PicketBox XACML: Simple Walkthrough

This article is a short primer for getting started with PicketBox XACML (formerly known as JBossXACML). We still use the two names interchangeably in our documentation and blog posts.

Wiki article (one-stop source) for information?

http://community.jboss.org/wiki/PicketBoxXACMLJBossXACML

Where to get the library from?

From the downloads section of PicketBox: http://www.jboss.org/picketbox/downloads

How do I get started?

  1. Download the library, which should be a single jar.
  2. Author one or more XACML policy files. You should understand the difference between PolicySets and Policies in XACML before you proceed.
  3. Author a configuration file for the XACML engine. This basically configures the various Locators listed in the wiki page.
  4. Create the PDP and pass in the configuration file.
  5. In your Policy Enforcement Point (PEP), create a XACML request based on the context. Pass the XACML request to the PDP and you get an access decision (Permit, Deny, Indeterminate, NotApplicable).

Examples

Some examples of configuration files. The first loads a PolicySet through a PolicySet locator; the second loads a single Policy through a Policy locator.

<ns:jbosspdp xmlns:ns="urn:jboss:xacml:2.0">
  <ns:Policies>
    <ns:PolicySet>
      <ns:Location>test/policies/interop/xacml-policySet</ns:Location>
    </ns:PolicySet>
  </ns:Policies>
  <ns:Locators>
    <ns:Locator Name="org.jboss.test.security.xacml.JBossPolicySetLocator">
    </ns:Locator>
  </ns:Locators>
</ns:jbosspdp>

<ns:jbosspdp xmlns:ns="urn:jboss:xacml:2.0">
  <ns:Policies>
    <ns:Policy>
      <ns:Location>test/policies/bindings/web/web-policy.xml</ns:Location>
    </ns:Policy>
  </ns:Policies>
  <ns:Locators>
    <ns:Locator Name="org.jboss.security.xacml.locators.JBossPolicyLocator">
    </ns:Locator>
  </ns:Locators>
</ns:jbosspdp>

Example usage in source code

import java.io.IOException;
import java.io.InputStream;

import org.jboss.security.xacml.core.JBossPDP;
import org.jboss.security.xacml.factories.RequestResponseContextFactory;
import org.jboss.security.xacml.interfaces.PolicyDecisionPoint;
import org.jboss.security.xacml.interfaces.RequestContext;
import org.jboss.security.xacml.interfaces.ResponseContext;
import org.jboss.security.xacml.interfaces.XACMLConstants;

public class PDPUsage {

   public static void main(String[] args) throws Exception {
      String configName = "test/config/interopPolicySetConfig.xml";
      // Placeholder: classpath location of the XACML request document you constructed
      String requestFileLoc = "path/to/xacml-request.xml";

      // Get the config file via the Thread Context Classloader (or, from an instance, getClass().getClassLoader())
      ClassLoader tcl = Thread.currentThread().getContextClassLoader();
      InputStream is = tcl.getResourceAsStream(configName);
      PolicyDecisionPoint pdp = new JBossPDP(is);

      RequestContext request = getRequest(requestFileLoc); // We constructed the xacml request
      ResponseContext response = pdp.evaluate(request);
      int decision = response.getDecision();

      // Now you can compare the decision against XACMLConstants.DECISION_DENY, XACMLConstants.DECISION_PERMIT etc
      if (decision == XACMLConstants.DECISION_PERMIT) {
         System.out.println("Permit");
      } else {
         System.out.println("Not permitted (decision code " + decision + ")");
      }
   }

   // Read the XACML request document from the classpath into a RequestContext
   private static RequestContext getRequest(String requestFileLoc) throws IOException {
      ClassLoader tcl = Thread.currentThread().getContextClassLoader();
      InputStream is = tcl.getResourceAsStream(requestFileLoc);
      RequestContext request = RequestResponseContextFactory.createRequestCtx();
      request.readRequest(is);
      return request;
   }
}
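As an added example (not code from the original post or the PicketBox project), here is a PEP that builds the XACML request programmatically from the caller's context with the model classes and RequestAttributeFactory instead of reading it from a file, and treats anything other than an explicit Permit as a refusal. The config name, user, resource URI and action are constructed assumptions; the attribute identifiers are the standard XACML 2.0 ones.

```java
import java.io.InputStream;
import java.net.URI;
import org.jboss.security.xacml.core.JBossPDP;
import org.jboss.security.xacml.core.model.context.ActionType;
import org.jboss.security.xacml.core.model.context.EnvironmentType;
import org.jboss.security.xacml.core.model.context.RequestType;
import org.jboss.security.xacml.core.model.context.ResourceType;
import org.jboss.security.xacml.core.model.context.SubjectType;
import org.jboss.security.xacml.factories.RequestAttributeFactory;
import org.jboss.security.xacml.factories.RequestResponseContextFactory;
import org.jboss.security.xacml.interfaces.PolicyDecisionPoint;
import org.jboss.security.xacml.interfaces.RequestContext;
import org.jboss.security.xacml.interfaces.ResponseContext;
import org.jboss.security.xacml.interfaces.XACMLConstants;

public class WebPep {
    // Standard XACML 2.0 attribute identifiers for subject, resource and action
    static final String SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id";
    static final String RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id";
    static final String ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id";
    // Build the XACML request from the caller's context instead of reading it from a file
    public static RequestContext buildRequest(String user, URI resource, String action) throws Exception {
        RequestType req = new RequestType();
        SubjectType subject = new SubjectType();
        subject.getAttribute().add(RequestAttributeFactory.createStringAttributeType(SUBJECT_ID, null, user));
        req.getSubject().add(subject);
        ResourceType res = new ResourceType();
        res.getAttribute().add(RequestAttributeFactory.createAnyURIAttributeType(RESOURCE_ID, null, resource));
        req.getResource().add(res);
        ActionType act = new ActionType();
        act.getAttribute().add(RequestAttributeFactory.createStringAttributeType(ACTION_ID, null, action));
        req.setAction(act);
        req.setEnvironment(new EnvironmentType()); // required element of a XACML 2.0 request, left empty here
        RequestContext ctx = RequestResponseContextFactory.createRequestCtx();
        ctx.setRequest(req);
        return ctx;
    }
    // Fail closed: only an explicit Permit grants access; Deny, Indeterminate and NotApplicable all refuse
    public static boolean isPermitted(PolicyDecisionPoint pdp, String user, URI resource, String action) throws Exception {
        ResponseContext response = pdp.evaluate(buildRequest(user, resource, action));
        return response.getDecision() == XACMLConstants.DECISION_PERMIT;
    }
    public static void main(String[] args) throws Exception {
        // Assumed config name; it would list web-policy.xml as in the second configuration above
        InputStream is = Thread.currentThread().getContextClassLoader().getResourceAsStream("test/config/webConfig.xml");
        PolicyDecisionPoint pdp = new JBossPDP(is);
        boolean ok = isPermitted(pdp, "testuser", new URI("http://test/developer-guide.html"), "read");
        System.out.println(ok ? "Permit" : "access refused (fail closed)");
    }
}
```

The subject, resource and action attribute values must match what your policy's Target and Conditions test; a request the policy does not cover returns NotApplicable, which this PEP deliberately refuses rather than letting through.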