Policy based authorization has been gaining ground lately though it is not fully adopted,
XACML – 4 main components
- PAP is the Policy Administration Point This is where you administer the policies changing the security rules, and policies. This is separate from the rest of the system as this is decoupled.
- PEP is the Policy Enforcement Point. The PEP enforces the access so this is the module that authenticates the request for validity, getting identity information and can also constrain data, cache, and gets the request and then also returns the result, usually a simple Yes or No, however in some systems the actual deliverable, the data being secured is returned from the PEP rather than just a yes/no decision.
- PIP is the Policy Information Point. PIP is a service that collects information for the policy decision point to use to make a decision; this is to ensure that all the information that is needed is available. The PIP usually is a front-end to many other backend systems containing the attributes you use for security policies decisions.
- PDP is the Policy Decision Point. This is where the magic happens, using a rules engine or something similar, the decision point makes a decision about the access request, and also can loop back to the PIP for more information as the policies are executed.
XACML Workflow –
- You attempt access to a secure system, you will essentially be calling a PEP (enforcement point) which will check your authentication to ensure you are who you say you are, if you are authentic, it will forward request to PDP.
- PEP packs this information along with roles and claims to the PDP for a decision to be made about you.
- PEP will check cache and return, if not available, it will then try to make a decision, most likely getting information from PIP to make a decision about your authorization access.
- PIP will query all identity system usually Active Directory or some Identity system.
- PIP will also query any other systems if needed, and send this back to PDP for decision.
- PDP caches data from PIP and makes a decision about authorization.
- PDP sends decision back to PEP to then allow request or deny.
- PEP allows or disallows request based on policies.
Policy –
A policy is an XML document that describes a couple of things needed to grant permission or access to a resource.
1. Subject – who is requesting access, the “WHO”
2. Resource – “WHAT” is the resource being requested.
3. Action – Operation being performed. read, write
Default behavior –
Deny-Overrides: This is that a deny permission will always override a permit, so that if you have 100 rules applied to you, if only 1 of them is deny, you cannot access, this is a more default-secure method for security.
The composition above describes the Scheme of a Policy and Policy set as is required by the XACML standard. In summary you can see that
A Policy has
0 or 1 Targets,
has 1 policy combining algorithm,
0 or 1 Obligations,
1 Rule Combining Algorithm.
A Target has a Subject, Resource, and Action, and Rule, and a Policy Set and Policy.
A Rule has an Effect and 0 or 1 Conditions, and a Rule Combining Algorithm.
A Policy Set has a Target, A Policy Combining Algorithm, and 0 or 1 Obligations.
An Example Policy is shown below:
<Policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:oasis:names:tc:xacml:1.0:policy" PolicyId="urn:oasis:names:tc:xacml:1.0:conformance-test:IIA1:policy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
<Description>
Policy for Conformance Test IIA001.
</Description>
<Target>
<Subjects>
<AnySubject />
</Subjects>
<Resources>
<AnyResource />
</Resources>
<Actions>
<AnyAction />
</Actions>
</Target>
<Rule RuleId="urn:oasis:names:tc:xacml:1.0:conformance-test:IIA1:rule" Effect="Permit">
<Description>
DemoUser can read about page.
</Description>
<Target>
<Subjects>
<Subject>
<SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">demouser</AttributeValue>
<SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string" SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" MustBePresent="false" />
</SubjectMatch>
</Subject>
</Subjects>
<Resources>
<Resource>
<ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/StsClient/Home/AccessLinkOne</AttributeValue>
<ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#anyURI" MustBePresent="false" />
</ResourceMatch>
</Resource>
</Resources>
<Actions>
<Action>
<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
<ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
</ActionMatch>
</Action>
</Actions>
</Target>
</Rule>
</Policy>
PIP –
Per XACML reference architecture, PIP is the system entity that acts as a source of attribute values. Basically if there are missing attributes in the XACML request which is sent by PEP, PIP would find them for the PDP to evaluate the policy.
- AttributeId must be match
- DataType must be match
- Issuer must be match .But Issuer is an optional property
Sample Request –
<Request
xmlns="urn:oasis:names:tc:xacml:1.0:context"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:context
cs-xacml-schema-context-01.xsd">
<Subject>
<Attribute
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>demouser</AttributeValue>
</Attribute>
</Subject>
<Resource>
<Attribute
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#anyURI">
<AttributeValue>http://localhost/StsClient/Home/AccessLinkOne</AttributeValue>
</Attribute>
</Resource>
<Action>
<Attribute
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>read</AttributeValue>
</Attribute>
</Action>
</Request>
In that case, PDP would look for available PIPs and ask from them to find a matching attribute…
PDP would send following details to PIP
- attribute designator —> subject attribute designator
- attribute id —-> http://localhost/StsClient/Home/AccessLinkOne
- data type —-> http://www.w3.org/2001/XMLSchema#string
- issuer —-> null
- Subject Attribute value in request —> demouser
Implementation logic in PIP would know that PDP wants the email of the user Bob. Therefore PIP would contact external attribute source and find the email address of it. Email address of user “bob” would be returned from the PIP to the PDP
Therefore, finally PDP just have to perform the “string-regexp-match” function on these two attribute values “bob@wso2.com” and “[0-9a-zA-Z]+@wso2.com”.
PIP Attribute Finder should implement following methods
Init (Properties properties) Here you can write the logic to initialize your module. Any properties that are defined in the entitlement-config.xml file, can be access here.
b). GetAttributeValues (String subject, String resource, String action, String environment, String attributeId, URI issuer) Here you can write the logic to find your attribute value
c). GetSupportedAttributes() Here you can write the logic to find all the attribute ids supported by your module
PDP – Should implement following methods
1. bool Evaluate(String xacmlRequest)
Where you need to input a XML String object of XACML request and XACML response also is received as XML String
2. bool GetDecisionByAttributes(String subject, String resource, String action, String[] environment)
Where you can pass one attribute value of a subject, a resource and an action as input value.
Example —
I have modified the sample with xacml.net to demonstrate the policy based authorization.
How the sample works –
Custom Authorization Manager will create a request with following information and pass it to PDP
- Subject
- Resource
- Action
A sample Xml Request looks like this
<?xml version="1.0" encoding="UTF-8"?>
<Request xmlns="urn:oasis:names:tc:xacml:1.0:context"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:context
cs-xacml-schema-context-01.xsd">
<Subject>
<Attribute
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>demouser</AttributeValue>
</Attribute>
</Subject>
<Resource>
<Attribute
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#anyURI">
<AttributeValue>http://localhost/StsClient/Home/AccessLinkOne</AttributeValue>
</Attribute>
</Resource>
<Action>
<Attribute
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>read</AttributeValue>
</Attribute>
</Action>
</Request>
PDP will take the request and run against the policy defined.
A sample policy look like this.
<?xml version="1.0" encoding="utf-8"?>
<Policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:oasis:names:tc:xacml:1.0:policy" PolicyId="urn:oasis:names:tc:xacml:1.0:conformance-test:IIA1:policy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
<Description>
Policy for Conformance Test IIA001.
</Description>
<Target>
<Subjects>
<AnySubject />
</Subjects>
<Resources>
<AnyResource />
</Resources>
<Actions>
<AnyAction />
</Actions>
</Target>
<Rule RuleId="urn:oasis:names:tc:xacml:1.0:conformance-test:IIA1:rule" Effect="Permit">
<Description>
DemoUser can read about page.
</Description>
<Target>
<Subjects>
<Subject>
<SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">demouser</AttributeValue>
<SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string" SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" MustBePresent="false" />
</SubjectMatch>
</Subject>
</Subjects>
<Resources>
<Resource>
<ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/StsClient/Home/AccessLinkOne</AttributeValue>
<ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#anyURI" MustBePresent="false" />
</ResourceMatch>
</Resource>
</Resources>
<Actions>
<Action>
<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
<ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
</ActionMatch>
</Action>
</Actions>
</Target>
</Rule>
</Policy>
PDP will result the decision with either Permit or Deny
XACML PDP call looks like this
var r = new EvaluationEngine().Evaluate((PolicyDocument)PolicyLoader.LoadPolicyDocument(policyStream), (ContextDocument) ContextLoader.LoadContextDocument(requestSteam));
Where r is the result from PDP.
CustomAuthorizationManager will allow or deny the access to resource based on PDP’s decsion
if (r != null && r.Results != null && r.Results.Count > 0)
return r.Results[0].Decision == Decision.Permit;
An example source code for this article can be found at github.
Reference –
http://viswaug.wordpress.com/2007/11/29/xacml-a-standard-that-i-wish-i-had-known-about-earlier/
http://sourceforge.net/projects/xacmlpdp/
http://mvpos.sourceforge.net/
http://xacmlinfo.com/
http://codingbliss.com/?tag=xacml
http://www.ibm.com/developerworks/xml/library/x-xacml/
cprakash 