ns7:Action/>
    <ns7:Environment/>
  </ns7:Request>
</ns9:XACMLAuthzDecisionQuery>
The Policy:
<PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd"
           PolicySetId="urn:oasis:names:tc:bbn:1.0:example:policyid:1"
           PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
  <Target>
    <Resources>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://www.corporate.com/feeds/financial.rss</AttributeValue>
          <ResourceAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#anyURI" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" />
        </ResourceMatch>
      </Resource>
    </Resources>
  </Target>
  <Policy PolicyId="ExecutivePolicy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
    <Description>My Test Policy</Description>
    <Target />
    <Rule RuleId="ExecRule" Effect="Permit">
      <Target>
        <Subjects>
          <Subject>
            <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">corporate.com </AttributeValue>
              <SubjectAttributeDesignator DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name" AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" />
            </SubjectMatch>
          </Subject>
        </Subjects>
      </Target>
      <Condition>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">executive</AttributeValue>
          <SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" />
        </Apply>
      </Condition>
    </Rule>
    <Rule RuleId="DefaultPolicy" Effect="Deny" />
  </Policy>
</PolicySet>
The request is constructed as follows:
// java.net.URI and java.util collections used below
import java.net.URI;
import java.util.ArrayList;
import java.util.List;
// JBoss XACML request model and attribute factory
import org.jboss.security.xacml.core.model.context.AttributeType;
import org.jboss.security.xacml.core.model.context.RequestType;
import org.jboss.security.xacml.core.model.context.ResourceType;
import org.jboss.security.xacml.core.model.context.SubjectType;
import org.jboss.security.xacml.factories.RequestAttributeFactory;

// issuer, createAction() and createEnvironment() are defined elsewhere in the caller
RequestType xacmlRequest = new RequestType();

// Subject: subject-id as rfc822Name, role as string
SubjectType subject = new SubjectType();
subject.setSubjectCategory("urn:oasis:names:tc:xacml:1.0:subject-category:access-subject");
List<AttributeType> attrList = new ArrayList<AttributeType>();
attrList.add(RequestAttributeFactory.createEmailAttributeType(
        "urn:oasis:names:tc:xacml:1.0:subject:subject-id", issuer, "john.doe@corporate.com"));
attrList.add(RequestAttributeFactory.createStringAttributeType(
        "urn:oasis:names:tc:xacml:2.0:subject:role", issuer, "executive"));
subject.getAttribute().addAll(attrList);
xacmlRequest.getSubject().add(subject);

// Resource: resource-id as anyURI
ResourceType resourceType = new ResourceType();
List<AttributeType> resList = new ArrayList<AttributeType>();
resList.add(RequestAttributeFactory.createAnyURIAttributeType(
        "urn:oasis:names:tc:xacml:1.0:resource:resource-id", issuer,
        new URI("http://corporate.com/feeds/financial.rss")));
resourceType.getAttribute().addAll(resList);
xacmlRequest.getResource().add(resourceType);

xacmlRequest.setAction(createAction());
xacmlRequest.setEnvironment(createEnvironment());
Thanks again
Brian
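As an added debugging aid, not code from the original post or from JBoss XACML: a small Python model of the posted PolicySet's matching logic that reports which target or condition fails, so a Deny can be traced to one match. It takes the subject-id, role bag and resource-id from the post as its inputs and is a simplified model of the three XACML functions the policy uses, not a conformant PDP; among other things it shows that anyURI-equal does not treat the two resource URIs appearing in this post (with and without "www") as equal.

```python
# Added example, not code from the original post or from JBoss XACML: a
# minimal model of the posted PolicySet that reports which target or
# condition fails. The xacml_* helpers are simplified, not a full PDP.
POLICY_RESOURCE = "http://www.corporate.com/feeds/financial.rss"

def xacml_anyuri_equal(a, b):
    """anyURI-equal compares the two URI strings exactly: no host or
    scheme normalisation, so 'corporate.com' != 'www.corporate.com'."""
    return a == b

def xacml_rfc822name_match(pattern, name):
    """rfc822Name-match (simplified): a bare domain matches the domain part
    case-insensitively, '.example.com' matches any sub-domain, and a full
    address must match exactly (local part is case-sensitive)."""
    local, _, domain = name.rpartition("@")
    if pattern.startswith("."):
        return domain.lower().endswith(pattern.lower())
    if "@" not in pattern:
        return domain.lower() == pattern.lower()
    plocal, _, pdomain = pattern.rpartition("@")
    return plocal == local and pdomain.lower() == domain.lower()

def xacml_string_is_in(value, bag):
    """string-is-in: true if the value occurs in the bag of strings."""
    return value in bag

def evaluate(request):
    """Walk the posted PolicySet over a request dict with keys 'subject-id',
    'role' (a bag, i.e. list of strings) and 'resource-id'; return (decision, reason)."""
    # PolicySet <Target>: anyURI-equal on resource-id. A miss here makes the
    # whole PolicySet NotApplicable rather than Deny.
    if not xacml_anyuri_equal(POLICY_RESOURCE, request["resource-id"]):
        return "NotApplicable", "PolicySet target: anyURI-equal did not match"
    # ExecRule <Target>: rfc822Name-match on subject-id.
    if not xacml_rfc822name_match("corporate.com", request["subject-id"]):
        return "Deny", "ExecRule target: rfc822Name-match failed; DefaultPolicy applies"
    # ExecRule <Condition>: string-is-in over the role bag.
    if not xacml_string_is_in("executive", request["role"]):
        return "Deny", "ExecRule condition: no 'executive' role; DefaultPolicy applies"
    # permit-overrides: ExecRule's Permit wins over DefaultPolicy's Deny.
    return "Permit", "ExecRule matched"

if __name__ == "__main__":
    # Constructed requests: first the resource-id from the posted XML request,
    # then the URI built in the posted Java code (no "www").
    for uri in (POLICY_RESOURCE, "http://corporate.com/feeds/financial.rss"):
        req = {"subject-id": "john.doe@corporate.com", "role": ["executive"],
               "resource-id": uri}
        print(uri, "->", evaluate(req))
```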