JIRA
https://jira.jboss.org/browse/SECURITY-519
Forum Thread
http://community.jboss.org/thread/155405?tstart=0
Availability
- PicketBox 3.0.0.CR1 and beyond
- JBoss AS 6.0.0
Example Policy
Let us take a look at a sample XACML policy governing an EJB:
<?xml version="1.0" encoding="UTF-8"?>
<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os access_control-xacml-2.0-policy-schema-os.xsd"
        PolicyId="urn:oasis:names:tc:xacml:2.0:jboss-test:XV:policy"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
  <Description>Policy for Subject RBAC</Description>
  <Target/>
  <Rule RuleId="urn:oasis:names:tc:xacml:2.0:jboss-test:XVI:rule" Effect="Permit">
    <Description>
      scott can create, remove and invoke echo method of StatelessSession EJB
      when he has a role of ProjectUser. He can invoke "largeMethod" operation
      with a particular signature only
    </Description>
    <Target>
      <Subjects>
        <Subject>
          <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">scott</AttributeValue>
            <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                                        DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </SubjectMatch>
          <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ProjectUser</AttributeValue>
            <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
                                        DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </SubjectMatch>
        </Subject>
      </Subjects>
      <Resources>
        <Resource>
          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">StatelessSession</AttributeValue>
            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                                         DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ResourceMatch>
        </Resource>
      </Resources>
      <Actions>
        <Action>
          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create</AttributeValue>
            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                       DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ActionMatch>
        </Action>
        <Action>
          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">remove</AttributeValue>
            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                       DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ActionMatch>
        </Action>
        <Action>
          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">echo</AttributeValue>
            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                       DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ActionMatch>
        </Action>
        <Action>
          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">largeMethod(String,int[],String[])</AttributeValue>
            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                       DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ActionMatch>
        </Action>
      </Actions>
    </Target>
  </Rule>
</Policy>
An EJB may look as follows:
/**
 * A simple POJO
 */
public class StatelessSession {
    public void echo() {}
    public void largeMethod() {}
    public void largeMethod(String a, int[] b) {}
    public void largeMethod(String a, int[] b, String[] c) {}
}
If you look at the XACML policy, the only largeMethod overload granted to the user "scott" (and only while he holds the ProjectUser role) is public void largeMethod(String, int[], String[]), because that signature is the action-id named in the policy. The zero-argument and two-argument overloads appear in no Action of the rule, so the rule does not apply to them and the policy yields no Permit for those calls.
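To make the matching concrete, here is an added example that is not part of the original page or of PicketBox: a small Python evaluator for the XACML 2.0 Target logic this policy relies on (string-equal matches; all matches within one Subject, Resource or Action must hold; any Subject, Resource or Action in a section suffices; deny-overrides across rules), run against a trimmed copy of the policy above with the DataType attributes dropped. The request attribute bags are constructed inline. How PicketBox actually derives the action-id string for an EJB call is not shown on this page and is not modelled here; the action-id values are taken literally from the policy.

```python
"""Added example (not PicketBox code): a minimal XACML 2.0 Target evaluator
run against the page's policy, to show which EJB invocations it permits.
Only string-equal matches are implemented, which is all this policy uses;
DataType attributes are omitted from the embedded copy for brevity."""
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:2.0:policy:schema:os"}
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
# attribute ids used by the page's policy
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"

_ACTION = ('<Action><ActionMatch MatchId="%(eq)s"><AttributeValue>%(v)s</AttributeValue>'
           '<ActionAttributeDesignator AttributeId="%(aid)s"/></ActionMatch></Action>')
_ACTIONS = "".join(_ACTION % {"eq": STRING_EQUAL, "aid": ACTION_ID, "v": v} for v in
                   ("create", "remove", "echo", "largeMethod(String,int[],String[])"))

# Trimmed copy of the page's policy: same subject, resource and action matches.
POLICY_XML = """<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
 PolicyId="urn:oasis:names:tc:xacml:2.0:jboss-test:XV:policy"
 RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
 <Target/>
 <Rule RuleId="urn:oasis:names:tc:xacml:2.0:jboss-test:XVI:rule" Effect="Permit">
  <Target>
   <Subjects><Subject>
    <SubjectMatch MatchId="%(eq)s"><AttributeValue>scott</AttributeValue>
     <SubjectAttributeDesignator AttributeId="%(sid)s"/></SubjectMatch>
    <SubjectMatch MatchId="%(eq)s"><AttributeValue>ProjectUser</AttributeValue>
     <SubjectAttributeDesignator AttributeId="%(role)s"/></SubjectMatch>
   </Subject></Subjects>
   <Resources><Resource>
    <ResourceMatch MatchId="%(eq)s"><AttributeValue>StatelessSession</AttributeValue>
     <ResourceAttributeDesignator AttributeId="%(rid)s"/></ResourceMatch>
   </Resource></Resources>
   <Actions>%(actions)s</Actions>
  </Target>
 </Rule>
</Policy>""" % {"eq": STRING_EQUAL, "sid": SUBJECT_ID, "role": ROLE,
                "rid": RESOURCE_ID, "actions": _ACTIONS}


def _match(match_el, request):
    """One SubjectMatch/ResourceMatch/ActionMatch: the literal AttributeValue
    must string-equal at least one value in the request's bag for that AttributeId."""
    if match_el.get("MatchId") != STRING_EQUAL:
        raise ValueError("unsupported MatchId: " + str(match_el.get("MatchId")))
    literal = match_el.find("x:AttributeValue", NS).text
    designator = next(c for c in match_el if c.tag.endswith("AttributeDesignator"))
    return literal in request.get(designator.get("AttributeId"), ())


def _section_matches(target, section, item, request):
    """<Subjects>/<Resources>/<Actions>: any one <Subject>/<Resource>/<Action>
    matches (OR) if all of its *Match children hold (AND). Absent section = match."""
    sec = target.find("x:" + section, NS)
    if sec is None:
        return True
    return any(all(_match(m, request) for m in it) for it in sec.findall("x:" + item, NS))


def target_matches(target, request):
    """An empty <Target/> applies to every request."""
    if target is None or len(target) == 0:
        return True
    return (_section_matches(target, "Subjects", "Subject", request)
            and _section_matches(target, "Resources", "Resource", request)
            and _section_matches(target, "Actions", "Action", request))


def evaluate(policy_xml, request):
    """Return 'Permit', 'Deny' or 'NotApplicable' (deny-overrides rule combining)."""
    policy = ET.fromstring(policy_xml)
    if not target_matches(policy.find("x:Target", NS), request):
        return "NotApplicable"
    effects = [r.get("Effect") for r in policy.findall("x:Rule", NS)
               if target_matches(r.find("x:Target", NS), request)]
    if "Deny" in effects:
        return "Deny"
    return "Permit" if "Permit" in effects else "NotApplicable"


def ejb_request(user, roles, bean, action):
    """Constructed request: attributes are bags, so a user may carry several roles."""
    return {SUBJECT_ID: {user}, ROLE: set(roles), RESOURCE_ID: {bean}, ACTION_ID: {action}}


if __name__ == "__main__":
    for roles, action in ((["ProjectUser"], "echo"),
                          (["ProjectUser"], "largeMethod(String,int[],String[])"),
                          (["ProjectUser"], "largeMethod(String,int[])"),
                          ([], "echo")):
        req = ejb_request("scott", roles, "StatelessSession", action)
        # anything other than Permit must be treated as a denial by the caller
        print(roles, action, "->", evaluate(POLICY_XML, req))
```

Note that the two-argument largeMethod call, and a call by scott without the ProjectUser role, come back as NotApplicable rather than Deny: the policy contains no Deny rule, so the enforcement point has to treat every result other than Permit as a refusal, which is the standard XACML behaviour for a PEP.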
Frequently Asked Questions
- I need this solution for JBoss Application Server v5.1
- Check out the PicketBox source (http://anonsvn.jboss.org/repos/picketbox/trunk/), build it (mvn clean install), and replace the jars security-spi.jar and jbosssx.jar in AS 5.1 with the ones built from PicketBox. Alternatively, take a PicketBox release, 3.0.0.CR1 or later, and replace the same two jars.
- I don't understand XACML. This is hard.
- No comments.