Version 3
Created by anil.saldhana on Aug 26, 2010 12:49 PM. Last modified by anil.saldhana on Aug 26, 2010 1:47 PM.

     

    <<  Go back to main XACML Article DASHBOARD

    Availability

    Starting v2.0.5.final

    What is an XACML Policy Locator?

     

    During decision making, the Policy Decision Point (PDP) will utilize one or more configured policy/policyset locators to obtain policies/policy sets required for making the access control decision.

     

    NOTE:  A Locator is a concept used by the XACML implementation by JBoss.

     

    LDAP Policy Locators

     

    Even though storing the base64 encoded version of xml content as ldap attributes,  many users may be in need of using a central ldap server for all their PDPs.  In those situations, you may require the ldap policy locator.

     

    As an alternative, you can define fixed policies as part of your file system where the PDP operates and keep missing attributes in the ldap.  Look for XACML Attribute Locators using LDAP.

     

    Configuration

     

    The following options are configurable:

    • url - The LDAP server URL to connect to
    • factory - The JNDI factory that is JDK specific such as "com.sun.jndi.ldap.LdapCtxFactory"
    • username - The username to connect to the LDAP server. This user must have search privileges
    • password - The password of the user to connect to the LDAP server
    • filter - The search filter to be used to find the entries that have a policy
    • attribute - The name of the entry's attribute containing the XACML policy in the xml format
    • searchScope - Scope of the search for entries. Default is SUBTREE
    • searchTimeLimit - Search time limit. Default is 10000 (10 seconds)

     

     

    The password value can be masked using PBE. To create a masked password invoke

     

    org.jboss.security.xacml.util.PBEUtils salt iterationCount password

     

    When using a masked password add also the options

     

    • salt - the 8 character String
    • iterationCount - an integer

     

    Those options must have the same value used for encryption.

    Example

     

     

    <ns:jbosspdp xmlns:ns="urn:jboss:xacml:2.0">
  <ns:Locators>
    <ns:Locator Name="org.jboss.security.xacml.locators.policy.JBossLDAPPolicyLocator">
        <ns:Option Name="url">ldap://localhost:10389</ns:Option>
        <ns:Option Name="username">cn=Directory Manager</ns:Option>
        <ns:Option Name="password">password</ns:Option>
        <ns:Option Name="filter">(objectclass=organizationalRole)</ns:Option>
        <ns:Option Name="attribute">description</ns:Option>
        <ns:Option Name="baseDN">dc=jboss,dc=org</ns:Option>
    </ns:Locator>
  </ns:Locators>
</ns:jbosspdp>

    In the above configuration file, apart from the standard ldap url, username, password,  we need to look at the following:

    • filter:  we are saying that we are looking for type 
    (objectclass=organizationalRole) to filter the ldap entries out.
    • attribute:  description is the ldap attribute where the xml file is serialized as base64 encoded stream


    Acknowledgements

    Marcus Moyses for implementing this feature.