7 Replies Latest reply on Sep 27, 2010 4:36 PM by bkrisler

    Make JBossPDP an interface to allow easier insertion of custom PDP.

    bkrisler

      Hi,

       

      I have been looking into using my own, custom PDP and have been discovering that the JBossPDP is pretty entwined to

      the security component. For example it can get created in JBossPolicyRegistration, JBossXACMLUtil or in SOAPSAMLXACMLServlet.

       

      To allow for easier swapping out of the PDP, for various reasons, should JBossPDP become an interface? And then in the security-deployer have a bean that defines the desired PDP?

       

      While I understand that in most instances, the default PDP is probably good enough, I can envision circumstances were a custom PDP

      would be the preferred choice.

       

      Thanks for any comments.

       

      Brian

        • 1. Re: Make JBossPDP an interface to allow easier insertion of custom PDP.
          anil.saldhana

          And why would you create your own custom PDP?  I fail to understand why people want to reinvent the wheels themselves. This is a trend I am increasingly seeing at companies.

           

          A PDP's job is to evaluate policies. If our PDP is not doing that properly then there may be bugs (I have not seen any major bug reports and I have run our PDP in complex policies' scenarios at various interoperability events).

           

          I am pretty confident that our PDP is robust and can do good for the features we have advertised.

          • 2. Re: Make JBossPDP an interface to allow easier insertion of custom PDP.
            anil.saldhana

            In JBAS, you should be able to replace the entire xacml infrastructure with a custom stack by implementing a new PolicyRegistration interface and then writing your own XACML policy module.  The JBoss Microcontainer can be used to add in your PR implementation.

             

            Correction above:-  If you are going to implement your custom xacml policy/authorization module, then you do not need to use the PolicyRegistration interface at all. You should be able to have custom logic to locate the policies applicable to your deployment.

            • 3. Re: Make JBossPDP an interface to allow easier insertion of custom PDP.
              bkrisler

              I too am against reinventing the wheel and that is one of the reasons we selected Picketbox/Picketlink as a

              staring point for our research. When we started, we reviewed all of the existing SAML/XACML

              solutions in the open source and found that Picketbox/Picketlink put us close to our goal with minimal modification.

               

              As far as why I need to create a custom PDP, there are two reasons, (if I missed something

              that would allow these features in the existing implementation, a pointer would be great!):

               

              1) We need to support attribute-based authorization. The current implementation appears to be

                  role-based authorization.

               

              2) We need to support remote Attribute Authorities. From what I can determine, this would require

                   modification of the PDP to allow for configuration of a known/trusted attribute authority that

                   is not self contained.

               

              Another requirement I have not started to investigate, however I think should be supported in the existing

              PDP is the intergration of a custom rule combining algorithm.

               

              At the moment, the custom PolicyRegistration approach is the route I took. This has allowed my

              to extend and modify the existing PDP to meet my requirements. It is possible that what I am doing

              is very specific and not worth modification of the existing implementation.

               

              Hope this helps some in clarifying my intent.

               

              Brian

              • 4. Re: Make JBossPDP an interface to allow easier insertion of custom PDP.
                anil.saldhana

                Brian, thanks for the explanation. I am glad that you are open to making modifications to the OSS codebase rather than reinventing something.

                 

                Let me think more on what you said.

                 

                XACML is what brings in the attribute based authorization to the Java EE specification.

                 

                We can certainly discuss ways by which we can mutually get at a common ground.

                 

                Please go ahead and give some detailed description if you have and I should be able to see where we can adapt/change our codebase to achieve the goals.  In the end, we both benefit.

                • 5. Re: Make JBossPDP an interface to allow easier insertion of custom PDP.
                  bkrisler

                  What I mean by attributes for a subject is the following.

                   

                  At the moment, this is a typical policy subject block from a request:

                   

                  <Subject>
                    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Manager</AttributeValue>
                      <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
                                                                  DataType="http://www.w3.org/2001/XMLSchema#string" />
                     </SubjectMatch>
                     <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                       <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Developer</AttributeValue>
                       <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
                                                                   DataType="http://www.w3.org/2001/XMLSchema#string" />
                     </SubjectMatch>
                  </Subject>
                  
                  

                   

                  When a request is made against this policy, it would be in the form of a user id (Bob) and his roles (Manager), this is supporting role-based authorization.  However for attribute-based authorization, the policy would look more like:

                   

                  <Subject>
                    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:boolean-equal">
                      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#boolean">true</AttributeValue>
                      <SubjectAttributeDesignator AttributeId="urn:my-org:manager:attribute"
                                                                  DataType="http://www.w3.org/2001/XMLSchema#boolean" />
                     </SubjectMatch>
                     <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:boolean-equal">
                       <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#boolean">true</AttributeValue>
                       <SubjectAttributeDesignator AttributeId="urn:my-org:developer:attribute"
                                                                   DataType="http://www.w3.org/2001/XMLSchema#boolean" />
                     </SubjectMatch>
                  </Subject>

                   

                  When a request is made against the attribute-based policy the requestor would pass in a list of values as such:

                   

                  urn:my-org:manager:attribute = true
                  urn:my-org:developer:attribute = false

                   

                  In a review of the existing code (EJBXACMLUtil,java for example), it does not allow for such attribute-based values. Instead, it loops over the provided roles and creates the attributes based on the ATTRIBUTEID_ROLE constant.

                   

                  List<Role> rolesList = callerRoles.getRoles();
                  if(rolesList != null)
                  {
                     for(Role role:rolesList)
                     {
                        String roleName = role.getRoleName(); 
                        AttributeType attSubjectID = RequestAttributeFactory.createStringAttributeType(
                              XACMLConstants.ATTRIBUTEID_ROLE, "jboss.org", roleName);
                        subject.getAttribute().add(attSubjectID);
                     }
                  }

                   

                   

                  An other issue is that the construction of the request is dependent upon the Principal for setting of the subject-id value. We are working on a model where there will never be a Princial object to extract a subject-id. In our case, we will instead pass in a set of attributes for evaluation.

                   

                  Upon further review, it might just be the helper methods (EJBXAMLUtil and WebXACMLUtil) that will require much modification. The addition of a second method in the util objects for creating of these attribute based request objects might just work.  I have not fully reviewed the policy application code in detail yet, but from a cursory glance it appears to be attribute-id agnostic and will just create a Set of attribute/value pairs and then upon validation, apply the proper attribute function.

                   

                  Brian

                   

                  Message was edited by: Brian Krisler  -- Tried to fix XML formatting.

                  • 6. Re: Make JBossPDP an interface to allow easier insertion of custom PDP.
                    anil.saldhana

                    I think you should consider writing a separate XACMLAuthorizationModule that makes the decisions based on the information available from the subject, JDK (time/date/ip) etc.

                     

                    In our case, we use it mainly for Java EE which is RBAC.

                     

                    You know how to plug in your own authorization module at the security domain level. correct?

                     

                    I would refrain from changing the EJBXACMLUtil/web...util because they are the core JBoss codebase.

                     

                    It is best to write your own XACML authz module that uses our XACML api.

                    • 7. Re: Make JBossPDP an interface to allow easier insertion of custom PDP.
                      bkrisler

                      Upon further investigation, I am not sure creation of a seperate AuthorizationModule will provide me with everything I need.

                      For my implementation, the attributes used for construction of the authorization request will be part of the request.  So the request

                      will be a SOAP request, containing the service requested and the header will have a SAML block containing the attributes associated

                      with the user requesting access.

                       

                      From what I can see, the AuthorizationModule does not have access to the SOAP message request and thus cannot extract the

                      desired attributes.  Is this true, or am I overlooking something?