4 Replies Latest reply on Aug 9, 2010 2:23 PM by dangvo

XACML and EBJ, How are policies found?

bkrisler Jul 15, 2010 4:50 PM

Hi, I am trying a simple example of an EJB with XACML authorization. I thought I had everything setup correctly,

but I keep getting an exception, Missing xacml policy for contextid:HelloWorld.jar

I have:

package com.example.helloworld;
 
public interface SayHello {
public String sayHello(String name);
}

and

package com.example.helloworld;
 
import javax.ejb.Remote;
import javax.ejb.Stateless;
 
import org.jboss.ejb3.annotation.SecurityDomain;
 
@Stateless
@Remote(SayHello.class)
@SecurityDomain("example-sec")
public class SayHelloBean {
  public String sayHello(String name) {
     return "Hello " + name;
  }
}

When I build my jar, I put my policy files in the META-INF directory:

<ns:jbosspdp xmlns:ns="urn:jboss:xacml:2.0">
  <ns:Policies>
    <ns:Policy>
       <ns:Location>policies/policy1.xml</ns:Location>
     </ns:Policy>
  </ns:Policies>
  <ns:Locators>
    <ns:Locator Name="org.jboss.security.xacml.locators.JBossPolicySetLocator"/> 
    <ns:Locator Name="org.jboss.security.xacml.locators.JBossPolicyLocator"/> 
  </ns:Locators>
</ns:jbosspdp>

and

<?xml version="1.0" encoding="UTF-8"?>
<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
        access_control-xacml-2.0-policy-schema-os.xsd"
PolicyId="urn:oasis:names:tc:xacml:2.0:jboss-test:XV:policy"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
<Description> Policy for Subject RBAC</Description>
<Target />
<Rule RuleId="urn:oasis:names:tc:xacml:2.0:jboss-test:XVI:rule"
Effect="Permit">
<Description>Test
        </Description>
<Target>
<Subjects>
<Subject>
<SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">brian</AttributeValue>
<SubjectAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string" />
</SubjectMatch>
<SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">role1</AttributeValue>
<SubjectAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="http://www.w3.org/2001/XMLSchema#string" />
</SubjectMatch>
</Subject>
</Subjects>
<Resources>
<Resource>
<ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SayHelloBean</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#string" />
</ResourceMatch>
</Resource>
</Resources>
<Actions>
<Action>
<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">sayHello</AttributeValue>
<ActionAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string" />
</ActionMatch>
</Action>
</Actions>
</Target>
</Rule>
</Policy>

The jar tree looks like:

META-INF/MANIFEST.MF

META-INF/policies

META-INF/policies/policy1.xml

META-INF/policyConfig.xml

com/example/helloworld/SayHello.class

com/example/helloworld/SayHelloBean.class

Finally, my login config has:

 <application-policy name="example-sec">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
        flag="required">
        <module-option name="usersProperties">props/my-users.properties</module-option>
        <module-option name="rolesProperties">props/my-roles.properties</module-option>
      </login-module>
    </authentication>
    <authorization>
      <policy-module code="org.jboss.security.authorization.modules.XACMLAuthorizationModule"
      flag="required"/>
    </authorization>    
 
  </application-policy>

My client code is:

package com.example.helloworld.client;
 
import java.util.Properties;
 
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
 
import org.jboss.security.auth.callback.AppCallbackHandler;
 
import com.example.helloworld.SayHello;
 
public class HelloWorld {
 
     public static void main(String[] args) throws LoginException {
          Properties env = new Properties();
          env.setProperty(Context.INITIAL_CONTEXT_FACTORY, "org.jnp.interfaces.NamingContextFactory");
          env.setProperty(Context.URL_PKG_PREFIXES, "org.jnp.interfaces.NamingContextFactory");
          env.setProperty(Context.PROVIDER_URL, "jnp://localhost:1099/");
               
          AppCallbackHandler handler = new AppCallbackHandler("brian", "123456".toCharArray());
          LoginContext lc = new LoginContext("my-security-client", handler);
          lc.login();
     
          System.out.println("Subject: " + lc.getSubject());
          
 
InitialContext ctx;
          try {
               ctx = new InitialContext(env);
               SayHello h = (SayHello) ctx.lookup("SayHelloBean/remote");
               System.out.println(h.sayHello("Brian"));
          } catch (NamingException e) {
e.printStackTrace();
          }
     }
}

Do I have to do something different to get the policy file located?

Thanks for any help!

Brian

1. Re: XACML and EBJ, How are policies found?

bkrisler Jul 16, 2010 11:55 AM (in response to bkrisler)
I figured out my problem.

I had to change the config file name to: jbossxacml-config.xml

and I changed the reference link in the config to:

<ns:Location>META-INF/policy1.xml</ns:Location>

So I META-INF now looks like:

META-INF
jbossxacml-config.xml
policy1.xml

All works fine now.

Brian
Actions
2. Re: XACML and EBJ, How are policies found?

dangvo Aug 5, 2010 8:33 PM (in response to bkrisler)

Hi Brian,

I'm too having problem trying to set up a simple XACML and EJB example. I mainly follow Anil's example here http://server.dzone.com/articles/security-features-jboss-510-1. So could you share your settings in login-config.xml, jbossxacml-config.xml and policy1.xml.

-- Dang
Actions
3. Re: XACML and EBJ, How are policies found?

bkrisler Aug 5, 2010 11:05 PM (in response to dangvo)

Hi,

I just created a tutorial with a simple example:
https://community.jboss.org/wiki/ProtectingEJBwebserviceswithXACMLAbeginnerstutorial

Hopefully this will help you with your issues.

Brian
Actions
4. Re: XACML and EBJ, How are policies found?

dangvo Aug 9, 2010 2:23 PM (in response to bkrisler)

Your example works perfectly, however my sample is still does not. I'm starting to suspect that my xacml policy is incorrect as opposed to a configuration problem.

One thing I'm not clear is in your example's policy, you specified an extra action 'write' (which I assume should have no effect) and an extra resource '/sampleDomain' of type anyURI, the question is if the sampleDomain URI neccesary consider you alread check for the EJB resource by name?
Actions

Go to original post