Versions Compared

Old Version 1

changes.mady.by.user Former user

Saved on

compared with

New Version 2

changes.mady.by.user Former user

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Here is an example of an XACML policy which addresses the following requirement: a given resource can be accessed only by a user belonging to a particular role, and all requests to access any other resource should fail.

...

<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os" PolicyId="urn:sample:xacml:2.0:samplepolicy"

...

RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable

...

">
<Description>Sample XACML Authorization Policy</Description>
<Target></Target>
<Rule Effect="Permit"

...

RuleId="primary-group-rule">

...


<Target>
<Resources>
<Resource>
<ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">

...


<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string"

...

>http://localhost:8280/services/echo/

...

</AttributeValue>

...


<ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"

...

DataType="http://www.w3.org/2001/XMLSchema#string"

...

></ResourceAttributeDesignator>
</ResourceMatch>

...


</Resource>

...


</Resources>

...


<Actions>
<Action>
<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">

...


<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>

...


<ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"

...

DataType="http://www.w3.org/2001/XMLSchema#string"

...

></ActionAttributeDesignator>
</ActionMatch>

...


</Action>

...


</Actions>

...


</Target>

...


<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">

...


<Apply

...

FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">

...


<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>

...


</Apply>

...


<SubjectAttributeDesignator

...

AttributeId="group"

...

DataType="http://www.w3.org/2001/XMLSchema#string"

...

></SubjectAttributeDesignator>
</Apply>

...


</Condition>

...


</Rule>

...


<Rule

...

Effect="Deny"

...

RuleId="deny-rule"

...

></

...

The following are a few valid requests which will result in "Permit/Not Applicable/Deny" once evaluated against the above policy.

The first XACML request

  • Resource - http://localhost:8280/services/echo/
  • User - "admin" belongs only to the "admin" group
  • Result - Permit
Code Block

<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
     <Subject>
      <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
       DataType="http://www.w3.org/2001/XMLSchema#string">
       <AttributeValue>admin</AttributeValue>
      </Attribute>
      <Attribute AttributeId="group"
       DataType="http://www.w3.org/2001/XMLSchema#string">
       <AttributeValue>admin</AttributeValue>
      </Attribute>
     </Subject>
     <Resource>
      <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
       DataType="http://www.w3.org/2001/XMLSchema#string">
       <AttributeValue>http://localhost:8280/services/echo/</AttributeValue>
      </Attribute>
     </Resource>
     <Action>
      <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
       DataType="http://www.w3.org/2001/XMLSchema#string">
       <AttributeValue>read</AttributeValue>
      </Attribute>
     </Action>
     <Environment />
    </Request>

The Second XACML request

  • Resource - http://localhost:8280/services/echo/
  • User - "admin" belongs to the "admin" group and the "business" group
  • Result - Permit
Code Block

<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
     <Subject>
      <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
       DataType="http://www.w3.org/2001/XMLSchema#string">
       <AttributeValue>admin</AttributeValue>
      </Attribute>
      <Attribute AttributeId="group"
       DataType="http://www.w3.org/2001/XMLSchema#string">
       <AttributeValue>admin</AttributeValue>
      </Attribute>
      <Attribute AttributeId="group"
       DataType="http://www.w3.org/2001/XMLSchema#string">
       <AttributeValue>business</AttributeValue>
      </Attribute>
     </Subject>
     <Resource>
      <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
       DataType="http://www.w3.org/2001/XMLSchema#string">
       <AttributeValue>http://localhost:8280/services/echo/</AttributeValue>
      </Attribute>
     </Resource>
     <Action>
      <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
       DataType="http://www.w3.org/2001/XMLSchema#string">
       <AttributeValue>read</AttributeValue>
      </Attribute>
     </Action>
     <Environment />
    </Request>

The third XACML request

  • Resource - http://localhost:8280/services/test/
  • User - "admin" belongs to the "admin" group
  • Result - Deny
Code Block

<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
     <Subject>
      <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
       DataType="http://www.w3.org/2001/XMLSchema#string">
       <AttributeValue>admin</AttributeValue>
      </Attribute>
      <Attribute AttributeId="group"
       DataType="http://www.w3.org/2001/XMLSchema#string">
       <AttributeValue>admin</AttributeValue>
      </Attribute>
     </Subject>
     <Resource>
      <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
       DataType="http://www.w3.org/2001/XMLSchema#string">
       <AttributeValue>http://localhost:8280/services/test/</AttributeValue>
      </Attribute>
     </Resource>
     <Action>
      <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
       DataType="http://www.w3.org/2001/XMLSchema#string">
       <AttributeValue>read</AttributeValue>
      </Attribute>
     </Action>
     <Environment />
    </Request>

The forth XACML request

  • Resource - http://localhost:8280/services/echo/
  • User - "admin" belongs to the "business" group
  • Result - Deny
Code Block

<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
     <Subject>
      <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
       DataType="http://www.w3.org/2001/XMLSchema#string">
       <AttributeValue>admin</AttributeValue>
      </Attribute>
      <Attribute AttributeId="group"
       DataType="http://www.w3.org/2001/XMLSchema#string">
       <AttributeValue>business</AttributeValue>
      </Attribute>
     </Subject>
     <Resource>
      <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
       DataType="http://www.w3.org/2001/XMLSchema#string">
       <AttributeValue>http://localhost:8280/services/echo/</AttributeValue>
      </Attribute>
     </Resource>
     <Action>
      <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
       DataType="http://www.w3.org/2001/XMLSchema#string">
       <AttributeValue>read</AttributeValue>
      </Attribute>
     </Action>
     <Environment />
    </Request>

Excerpt

hiddentrue
Instructions on how to write XACML policies in WSO2 Identity Server. Part 2.Rule>
</Policy>