
XACML Policy Example - Security

Web services themselves provide a powerful new approach to PKI that prevents each Web service requestor and provider from having to build their own PKI: accessing a trusted PKI as a service. XKMS aims to do just that. This is part 2 of chapter 9 from Securing Web Services with WS-Security, by Rosenberg and Remy (ISBN 0672326515, SAMS, 2004).

TABLE OF CONTENTS:
  1. Trust, Access Control, and Rights for Web Services, Part 2
  2. The XKMS Services
  3. X-KRSS
  4. eXtensible Access Control Markup Language (XACML) Specification
  5. The XACML Data Model
  6. XACML Policy Example
  7. eXtensible Rights Markup Language (XrML) Management Specification
  8. XrML Use Case Example
  9. Summary
By: Sams Publishing
October 12, 2004


Listing 9.11 is a simple example that illustrates how an XACML Policy is written. The Policy's Target says that the Policy applies only to requests for the server called "SampleServer". The Policy has a Rule whose Target requires an action of "login" and whose Condition holds only if the Subject is trying to log in between 9 a.m. and 5 p.m.

Listing 9.11 - XACML for SamplePolicy on SampleServer for Login Only Between 9 and 5

 <!-- XACML 1.0 policy namespace -->
 <Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
         PolicyId="SamplePolicy"
         RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">

  <!-- This Policy only applies to requests on the SampleServer -->
  <Target>
   <Subjects>
    <AnySubject/>
   </Subjects>
   <Resources>
    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SampleServer</AttributeValue>
     <ResourceAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
                                  AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
    </ResourceMatch>
   </Resources>
   <Actions>
    <AnyAction/>
   </Actions>
  </Target>

  <!-- Rule to see if we should allow the Subject to login -->
  <Rule RuleId="LoginRule" Effect="Permit">

   <!-- Only use this Rule if the action is login.
        ServerAction is an application-defined AttributeId, not one of the
        standard XACML action attributes. -->
   <Target>
    <Subjects>
     <AnySubject/>
    </Subjects>
    <Resources>
     <AnyResource/>
    </Resources>
    <Actions>
     <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">login</AttributeValue>
      <ActionAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
                                 AttributeId="ServerAction"/>
     </ActionMatch>
    </Actions>
   </Target>

   <!-- Only allow logins from 9am to 5pm, inclusive at both ends.
        Environment attributes are read with EnvironmentAttributeDesignator,
        which returns a bag; time-one-and-only unwraps the bag and is an
        error (Indeterminate) unless the bag holds exactly one value. -->
   <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-greater-than-or-equal">
     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
      <EnvironmentAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#time"
                                      AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"/>
     </Apply>
     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">09:00:00</AttributeValue>
    </Apply>
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-less-than-or-equal">
     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
      <EnvironmentAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#time"
                                      AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"/>
     </Apply>
     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">17:00:00</AttributeValue>
    </Apply>
   </Condition>

  </Rule>

  <!-- We could include other Rules for different actions here -->

  <!-- A final, "fall-through" Rule that always Denies. It has no Target and
       no Condition, so under first-applicable it catches every request the
       Policy applies to that no earlier Rule permitted. -->
  <Rule RuleId="FinalRule" Effect="Deny"/>

 </Policy>
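To see how the Policy above actually decides, here is an added example (not code from the book or from any XACML engine) that transcribes Listing 9.11 into a small Python decision function; the request shape and the helper names are assumptions. It also handles one case the listing implies but does not spell out: a current-time bag with zero or several values makes time-one-and-only, and therefore the Policy, Indeterminate.

```python
from datetime import time

# Added example (not from the book or any XACML engine): Listing 9.11 transcribed
# into Python so first-applicable combining and the 9-to-5 Condition can be run
# against constructed requests; current-time is a bag (list), as in XACML.
PERMIT, DENY = "Permit", "Deny"
NOT_APPLICABLE, INDETERMINATE = "NotApplicable", "Indeterminate"

def request(resource_id, server_action, *clock_values):
    """Constructed request context; clock values are 'HH:MM:SS' as in the listing."""
    return {"resource-id": resource_id, "ServerAction": server_action,
            "current-time": [time.fromisoformat(v) for v in clock_values]}

def policy_target(req):
    # Policy <Target>: AnySubject, resource-id string-equal "SampleServer", AnyAction
    return req["resource-id"] == "SampleServer"

def login_rule_target(req):
    # LoginRule <Target>: ServerAction string-equal "login"
    return req["ServerAction"] == "login"

def login_rule_condition(req):
    # and(time-greater-than-or-equal(one-and-only(current-time), 09:00:00),
    #     time-less-than-or-equal(one-and-only(current-time), 17:00:00));
    # time-one-and-only fails unless the bag holds exactly one value, which makes
    # the Rule, and under first-applicable the Policy, Indeterminate.
    bag = req["current-time"]
    if len(bag) != 1:
        return INDETERMINATE
    return time(9, 0, 0) <= bag[0] <= time(17, 0, 0)

# Rules in document order as (id, target, condition, effect). FinalRule has no
# Target and no Condition, so it applies to every request that reaches it.
RULES = [
    ("LoginRule", login_rule_target, login_rule_condition, PERMIT),
    ("FinalRule", lambda req: True, lambda req: True, DENY),
]

def evaluate(req):
    """first-applicable: Effect of the first Rule whose Target and Condition both hold."""
    if not policy_target(req):
        return NOT_APPLICABLE
    for _rule_id, target, condition, effect in RULES:
        if not target(req):
            continue
        outcome = condition(req)
        if outcome == INDETERMINATE:
            return INDETERMINATE
        if outcome:
            return effect
    return NOT_APPLICABLE
```

Because FinalRule is unconditional, a "logout" request on SampleServer is denied rather than NotApplicable, and a login at 18:00 is denied by FinalRule, not by LoginRule; under first-applicable it is the document order of the Rules that makes the fall-through work, so moving FinalRule above LoginRule would deny everything.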

XACML will probably change the way security policy is built into applications, reducing the work that falls on developers. Policy that today is implicit, spread across multiple applications in the form of executable code, would instead be brought to a central point of administration, where it can be created, modified, made consistent, and analyzed for effect more easily, and by people other than the developers responsible for security policy.

The following are some XACML resources:

http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml

http://sunxacml.sourceforge.net/guide.html#xacml

http://www.idevnews.com/TipsTricks.asp?ID=57

http://www.entrust.com/resources/standards/xacml.htm

This chapter is from Securing Web Services with WS-Security, by Jothy Rosenberg and David Remy (Sams, 2004, ISBN: 0672326515).
