7 Replies Latest reply: Sep 27, 2010 4:36 PM by Brian Krisler

Make JBossPDP an interface to allow easier insertion of custom PDP.

Brian Krisler Newbie

Hi,

 

I have been looking into using my own custom PDP and have been discovering that the JBossPDP is pretty entwined with the security component. For example, it can get created in JBossPolicyRegistration, JBossXACMLUtil or in SOAPSAMLXACMLServlet.

 

To allow for easier swapping out of the PDP, for various reasons, should JBossPDP become an interface? And then in the security-deployer have a bean that defines the desired PDP?

 

While I understand that in most instances the default PDP is probably good enough, I can envision circumstances where a custom PDP would be the preferred choice.

 

Thanks for any comments.

 

Brian

  • 1. Re: Make JBossPDP an interface to allow easier insertion of custom PDP.
    Anil Saldhana Master

    And why would you create your own custom PDP?  I fail to understand why people want to reinvent the wheel themselves. This is a trend I am increasingly seeing at companies.

     

    A PDP's job is to evaluate policies. If our PDP is not doing that properly then there may be bugs (I have not seen any major bug reports, and I have run our PDP in complex policy scenarios at various interoperability events).

     

    I am pretty confident that our PDP is robust and can do good for the features we have advertised.

  • 2. Re: Make JBossPDP an interface to allow easier insertion of custom PDP.
    Anil Saldhana Master

    In JBAS, you should be able to replace the entire xacml infrastructure with a custom stack by implementing a new PolicyRegistration interface and then writing your own XACML policy module.  The JBoss Microcontainer can be used to add in your PR implementation.

     

    Correction above:-  If you are going to implement your custom xacml policy/authorization module, then you do not need to use the PolicyRegistration interface at all. You should be able to have custom logic to locate the policies applicable to your deployment.

  • 3. Re: Make JBossPDP an interface to allow easier insertion of custom PDP.
    Brian Krisler Newbie

    I too am against reinventing the wheel, and that is one of the reasons we selected Picketbox/Picketlink as a starting point for our research. When we started, we reviewed all of the existing SAML/XACML solutions in the open source and found that Picketbox/Picketlink put us close to our goal with minimal modification.

     

    As far as why I need to create a custom PDP, there are two reasons (if I missed something that would allow these features in the existing implementation, a pointer would be great!):

     

    1) We need to support attribute-based authorization. The current implementation appears to be role-based authorization.

     

    2) We need to support remote Attribute Authorities. From what I can determine, this would require modification of the PDP to allow for configuration of a known/trusted attribute authority that is not self contained.

     

    Another requirement I have not started to investigate, but which I think should be supported in the existing PDP, is the integration of a custom rule combining algorithm.

     

    At the moment, the custom PolicyRegistration approach is the route I took. This has allowed me to extend and modify the existing PDP to meet my requirements. It is possible that what I am doing is very specific and not worth modification of the existing implementation.

     

    Hope this helps some in clarifying my intent.

     

    Brian

  • 4. Re: Make JBossPDP an interface to allow easier insertion of custom PDP.
    Anil Saldhana Master

    Brian, thanks for the explanation. I am glad that you are open to making modifications to the OSS codebase rather than reinventing something.

     

    Let me think more on what you said.

     

    XACML is what brings in the attribute based authorization to the Java EE specification.

     

    We can certainly discuss ways by which we can mutually get at a common ground.

     

    Please go ahead and give some detailed description if you have and I should be able to see where we can adapt/change our codebase to achieve the goals.  In the end, we both benefit.

  • 5. Re: Make JBossPDP an interface to allow easier insertion of custom PDP.
    Brian Krisler Newbie

    What I mean by attributes for a subject is the following.

     

    At the moment, this is a typical policy subject block from a request:

     

    <Subject>
      <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Manager</AttributeValue>
        <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
                                    DataType="http://www.w3.org/2001/XMLSchema#string" />
      </SubjectMatch>
      <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Developer</AttributeValue>
        <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
                                    DataType="http://www.w3.org/2001/XMLSchema#string" />
      </SubjectMatch>
    </Subject>


     

    When a request is made against this policy, it would be in the form of a user id (Bob) and his roles (Manager); this supports role-based authorization.  However, for attribute-based authorization, the policy would look more like:

     

    <Subject>
      <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:boolean-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#boolean">true</AttributeValue>
        <SubjectAttributeDesignator AttributeId="urn:my-org:manager:attribute"
                                    DataType="http://www.w3.org/2001/XMLSchema#boolean" />
      </SubjectMatch>
      <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:boolean-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#boolean">true</AttributeValue>
        <SubjectAttributeDesignator AttributeId="urn:my-org:developer:attribute"
                                    DataType="http://www.w3.org/2001/XMLSchema#boolean" />
      </SubjectMatch>
    </Subject>

     

    When a request is made against the attribute-based policy the requestor would pass in a list of values as such:

     

    urn:my-org:manager:attribute = true

    urn:my-org:developer:attribute = false

     

    In a review of the existing code (EJBXACMLUtil.java, for example), it does not allow for such attribute-based values. Instead, it loops over the provided roles and creates the attributes based on the ATTRIBUTEID_ROLE constant.

     

    List<Role> rolesList = callerRoles.getRoles();
    if (rolesList != null)
    {
       // Every caller role becomes one value of the single, fixed role attribute
       // (XACMLConstants.ATTRIBUTEID_ROLE); no other attribute id can be emitted here.
       for (Role role : rolesList)
       {
          String roleName = role.getRoleName();
          AttributeType attSubjectID = RequestAttributeFactory.createStringAttributeType(
                XACMLConstants.ATTRIBUTEID_ROLE, "jboss.org", roleName);
          subject.getAttribute().add(attSubjectID);
       }
    }

     

     

    Another issue is that the construction of the request is dependent upon the Principal for setting of the subject-id value. We are working on a model where there will never be a Principal object to extract a subject-id from. In our case, we will instead pass in a set of attributes for evaluation.

     

    Upon further review, it might just be the helper methods (EJBXACMLUtil and WebXACMLUtil) that will require much modification. The addition of a second method in the util objects for creation of these attribute-based request objects might just work.  I have not fully reviewed the policy application code in detail yet, but from a cursory glance it appears to be attribute-id agnostic and will just create a Set of attribute/value pairs and then, upon validation, apply the proper attribute function.

     

    Brian


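    The post above contrasts a role-based request (one fixed role attribute, filled by the EJBXACMLUtil loop) with an attribute-based request (arbitrary attribute ids with typed values). The following Python is an added example, not code from the thread or from JBoss/PicketBox: it builds both request shapes as XACML attribute bags and evaluates the two policy fragments quoted above against them using the XACML 2.0 target rules (a <Subject> is the conjunction of its <SubjectMatch> elements; <Subjects> is the disjunction of its <Subject> elements). The only assumption beyond the page is that XACMLConstants.ATTRIBUTEID_ROLE resolves to the role AttributeId the first fragment designates. One caveat it makes visible: because both <SubjectMatch> elements sit in one <Subject>, the attribute-based fragment requires manager AND developer to be true, so the request with developer = false does not match it; a "manager OR developer" policy needs two <Subject> elements.

```python
"""Added example (not JBoss/PicketBox code): evaluate an XACML 2.0 <Subject> target
against a request's subject attribute bags, for role-based and attribute-based requests."""
import xml.etree.ElementTree as ET

# Assumed value of XACMLConstants.ATTRIBUTEID_ROLE from the quoted EJBXACMLUtil loop;
# it is the AttributeId the page's role-based policy designates.
ROLE_ATTRIBUTE_ID = "urn:oasis:names:tc:xacml:2.0:subject:role"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
XS_BOOLEAN = "http://www.w3.org/2001/XMLSchema#boolean"

# Both fragments are the ones quoted in the post, unchanged.
ROLE_POLICY = """<Subject>
  <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Manager</AttributeValue>
    <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
                                DataType="http://www.w3.org/2001/XMLSchema#string" />
  </SubjectMatch>
  <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Developer</AttributeValue>
    <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
                                DataType="http://www.w3.org/2001/XMLSchema#string" />
  </SubjectMatch>
</Subject>"""

ATTR_POLICY = """<Subject>
  <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:boolean-equal">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#boolean">true</AttributeValue>
    <SubjectAttributeDesignator AttributeId="urn:my-org:manager:attribute"
                                DataType="http://www.w3.org/2001/XMLSchema#boolean" />
  </SubjectMatch>
  <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:boolean-equal">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#boolean">true</AttributeValue>
    <SubjectAttributeDesignator AttributeId="urn:my-org:developer:attribute"
                                DataType="http://www.w3.org/2001/XMLSchema#boolean" />
  </SubjectMatch>
</Subject>"""


def request_from_roles(roles):
    """Mirror the EJBXACMLUtil loop: each caller role is one value in the role bag."""
    return {ROLE_ATTRIBUTE_ID: [(XS_STRING, role) for role in roles]}


def request_from_attributes(attributes):
    """Attribute-based request: arbitrary attribute ids, datatype taken from the Python value."""
    bags = {}
    for attr_id, values in attributes.items():
        if not isinstance(values, (list, tuple)):
            values = [values]
        bags[attr_id] = [
            (XS_BOOLEAN, "true" if v else "false") if isinstance(v, bool) else (XS_STRING, str(v))
            for v in values
        ]
    return bags


def _to_bool(lexical):
    """xs:boolean lexical forms."""
    if lexical in ("true", "1"):
        return True
    if lexical in ("false", "0"):
        return False
    raise ValueError("not an xs:boolean: %r" % lexical)


MATCH_FUNCTIONS = {
    "urn:oasis:names:tc:xacml:1.0:function:string-equal": lambda a, b: a == b,
    "urn:oasis:names:tc:xacml:1.0:function:boolean-equal": lambda a, b: _to_bool(a) == _to_bool(b),
}


def _subject_match_holds(match_el, bags):
    fn = MATCH_FUNCTIONS[match_el.get("MatchId")]  # KeyError: function not supported here
    designator = match_el.find("SubjectAttributeDesignator")
    attr_id, datatype = designator.get("AttributeId"), designator.get("DataType")
    policy_value = match_el.find("AttributeValue").text.strip()
    # The designator yields the bag of request values with that id and datatype; an absent
    # attribute is an empty bag, and a match over an empty bag is "no match".
    bag = [value for (dt, value) in bags.get(attr_id, []) if dt == datatype]
    return any(fn(policy_value, value) for value in bag)


def subject_target_matches(policy_fragment, bags):
    """XACML 2.0 target semantics: <Subjects> is a disjunction of <Subject> elements,
    and each <Subject> is a conjunction of its <SubjectMatch> elements."""
    root = ET.fromstring(policy_fragment)
    subjects = [root] if root.tag == "Subject" else root.findall("Subject")
    return any(
        all(_subject_match_holds(m, bags) for m in subject.findall("SubjectMatch"))
        for subject in subjects
    )


if __name__ == "__main__":
    print(subject_target_matches(ROLE_POLICY, request_from_roles(["Manager", "Developer"])))
    print(subject_target_matches(ATTR_POLICY, request_from_attributes(
        {"urn:my-org:manager:attribute": True, "urn:my-org:developer:attribute": False})))
```

    The bag filter on datatype is what keeps a role string from satisfying a boolean designator, and the empty-bag rule is why a request that omits an attribute can never match a <SubjectMatch> on it.
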
  • 6. Re: Make JBossPDP an interface to allow easier insertion of custom PDP.
    Anil Saldhana Master

    I think you should consider writing a separate XACMLAuthorizationModule that makes the decisions based on the information available from the subject, JDK (time/date/ip) etc.

     

    In our case, we use it mainly for Java EE which is RBAC.

     

    You know how to plug in your own authorization module at the security domain level, correct?

     

    I would refrain from changing the EJBXACMLUtil/web...util because they are the core JBoss codebase.

     

    It is best to write your own XACML authz module that uses our XACML api.

  • 7. Re: Make JBossPDP an interface to allow easier insertion of custom PDP.
    Brian Krisler Newbie

    Upon further investigation, I am not sure creation of a separate AuthorizationModule will provide me with everything I need. For my implementation, the attributes used for construction of the authorization request will be part of the request.  So the request will be a SOAP request, containing the service requested, and the header will have a SAML block containing the attributes associated with the user requesting access.

     

    From what I can see, the AuthorizationModule does not have access to the SOAP message request and thus cannot extract the desired attributes.  Is this true, or am I overlooking something?