XACML Attribute Locator using LDAP

Version 6





    This feature will be available as part of JBossXACML v2.0.5


    What is an XACML Attribute Locator?

    When the PDP has to make a decision and any attribute required for that decision is not provided as part of the XACML request, the PDP asks the configured Attribute Locators to supply the missing attribute.


    LDAP Attribute Locators


    A missing attribute may be part of the XACML Subject, Resource, Environment or Action. The administrator has to configure the appropriate LDAP Attribute Locator for each of these.


    The locators are:

    • org.jboss.security.xacml.locators.attrib.LDAPResourceAttributeLocator
    • org.jboss.security.xacml.locators.attrib.LDAPSubjectAttributeLocator
    • org.jboss.security.xacml.locators.attrib.LDAPActionAttributeLocator
    • org.jboss.security.xacml.locators.attrib.LDAPEnvAttributeLocator




    All of the above locators share the following options.

    • url - The LDAP server URL to connect to.
    • factory - The JNDI context factory class, which is JDK specific; the default is "com.sun.jndi.ldap.LdapCtxFactory".
    • username - The user to bind to the LDAP server as. This user must have search privileges.
    • password - The password of that user.
    • filter - The search filter used to find the entry to read the attribute from. It contains a wildcard (the {0} in the example configuration below) that is replaced with a value taken from the request.
    • attribute - The name of the entry attribute whose value is returned.
    • searchScope - Scope of the search for entries. Default is SUBTREE.
    • searchTimeLimit - Search time limit in milliseconds. Default is 10000 (10 seconds).
    • attributeSupportedId - The XACML attribute id that this locator can retrieve.
    • substituteValue - The id of the attribute, taken from the request, whose value is plugged into the filter wildcard.
    • valueDataType - The XACML data type of the attribute that is plugged into the filter wildcard.


    The one option that differs between the locators is:

    • name - the fully qualified class name (FQN) of the locator.

    Masking the LDAP Password

    Additionally, the password value can be masked using PBE (password-based encryption).

    To create a masked password, run org.jboss.security.xacml.util.PBEUtils with the arguments salt iterationCount password.
    When using a masked password, also add the following options:

    • salt - the 8-character salt string
    • iterationCount - the iteration count, an integer


    NOTE: these options must have the same values that were used when encrypting the password.





    I assume that you have a good understanding of

    • the JBossXACML config file,
    • the XACML policy structure, and
    • the XACML request structure.


    If any of these prerequisites is not met, I strongly suggest that you familiarize yourself with it first.



    I have a JUnit test class that you can take a look at if you want to: JUnit Test


    The XACML policy is listed in the other article (POLICY is here).



    Case 1: The XACML request is missing an attribute in the resource element.

    In the request listed in the other article, the missing attribute is commented out for the viewer's benefit.

    The attribute missing from the request is "urn:xacml:2.0:interop:example:resource:account-status".


    The request is listed under case 1 of the other article.



    The XACML configuration file is here.


    <ns:jbosspdp xmlns:ns="urn:jboss:xacml:2.0">
        <ns:Locator Name="org.jboss.security.xacml.locators.JBossPolicyLocator"/>
        <ns:Locator Name="org.jboss.security.xacml.locators.attrib.LDAPResourceAttributeLocator">
            <ns:Option Name="url">ldap://localhost:10389</ns:Option>
            <ns:Option Name="username">cn=Directory Manager</ns:Option>
            <ns:Option Name="password">password</ns:Option>
            <ns:Option Name="attribute">employeeType</ns:Option>
            <ns:Option Name="baseDN">dc=jboss,dc=org</ns:Option>
            <ns:Option Name="filter">(uid={0})</ns:Option>
            <ns:Option Name="valueDataType">http://www.w3.org/2001/XMLSchema#string</ns:Option>
            <ns:Option Name="attributeSupportedId">urn:xacml:2.0:interop:example:resource:account-status</ns:Option>
            <ns:Option Name="substituteValue">urn:xacml:2.0:interop:example:resource:owner-id</ns:Option>
        </ns:Locator>
    </ns:jbosspdp>
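    As an added example (it is not part of this page and not JBossXACML code), the following Python script models what a locator configured as above does with the missing attribute: it parses the Case 1 configuration, checks the options listed earlier (required options, the {0} wildcard, the salt/iterationCount rules for a masked password, a clear-text password), and plugs the request's owner-id value into the filter. Because that value comes from the XACML request, the model escapes it as per RFC 4515 before substitution; the page does not say whether JBossXACML does this, so that step is an assumption of the model. CONFIG_XML is the page's Case 1 configuration made well-formed, and the request values are constructed samples.

```python
"""Model of what an LDAP attribute locator does with a missing attribute.
Added example, not JBossXACML code: it parses the Case 1 configuration,
checks the locator options, and builds the LDAP filter from the request
value named by substituteValue."""
import xml.etree.ElementTree as ET

NS = {"ns": "urn:jboss:xacml:2.0"}

# Constructed sample: the Case 1 configuration from this page, made well-formed.
CONFIG_XML = """<ns:jbosspdp xmlns:ns="urn:jboss:xacml:2.0">
    <ns:Locator Name="org.jboss.security.xacml.locators.JBossPolicyLocator"/>
    <ns:Locator Name="org.jboss.security.xacml.locators.attrib.LDAPResourceAttributeLocator">
        <ns:Option Name="url">ldap://localhost:10389</ns:Option>
        <ns:Option Name="username">cn=Directory Manager</ns:Option>
        <ns:Option Name="password">password</ns:Option>
        <ns:Option Name="attribute">employeeType</ns:Option>
        <ns:Option Name="baseDN">dc=jboss,dc=org</ns:Option>
        <ns:Option Name="filter">(uid={0})</ns:Option>
        <ns:Option Name="valueDataType">http://www.w3.org/2001/XMLSchema#string</ns:Option>
        <ns:Option Name="attributeSupportedId">urn:xacml:2.0:interop:example:resource:account-status</ns:Option>
        <ns:Option Name="substituteValue">urn:xacml:2.0:interop:example:resource:owner-id</ns:Option>
    </ns:Locator>
</ns:jbosspdp>
"""

REQUIRED = ("url", "attribute", "filter", "attributeSupportedId", "substituteValue")
# Defaults stated on this page for options that may be omitted.
DEFAULTS = {"factory": "com.sun.jndi.ldap.LdapCtxFactory",
            "searchScope": "SUBTREE", "searchTimeLimit": "10000"}


def load_ldap_locators(xml_text):
    """Return {locator class name: {option: value}} for each LDAP locator."""
    root = ET.fromstring(xml_text)
    locators = {}
    for loc in root.findall("ns:Locator", NS):
        name = loc.get("Name", "")
        if ".locators.attrib.LDAP" not in name:
            continue  # e.g. the policy locator carries no LDAP options
        opts = {o.get("Name"): (o.text or "").strip()
                for o in loc.findall("ns:Option", NS)}
        locators[name] = {**DEFAULTS, **opts}
    return locators


def check_options(opts):
    """Problems to flag before deploying this locator configuration."""
    problems = ["missing option " + k for k in REQUIRED if k not in opts]
    if "{0}" not in opts.get("filter", ""):
        problems.append("filter has no {0} wildcard for substituteValue")
    if "salt" in opts or "iterationCount" in opts:
        # Masked password: salt and iterationCount must match the PBEUtils run.
        if len(opts.get("salt", "")) != 8:
            problems.append("salt must be exactly 8 characters")
        if not opts.get("iterationCount", "").isdigit():
            problems.append("iterationCount must be an integer")
    elif opts.get("password"):
        problems.append("password stored in clear text; consider PBE masking")
    if not opts.get("searchTimeLimit", "10000").isdigit():
        problems.append("searchTimeLimit must be an integer (milliseconds)")
    return problems


def escape_filter_value(value):
    """RFC 4515 escaping for a request value substituted into a search filter
    (assumed here; the page does not say whether the locator escapes)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\0" else ch for ch in value)


def build_filter(opts, request_attrs):
    """Replace the {0} wildcard with the request attribute named by substituteValue."""
    value = request_attrs[opts["substituteValue"]]
    return opts["filter"].replace("{0}", escape_filter_value(value))


def plan_search(opts, request_attrs):
    """The search a JNDI-based locator would issue: base, filter and controls."""
    return {
        "base": opts.get("baseDN", ""),
        "filter": build_filter(opts, request_attrs),
        "scope": opts["searchScope"],
        "timeLimitMs": int(opts["searchTimeLimit"]),
        "returnAttribute": opts["attribute"],
        "resultDataType": opts.get("valueDataType", ""),
    }


if __name__ == "__main__":
    for name, opts in load_ldap_locators(CONFIG_XML).items():
        print(name, check_options(opts))
        # Constructed owner-id values; the second is shaped like a filter
        # injection and must end up escaped, not interpreted by the server.
        for owner in ("jsmith", "*)(uid=*"):
            print(plan_search(opts, {opts["substituteValue"]: owner})["filter"])
```

    Run as a script, it reports the clear-text password in the sample configuration and prints the two filters: (uid=jsmith) for a normal owner-id, and (uid=\2a\29\28uid=\2a) for the injection-shaped one, which the directory then matches literally instead of as a second filter term.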




    Case 2: The request is missing a Subject attribute.


    Let us take a look at the request. As before, the attribute that will be missing from the request (and that will be supplied by the DB attribute locator) is commented out for the viewer's benefit.


    The attribute missing from the request is "urn:oasis:names:tc:xacml:1.0:subject:subject-id".


    To look at the XACML request please refer to the other article.



    The XACML config file is here.


    <ns:jbosspdp xmlns:ns="urn:jboss:xacml:2.0">
        <ns:Locator Name="org.jboss.security.xacml.locators.JBossPolicyLocator"/>
        <ns:Locator Name="org.jboss.security.xacml.locators.attrib.DatabaseSubjectAttributeLocator">
            <ns:Option Name="DATABASE_FILE_NAME">data_stores/db.properties</ns:Option>
            <ns:Option Name="sql">SELECT subject_id FROM subject where name=?;</ns:Option>
            <ns:Option Name="attributeSupportedId">urn:oasis:names:tc:xacml:1.0:subject:subject-id</ns:Option>
            <ns:Option Name="preparedStatementValue">urn:xacml:2.0:interop:example:subject:user-name</ns:Option>
            <ns:Option Name="valueDataType">http://www.w3.org/2001/XMLSchema#string</ns:Option>
            <ns:Option Name="columnName">subject_id</ns:Option>
        </ns:Locator>
    </ns:jbosspdp>





    Each LDAP locator retrieves one attribute. To retrieve multiple attributes from LDAP, configure a stacked set of locators, one per attribute.
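    The following Python model (added here; it is not JBossXACML code) walks through that stacked case: a request is missing two resource attributes, each LDAP locator serves exactly one attributeSupportedId, so the PDP resolves the request by dispatching each missing id to its own locator, and a single locator leaves the second attribute unresolved. The directory is an in-memory stand-in for the LDAP server, and the second attribute id (resource:department) and the departmentNumber entries are hypothetical values constructed for the demo.

```python
"""Model of the PDP-side flow for a request that is missing two resource
attributes served by a stack of LDAP locators.  Added example, not JBossXACML
code; the directory and the second attribute id are constructed stand-ins."""
import re

STRING = "http://www.w3.org/2001/XMLSchema#string"
OWNER = "urn:xacml:2.0:interop:example:resource:owner-id"
ACCOUNT_STATUS = "urn:xacml:2.0:interop:example:resource:account-status"
DEPARTMENT = "urn:xacml:2.0:interop:example:resource:department"  # hypothetical id

# Constructed locator stack: the page's account-status locator plus a second,
# hypothetical locator that reads departmentNumber for the DEPARTMENT id.
LOCATORS = [
    {"attribute": "employeeType", "filter": "(uid={0})",
     "attributeSupportedId": ACCOUNT_STATUS, "substituteValue": OWNER,
     "valueDataType": STRING},
    {"attribute": "departmentNumber", "filter": "(uid={0})",
     "attributeSupportedId": DEPARTMENT, "substituteValue": OWNER,
     "valueDataType": STRING},
]

# Constructed in-memory directory standing in for dc=jboss,dc=org.
DIRECTORY = [
    {"uid": "jsmith", "employeeType": "active", "departmentNumber": "42"},
    {"uid": "rjones", "employeeType": "terminated"},
]

_EQUALITY = re.compile(r"^\((\w+)=(.*)\)$")


def search(entries, ldap_filter):
    """Evaluate a single equality filter such as (uid=jsmith) over the entries.
    Values are compared literally here; a real filter sent to a server needs
    RFC 4515 escaping of the substituted value."""
    match = _EQUALITY.match(ldap_filter)
    if not match:
        raise ValueError("only (attr=value) filters are modelled: " + ldap_filter)
    attr, value = match.groups()
    return [entry for entry in entries if entry.get(attr) == value]


def locate(locator, request_attrs, entries=DIRECTORY):
    """Values one locator returns for its supported attribute, or None."""
    substitute = request_attrs.get(locator["substituteValue"])
    if substitute is None:
        return None  # the request lacks the value to plug into the filter
    hits = search(entries, locator["filter"].replace("{0}", substitute))
    attr = locator["attribute"]
    values = [entry[attr] for entry in hits if attr in entry]
    return values or None


def resolve_missing(missing_ids, request_attrs, locators=LOCATORS):
    """Dispatch each missing attribute id to the one locator that supports it.
    Returns ({id: {"values", "dataType"}}, [ids no locator could supply])."""
    resolved, unresolved = {}, []
    for attr_id in missing_ids:
        owners = [loc for loc in locators if loc["attributeSupportedId"] == attr_id]
        values = locate(owners[0], request_attrs) if owners else None
        if values is None:
            unresolved.append(attr_id)
        else:
            resolved[attr_id] = {"values": values,
                                 "dataType": owners[0]["valueDataType"]}
    return resolved, unresolved


if __name__ == "__main__":
    request = {OWNER: "jsmith"}  # constructed request: both attributes missing
    print("two locators:", resolve_missing([ACCOUNT_STATUS, DEPARTMENT], request))
    print("one locator: ", resolve_missing([ACCOUNT_STATUS, DEPARTMENT], request,
                                           locators=LOCATORS[:1]))
```

    With both locators configured, both attributes come back with their valueDataType; with only the first locator in the stack, account-status is resolved and department is reported as unresolved, which is the behaviour the sentence above describes. An entry that lacks the attribute (rjones has no departmentNumber) is also reported as unresolved rather than as an empty value.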