1 Reply Latest reply on Apr 21, 2010 8:15 AM by Sohil Shah

    Authz: Default policy if no policy applicable

    Jervis Liu Apprentice

      Hi I have a Authz use case like below:

       

      I have defined several policies for different resources. Here by resources, I mean classes. I.e., for different classes, I defined different permission rules. For example below is a policy generated for class "org.drools.command.runtime.BatchExecutionCommand":

       

      <Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os" RuleCombiningAlgId="rule-combining-alg:nopermit-means-denied" Version="2.0" PolicyId="7dbc3f51-e069-4132-81bb-58e8282e0380">
          <Target>
              <Resources>
                  <Resource>
                      <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">org.drools.command.runtime.BatchExecutionCommand</AttributeValue>
                          <ResourceAttributeDesignator MustBePresent="true" DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
                      </ResourceMatch>
                  </Resource>
              </Resources>
          </Target>
          <Rule Effect="Permit" RuleId="280b759d-4857-4248-8ab6-5a2c51a57685">
              <Target>
                  <Actions>
                      <Action>
                          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
                              <ActionAttributeDesignator MustBePresent="true" DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"/>
                          </ActionMatch>
                      </Action>
                  </Actions>
              </Target>
              <Condition>
                  <Apply FunctionId="urn:oasis:names:tc:xacml:2.0:function:jboss-drools:rule">
                      <VariableReference VariableId="roles://allowRule/91a5da6a-19a1-4b4f-9f2b-4845d17d5261"/>
                  </Apply>
              </Condition>
          </Rule>
          <Rule Effect="Permit" RuleId="c80a3a48-3de2-4d96-b834-115825bc817d">
              <Target>
                  <Actions>
                      <Action>
                          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
                              <ActionAttributeDesignator MustBePresent="true" DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"/>
                          </ActionMatch>
                      </Action>
                  </Actions>
              </Target>
              <Condition>
                  <Apply FunctionId="urn:oasis:names:tc:xacml:2.0:function:jboss-drools:rule">
                      <VariableReference VariableId="roles://allowRule/499e7366-70e0-4405-af2b-a1691e046fef"/>
                  </Apply>
              </Condition>
          </Rule>
      </Policy>

       

      As there are many classes I may need to protect with authorization, a default policy will come in handy. For example, in SecurityInterceptor, if the class being accessed is not "org.drools.command.runtime.BatchExecutionCommand" or any specific resource that has been associated with a specific policy, I want the access is evaluated by a default policy instead of simply returning NotApplicable.

       

      With a default policy, I can write two policies for two specific classes, then write a default policy for everything else that is not covered by those two specific policies. Or this behavior can be achieved by other mechanism in Authz?

       

      Thanks,

      Jervis

        • 1. Re: Authz: Default policy if no policy applicable
          Sohil Shah Master

          Jervis-

           

          The easiest way you can do the default policy approach would be to define a Policy associated with a "Default" Target such as this:

           

          <Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os" RuleCombiningAlgId="rule-combining-alg:nopermit-means-denied" Version="2.0" PolicyId="7dbc3f51-e069-4132-81bb-58e8282e0380">
              <Target>
                  <Resources>
                      <Resource>
                          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">DefaultDroolsClass</AttributeValue>
                              <ResourceAttributeDesignator MustBePresent="true" DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
                          </ResourceMatch>
                      </Resource>
                  </Resources>
              </Target>

           

          Then in your SecurityInterceptor when you construct your EnforcementContext, you can specify the Resource value as the "Default" target which is "DefaultDroolsClass" in this example, and if its the special Class which has a specific Policy associated with it, then use its "ClassName" as the target as specified in its Policy Target section.

           

           

          This is one way. There is also a regular expression way to do this, but that can get a bit more complicated.

           

          Thanks

          Sohil