Thursday, November 11, 2010

Guide to write XACML policies in WSO2 Identity Server - Part - 2

This blog post is a follow-up to Guide to write XACML policies in WSO2 Identity Server 2.0 - Part - I. The following posts are useful background as well:

- Using XACML Fine Grained Authorization with the WSO2 Product Platform
- Identity Server 2.0 as an XACML engine
- Anatomy of the XACML Request

Here I present an XACML policy that addresses the following requirement:

"A given resource can be accessed only by users belonging to a particular role, and all requests to any other resource should fail."
<Policy PolicyId="urn:sample:xacml:2.0:samplepolicy"
 RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
 xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
 <Description>Sample XACML Authorization Policy</Description>
 <Target>
  <Subjects>
   <AnySubject />
  </Subjects>
  <Actions>
   <AnyAction />
  </Actions>
  <Resources>
   <AnyResource />
  </Resources>
 </Target>
 <Rule Effect="Permit" RuleId="primary-group-rule">
  <Target>
   <Subjects>
    <AnySubject />
   </Subjects>
   <Resources>
    <Resource>
     <ResourceMatch
      MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/echo/</AttributeValue>
      <ResourceAttributeDesignator
       AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
       DataType="http://www.w3.org/2001/XMLSchema#string" />
     </ResourceMatch>
    </Resource>
   </Resources>
   <Actions>
    <Action>
     <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
      <ActionAttributeDesignator
       AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
       DataType="http://www.w3.org/2001/XMLSchema#string" />
     </ActionMatch>
    </Action>
   </Actions>
  </Target>
  <Condition>
   <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
    </Apply>
    <SubjectAttributeDesignator AttributeId="group"
     DataType="http://www.w3.org/2001/XMLSchema#string" />
   </Apply>
  </Condition>
 </Rule>
 <Rule Effect="Deny" RuleId="deny-rule" />
</Policy>
Before looking at requests, note how the policy evaluates. Its own Target (AnySubject, AnyAction, AnyResource) matches every request, so the decision always comes from the rules, combined with first-applicable. The Permit rule applies when the resource-id matches the echo URL, the action-id equals read, and the bag {admin} is a string-subset of the subject's group attribute values, that is, the user carries the admin group whatever other groups are present. The trailing Deny rule has no Target and no Condition, so it applies to every request the Permit rule does not. Two things to check before reusing the policy: the MatchId string-regexp-match is the spelling the Identity Server accepts, whereas the XACML 2.0 specification names this function urn:oasis:names:tc:xacml:1.0:function:regexp-string-match, so a strictly conforming PDP may reject it; and the attribute value is a regular expression, not a literal. XACML defines the match in terms of XPath fn:matches, so it is unanchored, "." matches any character, and a resource-id such as http://localhost:8280/services/echo/anything also matches. Use string-equal, or anchor and escape the pattern, when only the exact resource should be permitted, and keep the pattern on a single line, since whitespace inside AttributeValue is part of the xs:string value.

Following are a few valid requests that evaluate to Permit or Deny against the above policy; none reaches NotApplicable, because the Deny rule catches everything the Permit rule does not.

XACML request - 1
Resource : http://localhost:8280/services/echo/
User : "admin" belongs only to "admin" group
Result : Permit
<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <Subject>
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
   DataType="http://www.w3.org/2001/XMLSchema#string">
   <AttributeValue>admin</AttributeValue>
  </Attribute>
  <Attribute AttributeId="group"
   DataType="http://www.w3.org/2001/XMLSchema#string">
   <AttributeValue>admin</AttributeValue>
  </Attribute>
 </Subject>
 <Resource>
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
   DataType="http://www.w3.org/2001/XMLSchema#string">
   <AttributeValue>http://localhost:8280/services/echo/</AttributeValue>
  </Attribute>
 </Resource>
 <Action>
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
   DataType="http://www.w3.org/2001/XMLSchema#string">
   <AttributeValue>read</AttributeValue>
  </Attribute>
 </Action>
 <Environment />
</Request> 

XACML request - 2
Resource : http://localhost:8280/services/echo/
User : "admin" belongs to "admin" group and "business" group
Result : Permit
<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <Subject>
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
   DataType="http://www.w3.org/2001/XMLSchema#string">
   <AttributeValue>admin</AttributeValue>
  </Attribute>
  <Attribute AttributeId="group"
   DataType="http://www.w3.org/2001/XMLSchema#string">
   <AttributeValue>admin</AttributeValue>
  </Attribute>
  <Attribute AttributeId="group"
   DataType="http://www.w3.org/2001/XMLSchema#string">
   <AttributeValue>business</AttributeValue>
  </Attribute>
 </Subject>
 <Resource>
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
   DataType="http://www.w3.org/2001/XMLSchema#string">
   <AttributeValue>http://localhost:8280/services/echo/</AttributeValue>
  </Attribute>
 </Resource>
 <Action>
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
   DataType="http://www.w3.org/2001/XMLSchema#string">
   <AttributeValue>read</AttributeValue>
  </Attribute>
 </Action>
 <Environment />
</Request>

XACML request - 3
Resource : http://localhost:8280/services/test/
User : "admin" belongs to "admin" group
Result : Deny
<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <Subject>
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
   DataType="http://www.w3.org/2001/XMLSchema#string">
   <AttributeValue>admin</AttributeValue>
  </Attribute>
  <Attribute AttributeId="group"
   DataType="http://www.w3.org/2001/XMLSchema#string">
   <AttributeValue>admin</AttributeValue>
  </Attribute>
 </Subject>
 <Resource>
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
   DataType="http://www.w3.org/2001/XMLSchema#string">
   <AttributeValue>http://localhost:8280/services/test/</AttributeValue>
  </Attribute>
 </Resource>
 <Action>
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
   DataType="http://www.w3.org/2001/XMLSchema#string">
   <AttributeValue>read</AttributeValue>
  </Attribute>
 </Action>
 <Environment />
</Request>

XACML request - 4
Resource : http://localhost:8280/services/echo/
User : "admin" belongs to "business" group
Result : Deny
<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <Subject>
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
   DataType="http://www.w3.org/2001/XMLSchema#string">
   <AttributeValue>admin</AttributeValue>
  </Attribute>
  <Attribute AttributeId="group"
   DataType="http://www.w3.org/2001/XMLSchema#string">
   <AttributeValue>business</AttributeValue>
  </Attribute>
 </Subject>
 <Resource>
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
   DataType="http://www.w3.org/2001/XMLSchema#string">
   <AttributeValue>http://localhost:8280/services/echo/</AttributeValue>
  </Attribute>
 </Resource>
 <Action>
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
   DataType="http://www.w3.org/2001/XMLSchema#string">
   <AttributeValue>read</AttributeValue>
  </Attribute>
 </Action>
 <Environment />
</Request>
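The four decisions above can be checked without a running Identity Server. The script below is an added example, not WSO2 or Sun XACML code: a toy evaluator in Python that implements only the constructs this policy uses (first-applicable combining, AnySubject/AnyResource/AnyAction targets, string-equal and string-regexp-match target matches, and a string-subset condition over a string-bag), embeds a compacted copy of the policy, and builds the four requests programmatically from constructed (subject, groups, resource, action) tuples. Regexp matching follows the XACML 2.0 definition via XPath fn:matches (a match anywhere in the value counts); everything else a real PDP does (Indeterminate results, MustBePresent, obligations, other combining algorithms, other data types) is deliberately left out.

```python
# Toy XACML 2.0 evaluator covering only the constructs the sample policy uses. This is an
# added example, not WSO2 or Sun XACML code: it reproduces the four decisions in the post offline.
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

P = "{urn:oasis:names:tc:xacml:2.0:policy:schema:os}"   # policy namespace
C = "{urn:oasis:names:tc:xacml:2.0:context:schema:os}"  # request (context) namespace
F = "urn:oasis:names:tc:xacml:1.0:function:"
XS = "http://www.w3.org/2001/XMLSchema#string"
SUB_ID, RES_ID, ACT_ID = (f"urn:oasis:names:tc:xacml:1.0:{c}:{c}-id" for c in ("subject", "resource", "action"))
ECHO = "http://localhost:8280/services/echo/"

POLICY = f"""<Policy PolicyId="urn:sample:xacml:2.0:samplepolicy" xmlns="{P[1:-1]}"
 RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
 <Target><Subjects><AnySubject/></Subjects><Actions><AnyAction/></Actions><Resources><AnyResource/></Resources></Target>
 <Rule Effect="Permit" RuleId="primary-group-rule">
  <Target><Subjects><AnySubject/></Subjects>
   <Resources><Resource><ResourceMatch MatchId="{F}string-regexp-match">
    <AttributeValue DataType="{XS}">{ECHO}</AttributeValue>
    <ResourceAttributeDesignator AttributeId="{RES_ID}" DataType="{XS}"/></ResourceMatch></Resource></Resources>
   <Actions><Action><ActionMatch MatchId="{F}string-equal"><AttributeValue DataType="{XS}">read</AttributeValue>
    <ActionAttributeDesignator AttributeId="{ACT_ID}" DataType="{XS}"/></ActionMatch></Action></Actions></Target>
  <Condition><Apply FunctionId="{F}string-subset">
   <Apply FunctionId="{F}string-bag"><AttributeValue DataType="{XS}">admin</AttributeValue></Apply>
   <SubjectAttributeDesignator AttributeId="group" DataType="{XS}"/></Apply></Condition>
 </Rule>
 <Rule Effect="Deny" RuleId="deny-rule"/>
</Policy>"""

def make_request(subject, groups, resource, action):
    """Build a XACML 2.0 <Request> shaped like the ones in the post (constructed input)."""
    def attr(attribute_id, value):
        return (f'<Attribute AttributeId="{attribute_id}" DataType="{XS}">'
                f"<AttributeValue>{escape(value)}</AttributeValue></Attribute>")
    subject_attrs = attr(SUB_ID, subject) + "".join(attr("group", g) for g in groups)  # one per group
    return (f'<Request xmlns="{C[1:-1]}"><Subject>{subject_attrs}</Subject>'
            f"<Resource>{attr(RES_ID, resource)}</Resource><Action>{attr(ACT_ID, action)}</Action>"
            "<Environment/></Request>")

def bag(request, category, attribute_id):
    """Every value of attribute_id under <Subject>/<Resource>/<Action>; empty bag if absent."""
    return [v.text or "" for holder in request.iter(C + category)
            for a in holder.findall(C + "Attribute") if a.get("AttributeId") == attribute_id
            for v in a.findall(C + "AttributeValue")]

MATCH_FUNCTIONS = {
    F + "string-equal": lambda literal, value: literal == value,
    # XACML 2.0 defines regexp matching via XPath fn:matches: true if any substring matches.
    F + "string-regexp-match": lambda literal, value: re.search(literal, value) is not None,
}

def target_matches(target, request):
    """<Target>: categories are ANDed, <Resource>/<Action> alternatives ORed, *Match children ANDed."""
    for category in ("Subject", "Resource", "Action"):
        section = target.find(P + category + "s")
        if section is None or section.find(P + "Any" + category) is not None:
            continue                                    # <AnySubject/> etc. matches every request
        def one(m):                                     # one <ResourceMatch>, <ActionMatch>, ...
            designator = m.find(P + category + "AttributeDesignator")
            literal = m.find(P + "AttributeValue").text
            func = MATCH_FUNCTIONS[m.get("MatchId")]    # an empty request bag never matches
            return any(func(literal, v) for v in bag(request, category, designator.get("AttributeId")))
        if not any(all(one(m) for m in alt.findall(P + category + "Match"))
                   for alt in section.findall(P + category)):
            return False
    return True

def evaluate(expr, request):
    """Evaluate the expression subset used by the sample <Condition>."""
    tag = expr.tag[len(P):]
    if tag == "AttributeValue":
        return expr.text
    if tag.endswith("AttributeDesignator"):            # -> bag of the request's attribute values
        return bag(request, tag[:-len("AttributeDesignator")], expr.get("AttributeId"))
    args = [evaluate(child, request) for child in expr]
    func = expr.get("FunctionId")
    if func == F + "string-bag":
        return args
    if func == F + "string-subset":                     # every value of bag A is in bag B
        return set(args[0]) <= set(args[1])
    raise NotImplementedError(func)

def decide(policy_xml, request_xml):
    """first-applicable: the first rule whose target and condition both hold decides."""
    policy, request = ET.fromstring(policy_xml), ET.fromstring(request_xml)
    if not target_matches(policy.find(P + "Target"), request):
        return "NotApplicable"
    for rule in policy.findall(P + "Rule"):
        target, condition = rule.find(P + "Target"), rule.find(P + "Condition")
        if target is not None and not target_matches(target, request):
            continue                                    # rule target did not match
        if condition is not None and not evaluate(condition[0], request):
            continue                                    # condition evaluated to false
        return rule.get("Effect")
    return "NotApplicable"

if __name__ == "__main__":                              # the four requests from the post
    for n, groups, resource in ((1, ["admin"], ECHO), (2, ["admin", "business"], ECHO),
                                (3, ["admin"], ECHO.replace("echo", "test")), (4, ["business"], ECHO)):
        print(f"XACML request - {n}:", decide(POLICY, make_request("admin", groups, resource, "read")))
```

Run it directly to print the four decisions. Because the ResourceMatch value is an unanchored regular expression, the evaluator also returns Permit for a resource-id such as http://localhost:8280/services/echo/anything; change that MatchId to string-equal in POLICY and the same request becomes Deny, which is the quickest way to see why the choice of match function matters for this policy.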

3 comments:

Amila Suriarachchi said...

"A given resource can be accessed only by any user belong to a particular role and all the requests to any other resource other than this should fail"

In the given XACML policy XML you have implemented this by declaring a target with AnyUser and adding a condition to handle the role part. In other words it says any user can access as far as the user group attribute is admin.

Isn't it more appropriate to write this as given here [1]? As I understood, in this way it is possible to directly say the user should be in a particular role.

I feel condition may be something that goes beyond the conventional security model. In the given article it has given these two examples.
1. Allow access to this web resource to employees who are active and between the business hours of 9am-5pm on Mondays through Thursday and 9am -2pm on Fridays and no access on weekends.
2. Do not allow access to this EJB application from this particular subnet.


[1] http://server.dzone.com/articles/security-features-jboss-510-1

Prabath said...

Hi Amila,

The other policy given in your comment caters to a different purpose.


It takes the subject as the point of restriction, and my example takes the resource as the restriction point.

Amila Suriarachchi said...

yes that is true.

Is there a standard to map attribute "group" to role?

If we put that JBoss XACML policy into Identity Server, I think that would work since user role is defined using an XACML standard type (urn:oasis:names:tc:xacml:2.0:subject:role). Would the same thing apply for the group attribute?

I got these term definitions from the XACML spec.

Target - The set of decision requests, identified by definitions for resource, subject and action, that a rule, policy or policy set is intended to evaluate

Decision request - The request by a PEP to a PDP to render an authorization decision

The Condition element is a Boolean function over subject, resource, action and environment attributes or functions of attributes.

When I looked into these, what came to my mind was the normal authorization manager which should have the function isAuthorized(Subject, Resource, Action). It seems XACML has extended it as isAuthorized(Subject, Resource, Action, Condition).

For me it is easy to analyse a system in this way and write XACML policies since that is what I used to do. Maybe the link I gave has been done along this line of thinking.

Before I read your blog I did not know anything about XACML and I learned a lot from your blog.
Thanks a lot.