3 Replies Latest reply on May 10, 2010 10:55 AM by anil.saldhana

    Why is this XACML Request returning a Deny?

    bkrisler

      Hi,

       

      I have a very simple XACML request that is returning a Deny when I expect a Permit, and I can't figure out why. It appears to be related to the anyURI resource, since changing the URI to a string works.

       

      Any help is appreciated!

       

      The Request:

       

      <ns9:XACMLAuthzDecisionQuery IssueInstant="2010-05-06T11:05:25.911-04:00">
        <ns3:Issuer>testIssuer</ns3:Issuer>
        <ns7:Request>
        <ns7:Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
          <ns7:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" 
                         DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name" Issuer="testIssuer">
            <ns7:AttributeValue>john.doe@corporate.com</ns7:AttributeValue>
          </ns7:Attribute>
          <ns7:Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" 
                         DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="testIssuer">
            <ns7:AttributeValue>executive</ns7:AttributeValue>
          </ns7:Attribute>
        </ns7:Subject>
        <ns7:Resource>
          <ns7:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" 
                         DataType="http://www.w3.org/2001/XMLSchema#anyURI" Issuer="testIssuer">
            <ns7:AttributeValue>http://www.corporate.com/feeds/financial.rss</ns7:AttributeValue>
          </ns7:Attribute>
        </ns7:Resource>
        <ns7:Action/>
        <ns7:Environment/>
        </ns7:Request>
        </ns9:XACMLAuthzDecisionQuery>
      

       

      The Policy:

       

      <PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os 
                         http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd"
        PolicySetId="urn:oasis:names:tc:bbn:1.0:example:policyid:1"
        PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
      <Target>
        <Resources>
          <Resource>
            <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://www.corporate.com/feeds/financial.rss</AttributeValue>
              <ResourceAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#anyURI" 
                  AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" />
            </ResourceMatch>
          </Resource>
        </Resources>
      </Target>
      
      <Policy PolicyId="ExecutivePolicy"
      RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
      <Description>My Test Policy</Description>
      <Target />
      <Rule RuleId="ExecRule" Effect="Permit">
      <Target>
        <Subjects>
          <Subject>
            <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">corporate.com
              </AttributeValue>
              <SubjectAttributeDesignator DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"
                  AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" />
            </SubjectMatch>
          </Subject>
        </Subjects>
      </Target>
      <Condition>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">executive</AttributeValue>
          <SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" 
             AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" />
        </Apply>
      </Condition>
      </Rule>
      
      <Rule RuleId="DefaultPolicy" Effect="Deny" />
      </Policy>
      
      </PolicySet>
      

       

      The request is constructed as follows:

       

      import java.net.URI;
      import java.util.ArrayList;
      import java.util.List;
      
      import org.jboss.security.xacml.core.model.context.AttributeType;
      import org.jboss.security.xacml.core.model.context.RequestType;
      import org.jboss.security.xacml.core.model.context.ResourceType;
      import org.jboss.security.xacml.core.model.context.SubjectType;
      import org.jboss.security.xacml.factories.RequestAttributeFactory;
      
      // 'issuer', createAction() and createEnvironment() are helpers from the poster's own code (not shown)
      RequestType xacmlRequest = new RequestType();
      
      // access-subject: who is asking
      SubjectType subject = new SubjectType();
      subject.setSubjectCategory("urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"); 
      
      List<AttributeType> attrList = new ArrayList<AttributeType>();
      // subject-id carried as rfc822Name so the policy's rfc822Name-match can apply to it
      attrList.add(RequestAttributeFactory.createEmailAttributeType(
           "urn:oasis:names:tc:xacml:1.0:subject:subject-id", issuer, "john.doe@corporate.com"));
      attrList.add(RequestAttributeFactory.createStringAttributeType(
           "urn:oasis:names:tc:xacml:2.0:subject:role", issuer, "executive")); 
      subject.getAttribute().addAll(attrList); 
       
      xacmlRequest.getSubject().add(subject);
      
      // resource-id as anyURI; anyURI-equal in the policy compares the string exactly,
      // so it must be identical to the policy literal (the serialized request above shows
      // http://www.corporate.com/feeds/financial.rss, including the "www.")
      ResourceType resourceType = new ResourceType();
      List<AttributeType> resList = new ArrayList<AttributeType>();
      resList.add(RequestAttributeFactory.createAnyURIAttributeType(
           "urn:oasis:names:tc:xacml:1.0:resource:resource-id", issuer, 
           new URI("http://corporate.com/feeds/financial.rss")));
      resourceType.getAttribute().addAll(resList);
      
      xacmlRequest.getResource().add(resourceType);
      xacmlRequest.setAction(createAction());
      xacmlRequest.setEnvironment(createEnvironment());
      
      

       

      Thanks again

       

      Brian

        • 1. Re: Why is this XACML Request returning a Deny?
          anil.saldhana

          It's possible that with anyURI we are not matching any rules and hence you are hitting the rule that says deny.  You can enable debug logging in JBossXACML to see what the behavior of matching rules is.

           

          https://jira.jboss.org/jira/browse/SECURITY-507

           

          I am going to investigate your example for any bugs. But no estimation on dates.

           

          For the time being, you can use "string" as you are getting your intended behavior.

          • 2. Re: Why is this XACML Request returning a Deny?
            bkrisler

            After turning on debugging, I discovered it was failing on the subject match; further investigation indicated that the line with 'corporate.com' for the domain was the issue: there was some hidden whitespace (end-of-line?) that was preventing a match.

             

            It looks like the URI stuff is working fine, so don't waste any time looking into it.

             

            Thanks for your help.

             

            Brian

            • 3. Re: Why is this XACML Request returning a Deny?
              anil.saldhana

              Glad it worked, Brian.  String trimming is one gray area that either has to be dealt with by the user or by the software that takes in any input.

               

              But I think it is a sound software principle to sanitize your inputs before processing. Maybe string trimming must be part of the sanitization.
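To see exactly why the posted policy yields Deny, and what trimming changes, here is an added example that is not code from the thread or from JBossXACML: a minimal Python evaluator for just the constructs this policy uses (anyURI-equal, rfc822Name-match, string-is-in, permit-overrides and deny-overrides). The policy is the thread's, condensed but with the stray line break after corporate.com kept; the request is the thread's, hand-flattened into a dict. Indeterminate is not modelled. decide(..., trim_values=False) uses the AttributeValue text verbatim, as the thread shows the PDP doing, and returns Deny because ExecRule's subject match fails and only the DefaultPolicy rule applies; trim_values=True models the trimming discussed above and returns Permit.

```python
# Added example, not code from the thread or from JBossXACML: a minimal evaluator
# for just the XACML 2.0 constructs this policy uses (Indeterminate is not modelled).
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
# The thread's policy, condensed. The line break and indentation after "corporate.com"
# inside the string AttributeValue are kept on purpose: that whitespace broke the match.
POLICY_XML = """<PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os" PolicySetId="urn:oasis:names:tc:bbn:1.0:example:policyid:1"
 PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
 <Target><Resources><Resource><ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://www.corporate.com/feeds/financial.rss</AttributeValue>
  <ResourceAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#anyURI" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
 </ResourceMatch></Resource></Resources></Target>
 <Policy PolicyId="ExecutivePolicy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
  <Target/>
  <Rule RuleId="ExecRule" Effect="Permit">
   <Target><Subjects><Subject><SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">corporate.com
    </AttributeValue>
    <SubjectAttributeDesignator DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name" AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"/>
   </SubjectMatch></Subject></Subjects></Target>
   <Condition><Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">executive</AttributeValue>
    <SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"/>
   </Apply></Condition>
  </Rule>
  <Rule RuleId="DefaultPolicy" Effect="Deny"/>
 </Policy></PolicySet>"""

# The thread's request, hand-flattened to {category: {AttributeId: bag of values}}.
REQUEST = {
    "Subject": {
        "urn:oasis:names:tc:xacml:1.0:subject:subject-id": ["john.doe@corporate.com"],
        "urn:oasis:names:tc:xacml:2.0:subject:role": ["executive"],
    },
    "Resource": {"urn:oasis:names:tc:xacml:1.0:resource:resource-id": ["http://www.corporate.com/feeds/financial.rss"]},
}

def rfc822name_match(pattern, name):
    """XACML 2.0 rfc822Name-match (string pattern vs rfc822Name): '@' in pattern = whole-name
    match (local part case-sensitive); leading '.' = domain suffix; else domain must equal it."""
    local, _, domain = name.rpartition("@")
    if "@" in pattern:
        plocal, _, pdomain = pattern.rpartition("@")
        return local == plocal and domain.lower() == pdomain.lower()
    if pattern.startswith("."):
        return domain.lower().endswith(pattern.lower())
    return domain.lower() == pattern.lower()

FUNCS = {
    "urn:oasis:names:tc:xacml:1.0:function:anyURI-equal": lambda a, b: a == b,
    "urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match": rfc822name_match,
    "urn:oasis:names:tc:xacml:1.0:function:string-is-in": lambda s, bag: s in bag,
}

def literal(elem, trim):
    text = elem.text or ""              # verbatim keeps the newline the PDP would see
    return text.strip() if trim else text

def designated_bag(elem, request):
    # SubjectAttributeDesignator -> "Subject", ResourceAttributeDesignator -> "Resource"
    category = elem.tag.split("}")[1].replace("AttributeDesignator", "")
    return request.get(category, {}).get(elem.get("AttributeId"), [])

def match_holds(m, request, trim):
    # A *Match is true if its function is true for any value in the designated bag.
    fn = FUNCS[m.get("MatchId")]
    return any(fn(literal(m[0], trim), v) for v in designated_bag(m[1], request))

def target_matches(target, request, trim):
    # Absent or empty Target matches everything; each section (Subjects, Resources, ...)
    # is a disjunction of alternatives, each a conjunction of its *Match children.
    if target is None:
        return True
    return all(any(all(match_holds(m, request, trim) for m in alt) for alt in section)
               for section in target)

def condition_holds(cond, request, trim):
    if cond is None:
        return True
    apply_ = cond[0]
    args = [literal(c, trim) if c.tag.endswith("AttributeValue") else designated_bag(c, request)
            for c in apply_]
    return FUNCS[apply_.get("FunctionId")](*args)

def combine(decisions, alg_id):
    wins, other = ("Deny", "Permit") if alg_id.endswith("deny-overrides") else ("Permit", "Deny")
    return wins if wins in decisions else other if other in decisions else "NotApplicable"

def evaluate(node, request, trim):
    # Evaluate a Rule, Policy or PolicySet element to Permit / Deny / NotApplicable.
    if not target_matches(node.find(f"{{{NS}}}Target"), request, trim):
        return "NotApplicable"
    kind = node.tag.split("}")[1]
    if kind == "Rule":
        ok = condition_holds(node.find(f"{{{NS}}}Condition"), request, trim)
        return node.get("Effect") if ok else "NotApplicable"
    child, alg = ("Rule", "RuleCombiningAlgId") if kind == "Policy" else ("Policy", "PolicyCombiningAlgId")
    return combine([evaluate(c, request, trim) for c in node.findall(f"{{{NS}}}{child}")], node.get(alg))

def decide(policy_xml, request, trim_values=False):
    # trim_values=False: AttributeValue text used verbatim; True: stripped before matching.
    return evaluate(ET.fromstring(policy_xml), request, trim_values)
```

Running decide(POLICY_XML, REQUEST) gives Deny and decide(POLICY_XML, REQUEST, trim_values=True) gives Permit; removing the line break before </AttributeValue> in the policy gives Permit with no trimming at all, which is the fix Brian applied. Whether a PDP should trim is the gray area anil describes: trimming policy literals at load time hides exactly this class of authoring typo, so a policy linter that rejects leading or trailing whitespace in AttributeValue text is the more conservative place to put the check.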