XACML and EJB: how are policies found?
bkrisler Jul 15, 2010 4:50 PM
Hi, I am trying a simple example of an EJB with XACML authorization. I thought I had everything set up correctly,
but I keep getting an exception: `Missing xacml policy for contextid:HelloWorld.jar` (the contextid in the message is the name of the deployed jar, so the authorization module is apparently keying its policy lookup on the deployment unit).
I have:
package com.example.helloworld;
/**
 * Remote business interface of the hello-world bean.
 *
 * Calls on this interface go through the bean's security domain, so the
 * subject/resource/action the authorization layer derives from a call to
 * {@link #sayHello} is what an access policy has to match.
 */
public interface SayHello {
    /**
     * Builds a greeting for the given name.
     *
     * @param name the name to greet
     * @return the greeting text
     */
    String sayHello(String name);
}
and
package com.example.helloworld;
import javax.ejb.Remote;
import javax.ejb.Stateless;
import org.jboss.ejb3.annotation.SecurityDomain;
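/**
 * Stateless session bean whose remote view is {@link SayHello}.
 *
 * {@code @SecurityDomain("example-sec")} is what ties invocations of this bean
 * to the "example-sec" login/authorization configuration; there is no
 * {@code @RolesAllowed} here, so any access decision comes from the modules
 * configured for that domain.
 *
 * The bean now implements the remote interface it advertises via
 * {@code @Remote(SayHello.class)}, so a drift between the bean method and the
 * interface signature is caught by the compiler instead of at deploy time.
 */
@Stateless
@Remote(SayHello.class)
@SecurityDomain("example-sec")
public class SayHelloBean implements SayHello {

    /**
     * Greets the caller-supplied name.
     *
     * @param name the name to greet; a {@code null} is rendered literally
     * @return {@code "Hello " + name}
     */
    @Override
    public String sayHello(String name) {
        return "Hello " + name;
    }
}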
When I build the jar, I put the PDP configuration (policyConfig.xml) and the policy it references (policies/policy1.xml) under META-INF:
<ns:jbosspdp xmlns:ns="urn:jboss:xacml:2.0">
<!-- PDP configuration. The single policy is given by a relative path; what that
     path is resolved against (this file's directory inside the jar, the
     classpath, or the working directory) is not visible here - confirm against
     the XACML module before relying on it. -->
<ns:Policies>
<ns:Policy>
<ns:Location>policies/policy1.xml</ns:Location>
</ns:Policy>
</ns:Policies>
<!-- Both a policy-set locator and a plain-policy locator are registered, but
     only a plain <Policy> is supplied above, so the policy-set locator
     presumably has nothing to load. -->
<ns:Locators>
<ns:Locator Name="org.jboss.security.xacml.locators.JBossPolicySetLocator"/>
<ns:Locator Name="org.jboss.security.xacml.locators.JBossPolicyLocator"/>
</ns:Locators>
</ns:jbosspdp>
and
<?xml version="1.0" encoding="UTF-8"?>
<!-- Access policy for the SayHello bean.
     The policy-level <Target/> below is empty, so this policy is applicable to
     every request the PDP receives; only the single rule narrows it. -->
<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
access_control-xacml-2.0-policy-schema-os.xsd"
PolicyId="urn:oasis:names:tc:xacml:2.0:jboss-test:XV:policy"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
<Description> Policy for Subject RBAC</Description>
<Target />
<!-- The only rule, and it is a Permit. There is no Deny rule and no catch-all,
     so with deny-overrides a request that fails any clause below evaluates to
     NotApplicable rather than Deny. Whether the JBoss PEP treats NotApplicable
     as a refusal should be confirmed rather than assumed. -->
<Rule RuleId="urn:oasis:names:tc:xacml:2.0:jboss-test:XVI:rule"
Effect="Permit">
<Description>Test
</Description>
<Target>
<!-- Both SubjectMatch elements sit inside one <Subject>, so they are ANDed:
     the caller must be "brian" AND carry role "role1". Every match in this
     target uses string-equal, i.e. an exact string comparison. -->
<Subjects>
<Subject>
<SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">brian</AttributeValue>
<SubjectAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string" />
</SubjectMatch>
<SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">role1</AttributeValue>
<SubjectAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="http://www.w3.org/2001/XMLSchema#string" />
</SubjectMatch>
</Subject>
</Subjects>
<!-- Assumes the EJB PEP presents the bean name as resource-id and the method
     name as action-id - confirm against the request the module builds. A
     mismatch here would yield NotApplicable, not the "missing policy" error
     reported, so it is not the cause of that exception. -->
<Resources>
<Resource>
<ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SayHelloBean</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#string" />
</ResourceMatch>
</Resource>
</Resources>
<Actions>
<Action>
<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">sayHello</AttributeValue>
<ActionAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string" />
</ActionMatch>
</Action>
</Actions>
</Target>
</Rule>
</Policy>
The jar tree looks like:
META-INF/MANIFEST.MF
META-INF/policies
META-INF/policies/policy1.xml
META-INF/policyConfig.xml
com/example/helloworld/SayHello.class
com/example/helloworld/SayHelloBean.class
Finally, my login config has:
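<!-- Security domain referenced by @SecurityDomain("example-sec") on the bean.
     As pasted, the two login-module/policy-module elements were missing the
     whitespace before flag="required", which is not well-formed XML; it is
     restored here. -->
<application-policy name="example-sec">
  <authentication>
    <!-- Users and roles are read from properties files. The password file is
         consumed as written unless a hashing option is configured on this
         module - confirm before storing anything but throwaway test accounts. -->
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
      <module-option name="usersProperties">props/my-users.properties</module-option>
      <module-option name="rolesProperties">props/my-roles.properties</module-option>
    </login-module>
  </authentication>
  <authorization>
    <!-- Access decisions are delegated to the XACML PDP. With flag="required",
         a failure inside this module - including the "missing policy" case
         reported above - presumably fails the call rather than falling open. -->
    <policy-module code="org.jboss.security.authorization.modules.XACMLAuthorizationModule" flag="required"/>
  </authorization>
</application-policy>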
My client code is:
package com.example.helloworld.client;
import java.util.Arrays;
import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.jboss.security.auth.callback.AppCallbackHandler;
import com.example.helloworld.SayHello;
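/**
 * Minimal remote client for the SayHello bean.
 *
 * Authenticates through the "my-security-client" JAAS configuration, looks up
 * the bean's remote view over JNP and invokes {@code sayHello}.
 *
 * Usage: {@code HelloWorld [user [password]]}. With no arguments the original
 * test credentials are used, so existing invocations behave as before.
 */
public class HelloWorld {
    /** User assumed when none is given on the command line. */
    private static final String DEFAULT_USER = "brian";

    /**
     * SECURITY: a password literal in source is tolerable only for a throwaway
     * test account; for anything else pass it as the second argument instead.
     */
    private static final String DEFAULT_PASSWORD = "123456";

    /**
     * Entry point.
     *
     * @param args optional {@code user} and {@code password}
     * @throws LoginException if the JAAS login (or logout) fails or the
     *         "my-security-client" configuration is missing
     */
    public static void main(String[] args) throws LoginException {
        String user = args.length > 0 ? args[0] : DEFAULT_USER;
        char[] password = (args.length > 1 ? args[1] : DEFAULT_PASSWORD).toCharArray();

        Properties env = new Properties();
        env.setProperty(Context.INITIAL_CONTEXT_FACTORY, "org.jnp.interfaces.NamingContextFactory");
        // URL_PKG_PREFIXES is a colon-separated list of *package* prefixes for
        // URL context factories. The original set it to the context-factory
        // class name, which is not a package and would never resolve.
        env.setProperty(Context.URL_PKG_PREFIXES, "org.jboss.naming:org.jnp.interfaces");
        env.setProperty(Context.PROVIDER_URL, "jnp://localhost:1099/");

        AppCallbackHandler handler = new AppCallbackHandler(user, password);
        LoginContext lc = new LoginContext("my-security-client", handler);
        lc.login();
        try {
            // Print the principals only: Subject.toString() also renders the
            // Subject's credentials, which could echo the password to stdout.
            System.out.println("Subject: " + lc.getSubject().getPrincipals());
            InitialContext ctx = new InitialContext(env);
            SayHello h = (SayHello) ctx.lookup("SayHelloBean/remote");
            System.out.println(h.sayHello("Brian"));
        } catch (NamingException e) {
            // Sample client: report the lookup failure and fall through to cleanup.
            e.printStackTrace();
        } finally {
            // Drop the client-side security association established by login(),
            // then scrub the password copy this process holds.
            lc.logout();
            Arrays.fill(password, '\0');
        }
    }
}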
Do I have to do something different to get the policy file located?
Thanks for any help!
Brian