
    Objective

    This article describes an attribute locator that reads attribute values from a file on the file system.

     

    Availability

    This feature will be available as part of JBossXACML v2.0.5

     

     

    What is an XACML Attribute Locator?

    When the PDP has to make a decision and any attribute required for that decision is not provided as part of the XACML request, the PDP asks the configured Attribute Locators to supply the missing attribute.

     

    File System Attribute Locator

     

    In situations where you have only one or two attributes whose values need to be provided to the PDP, and you have no access to other locators such as the LDAP or database locators, you can use the file system based locator.

    Configuration

     

     

    • fileName:  name of an XML file on the class path that conforms to the Java Properties XML DTD.
    • attributeSupportedId:  the attribute ID URIs that this locator supports, as a comma-separated list.

     

    Usage

     

     

    <ns:jbosspdp xmlns:ns="urn:jboss:xacml:2.0">
      <ns:Policies>
        <ns:Policy>
          <ns:Location>locators/attrib/attribLocator_policy.xml</ns:Location> 
        </ns:Policy>
      </ns:Policies>
      <ns:Locators>
        <ns:Locator Name="org.jboss.security.xacml.locators.JBossPolicyLocator"/>
        <ns:Locator Name="org.jboss.security.xacml.locators.attrib.FileSystemAttributeLocator">   
          <ns:Option Name="fileName">locators/attrib/filesystemAttrib.properties</ns:Option>   
          <ns:Option Name="attributeSupportedId">urn:xacml:2.0:interop:example:resource:account-status,urn:oasis:names:tc:xacml:1.0:subject:subject-id</ns:Option>
        </ns:Locator> 
      </ns:Locators>
    </ns:jbosspdp>
    

     

     

    In this example, we are configuring a FileSystemAttributeLocator to support two attribute IDs.  The attribute IDs are provided as a comma-separated list of strings:

     

    • urn:xacml:2.0:interop:example:resource:account-status
    • urn:oasis:names:tc:xacml:1.0:subject:subject-id

     

    Let us take a look at the properties XML file called filesystemAttrib.properties. Each entry's key is one of the attribute IDs listed above, and its text is the value the locator returns to the PDP for that attribute.

     

     

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">
    <properties>
      <entry key="urn:xacml:2.0:interop:example:resource:account-status">Active</entry>
      <entry key="urn:oasis:names:tc:xacml:1.0:subject:subject-id">123456</entry>
    </properties>
    

     

    NOTE:  Remember to include the DOCTYPE declaration and adhere to the DTD shown below; the Java Properties XML loader expects it:

     

    <?xml version="1.0" encoding="UTF-8"?>
    <!-- DTD for properties -->
    <!ELEMENT properties ( comment?, entry* ) >
    <!ATTLIST properties version CDATA #FIXED "1.0">
    <!ELEMENT comment (#PCDATA) >
    <!ELEMENT entry (#PCDATA) >
    <!ATTLIST entry key CDATA #REQUIRED>
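
    A misconfigured locator fails quietly: if the attributeSupportedId list in the PDP configuration names an attribute that the properties file has no entry for, the PDP simply gets no value back. The following check, an added example that is not part of JBossXACML, parses both files and reports such gaps; the sample configuration and properties text are constructed from the snippets above (with the policy section left out).

```python
"""Consistency check for a JBossXACML FileSystemAttributeLocator (added example): report
attribute IDs the PDP config advertises but the Java Properties XML file cannot answer."""
import xml.etree.ElementTree as ET

NS = {"ns": "urn:jboss:xacml:2.0"}
LOCATOR = "org.jboss.security.xacml.locators.attrib.FileSystemAttributeLocator"
DOCTYPE = '<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">'

def locator_options(config_xml):
    """Return (fileName, [attribute ids]) from the FileSystemAttributeLocator element."""
    root = ET.fromstring(config_xml.encode("utf-8"))
    for loc in root.findall("ns:Locators/ns:Locator", NS):
        if loc.get("Name") != LOCATOR:
            continue
        opts = {o.get("Name"): (o.text or "").strip() for o in loc.findall("ns:Option", NS)}
        ids = [i.strip() for i in opts.get("attributeSupportedId", "").split(",") if i.strip()]
        return opts.get("fileName"), ids
    raise ValueError("no FileSystemAttributeLocator in <ns:Locators>")

def load_properties_xml(text):
    """Parse a Java Properties XML file into a dict; insist on the DOCTYPE the JDK loader expects."""
    if DOCTYPE not in text:
        raise ValueError("properties file lacks the java.sun.com properties DOCTYPE")
    root = ET.fromstring(text.encode("utf-8"))
    if root.tag != "properties":
        raise ValueError("root element must be <properties>")
    return {e.get("key"): (e.text or "") for e in root.findall("entry")}

def missing_attribute_ids(config_xml, properties_text):
    """Attribute IDs the locator advertises but has no value for (the PDP would get nothing back)."""
    _, ids = locator_options(config_xml)
    return [i for i in ids if i not in load_properties_xml(properties_text)]

# Constructed sample inputs modelled on the article's files (policy section omitted).
CONFIG = """<ns:jbosspdp xmlns:ns="urn:jboss:xacml:2.0"><ns:Locators>
  <ns:Locator Name="org.jboss.security.xacml.locators.JBossPolicyLocator"/>
  <ns:Locator Name="%s">
    <ns:Option Name="fileName">locators/attrib/filesystemAttrib.properties</ns:Option>
    <ns:Option Name="attributeSupportedId">urn:xacml:2.0:interop:example:resource:account-status,urn:oasis:names:tc:xacml:1.0:subject:subject-id</ns:Option>
  </ns:Locator></ns:Locators></ns:jbosspdp>""" % LOCATOR
PROPS = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">
<properties><entry key="urn:xacml:2.0:interop:example:resource:account-status">Active</entry></properties>"""

if __name__ == "__main__":
    print("unanswerable attribute IDs:", missing_attribute_ids(CONFIG, PROPS))
```

    Running it against the constructed sample reports the subject-id attribute, which the configuration advertises but the properties file does not define.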
    
    

    Conclusion

    This article has demonstrated the use of a file system based attribute locator.