7 Replies Latest reply on Apr 1, 2011 1:31 PM by anil.saldhana

    RBAC Profile of XACML

      Hi everyone!

      Our organization is trying to implement an authorization scheme based on JBoss' XACML library (v2.0.4) and RBAC profile of XACML. (RBAC profile is a standard specification available here: http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-rbac-profile1-spec-os.pdf).

      I had several issues with implementing this profile, mostly related to difficulties in finding policies and policy sets by reference.

      Therefore I wrote a JUnit test case for the example given in the aforementioned document and ran it inside the jboss-xacml project (latest revision on trunk).

      The authorization scenario is the following: there are two roles ('employee' and 'manager'), a resource ('purchase order') and two actions ('create' and 'sign'). The employee can only create purchase orders, while the manager also has the ability to sign them.
      The policies needed for this scenario are described in greater detail in the RBAC profile document, pages 7-12.
      For each role there are two policy sets, the role policy set (RPS) and the permission policy set (PPS). The RPS is the primary policy set that has to be checked first by the PDP and must include a reference to the applicable PPS.
      For example, the RPS for the employee role looks like this (XacmlRolePolicySet-employee.xml):

      <?xml version="1.0" encoding="UTF-8"?>
      <PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
                              http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd"
          PolicySetId="RPS:employee:role"
          PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
        <Target>
          <Subjects>
            <Subject>
              <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">urn:example:role-values:employee</AttributeValue>
                <SubjectAttributeDesignator
                    DataType="http://www.w3.org/2001/XMLSchema#anyURI"
                    AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" />
              </SubjectMatch>
            </Subject>
          </Subjects>
        </Target>

        <!-- Include permissions associated with the employee role -->
        <PolicySetIdReference>PPS:employee:role</PolicySetIdReference>

      </PolicySet>

      and the corresponding PPS is (XacmlPermissionPolicySet-employee.xml):

      <?xml version="1.0" encoding="UTF-8"?>
      <PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
                              http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd"
          PolicySetId="PPS:employee:role"
          PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
        <Target />
        <Policy
            RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides"
            PolicyId="Permissions:specifically:for:the:employee:role">
          <Description>
            Permissions specifically for the employee role.
          </Description>
          <Target />
          <!-- Permission to create a purchase order -->
          <Rule Effect="Permit" RuleId="Permission:to:create:a:purchase:order">
            <Target>
              <Resources>
                <Resource>
                  <ResourceMatch
                      MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">purchase order</AttributeValue>
                    <ResourceAttributeDesignator
                        AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                        DataType="http://www.w3.org/2001/XMLSchema#string" />
                  </ResourceMatch>
                </Resource>
              </Resources>
              <Actions>
                <Action>
                  <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <AttributeValue
                        DataType="http://www.w3.org/2001/XMLSchema#string">create</AttributeValue>
                    <ActionAttributeDesignator
                        DataType="http://www.w3.org/2001/XMLSchema#string"
                        AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" />
                  </ActionMatch>
                </Action>
              </Actions>
            </Target>
          </Rule>
        </Policy>

      </PolicySet>
      


      The JBoss XACML configuration file used (src/test/resources/test/config/rbacPolicySetConfig.xml):

      <ns:jbosspdp xmlns:ns="urn:jboss:xacml:2.0">
        <ns:Policies>
          <ns:PolicySet>
            <ns:Location>test/policies/rbac/XacmlRolePolicySet-employee.xml</ns:Location>
            <ns:PolicySet>
              <ns:Location>test/policies/rbac/XacmlPermissionPolicySet-employee.xml</ns:Location>
            </ns:PolicySet>
          </ns:PolicySet>
          <ns:PolicySet>
            <ns:Location>test/policies/rbac/XacmlRolePolicySet-manager.xml</ns:Location>
            <ns:PolicySet>
              <ns:Location>test/policies/rbac/XacmlPermissionPolicySet-manager.xml</ns:Location>
            </ns:PolicySet>
          </ns:PolicySet>
        </ns:Policies>
        <ns:Locators>
          <ns:Locator Name="org.jboss.security.xacml.locators.JBossPolicySetLocator"/>
        </ns:Locators>
      </ns:jbosspdp>


      The following request file asks for authorization for an employee that wants to create a purchase order. According to the policy the request should be granted.

      <?xml version="1.0" encoding="UTF-8"?>
      <xacml-context:Request xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
          xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os
                              http://docs.oasis-open.org/xacml/access_control-xacml-2.0-context-schema-os.xsd">
        <Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
          <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
              DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="xacml20.rbac.example">
            <AttributeValue>500</AttributeValue>
          </Attribute>
          <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:user-name"
              DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="xacml20.rbac.example">
            <AttributeValue>Nick the Employee</AttributeValue>
          </Attribute>
          <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
              DataType="http://www.w3.org/2001/XMLSchema#anyURI" Issuer="xacml20.rbac.example">
            <AttributeValue>urn:example:role-values:employee</AttributeValue>
          </Attribute>
        </Subject>
        <Resource>
          <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
              DataType="http://www.w3.org/2001/XMLSchema#string">
            <AttributeValue>purchase order</AttributeValue>
          </Attribute>
        </Resource>
        <Action>
          <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
              DataType="http://www.w3.org/2001/XMLSchema#string">
            <AttributeValue>create</AttributeValue>
          </Attribute>
        </Action>
        <Environment />
      </xacml-context:Request>


      This one is for an employee who wants to sign a purchase order (src/test/resources/test/policies/rbac/sign-purchase-order-by-employee-request.xml):

      <?xml version="1.0" encoding="UTF-8"?>
      <xacml-context:Request xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
          xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os
                              http://docs.oasis-open.org/xacml/access_control-xacml-2.0-context-schema-os.xsd">
        <Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
          <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
              DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="xacml20.rbac.example">
            <AttributeValue>500</AttributeValue>
          </Attribute>
          <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:user-name"
              DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="xacml20.rbac.example">
            <AttributeValue>Nick the Employee</AttributeValue>
          </Attribute>
          <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
              DataType="http://www.w3.org/2001/XMLSchema#anyURI" Issuer="xacml20.rbac.example">
            <AttributeValue>urn:example:role-values:employee</AttributeValue>
          </Attribute>
        </Subject>
        <Resource>
          <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
              DataType="http://www.w3.org/2001/XMLSchema#string">
            <AttributeValue>purchase order</AttributeValue>
          </Attribute>
        </Resource>
        <Action>
          <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
              DataType="http://www.w3.org/2001/XMLSchema#string">
            <AttributeValue>sign</AttributeValue>
          </Attribute>
        </Action>
        <Environment />
      </xacml-context:Request>


      This request should be denied, but surprisingly I got a DECISION_NOT_APPLICABLE. Here is the method:

      public void testRBACSignPurchaseOrderByEmployee() throws Exception
      {
         // Locate the PDP configuration that lists the RBAC policy sets
         String fileName = "test/config/rbacPolicySetConfig.xml";
         ClassLoader tcl = Thread.currentThread().getContextClassLoader();
         URL configFile = tcl.getResource(fileName);
         assertNotNull("configFile != null", configFile);

         // Unmarshal the jbosspdp configuration with the JBoss XACML JAXB bindings
         JAXBContext jc = JAXBContext.newInstance("org.jboss.security.xacml.jaxb");
         assertNotNull("JAXBContext is !null", jc);
         Unmarshaller u = jc.createUnmarshaller();
         JAXBElement<?> j = (JAXBElement<?>) u.unmarshal(configFile);
         assertNotNull("JAXBElement is !null", j);

         // Build the PDP from the configuration and evaluate the request file against it
         PolicyDecisionPoint pdp = new JBossPDP(j);
         TestCase.assertEquals("Sign purchase order by employee should be denied",
               XACMLConstants.DECISION_DENY,
               XACMLTestUtil.getDecision(pdp, "test/policies/rbac/sign-purchase-order-by-employee-request.xml"));
      }


      The JUnit test case is a slight adaptation of JBossXACMLConfigUnitTestCase.
      I ran the test from inside Eclipse SDK and as part of Maven build process, and the results were the same.

      So my questions are:
      How can this result be explained? Have I done anything wrong at the configuration level?
      Can I configure/implement a policy (module) finder that would discover the policies referenced by PolicySetIdReference or PolicyIdReference elements?


        • 1. Re: RBAC Profile of XACML

          Ahem...no answer yet.
          Let me summarize my previous post.
          I'm trying to use RBAC profile of XACML 2.0 (described here: http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-rbac-profile1-spec-os.pdf)

          I ran into some issues with it so I wrote a JUnit test (plus supporting resources).
          I would like to contribute it to the jboss-xacml project (I have a .diff file so it should be easy to include it) so that everyone interested in XACML could have a look and try to explain why it is failing.

          I even sent a request to JBoss to become a contributor, but so far I haven't got any word from them regarding my request status.

          Aren't there any alternative ways I could submit the code for everyone to see?

          [PS: To the maintainers of this forum: if this is not the proper place to post this, please suggest where/to whom I should write, because I would really like to get an answer anytime soon]

          • 2. Re: RBAC Profile of XACML
            anil.saldhana

            A decision of NA is as good as Deny. You don't permit the access.

            The NA may be happening because an expected attribute is not passed as part of the request.

            • 3. Re: RBAC Profile of XACML

               

              "anil.saldhana@jboss.com" wrote:
              A decision of NA is as good as Deny. You don't permit the access.

              The NA may be happening because an expected attribute is not passed as part of the request.


              Actually all the expected attributes were present in the request (You can verify that by looking closely at my previous post). The policies were exactly the same as those described in the RBAC profile document.

              I managed to fix the JUnit test by adding another rule inside the PPS for the employees:

              <?xml version="1.0" encoding="UTF-8"?>
              <PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
                                      http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd"
                  PolicySetId="PPS:employee:role"
                  PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
                <Target />
                <Policy
                    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides"
                    PolicyId="Permissions:specifically:for:the:employee:role">
                  <Description>
                    Permissions specifically for the employee role.
                  </Description>
                  <Target />
                  <!-- Permission to create a purchase order -->
                  <Rule Effect="Permit" RuleId="Permission:to:create:a:purchase:order">
                    <Target>
                      <Resources>
                        <Resource>
                          <ResourceMatch
                              MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">purchase order</AttributeValue>
                            <ResourceAttributeDesignator
                                AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                                DataType="http://www.w3.org/2001/XMLSchema#string" />
                          </ResourceMatch>
                        </Resource>
                      </Resources>
                      <Actions>
                        <Action>
                          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create</AttributeValue>
                            <ActionAttributeDesignator
                                DataType="http://www.w3.org/2001/XMLSchema#string"
                                AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" />
                          </ActionMatch>
                        </Action>
                      </Actions>
                    </Target>
                  </Rule>
                  <!-- Catch-all rule: anything not permitted above is denied -->
                  <Rule Effect="Deny" RuleId="DefaultDeny"></Rule>
                </Policy>

              </PolicySet>


              That fixed the issues when run against jboss-xacml 2.0.4.
              On the trunk (rev 96011) I still have two tests failing: the creation of a purchase order by a manager or an employee is denied (when it should be allowed).

              • 4. Re: RBAC Profile of XACML
                kirikiki

                Hi all,

                I tried your example that implements the RBAC profile of XACML and I don't get the same result as you.

                I identified two problems:

                The first is that in your policy (XacmlPermissionPolicySet-employee.xml), which specifies the permissions of the employee role, the rule says that access is permitted if you perform a "create" operation on the resource "purchase order". This means that all the other roles (e.g. a student role) can create a purchase order? I don't understand how this policy enforces that "only" an employee can perform this type of operation.

                 

                Another thing that I don't understand is that, when I test your policies with JBoss XACML, I get this result:

                <ns5:Decision>Indeterminate</ns5:Decision>
                <ns5:Status>
                  <ns5:StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:processing-error"/>
                  <ns5:StatusMessage>too many applicable top-level policies</ns5:StatusMessage>
                </ns5:Status>
                </ns5:Result>

                This is because the two PolicySets match your request.

                Do you have the same result as me?
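                The following toy evaluator is added here as an illustration; it is not code from jboss-xacml or Sun XACML. It models the thread's RPS/PPS pair with equality target matching, permit-overrides combining and PolicySetIdReference resolution, and reproduces the NotApplicable the original poster saw for employee/sign, the Deny after reply 3's DefaultDeny rule, and both effects kirikiki describes when the PPS is also loaded as a top-level policy: the "too many applicable top-level policies" Indeterminate, and a role with no RPS (a constructed "student" role) being permitted to create purchase orders.

```python
# Toy model of XACML 2.0 RBAC-profile evaluation (added example, not jboss-xacml code):
# equality target matching, permit-overrides combining and PolicySetIdReference only.
from dataclasses import dataclass, field
PERMIT, DENY, NA, INDET = "Permit", "Deny", "NotApplicable", "Indeterminate"
ROLE_EMPLOYEE = "urn:example:role-values:employee"   # role value used in the thread's RPS

@dataclass
class Rule:
    effect: str
    target: dict = field(default_factory=dict)       # {} is an empty <Target/>: matches everything

@dataclass
class PolicySet:
    id: str
    target: dict = field(default_factory=dict)
    rules: list = field(default_factory=list)        # rules of the embedded <Policy>
    refs: list = field(default_factory=list)         # <PolicySetIdReference> ids

def matches(target, request):
    # A Target matches when every attribute it names equals the request's value.
    return all(request.get(k) == v for k, v in target.items())

def permit_overrides(decisions):
    # Permit wins, then Indeterminate, then Deny; nothing applicable gives NotApplicable.
    return next((d for d in (PERMIT, INDET, DENY) if d in decisions), NA)

def evaluate(ps, request, registry):
    """Evaluate one PolicySet; referenced PolicySets are resolved through the registry."""
    if not matches(ps.target, request):
        return NA
    decisions = [r.effect for r in ps.rules if matches(r.target, request)]
    decisions += [evaluate(registry[ref], request, registry) for ref in ps.refs]
    return permit_overrides(decisions)

def pdp(roots, request, registry):
    """Top-level decision; more than one matching root policy is the processing error
    kirikiki saw ('too many applicable top-level policies'), reported as Indeterminate."""
    applicable = [ps for ps in roots if matches(ps.target, request)]
    if len(applicable) > 1:
        return INDET
    return evaluate(applicable[0], request, registry) if applicable else NA

# The thread's policies: RPS:employee:role references PPS:employee:role.
CREATE_PO = Rule(PERMIT, {"resource-id": "purchase order", "action-id": "create"})
PPS_EMPLOYEE = PolicySet("PPS:employee:role", rules=[CREATE_PO])
PPS_EMPLOYEE_FIXED = PolicySet("PPS:employee:role", rules=[CREATE_PO, Rule(DENY)])  # reply 3's DefaultDeny
RPS_EMPLOYEE = PolicySet("RPS:employee:role", {"role": ROLE_EMPLOYEE}, refs=["PPS:employee:role"])

def decide(action, role=ROLE_EMPLOYEE, pps=PPS_EMPLOYEE, pps_as_root=False):
    """Decide <action> on a purchase order for <role>; pps_as_root also loads the PPS as a root policy."""
    request = {"role": role, "resource-id": "purchase order", "action-id": action}
    roots = [RPS_EMPLOYEE] + ([pps] if pps_as_root else [])
    return pdp(roots, request, {pps.id: pps})
```

With the PPS reachable only through the RPS reference, the student role gets NotApplicable; loaded as a root, the PPS's empty Target makes it applicable to every request, which is what kirikiki's two observations have in common.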

                • 5. Re: RBAC Profile of XACML
                  kirikiki

                  ...no answer????

                  • 6. RBAC Profile of XACML
                    anil.saldhana

                    https://issues.jboss.org/browse/SECURITY-575

                     

                    Expect some RBAC profile support in the 2.0.6.final version.

                    • 7. RBAC Profile of XACML
                      anil.saldhana