Page Comparison

Here is an example of an XACML policy which addresses the following requirement: a given resource can be accessed only by a user belonging to a particular role, and all requests to access any other resource should fail.

Code Block


<Policy<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"  PolicyId="urn:sample:xacml:2.0:samplepolicy"
 RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
 xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os">  <Description>Sample XACML Authorization Policy</Description>

<Target>   <Subjects>
   <AnySubject />
  </Subjects><Target></Target>
  <Actions>    <AnyAction />
  </Actions>
  <Resources>
   <AnyResource />
  </Resources>
 </Target>
 <Rule Effect="Permit" RuleId="primary-group-rule">
      <Target>
   <Subjects>      <AnySubject<Resources>
/>    </Subjects>    <Resources>    <Resource>
         <ResourceMatch      <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/echo/</AttributeValue>
      </AttributeValue>      <ResourceAttributeDesignator      <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"       DataType="http://www.w3.org/2001/XMLSchema#string" />></ResourceAttributeDesignator>
               </ResourceMatch>
            </Resource>
         </Resources>
         <Actions>
            <Action>
               <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
        <ActionAttributeDesignator          <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
       DataType="http://www.w3.org/2001/XMLSchema#string" />></ActionAttributeDesignator>
               </ActionMatch>
            </Action>
         </Actions>
      </Target>
      <Condition>
         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
            </Apply>
            <SubjectAttributeDesignator AttributeId="group"      DataType="http://www.w3.org/2001/XMLSchema#string" />></SubjectAttributeDesignator>
         </Apply>
      </Condition>
   </Rule>
   <Rule Effect="Deny" RuleId="deny-rule" ></>Rule>
</Policy>

The following are a few valid requests which will result in "Permit/Not Applicable/Deny" once evaluated against the above policy.

The first XACML request

Resource - http://localhost:8280/services/echo/
User - "admin" belongs only to the "admin" group
Result - Permit

Code Block


<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
     <Subject>
      <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
       DataType="http://www.w3.org/2001/XMLSchema#string">
       <AttributeValue>admin</AttributeValue>
      </Attribute>
      <Attribute AttributeId="group"
       DataType="http://www.w3.org/2001/XMLSchema#string">
       <AttributeValue>admin</AttributeValue>
      </Attribute>
     </Subject>
     <Resource>
      <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
       DataType="http://www.w3.org/2001/XMLSchema#string">
       <AttributeValue>http://localhost:8280/services/echo/</AttributeValue>
      </Attribute>
     </Resource>
     <Action>
      <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
       DataType="http://www.w3.org/2001/XMLSchema#string">
       <AttributeValue>read</AttributeValue>
      </Attribute>
     </Action>
     <Environment />
    </Request>

The Second XACML request

Resource - http://localhost:8280/services/echo/
User - "admin" belongs to the "admin" group and the "business" group
Result - Permit

Code Block


<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
     <Subject>
      <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
       DataType="http://www.w3.org/2001/XMLSchema#string">
       <AttributeValue>admin</AttributeValue>
      </Attribute>
      <Attribute AttributeId="group"
       DataType="http://www.w3.org/2001/XMLSchema#string">
       <AttributeValue>admin</AttributeValue>
      </Attribute>
      <Attribute AttributeId="group"
       DataType="http://www.w3.org/2001/XMLSchema#string">
       <AttributeValue>business</AttributeValue>
      </Attribute>
     </Subject>
     <Resource>
      <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
       DataType="http://www.w3.org/2001/XMLSchema#string">
       <AttributeValue>http://localhost:8280/services/echo/</AttributeValue>
      </Attribute>
     </Resource>
     <Action>
      <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
       DataType="http://www.w3.org/2001/XMLSchema#string">
       <AttributeValue>read</AttributeValue>
      </Attribute>
     </Action>
     <Environment />
    </Request>

The third XACML request

Resource - http://localhost:8280/services/test/
User - "admin" belongs to the "admin" group
Result - Deny

Code Block


<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
     <Subject>
      <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
       DataType="http://www.w3.org/2001/XMLSchema#string">
       <AttributeValue>admin</AttributeValue>
      </Attribute>
      <Attribute AttributeId="group"
       DataType="http://www.w3.org/2001/XMLSchema#string">
       <AttributeValue>admin</AttributeValue>
      </Attribute>
     </Subject>
     <Resource>
      <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
       DataType="http://www.w3.org/2001/XMLSchema#string">
       <AttributeValue>http://localhost:8280/services/test/</AttributeValue>
      </Attribute>
     </Resource>
     <Action>
      <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
       DataType="http://www.w3.org/2001/XMLSchema#string">
       <AttributeValue>read</AttributeValue>
      </Attribute>
     </Action>
     <Environment />
    </Request>

The forth XACML request

Resource - http://localhost:8280/services/echo/
User - "admin" belongs to the "business" group
Result - Deny

Code Block


<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
     <Subject>
      <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
       DataType="http://www.w3.org/2001/XMLSchema#string">
       <AttributeValue>admin</AttributeValue>
      </Attribute>
      <Attribute AttributeId="group"
       DataType="http://www.w3.org/2001/XMLSchema#string">
       <AttributeValue>business</AttributeValue>
      </Attribute>
     </Subject>
     <Resource>
      <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
       DataType="http://www.w3.org/2001/XMLSchema#string">
       <AttributeValue>http://localhost:8280/services/echo/</AttributeValue>
      </Attribute>
     </Resource>
     <Action>
      <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
       DataType="http://www.w3.org/2001/XMLSchema#string">
       <AttributeValue>read</AttributeValue>
      </Attribute>
     </Action>
     <Environment />
    </Request>

Excerpt

hidden	true

Instructions on how to write XACML policies in WSO2 Identity Server. Part 2.

Versions Compared

Old Version 1

New Version Current

Key

The first XACML request

The Second XACML request

The third XACML request

The forth XACML request