PicketBox XACML Integration with Exist DB

PicketBox XACML (formerly called JBossXACML) can integrate with Exist DB to store and retrieve XACML policies and attributes.

What is Exist DB?

Exist DB is an open source native XML database. See links [1] and [2] for more information on Exist DB.

How do I install the PicketBox XACML ExistDB Integration?

  • Step 1: Ensure that you have PicketBox XACML v2.0.5.CR2 or later. See the downloads page of the PicketBox project.
  • Step 2: Download the PicketBox XACML ExistDB Integration v1.0.0.CR1 or later from the same downloads page. Make sure you download the ZIP file.
  • Step 3: Unzip the xacml-existdb integration ZIP file into a directory that is on the classpath of your application.

Usage - Retrieving Policy Sets from Exist DB

Name: org.jboss.security.xacml.existdb.locators.policy.ExistPolicySetLocator

Configuration Example:

  • databaseURL: database URL of the Exist DB instance, in the XMLDB URL format.
  • collectionName: the name of the collection in the database that holds the documents; a collection is analogous to a directory in the XML database.
  • namesOfDocuments: comma-separated names of the policy-set documents.
  • documentName: name of a single policy-set document. Use this option instead of namesOfDocuments when there is just one policy set.

<ns:Locator Name="org.jboss.security.xacml.existdb.locators.policy.ExistPolicySetLocator">
   <ns:Option Name="databaseURL">xmldb:exist://localhost:11080/exist/xmlrpc/</ns:Option>
   <ns:Option Name="collectionName">xacml</ns:Option>
   <ns:Option Name="namesOfDocuments">attribLocator_policy.xml, web-policy.xml</ns:Option>
</ns:Locator>

Usage - Retrieving Policy from Exist DB

Name: org.jboss.security.xacml.existdb.locators.policy.ExistPolicyLocator

Configuration Example:

  • databaseURL: database URL of the Exist DB instance, in the XMLDB URL format.
  • collectionName: the name of the collection in the database that holds the documents; a collection is analogous to a directory in the XML database.
  • namesOfDocuments: comma-separated names of the policy documents.
  • documentName: name of a single policy document. Use this option instead of namesOfDocuments when there is just one policy.

<ns:Locator Name="org.jboss.security.xacml.existdb.locators.policy.ExistPolicyLocator">
   <ns:Option Name="databaseURL">xmldb:exist://localhost:11080/exist/xmlrpc/</ns:Option>
   <ns:Option Name="collectionName">xacml</ns:Option>
   <ns:Option Name="documentName">attribLocator_policy.xml</ns:Option>
</ns:Locator>

Usage - Retrieving Missing Subject Attribute from Exist DB

Objective: XACML requests are often missing one or more attributes (subject, resource, action, environment) needed to make an access decision. In those cases, the PDP consults its attribute locators to obtain the missing values.

Name: org.jboss.security.xacml.existdb.locators.attrib.ExistDatabaseSubjectAttributeLocator

Configuration Example:

  • databaseURL: database URL of the Exist DB instance, in the XMLDB URL format.
  • collectionName: the name of the collection in the database that holds the documents; a collection is analogous to a directory in the XML database.
  • namesOfDocuments: comma-separated names of policy documents.
  • xqueryFile: name of a file containing an XQuery that returns a single value.

<ns:Locator Name="org.jboss.security.xacml.existdb.locators.attrib.ExistDatabaseSubjectAttributeLocator">
   <ns:Option Name="databaseURL">xmldb:exist://localhost:11080/exist/xmlrpc/</ns:Option>
   <ns:Option Name="collectionName">xacml</ns:Option>
   <ns:Option Name="attributeSupportedId">urn:oasis:names:tc:xacml:1.0:subject:subject-id</ns:Option>
   <ns:Option Name="xqueryFile">src/test/resources/attrib/subjectattribute.xql</ns:Option>
</ns:Locator>

Usage - Retrieving Missing Resource Attribute from Exist DB

Objective: the same as for the subject attribute locator above: supply a resource attribute that is missing from the XACML request so that the PDP can reach an access decision.

Name: org.jboss.security.xacml.existdb.locators.attrib.ExistDatabaseResourceAttributeLocator

Configuration Example:

  • databaseURL: database URL of the Exist DB instance, in the XMLDB URL format.
  • collectionName: the name of the collection in the database that holds the documents; a collection is analogous to a directory in the XML database.
  • namesOfDocuments: comma-separated names of policy documents.
  • xqueryFile: name of a file containing an XQuery that returns a single value.

Similar Attribute Locators

Action: org.jboss.security.xacml.existdb.locators.attrib.ExistDatabaseActionAttributeLocator

Environment: org.jboss.security.xacml.existdb.locators.attrib.ExistDatabaseEnvAttributeLocator

These locators take the same configuration options as the subject and resource attribute locators above.

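To check locator entries of the kind shown above before deploying them, here is an added Python example (not PicketBox or eXist code) that parses the ns:Locator/ns:Option fragments and applies the option rules this page states; the placeholder namespace URI of the wrapper element and the rule that a policy locator sets exactly one of namesOfDocuments or documentName are assumptions drawn from the text.

```python
"""Added example (not PicketBox or eXist code): validate the <ns:Locator> entries shown on this page."""
import xml.etree.ElementTree as ET
POLICY_PKG = "org.jboss.security.xacml.existdb.locators.policy."
ATTRIB_PKG = "org.jboss.security.xacml.existdb.locators.attrib."

# Constructed sample: the page's policy-set and subject-attribute locators, plus one
# deliberately misconfigured policy locator (wrong URL scheme, both document options set).
SAMPLE_CONFIG = """
<ns:Locator Name="org.jboss.security.xacml.existdb.locators.policy.ExistPolicySetLocator">
  <ns:Option Name="databaseURL">xmldb:exist://localhost:11080/exist/xmlrpc/</ns:Option>
  <ns:Option Name="collectionName">xacml</ns:Option>
  <ns:Option Name="namesOfDocuments">attribLocator_policy.xml, web-policy.xml</ns:Option>
</ns:Locator>
<ns:Locator Name="org.jboss.security.xacml.existdb.locators.attrib.ExistDatabaseSubjectAttributeLocator">
  <ns:Option Name="databaseURL">xmldb:exist://localhost:11080/exist/xmlrpc/</ns:Option>
  <ns:Option Name="collectionName">xacml</ns:Option>
  <ns:Option Name="attributeSupportedId">urn:oasis:names:tc:xacml:1.0:subject:subject-id</ns:Option>
  <ns:Option Name="xqueryFile">src/test/resources/attrib/subjectattribute.xql</ns:Option>
</ns:Locator>
<ns:Locator Name="org.jboss.security.xacml.existdb.locators.policy.ExistPolicyLocator">
  <ns:Option Name="databaseURL">http://localhost:11080/exist/xmlrpc/</ns:Option>
  <ns:Option Name="collectionName">xacml</ns:Option>
  <ns:Option Name="namesOfDocuments">web-policy.xml</ns:Option>
  <ns:Option Name="documentName">attribLocator_policy.xml</ns:Option>
</ns:Locator>
"""


def parse_locators(xml_text):
    """Return one dict per Locator: class name, resolved document list, XQuery file, problems."""
    # The wrapper declares the ns: prefix; its URI is a placeholder, not PicketBox's real one.
    root = ET.fromstring('<root xmlns:ns="urn:placeholder">%s</root>' % xml_text)
    result = []
    for loc in root:
        cls, problems = loc.get("Name", ""), []
        opts = {o.get("Name"): (o.text or "").strip() for o in loc}
        if not opts.get("databaseURL", "").startswith("xmldb:exist://"):
            problems.append("databaseURL is not an xmldb:exist:// URL")
        if not opts.get("collectionName"):
            problems.append("collectionName is missing")
        # Page rule: namesOfDocuments is comma-separated and documentName is the single-document
        # alternative, so a policy locator is expected to set exactly one of them (assumption).
        names = [d.strip() for d in opts.get("namesOfDocuments", "").split(",") if d.strip()]
        single = opts.get("documentName", "")
        if cls.startswith(POLICY_PKG) and bool(names) == bool(single):
            problems.append("set exactly one of namesOfDocuments or documentName")
        elif cls.startswith(ATTRIB_PKG) and not opts.get("xqueryFile"):
            problems.append("xqueryFile is missing")
        result.append({"locator": cls, "documents": names or ([single] if single else []),
                       "xquery_file": opts.get("xqueryFile"), "problems": problems})
    return result
```
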
References

A Full Example

This section shows a full example of using the XACML ExistDB integration.

Policies and configuration files are available in the Directory Listing.

Test Case: Code