XACML Locators

JBossXACML in PicketBox suite provides Oasis XACML v2.0 support for Java applications.

What are Locators?

Locators are interfaces in JBossXACML that allow one to provide additional or missing information to the PDP during evaluation.

They include:

  • Attribute Locators
  • Resource Locators


Attribute Locators
Attribute Locators are consulted when the Policy specifies certain attributes as necessary for evaluation and the request arrives without the required attribute. In that case, the PDP asks the attribute locator for a value for that attribute so that it can complete the evaluation. Again, remember that the attribute locator is driven by the POLICY and not by the REQUEST.

Procedure for Attribute Locators:

  • Write a subclass of org.jboss.security.xacml.locators.AttributeLocator
  • Override the following AttributeFinderModule methods in your attribute locator:
    * findAttribute(String, org.w3c.dom.Node, URI, org.jboss.security.xacml.sunxacml.EvaluationCtx, String)
    * findAttribute(URI, URI, URI, URI, org.jboss.security.xacml.sunxacml.EvaluationCtx, int)
  • Then specify the attribute locator in your configuration file as shown in the example below.
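As an added example (not JBossXACML's own code nor the page author's), the hypothetical locator below supplies a constructed urn:example:subject:clearance attribute when a policy requires it and the request omits it. It assumes that the JBossXACML AttributeLocator base class parses the Option elements for you, and that the sunxacml EvaluationCtx, EvaluationResult and BagAttribute classes bundled with JBossXACML are available as shown; the lookup table is constructed sample data.

```java
import java.net.URI;
import java.util.*;
import org.jboss.security.xacml.locators.AttributeLocator;
import org.jboss.security.xacml.sunxacml.EvaluationCtx;
import org.jboss.security.xacml.sunxacml.attr.AttributeDesignator;
import org.jboss.security.xacml.sunxacml.attr.BagAttribute;
import org.jboss.security.xacml.sunxacml.attr.StringAttribute;
import org.jboss.security.xacml.sunxacml.cond.EvaluationResult;
import org.w3c.dom.Node;

// Added example, not JBossXACML code: supplies a constructed "clearance" attribute.
public class ClearanceAttributeLocator extends AttributeLocator {
   static final URI STRING = URI.create("http://www.w3.org/2001/XMLSchema#string");
   static final URI SUBJECT_ID = URI.create("urn:oasis:names:tc:xacml:1.0:subject:subject-id");
   static final URI CLEARANCE = URI.create("urn:example:subject:clearance"); // constructed id

   // Constructed lookup table standing in for a directory or database call.
   private static final Map<String, String> CLEARANCES = new HashMap<String, String>();
   static {
      CLEARANCES.put("alice", "secret");
      CLEARANCES.put("bob", "public");
   }

   // Designator form: the policy asked for a subject attribute the request lacks.
   @Override
   public EvaluationResult findAttribute(URI attributeType, URI attributeId, URI issuer,
         URI subjectCategory, EvaluationCtx context, int designatorType) {
      EvaluationResult empty = new EvaluationResult(BagAttribute.createEmptyBag(attributeType));
      // Answer only for exactly the attribute id, data type and target we are configured for.
      if (designatorType != AttributeDesignator.SUBJECT_TARGET
            || !CLEARANCE.equals(attributeId) || !STRING.equals(attributeType)) {
         return empty;
      }
      // Read the subject-id the request DID carry and map it to a clearance.
      EvaluationResult subj = context.getSubjectAttribute(STRING, SUBJECT_ID, subjectCategory);
      if (subj.indeterminate()) return subj;
      Iterator<?> it = ((BagAttribute) subj.getAttributeValue()).iterator();
      String clearance = it.hasNext() ? CLEARANCES.get(((StringAttribute) it.next()).getValue()) : null;
      // Unknown subject: return the EMPTY bag, never a default, so a missing
      // attribute can never satisfy a Permit condition by accident.
      if (clearance == null) return empty;
      return new EvaluationResult(new BagAttribute(STRING,
            Collections.singletonList(new StringAttribute(clearance))));
   }

   // Selector (XPath) form: not supported here, so always return an empty bag.
   @Override
   public EvaluationResult findAttribute(String contextPath, Node namespaceNode,
         URI attributeType, EvaluationCtx context, String xpathVersion) {
      return new EvaluationResult(BagAttribute.createEmptyBag(attributeType));
   }
}
```

To register it, list the class in a ns:Locator element with attributeDesignatorInt set to 0 (subject) and attributeSupportedId entries for urn:example:subject:clearance and the string data type, following the pattern in the configuration below.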

Resource Locators
Resource Locators are used together with the XACML Hierarchical Profile, if you decide to use it.


Configuration

<ns:jbosspdp xmlns:ns="urn:jboss:xacml:2.0">
  <ns:Policies>
    <ns:PolicySet>
      <ns:Location>test/policies/interop/xacml-policySet.xml</ns:Location>
      <ns:Policy>
         <ns:Location>test/policies/interop/xacml-policy2.xml</ns:Location>
      </ns:Policy>
      
      <ns:Policy>
         <ns:Location>test/policies/interop/xacml-policy3.xml</ns:Location>
      </ns:Policy>
      <ns:Policy>
         <ns:Location>test/policies/interop/xacml-policy4.xml</ns:Location>
      </ns:Policy>
      
      <ns:Policy>
         <ns:Location>test/policies/interop/xacml-policy5.xml</ns:Location>
      </ns:Policy>
      
    </ns:PolicySet>
  </ns:Policies>
  <ns:Locators>
    <ns:Locator Name="org.jboss.security.xacml.locators.JBossPolicySetLocator"/> 
    
    <ns:Locator Name="org.jboss.test.security.xacml.locators.TestAttributeLocator">
      <ns:Option Name="identifier">test-attrib</ns:Option>
      <ns:Option Name="attributeDesignatorSupport">true</ns:Option>
      <ns:Option Name="attributeSelectorSupport">true</ns:Option>
      <ns:Option Name="attributeDesignatorInt">0</ns:Option>
      <ns:Option Name="attributeDesignatorInt">1</ns:Option>
      <ns:Option Name="attributeDesignatorInt">2</ns:Option>
      <ns:Option Name="attributeSupportedId">urn:oasis:names:tc:xacml:1.0:action:action-id</ns:Option>
      <ns:Option Name="attributeSupportedId">http://www.w3.org/2001/XMLSchema#string</ns:Option>
      <ns:Option Name="attributeSupportedId">urn:xacml:2.0:interop:example:subject:buy-offer-price</ns:Option>
      <ns:Option Name="attributeSupportedId">urn:oasis:names:tc:xacml:1.0:subject:subject-id</ns:Option>
    </ns:Locator>
    
    <ns:Locator Name="org.jboss.test.security.xacml.locators.TestResourceLocator">
      <ns:Option Name="identifier">test-resource</ns:Option>
      <ns:Option Name="resourceChildSupport">true</ns:Option>
      <ns:Option Name="resourceDescendantSupport">true</ns:Option>
     </ns:Locator>
    
  </ns:Locators>
</ns:jbosspdp>

The names allowed in the "Option" elements are the constants defined in the AbstractLocator interface:


  String IDENTIFIER_TAG = "identifier";
  String ATTRIBUTE_DESIGNATOR_SUPPORT_TAG = "attributeDesignatorSupport";
  String ATTRIBUTE_SELECTOR_SUPPORT_TAG = "attributeSelectorSupport";
  String ATTRIBUTE_SUPPORTED_ID_TAG = "attributeSupportedId";
  String ATTRIBUTE_DESIGNATOR_INTEGER_TAG = "attributeDesignatorInt";
  String RESOURCE_CHILD_SUPPORTED_TAG = "resourceChildSupport";
  String RESOURCE_DESCENDANT_SUPPORTED_TAG = "resourceDescendantSupport";
