2 Replies Latest reply on Oct 4, 2011 9:16 AM by joshc1107

    Problems using multiple XACML policy sets

    joshc1107

      I've been having problems getting the JBossPDP to evaluate multiple policy sets. I already searched and found a similar solution here: http://community.jboss.org/thread/166862, but I have not been able to implement it correctly. I pass my JBossPDP constructor the following config file:

      <ns:jbosspdp xmlns:ns="urn:jboss:xacml:2.0">
        <ns:Policies>
          <ns:PolicySet>
            <ns:Location>file:/opt/common/policies/policy1.xml</ns:Location>
          </ns:PolicySet>
          <ns:PolicySet>
            <ns:Location>file:/opt/common/policies/policy2.xml</ns:Location>
          </ns:PolicySet>
        </ns:Policies>
        <ns:Locators>
          <ns:Locator Name="org.jboss.security.xacml.locators.JBossPolicySetLocator"/>
        </ns:Locators>
      </ns:jbosspdp>

      with my policy1.xml file:

      <?xml version="1.0" encoding="UTF-8"?>
      <PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
          PolicySetId="esf2:policy1"
          PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable">
        <Target/>
        <!-- Policy to allow bob access -->
        <Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os access_control-xacml-2.0-policy-schema-os.xsd"
            PolicyId="esf2:policy1"
            RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
          <Description>Sample policy</Description>
          <Target/>
          <Rule RuleId="Permit-bob" Effect="Permit">
            <Description>This rule does something else</Description>
            <Target>
              <Subjects>
                <Subject>
                  <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">bob</AttributeValue>
                    <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                        DataType="http://www.w3.org/2001/XMLSchema#string"/>
                  </SubjectMatch>
                  <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">role1</AttributeValue>
                    <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
                        DataType="http://www.w3.org/2001/XMLSchema#string"/>
                  </SubjectMatch>
                </Subject>
              </Subjects>
              <Resources>
                <Resource>
                  <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">/sampleDomain</AttributeValue>
                    <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                        DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
                  </ResourceMatch>
                </Resource>
              </Resources>
              <Actions>
                <Action>
                  <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
                    <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                        DataType="http://www.w3.org/2001/XMLSchema#string"/>
                  </ActionMatch>
                </Action>
              </Actions>
            </Target>
          </Rule>
        </Policy>
      </PolicySet>

      And the policy2.xml file:

      <?xml version="1.0" encoding="UTF-8"?>
      <PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
          PolicySetId="esf2:policy2"
          PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable">
        <Target/>
        <!-- Policy to allow admin access and deny all -->
        <Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os access_control-xacml-2.0-policy-schema-os.xsd"
            PolicyId="esf2:policy1"
            RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
          <Description>Sample policy</Description>
          <Target/>
          <Rule RuleId="Permit-sue" Effect="Permit">
            <Description>This rule does something else</Description>
            <Target>
              <Subjects>
                <Subject>
                  <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
                    <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
                        DataType="http://www.w3.org/2001/XMLSchema#string"/>
                  </SubjectMatch>
                </Subject>
              </Subjects>
              <Resources>
                <Resource>
                  <AnyResource/>
                </Resource>
              </Resources>
              <Actions>
                <Action>
                  <AnyAction/>
                </Action>
              </Actions>
            </Target>
          </Rule>
          <Rule RuleId="ImplicitDeny" Effect="Deny"/>
        </Policy>
      </PolicySet>

      Everything seems to work when I evaluate against a policy set that is applicable to policy1, such as:

      <Request>
        <Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
          <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="jboss.org"><AttributeValue>bob</AttributeValue></Attribute>
          <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="jboss.org"><AttributeValue>role1</AttributeValue></Attribute>
        </Subject>
        <Resource>
          <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#anyURI"><AttributeValue>/sampleDomain</AttributeValue></Attribute>
        </Resource>
        <Action>
          <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="jboss.org"><AttributeValue>read</AttributeValue></Attribute>
        </Action>
        <Environment>
          <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time" DataType="http://www.w3.org/2001/XMLSchema#dateTime"><AttributeValue>2011-08-08T15:36:02.101000000-04:00</AttributeValue></Attribute>
        </Environment>
      </Request>

      This request returns a permitted decision. However, when I send a request that requires rules used in policy2, such as this one:

      <Request>
        <Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
          <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="jboss.org"><AttributeValue>admin</AttributeValue></Attribute>
          <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="jboss.org"><AttributeValue>admin</AttributeValue></Attribute>
        </Subject>
        <Resource>
          <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#anyURI"><AttributeValue>/rootFolder</AttributeValue></Attribute>
        </Resource>
        <Action>
          <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="jboss.org"><AttributeValue>all</AttributeValue></Attribute>
        </Action>
        <Environment>
          <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time" DataType="http://www.w3.org/2001/XMLSchema#dateTime"><AttributeValue>2011-08-08T15:36:02.126000000-04:00</AttributeValue></Attribute>
        </Environment>
      </Request>

      I receive an indeterminate response.  It seems (at least from what I could dig up) that this indicates a failure to evaluate the second policy.  Any ideas why?
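A pre-deployment check, added here as example code (not part of the post above or of JBoss XACML): it reads the Location entries of the jbosspdp config in load order and reports any PolicySetId or PolicyId that repeats across the loaded files, since XACML 2.0 requires those identifiers to be unique within a PDP's policy base. The function names and the dict of file contents (standing in for reading the file: URLs) are my own; run against trimmed copies of the two files from the post it reports that both declare PolicyId esf2:policy1.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

JBOSS_NS = "urn:jboss:xacml:2.0"
XACML_NS = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"

def policy_locations(config_xml):
    """Return the <ns:Location> strings of a jbosspdp config in load order."""
    return [loc.text.strip() for loc in ET.fromstring(config_xml).iter(f"{{{JBOSS_NS}}}Location")]

def collect_ids(policy_xml):
    """Return (element, id) pairs for every PolicySet and Policy in one file."""
    ids = []
    for el in ET.fromstring(policy_xml).iter():
        if el.tag == f"{{{XACML_NS}}}PolicySet":
            ids.append(("PolicySet", el.get("PolicySetId")))
        elif el.tag == f"{{{XACML_NS}}}Policy":
            ids.append(("Policy", el.get("PolicyId")))
    return ids

def find_duplicate_ids(policy_docs):
    """policy_docs maps location -> XML text; returns {(element, id): [locations]} for ids seen more than once."""
    seen = defaultdict(list)
    for location, xml_text in policy_docs.items():
        for element, ident in collect_ids(xml_text):
            seen[(element, ident)].append(location)
    return {key: locs for key, locs in seen.items() if len(locs) > 1}

def lint(config_xml, files):
    """files maps each Location URL to its content (hypothetical stand-in for reading file: URLs)."""
    problems, docs = [], {}
    for loc in policy_locations(config_xml):
        if loc in files:
            docs[loc] = files[loc]
        else:
            problems.append(f"missing: {loc}")
    for (element, ident), locs in find_duplicate_ids(docs).items():
        problems.append(f"duplicate {element}Id {ident!r} in {', '.join(locs)}")
    return problems

# Constructed sample: the post's PDP config plus trimmed copies of its two policy set files (rules dropped).
CONFIG = """<ns:jbosspdp xmlns:ns="urn:jboss:xacml:2.0"><ns:Policies>
<ns:PolicySet><ns:Location>file:/opt/common/policies/policy1.xml</ns:Location></ns:PolicySet>
<ns:PolicySet><ns:Location>file:/opt/common/policies/policy2.xml</ns:Location></ns:PolicySet>
</ns:Policies></ns:jbosspdp>"""
POLICY1 = """<PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os" PolicySetId="esf2:policy1"><Target/><Policy PolicyId="esf2:policy1"><Target/></Policy></PolicySet>"""
POLICY2 = """<PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os" PolicySetId="esf2:policy2"><Target/><Policy PolicyId="esf2:policy1"><Target/></Policy></PolicySet>"""
FILES = {"file:/opt/common/policies/policy1.xml": POLICY1, "file:/opt/common/policies/policy2.xml": POLICY2}

if __name__ == "__main__":
    print("\n".join(lint(CONFIG, FILES)) or "no problems found")
```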