2 Replies Latest reply on Aug 10, 2014 7:30 AM by fcorneli

    XACML: x500Name-regexp-match

    fcorneli

      Hi,

       

      I'm trying to use x500Name-regexp-match within a XACML 2.0 policy document as follows:

      <?xml version="1.0" encoding="UTF-8"?>
      <Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
              http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-policy-schema-os.xsd"
          PolicyId="whatever"
          RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
          <Target />
          <Rule RuleId="whatever" Effect="Permit">
              <Target>
                  <Subjects>
                      <Subject>
                          <SubjectMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:x500Name-regexp-match">
                              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SERIALNUMBER=79102520991,.*</AttributeValue>
                              <SubjectAttributeDesignator
                                  AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                                  DataType="urn:oasis:names:tc:xacml:1.0:data-type:x500Name" />
                          </SubjectMatch>
                      </Subject>
                  </Subjects>
                  <Resources>
                      <Resource>
                          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
                              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">urn:dss</AttributeValue>
                              <ResourceAttributeDesignator
                                  AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                                  DataType="http://www.w3.org/2001/XMLSchema#anyURI" />
                          </ResourceMatch>
                      </Resource>
                  </Resources>
                  <Actions>
                      <Action>
                          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">sign</AttributeValue>
                              <ActionAttributeDesignator
                                  AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                  DataType="http://www.w3.org/2001/XMLSchema#string" />
                          </ActionMatch>
                      </Action>
                  </Actions>
              </Target>
          </Rule>
      </Policy>
      
      

      which should result in a PERMIT against the following request:

      <?xml version="1.0" encoding="UTF-8"?>
      <Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os
              http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-context-schema-os.xsd">
          <Subject>
              <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                  DataType="urn:oasis:names:tc:xacml:1.0:data-type:x500Name">
                  <AttributeValue>SERIALNUMBER=79102520991, GIVENNAME=Frank Henri, SURNAME=Cornelis, CN=Frank Cornelis (Signature), C=BE</AttributeValue>
              </Attribute>
          </Subject>
          <Resource>
              <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                  DataType="http://www.w3.org/2001/XMLSchema#anyURI">
                  <AttributeValue>urn:dss</AttributeValue>
              </Attribute>
          </Resource>
          <Action>
              <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                  DataType="http://www.w3.org/2001/XMLSchema#string">
                  <AttributeValue>sign</AttributeValue>
              </Attribute>
          </Action>
          <Environment />
      </Request>
      
      

      but the following junit test:

      import static org.junit.Assert.assertEquals;

      import java.util.HashSet;
      import java.util.LinkedList;
      import java.util.List;
      import java.util.Set;

      import org.apache.commons.logging.Log;
      import org.apache.commons.logging.LogFactory;
      import org.jboss.security.xacml.factories.RequestResponseContextFactory;
      import org.jboss.security.xacml.interfaces.RequestContext;
      import org.jboss.security.xacml.interfaces.ResponseContext;
      import org.jboss.security.xacml.interfaces.XACMLConstants;
      import org.jboss.security.xacml.sunxacml.PDP;
      import org.jboss.security.xacml.sunxacml.PDPConfig;
      import org.jboss.security.xacml.sunxacml.ctx.RequestCtx;
      import org.jboss.security.xacml.sunxacml.ctx.ResponseCtx;
      import org.jboss.security.xacml.sunxacml.finder.PolicyFinder;
      import org.jboss.security.xacml.sunxacml.finder.PolicyFinderModule;
      import org.jboss.security.xacml.sunxacml.support.finder.StaticPolicyFinderModule;
      import org.junit.Test;

      public class XACMLTest {

          // Logger type is assumed (commons-logging); the post only shows LOG.debug(...)
          private static final Log LOG = LogFactory.getLog(XACMLTest.class);

          @Test
          public void testXACML3() throws Exception {
              // Null finders give the PDP default attribute/resource finders; only the policy finder is set up
              PDPConfig config = new PDPConfig(null, null, null);
              PolicyFinder policyFinder = config.getPolicyFinder();
              Set<PolicyFinderModule> modules = new HashSet<PolicyFinderModule>();
              List<String> policyList = new LinkedList<String>();
              policyList.add(XACMLTest.class.getResource("/xacml/policy-3.xml")
                      .toString());
              PolicyFinderModule policyFinderModule = new StaticPolicyFinderModule(
                      policyList);
              modules.add(policyFinderModule);
              policyFinder.setModules(modules);
              PDP pdp = new PDP(config);

              // Parse the request XML into the sunxacml RequestCtx the PDP evaluates
              RequestContext requestContext = RequestResponseContextFactory
                      .createRequestCtx();
              requestContext.readRequest(XACMLTest.class
                      .getResourceAsStream("/xacml/request-3.xml"));
              RequestCtx requestCtx = (RequestCtx) requestContext
                      .get(XACMLConstants.REQUEST_CTX);

              ResponseCtx responseCtx = pdp.evaluate(requestCtx);

              ResponseContext responseContext = RequestResponseContextFactory
                      .createResponseContext();
              responseContext.set(XACMLConstants.RESPONSE_CTX, responseCtx);

              LOG.debug("decision: " + responseContext.getDecision());
              assertEquals(XACMLConstants.DECISION_PERMIT,
                      responseContext.getDecision());
          }
      }
      

      gives me:

      org.jboss.security.xacml.sunxacml.ParsingException: Unknown MatchId
      ...
      Caused by: org.jboss.security.xacml.sunxacml.UnknownIdentifierException: functions of type urn:oasis:names:tc:xacml:2.0:function:x500Name-regexp-match are not supported by this factory
      at org.jboss.security.xacml.sunxacml.cond.BaseFunctionFactory.createFunction(BaseFunctionFactory.java:266)
      

       

      Any idea what I'm doing wrong? Could someone give me a simple example of how to use:

      urn:oasis:names:tc:xacml:2.0:function:x500Name-regexp-match
      

      within a SubjectMatch element?

       

      Kind Regards,

      Frank.
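
      The practical trap with x500Name-regexp-match is that the regexp is applied to the string form of the x500Name, and that string is whatever the PDP's serializer produces, not the text that appeared in the request. The example below is added here and is not code from this thread or from JBoss XACML; it assumes only that the PDP serializes the name with javax.security.auth.x500.X500Principal.getName, and it takes the request's DN and the policy's pattern from this thread. It prints the three forms X500Principal can emit and checks the pattern against each. Java's RFC 2253 output writes attribute types outside the RFC 2253 keyword set (SERIALNUMBER, GIVENNAME, SURNAME) as dotted OIDs with hex-encoded values, and its RFC 1779 output prefixes them with "OID.", so a pattern spelled SERIALNUMBER=... matches none of the three; the leadingRdnPattern helper instead derives the pattern through the same serializer. The method names x500NameRegexpMatch, leadingRdnPattern and matchInAllFormats are hypothetical.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;
import javax.security.auth.x500.X500Principal;

/**
 * Added example, not code from the thread or from JBoss XACML.
 * Models XACML 2.0 x500Name-regexp-match as "serialize the x500Name, then
 * apply the regexp to the whole string", with the serialization format made
 * explicit because that is what decides whether a pattern matches.
 * Assumption: the PDP serializes with X500Principal.getName(format).
 */
public class X500NameRegexpMatchDemo {

    /** Subject DN copied from the request in the thread. */
    static final String SUBJECT_DN =
            "SERIALNUMBER=79102520991, GIVENNAME=Frank Henri, SURNAME=Cornelis, "
            + "CN=Frank Cornelis (Signature), C=BE";

    /** Pattern copied from the policy in the thread. */
    static final String POLICY_PATTERN = "SERIALNUMBER=79102520991,.*";

    /** The three output formats X500Principal.getName accepts. */
    static final String[] FORMATS = {
            X500Principal.RFC2253, X500Principal.RFC1779, X500Principal.CANONICAL };

    /**
     * x500Name-regexp-match (hypothetical helper): XACML regexps use the XML
     * Schema syntax, which matches the whole string, so Pattern.matches is
     * used rather than Matcher.find. That is why the policy's pattern needs
     * its trailing ".*".
     */
    static boolean x500NameRegexpMatch(String regexp, X500Principal name, String format) {
        return Pattern.matches(regexp, name.getName(format));
    }

    /**
     * Derives a pattern for "DN starts with this RDN" by running the RDN
     * through the same serializer the match will use, so it is right whether
     * the serializer emits SERIALNUMBER=... or 2.5.4.5=#... (hypothetical helper).
     */
    static String leadingRdnPattern(String rdn, String format) {
        String serialized = new X500Principal(rdn).getName(format);
        return Pattern.quote(serialized) + ",.*";
    }

    /** Evaluates one pattern against the DN in every format; keys are format names. */
    static Map<String, Boolean> matchInAllFormats(String regexp, String dn) {
        X500Principal name = new X500Principal(dn);
        Map<String, Boolean> results = new LinkedHashMap<>();
        for (String format : FORMATS) {
            results.put(format, x500NameRegexpMatch(regexp, name, format));
        }
        return results;
    }

    public static void main(String[] args) {
        X500Principal name = new X500Principal(SUBJECT_DN);
        System.out.println("What the regexp actually sees, per format:");
        for (String format : FORMATS) {
            // RFC2253 renders SERIALNUMBER as 2.5.4.5=#<hex>, RFC1779 as OID.2.5.4.5=...
            System.out.println("  " + format + ": " + name.getName(format));
        }

        // The pattern from the thread, written against the keyword form.
        System.out.println("policy pattern  " + POLICY_PATTERN);
        System.out.println("  -> " + matchInAllFormats(POLICY_PATTERN, SUBJECT_DN));

        // A pattern derived through the serializer for the RFC 2253 form the PDP is assumed to use.
        String derived = leadingRdnPattern("SERIALNUMBER=79102520991", X500Principal.RFC2253);
        System.out.println("derived pattern " + derived);
        System.out.println("  -> " + matchInAllFormats(derived, SUBJECT_DN));
    }
}
```

      Before relying on a SubjectMatch like the one in this thread, print the serialized form your PDP feeds to the function (or call its X500Name attribute's encode method directly) and write the pattern against that form; a pattern that silently never matches turns a Permit rule into a Deny or NotApplicable with no error to point at.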

        • 1. Re: XACML: x500Name-regexp-match
          fcorneli

          The following patch fixes the issue for me:

          diff --git a/jboss-sunxacml/src/main/java/org/jboss/security/xacml/sunxacml/cond/MatchFunction.java b/jboss-sunxacml/src/main/java/org/jboss/security/xacml/sunxacml/cond/MatchFunction.java
          index 69c6d9f..4198aa5 100644
          --- a/jboss-sunxacml/src/main/java/org/jboss/security/xacml/sunxacml/cond/MatchFunction.java
          +++ b/jboss-sunxacml/src/main/java/org/jboss/security/xacml/sunxacml/cond/MatchFunction.java
          @@ -257,6 +257,7 @@ public class MatchFunction extends FunctionBase
                   set.add(NAME_DNSNAME_REGEXP_MATCH);
                   set.add(NAME_RFC822NAME_MATCH);
                   set.add(NAME_X500NAME_MATCH);
          +        set.add(NAME_X500NAME_REGEXP_MATCH);
          
                   return set;
               }
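Review bot: the added set.add(NAME_X500NAME_REGEXP_MATCH) only makes getSupportedIdentifiers() advertise the id, which is exactly what stops BaseFunctionFactory.createFunction from throwing the UnknownIdentifierException quoted above; the hunk does not show that MatchFunction's constructor (its argument-type table) and evaluate() also handle NAME_X500NAME_REGEXP_MATCH as (string, x500Name), so please confirm that in the same change rather than relying on the one passing test. A unit test that loads the policy/request pair from this thread and asserts Permit belongs with the patch so the registration cannot regress. Minor: the visible context registers only NAME_DNSNAME_REGEXP_MATCH among the 2.0 regexp functions, so it is worth checking that the remaining *-regexp-match identifiers from the 2.0 spec are present in the lines above the hunk.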
          
          • 2. Re: XACML: x500Name-regexp-match
            fcorneli