XrML Use Case Example - Security

The following use case illustrates how to use XrML in a service-centric business model, which focuses on specifying Rights, Conditions, and metadata for services, such as Web services. In this use case, Alice pays $2 each time she uses a Web service to receive stock quotes. Figure 9.11 illustrates this use case.

Figure 9.11  Alice may use the content from a Stock Quote
Web service if she pays $2 for such use.

To specify this information in XrML, you need to

1. Identify Alice as the person to whom the Rights are granted.

2. Specify the Right that Alice is granted—the right to use the stock service.

3. Identify the Resource (the Web service) to which Alice is being granted rights.

4. Specify the Condition (the fee) that applies when Alice exercises her right to use the stock service.

Figure 9.12 illustrates the structure of Alice's license.

Figure 9.12  The XrML license for Alice's use case.

The license in Listing 9.12 illustrates how Alice's right to use a stock quote service subject to a fee could be expressed in XrML. In this example, the prefix sx: identifies elements from the standard extension. The prefix service: identifies elements from the sample service extension. The prefix stocks: refers to the WSDL definition namespace. The prefix dsig: refers to the namespace that defines XML signatures. All other elements are defined in the XrML core.

Listing 9.12 XrML Specifying Alice's Rights to Use a Fee-Based Stock Quote Service

<license>
 <grant>

<!- -
 Alice is represented as the holder of a particular key
 - ->
  <keyHolder licensePartId="Alice">
   <info>
    <dsig:KeyValue>
     <dsig:RSAKeyValue>
      <dsig:Modulus>4hre4NP7R...</dsig:Modulus>
      <dsig:Exponent>AQABAA==</dsig:Exponent>
     </dsig:RSAKeyValue>
    </dsig:KeyValue>
   </info>
  </keyHolder>

<!- -
 Alice is granted the right to use the stock quote service
 - ->
  <service:use/>

<!- -
 The stock quote service is represented with a service reference that contains
  a WSDL file
 - ->
   <serviceReference>
    <wsdl>
     <xml>
      <wsdl:definitions name="StockQuote" targetNamespace="http://
        http://www.xrml.org/examples/2001/11/wsdl-stocks/stockquote.wsdl">
       <wsdl:types>
        <xsd:schema targetNamespace="http://www.xrml.org/examples/2001/
         11/wsdl-stocks/stockquote.xsd">
         <xsd:element name="TradePriceRequest">
          <xsd:complexType>
           <xsd:all>
            <xsd:element name="tickerSymbol" type="xsd:string"/>
           </xsd:all>
          </xsd:complexType>
         </xsd:element>
         <xsd:element name="TradePrice">
          <xsd:complexType>
           <xsd:all>
            <xsd:element name="price" type="xsd:float"/>
           </xsd:all>
          </xsd:complexType>
         </xsd:element>
        </xsd:schema>
       </wsdl:types>
       <wsdl:message name="GetLastTradePriceInput">
        <wsdl:part name="body" element="stocks-xsd:TradePriceRequest"/>
       </wsdl:message>
       <wsdl:message name="GetLastTradePriceOutput">
        <wsdl:part name="body" element="stocks-xsd:TradePrice"/>
       </wsdl:message>
       <wsdl:portType name="StockQuotePortType">
        <wsdl:operation name="GetLastTradePrice">
         <wsdl:input message="stocks:GetLastTradePriceInput"/>
         <wsdl:output message="stocks:GetLastTradePriceOutput"/>
        </wsdl:operation>
       </wsdl:portType>
       <wsdl:binding name="StockQuoteSoapBinding" type="stocks:
         StockQuotePortType">
        <soap:binding style="document" transport="http://
          schemas.xmlsoap.org/soap/http"/>
        <wsdl:operation name="GetLastTradePrice">
         <soap:operation soapAction="http://example.com/
           GetLastTradePrice"/>
         <wsdl:input>
          <soap:body use="literal"/>
         </wsdl:input>
         <wsdl:output>
          <soap:body use="literal"/>
         </wsdl:output>
        </wsdl:operation>
       </wsdl:binding>
       <wsdl:service name="StockQuoteService">
        <wsdl:documentation>My first service</wsdl:documentation>
        <wsdl:port name="StockQuotePort" binding=
         "stocks:StockQuoteSoapBinding">
         <soap:address location="http://example.com/stockquote"/>
        </wsdl:port>
       </wsdl:service>
      </wsdl:definitions>
     </xml>
    </wsdl>
    <service>stocks:StockQuoteService</service>
    <portType>stocks:StockQuotePortType</portType>
   </serviceReference>

<!- -
 Alice pays $2.00 each time she exercises her right to use the stock
  quote service
 - ->
   <sx:fee>
    <sx:paymentPerUse>
     <sx:rate>
      <sx:amount>2.00</sx:amount>
      <sx:currency>US</sx:currency>
     </sx:rate>
    </sx:paymentPerUse>
    <sx:to>
     <sx:aba>
      <sx:institution>13937151</sx:institution>
      <sx:account>4281938823</sx:account>
     </sx:aba>
    </sx:to>
   </sx:fee>
 </grant>
</license>

The following are some XrML resources:

http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=rights

http://www.xrml.org/

http://xml.coverpages.org/xrml.html

http://www.giantstepsmts.com/DRM%20Watch/xrml20.htm

---

SAML, XACML, XrML: Overlapping Standards? - XACML and XrML both deal with authorization. They share requirements from many of the same application domains. Both share the same concepts but use different terms. Both are based on XML Schema.

Both SAML and XrML have the concept of attribute assertion. In SAML it's just an Attribute, whereas in XrML it's based on the PossessProperty construct.

Both XACML and XrML deal with an authorization policy. In XACML it's just Policy, whereas in XrML its part of the License construct.

XrML operates in terms of licenses and rights. XACML operates in terms of policies. But attributes can seem like rights.

XACML is consistent with and builds on SAML. XrML may be focused more tightly on the specific issues of Digital Rights Management. In the meantime, however, the overlap is confusing; OASIS knows this and claims to be trying to make sense of it.

Because it is trivial to write an XSLT transform for an SAML:Request into XACML:Context, it follows that the two are closely related.

It is also interesting to note that SAML's PDP is implemented with XACML. Figure 9.13 shows how SAML depends on XACML.

Figure 9.13  How SAML PDPs communicate policy using XACML.

What does all of this overlap portend? It's hard to say, but OASIS is trying to simplify matters. There are always the politics of standards with territories that need to be protected, so expect this situation to take quite some time to settle.

---