Trust, Access Control, and Rights for Web Services, Part 2 - XACML Policy Example
Listing 9.11 is a simple example that illustrates how an XACML Policy is implemented. The Policy's Target says that the Policy applies only to requests for the server called "SampleServer". The Policy has one Rule with a Target that requires an action of "login" and a Condition that applies only if the Subject is trying to log in between 9 a.m. and 5 p.m. Because the Policy uses the first-applicable rule-combining algorithm, the final "fall-through" Rule denies every request on SampleServer that the login Rule does not permit, which is the default-deny behavior you want from an access-control policy.
Listing 9.11 - XACML for SamplePolicy on SampleServer for Login Only Between 9 and 5
<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
        PolicyId="SamplePolicy"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <!-- This Policy only applies to requests on the SampleServer -->
  <Target>
    <Subjects>
      <AnySubject/>
    </Subjects>
    <Resources>
      <!-- The XACML 1.0 schema nests each ResourceMatch inside a Resource element -->
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SampleServer</AttributeValue>
          <ResourceAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
                                       AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
        </ResourceMatch>
      </Resource>
    </Resources>
    <Actions>
      <AnyAction/>
    </Actions>
  </Target>
  <!-- Rule to see if we should allow the Subject to login -->
  <Rule RuleId="LoginRule" Effect="Permit">
    <!-- Only use this Rule if the action is login -->
    <Target>
      <Subjects>
        <AnySubject/>
      </Subjects>
      <Resources>
        <AnyResource/>
      </Resources>
      <Actions>
        <!-- Likewise, each ActionMatch sits inside an Action element -->
        <Action>
          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">login</AttributeValue>
            <ActionAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
                                       AttributeId="ServerAction"/>
          </ActionMatch>
        </Action>
      </Actions>
    </Target>
    <!-- Only allow logins from 9am to 5pm. EnvironmentAttributeDesignator reads the
         current-time attribute from the request environment; time-one-and-only reduces
         that attribute bag to a single value (and yields Indeterminate if it is empty) -->
    <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-greater-than-or-equal">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
          <EnvironmentAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#time"
                                          AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"/>
        </Apply>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">09:00:00</AttributeValue>
      </Apply>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-less-than-or-equal">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
          <EnvironmentAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#time"
                                          AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"/>
        </Apply>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">17:00:00</AttributeValue>
      </Apply>
    </Condition>
  </Rule>
  <!-- We could include other Rules for different actions here -->
  <!-- A final, "fall-through" Rule that always Denies -->
  <Rule RuleId="FinalRule" Effect="Deny"/>
</Policy>
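To show how a Policy Decision Point actually walks this document, here is a small evaluator written for this page; it is an added example, not code from the book or from any XACML toolkit. It embeds Listing 9.11 (with the policy namespace declared), matches the Policy and Rule Targets, evaluates the time Condition with the four functions the listing uses, and applies first-applicable combining. The request-context shape (a dictionary from attribute id to a bag of values, built by the hypothetical request() helper) and the sample requests are assumptions of this example.

```python
# Added example: a minimal XACML 1.0 PDP for Listing 9.11 (not code from the book or from any toolkit).
import datetime as dt
import xml.etree.ElementTree as ET

FN = "urn:oasis:names:tc:xacml:1.0:function:"

# Listing 9.11, with the policy namespace declared and the schema's Resource/Action wrappers present.
POLICY = """<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy" PolicyId="SamplePolicy"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
 <Target><Subjects><AnySubject/></Subjects>
  <Resources><Resource><ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SampleServer</AttributeValue>
   <ResourceAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
    AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
  </ResourceMatch></Resource></Resources>
  <Actions><AnyAction/></Actions></Target>
 <Rule RuleId="LoginRule" Effect="Permit">
  <Target><Subjects><AnySubject/></Subjects><Resources><AnyResource/></Resources>
   <Actions><Action><ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">login</AttributeValue>
    <ActionAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="ServerAction"/>
   </ActionMatch></Action></Actions></Target>
  <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
   <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-greater-than-or-equal">
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
     <EnvironmentAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#time"
      AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"/></Apply>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">09:00:00</AttributeValue></Apply>
   <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-less-than-or-equal">
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
     <EnvironmentAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#time"
      AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"/></Apply>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">17:00:00</AttributeValue></Apply>
  </Condition>
 </Rule>
 <Rule RuleId="FinalRule" Effect="Deny"/>
</Policy>"""

def _kids(el, name):  # children by local name (ElementTree prefixes every tag with {namespace})
    return [c for c in el if c.tag.rsplit("}", 1)[-1] == name]

def _one_and_only(bag):  # an empty or multi-valued bag makes the evaluation Indeterminate
    if len(bag) != 1:
        raise ValueError("time-one-and-only: bag holds %d values" % len(bag))
    return bag[0]

FUNCTIONS = {"and": lambda *args: all(args), "time-one-and-only": _one_and_only,
             "time-greater-than-or-equal": lambda a, b: a >= b, "time-less-than-or-equal": lambda a, b: a <= b}

def _eval(expr, ctx):
    """Evaluate a Condition/Apply tree: literals, attribute bags and function calls."""
    tag = expr.tag.rsplit("}", 1)[-1]
    if tag == "AttributeValue":
        text = expr.text.strip()
        return dt.time.fromisoformat(text) if expr.get("DataType").endswith("#time") else text
    if tag.endswith("AttributeDesignator"):
        return ctx.get(expr.get("AttributeId"), [])  # designators yield a bag, possibly empty
    return FUNCTIONS[expr.get("FunctionId")[len(FN):]](*[_eval(child, ctx) for child in expr])

def _match(m, ctx, cat):
    assert m.get("MatchId") == FN + "string-equal", "only string-equal is implemented here"
    literal = _kids(m, "AttributeValue")[0].text.strip()
    attr_id = _kids(m, cat + "AttributeDesignator")[0].get("AttributeId")
    return literal in ctx.get(attr_id, [])

def _target_matches(target, ctx):
    """Subjects, Resources and Actions must all match: AnyX, or a wrapper whose Match elements all hold."""
    for cat in ("Subject", "Resource", "Action"):
        section = _kids(target, cat + "s")[0]
        if _kids(section, "Any" + cat):
            continue
        if not any(all(_match(m, ctx, cat) for m in _kids(w, cat + "Match")) for w in _kids(section, cat)):
            return False
    return True

def evaluate(policy_xml, ctx):
    """Return Permit, Deny, NotApplicable or Indeterminate using first-applicable rule combining."""
    policy = ET.fromstring(policy_xml)
    assert policy.get("RuleCombiningAlgId").endswith(":first-applicable"), "only first-applicable is implemented"
    if not _target_matches(_kids(policy, "Target")[0], ctx):
        return "NotApplicable"  # policy Target misses, e.g. a request for a different server
    for rule in _kids(policy, "Rule"):
        target, cond = _kids(rule, "Target"), _kids(rule, "Condition")
        if target and not _target_matches(target[0], ctx):
            continue  # rule Target misses: fall through to the next rule
        try:
            if cond and not _eval(cond[0], ctx):
                continue  # Condition false: this rule is NotApplicable
        except ValueError:
            return "Indeterminate"  # e.g. the request carries no current-time attribute
        return rule.get("Effect")  # the first applicable rule decides
    return "NotApplicable"

def request(server, action, now=None):
    """Constructed request context (hypothetical helper): attribute id -> bag of values; now is 'HH:MM:SS' or None."""
    ctx = {"urn:oasis:names:tc:xacml:1.0:resource:resource-id": [server], "ServerAction": [action]}
    if now is not None:
        ctx["urn:oasis:names:tc:xacml:1.0:environment:current-time"] = [dt.time.fromisoformat(now)]
    return ctx

if __name__ == "__main__":
    print(evaluate(POLICY, request("SampleServer", "login", "10:30:00")))  # Permit
    print(evaluate(POLICY, request("SampleServer", "login", "18:00:00")))  # Deny
```

Running the five kinds of request shows the decision flow the listing encodes: a login on SampleServer at 10:30 is permitted; a login at 18:00 or a "logout" action falls past LoginRule to FinalRule and is denied; a request for any other server misses the Policy Target and is NotApplicable; and a request with no current-time attribute makes time-one-and-only fail, so the result is Indeterminate rather than a silent Permit. Two points matter for a deployment: the PDP should obtain current-time itself rather than trust a value supplied by the requester, and the first-applicable Deny at the end is what turns "no rule matched" into a definite refusal.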
XACML will probably change the way security policy is built into applications and reduce the work developers have to do. Today, policy is often implicit and spread across multiple applications in the form of executable code; XACML moves it to a central point of administration, where it can be created, modified, made consistent, and analyzed for effect more easily, and by people other than the developers responsible for security policy.
The following are some XACML resources:
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml
http://sunxacml.sourceforge.net/guide.html#xacml
http://www.idevnews.com/TipsTricks.asp?ID=57
http://www.entrust.com/resources/standards/xacml.htm
This chapter is from Securing Web Services Security with WS-Security, by Jothy Rosenberg and David Remy (Sams, 2004, ISBN: 0672326515). Check it out at your favorite bookstore today.