F a c i l e L o g i n

Identity patterns and anti-patterns in real world web services

2009-12-03T19:49:00.001+05:30

@ Apache Asia Roadshow 2009 ~ Colombo ~ 03rd Nov

Identity patterns and anit-patterns in real world web services

Blog from your iPhone / iPod

2009-11-29T18:56:00.002+05:30

BlogPress is a nice free tool you can use to blog from your iPod/iPhone it self - if this appears on my blog - then it works :)

Manage your EC2 instances from your iPhone / iPod

2009-11-28T20:03:00.002+05:30

I came accross this nice app for iPhone / iPod Touch - which helps you connecting to Amazon Cloud- and it's FREE.

Only weekness was - the way it accepts credentials - one way it's more convenient - but in other, you have to pass your credentias over the network in cleartext - and the app will store those internally.

Google Caffaine

2009-11-27T09:41:00.002+05:30

Caffaine is the codename of the new, upgraded version of Google search engine.

This explains how it performs against the old one.

If you want to have an early look hear are the steps.

Adding DZone to iPhone / iPod Touch

2009-11-21T21:49:00.004+05:30

I was looking for an aplication or an add-on to iPod/Safari where I could post a link to DZone - from the corresponding web site it self.

Failing to find one - I followed the following work-around - which worked perfectly for me - so, thought of sharng it for the benefit of others.

1. Open up Safari and go to http://www.dzone.com

2. Add a bookmark to it - and set the Title of the bookmark as - 'Submit to DZone'

3. Now - tap on the Bookmarks link, as in the image shown below - click 'Edit' and select 'Submit to DZone'.

4. Remove the current Address of the 'Submit to DZone' bookmark and set the following..

javascript:window.loaction='http://www.dzone.com/links/add.html?url='+escape(window.location)+'&title='+escape(document.title)+'&description='+escape(document.title)

5. Now - go to any web site you want - and to submit that link to DZone - just tap on the Bookmarks link on the bottom of the browser and select 'Submit to DZone'.

First look at Google Chrome OS

2009-11-21T08:58:00.003+05:30

First we need to download the Chrome OS VMWare image from here.

To run this - we need to have VMWare Workstation - a 7 days trial version availbale from here to download.

Now - you need to wait hours and hours to get the trial version license key from VMWare. Instead of that use this - M142T-1034J-M8280-0KA8H-A49PC. If you are curious about this - here is the news behind that.

All set - setup your image with the VMWare Workstaion - steps here.

That's it - now you can login with your GMail account to your OS :)

Not bad at all - how about using an OpenID instead...

Read this for more info - "11 Things You Need to Know About Google's Chrome OS".

http://RampartFAQ.COM

2009-11-20T06:41:00.004+05:30

We started with http://RampartFAQ.COM few months back as an effort towards helping the open source community around axis2/rampart. This post summarises all the posts there, as of now.

Basics
1.What is Rampart?
2.How to configure Rampart in Axis2?
3.How to run Rampart samples with Apache Tomcat?
4.How to enable SSL on Tomcat?
5.How does the nonce and the timestamp get generated for hashed passwords in UsernameToken?
6.How to create wildcard certificates with java keytool?
7.How to import/export certificates using Java keytool?

Intermediate
1.How to use Axis2 Dynamic Client to invoke Secured Web Services?
2.How password Callback Handlers work in Rampart?
3.How to ask for a hashed password in security policy?
4.How identity delegation works with ActAs in WS-Trust 1.4?
5.How SOAP message encryption works?
6.What is Assymetric Binding?
7.Would timestamp validation fail when servers and clients running in different timezones?
8.How to secure a web service with UsernameToken + HTTPS?
9.How to enable SSL on WAMP?
10.How to dump out JKS private key?
11.How to create a Certificate Authority with OpenSSL on Windows?
12.How to secure web services with HTTP Basic Authentication?
13.How to do UsernameToken authentication for web services based on AD?
14.How to secure a web service with UsernameToken?
15.Can we have multiple private keys in a single JKS?
16.<ramp:user> vs <ramp:encryptionUser> vs <ramp:userCertAlias>

Advance
1.How to call web services having SSL mutual authentication enabled?
2.How to setup a secure conversation with an STS?
3.How to ceate a new JKS with an existing private key and a signed certificate?
4.Can we have per service, policy based results validators?
5.How to apply policies at binding hierarchy?
6.Can we avoid duplicating crypto info added to RampartConfig in different services.xml files?
7.How to enable NTLM authentication in Axis2 client?
8.What are the Rampart handlers in inflow and what do they do?
9.How to do proxy authenticaion at runtime - in Axis2 client or stub?
10.What are policy subjects and where goes security policy assertions?
11.How Token referencing works in WS-Security?
12.How to add a secured and a non secured end point to the same service?
13.How to enable security for JAX-WS services with Axis2/Rampart?
14.How to generate a non-secured response to a secured request?

Common Errors
1.org.apache.axis2.AxisFault: First Element must contain the local name, Envelope , but found html
2.java.security.UnrecoverableKeyException: Cannot recover key
3.org.apache.ws.security.WSSecurityException: An unsupported signature or encryption algorithm was used
4.[ERROR] Referenced security token could not be retrieved (Reference "#CertId-238146")
5.java.security.NoSuchAlgorithmException: Cannot find any provider supporting RSA/NONE/OAEPPADDING
6.org.apache.axis2.phaseresolver.PhaseException: Did not find the desired phase 'Security' while deploying handler 'PolicyBasedSecurityOutHandler'
7.java.security.InvalidKeyException: Illegal key size or default parameters
8.org.apache.rampart.RampartException: The timestamp could not be validated

Integrating Novell eDirectory with WSO2 Identity Server

2009-11-17T03:58:00.003+05:30

You can download an evaluation copy of Novell eDirectory from here.

Then go through this blog post which explains - how to setup an LDAP based user store with Identity Server.

You need to follow exact the same steps - except - you need to have the settings from the above image while installing Novell eDirectory - for the Identity Server LDAP configuration as shown below.

Amazon CloudFront with Blogger blogs as a Content Delivery Network

2009-11-14T17:02:00.007+05:30

Web sites like CNN, Yahoo and many more with high traffic use a Content Delivery Network like Akamai - so end users have to spend less time waiting for the web page to load on their screens.

Amazon CloudFront delivers the content using a global network of edge locations. Requests for your objects are automatically routed to the nearest edge location, so content is delivered with the best possible performance.

This blog post explains how to setup Amazon CloudFront with your blog.

First you need to have an Amazon account and signed up for an S3 bucket.

This explains everything you need to know - to set that up.

Now - you have an S3 bucket - say facilelogin.

Then - we need to sign up for a CloudFront account.

Go to http://aws.amazon.com/cloudfront and sign up with the same Amazon credentials you used before.

Now - sign in to the CloudFront management console.

Click the link - Create Distribution.

Set Origin as the S3 bucket you created earlier.

Give a child domain of your blog as the CNAME [e.g. cache.facilelogin.com]

This will create a CloudFront for the set S3 bucket.

Once you highlight the distribution you created - you can see it's details on the bottom panel.

Note down following.

Domain Name : d2npqrbnybq989.cloudfront.net
CNAME : cache.facilelogin.com

Now - you need to add a CNAME record to your domain.

I got my domain from Yahoo - so to add a CNAME record there, first sign in here, and a CNAME record to your domain with,

Source : cache.facilelogin.com [Value corresponding to the Amazon distribution CNAME]
Destination : d2npqrbnybq989.cloudfront.net [Value corresponding to the Amazon distribution Domain Name]

That's it - give some time to get your CNAME updated.

Now - add whatever content you want to - the Amazon S3 bucket and refer to content from you blog as http://cache.facilelogin.com/[resource name].

The image shown in the post is loaded from the S3 bucket - managed by Amazon CloudFront.

Hands on CLOUD while legs on EARTH

2009-11-14T04:34:00.003+05:30

1. Sign up for S3

Go to http://aws.amazon.com/s3/ and sign up for an Amazon S3 account.

Amazon S3 is storage on cloud.It provides a simple web services interface that can be used to store and retrieve any amount of data.

Read more on S3 from http://aws.amazon.com/s3/faqs/

2. Tools

Once you created the storage on cloud - there are tools which let you talk to the S3 iterface from your local computer.

CloudBerry Explorer is the one I use, it makes managing files in Amazon S3 storage EASY. By providing a user interface to Amazon S3 accounts, files, and buckets, CloudBerry lets you manage your files on cloud just as you would on your own local computer.

3. S3 with CloudBerry Explorer

Start CloudBerry Explorer --> File --> Amazon S3 Account --> New Account

Here you need to provide, an Access Key, a Secret Key and a Display. Make sure you tick the 'Use SSL' tick box.

To find your Access Key and the Secret Key - first you need to login to http://aws.amazon.com/account/ with your Amazon credentials and click on the link for 'Security Credentials'

Once you are there you can see both your Access Key ID and Secret Access Key listed under Access Keys.

Copy thoe keys from there and give those to CloudBerry Explorer.

Once you create the new account in CloudBerry Explorer - it will be listed under 'Source'.

Select your account from 'Source' - CloudBerry Explorer will talk to your S3 account and will display the buckets you created.

4. Buckets

Just like a bucket holds water, Amazon buckets are like a container for your files. You can name your buckets the way you like but it should be unique across the Amazon system.

To create a Bucket from CloudBerry - click the 'New Bucket' icon in blue on the top row.

Amazon S3 offers storage in the United States and in Europe (within the EU). You can specify where you want to store your data when you create your Amazon S3 buckets.

Keep in mind that the bucket namespace is shared by all users of the system. So the name you give needs to be unique accross the system.

Once you created the bucket - that will be displayed in the left pane of the CloudBerry Explorer.

Right click on the bucket and select 'Web URL' - that will show the web url to access your bucket [e.g. http://facilelogin.s3.amazonaws.com/]

Type that on a web browser and try to access it - you won't be.

Now you need to set the access control setting for your bucket.

Once again right click on the bucket and select ACL and then ACL Settings.

If yu want all the users to have read access to your bucket - then select 'All Users' and set 'Read' permission.

Now - try to access the link from the web browser.

To move data from your local machine to the S3 bucket in the cloud - just drag and drop the files from the right pane to the S3 bucket on the left pane.

5. Sign up for EC2

Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides resizable compute capacity in the cloud.

Just as Amazon Simple Storage Service (Amazon S3) enables storage in the cloud, Amazon EC2 enables “compute” in the cloud.

Go to http://aws.amazon.com/ec2/ and sign up for an EC2 acount. You can use same Amazon credentials you used to create the S3 accont.

Read more on EC2 from http://aws.amazon.com/ec2/faqs/

6. Amazon Management console

Now, go to htp://aws.amazon.com/console/ - select EC2 from right hand side combo box and 'Sign in to the AWS Console'.

The AWS Management Console gives you a quick, global picture of your cloud computing environment so that you can see what resources you’re operating and conveniently manage those resources

7. Starting an EC2 instance

Once you sign in to the Amazon Management console, you will see a dashboard.

To start using Amazon EC2 you will want to launch a virtual server, known as an Amazon EC2 instance.

Click on the link 'Launch Instances'.

Now - this will display a set of available AMI(Amazon Machine Image)s.

Select any AMI you want - I selected 'Basic Fedora Core 8'.

In the next screen - set the number of instances as - 1.

Select create new key pair.

Public/private key pairs allow you to securely connect to your instance after it launches. To create a key pair, enter a name and click Create & Download your Key Pair.

You will then be prompted to save the private key to your computer. Note, you only need to generate a key pair once — not each time you want to deploy an Amazon EC2 instance.

Let's also create a new security group - accept the default settings there only giving access to SSH port.

Security groups determine whether a network port is open or blocked on your instance(s).

Once you are done with all tha - you'll be back on the dashboard and under 'Instances' - you can see the instance you started now.

Click on that instance and you'll see all the details about it listed down - and copy the Public DNS value[e.g: ec2-75-101-193-101.compute-1.amazonaws.com]

Now - you have a Fedora instance running on the cloud.

Let's see how to login in to it from the local machine.

8. Putty

I am using Putty under Windows, to SSH in to my Fedora instance running on the cloud.

First we need to setup the private key with it. [Rember we download a key while launching the AMI].

Start Putty --> Session --> Set Host Name - the Public DNS of our running Fedora instance.

Go to Connection/SSH/Auth - set the private key file for authentication.

Here it requires the private key in PPK format - but what we downloaded is in PEM format.

Now we need to do a conversion - we can use puttygen for that.

Once done set the PPK file as the private key file for authentication in Putty.

Now, go to Connection/Data - set 'root' as the Auto-login user name.

Now - we are done - click on 'Open' to connect to your Fedora instance running on EC2.

9. Launching a Windows Instance

Hear we try to launch a Windows Instance and try to remote login in to it.

Before launching a Windows AMI - let's first create new Security Group.

From the main dashboard - you can select 'Security Groups' and then create a new secuirty group.

Once created - allow RDP connection for this security group - to allow windows remote login.

Now - in the same way we did before - launch a Windows AMI - but make sure you set it's security group - the one we just created with RDP connections allowed.

To get the Windows admin password to login through remote login - highlight the Windows instance from Dashboard/Instances - select Instance Actions/Windows Actions/Get Windows Admin Password.

Hashing alone is NOT a life saver

2009-11-12T19:02:00.005+05:30

Hashing is a one way - irreversible algorithm which is used to store passwords in databases.

So - nobody other than you know what your actual password is.

When you create your password - your password will go through the hashing algorithm and the hashed password will be stored in the database.

When you try to login - you enter your password in clear text - then the application will calculate the hash of the entered password and will match that with the hashed password already stored in the database. If matches, you will let in.

How does this make your password safe?

Say somebody hacked in to the database.But - still he cant see your password in clear text. So - he can't login to your account. Hacker will only get access to the hashed password - but not to the password in clear text. Keep in mind - you can't never login with the hashed password. That is bacause - what ever you enter as the password will go through a hashing algorithm and that hashed value will be matched with hashed password in the database. In case if you enter the value you found from the database - which is actually the hashed password - then that will be rehashed by tha application and try to match with the hashed password from the database - which will obviously fail.

But - is this safe enough ?

The hacker who has access to your database can still replace your hashed password with a hash he caculated with a clear text known to him. Then he can login to your account with the clear text known to him - because it will be evaluated against the hash value he replaced in the database.

That is; hashing alone is never safe.

Whenever you store anything in clear text as a hashed value - you need to store it as a salted hash.

In cryptography, a salt comprises random bits that are used as one of the inputs to a key derivation function. The other input is usually a password or passphrase in clear text. Output is the 'salt' value. Now - the application will caculate the hash value of password in clear text + the salt value and store that in the database.

Application will also store the salt value - but for best security, the salt value should be kept secret, separate from the password database.

When a user enters his password for login - the application will retreive the salt value and caculate the hash over both the salt and the entered password - and will match the result with the hash value stored in the password database.

In case a hacker having access to the database replaces the user's password with a hash value of a clear text known to him - still the password verification will fail - bacause now the hash is not just caculated with the password along - it's from both the password and the salt value. In this case if the hacker wants to access user account he should be able to gain access to the database which stores hash values as well.

So - the bottom line is - hashing along is never secure - salted hashing much secure - but all that will make it's hard to break - but never stop from breaking fully.

Although you store clear text passwords as salted hashes - it's never an alternative to not to secure access to the database.

Interoperability Through Community

2009-11-11T07:34:00.000+05:30

Secured SOA

2009-11-10T20:37:00.003+05:30

WSO2 SOA Workshop - Santa Clara, California

2009-10-16T11:01:00.004+05:30

ESBs and SOA

Most enterprises start with creating basic services and connecting them with an Enterprise Service Bus when first adopting SOA. This session will talk about the wider usage of an ESB in SOA infrastructure and the decoupling of communication layers.

SOA Security

As many businesses move ahead with SOA, security and identity management need to be made available as a service in the architecture in a consistent and reusable way across all applications. This session will focus on implementing key security standards and identity management for SOA.

Mashups and Business Process Management for SOA

This session will introduce Mashups as an enterprise integration tool and will demonstrate the various technologies in use for service compositions in SOAs. Focusing on both automated processes and looking at how BPM fits into people-based processes, this session will also examine Open Standards for BPM, how the BPMN and BPEL standards fit together.

SOA Governance

Governance is a vital part of any SOA, and has an impact on runtime as well as design-time. Some major components of SOA governance include a registry, policy, monitoring and testing procedures. This session will discuss some predefined patterns and recommendations along with service life-cycles, resource life-cycles, metadata storage, policies and validations.

SOA with C, C++, PHP and more

As C, C++ and other such languages have been around for many years, it is predominant in legacy systems. This session will explore how These languages can be used to implement and integrate systems that use SOA principles to provide great business value to enterprise applications.

SOA Enterprise Architecture Patterns

This session will provide in-depth knowledge on how to implement an SOA solution using the basic elements in an SOA infrastructure discussed in other sessions.

The Secured Enterprise: Leverage OpenID with Web Services

2009-07-24T04:07:00.000+05:30

[VIDEO] Identity & Cloud Services

2009-07-12T08:27:00.001+05:30

Deploying WSO2 Identity Server 2.0 over WebLogic

2009-07-06T00:21:00.002+05:30

Yumani explains here all what you need to know...

WSO2 Identity Server 2.0 is available to download from here...

WSO2 SOA Summer School - SOA Governance by Asanka

2009-07-04T08:09:00.000+05:30

Security in SOA

2009-07-03T11:48:00.001+05:30

WSO2 SOA Summer School - Security in SOA : The brain friendly edition of complex security specs

2009-06-27T12:17:00.004+05:30

I'll be doing the webinar, WSO2 SOA Summer School: Security in SOA on 2nd of July - next Thursday.

As many businesses move ahead with SOA, security and identity management need to be made available as a service in the architecture in a consistent and reusable way across all applications.

During this webinar I will focus on implementing key security standards and identity management for SOA with regards to two emerging user centric identities: OpenID & Information Cards, and also XACML for fine-grained authorization.

If you are yet to register - do it today from here.

I hope you'll enjoy this session and learn Security concepts in a brain friendly manner.

SOA Summer School: Scalable SOA by Samisa

2009-06-25T13:56:00.001+05:30

Samisa will be doing a presentation on the $subject in few hours time.

Serious business applications that demand high volumes of transactions are most often based on SOAs. Clustering technologies are critical for some of these deployments to help achieve load balancing and high availability. This session digs deep into the scaling techniques that can be used in SOA deployments that demand high throughput and high reliability.

If you are yet to register - still its's open - further details here.

Extracting SAML assertions from a proxy service and adding them back to the service behind

2009-06-23T11:29:00.008+05:30

This blog post explains how to do the intial setup with WSO2 ESB and the Identity Server to develop claim aware web services - please go through it first.

There - we get the SAML Assertion to the proxy service.

Here what we are going to do is - to extract SAML Assertions from the Security header of the incoming message and add those as a custom header to the message going to the actual service.

First, please download the org.wso2.carbon.identity.samples.saml.mediator-2.0.0.SNAPSHOT.jar from here.

Stop - the ESB if it's running already.

Copy the above jar to [ESB_HOME]\webapps\ROOT\WEB-INF\plugins\console.

Open [ESB_HOME]\webapps\ROOT\WEB-INF\eclipse\configuration\org.eclipse.equinox.simpleconfigurator\bundles.info and add the following entry to the end [one line].

org.wso2.carbon.identity.samples.saml.mediator,2.0.0.SNAPSHOT,file:plugins/org.wso2.carbon.identity.samples.saml.mediator-2.0.0.SNAPSHOT.jar,10,true

Start the ESB with following.

\> wso2server.bat -cleanCache

Now, you need to add the above mediator to the in sequence of your proxy service as a Class mediator.

Following is the synapase configuration for the in/out sequences of the proxy service.


<syn:proxy name="test" transports="https http" startOnLoad="true" trace="disable">
  <syn:target>
    <syn:inSequence>
      <syn:class name="org.wso2.carbon.identity.samples.saml.mediator.SAMLAttrMediator"/>
      <syn:header xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" name="wsse:Security" action="remove"/>
      <syn:log level="full"/>
      <syn:send/>
    </syn:inSequence>
    <syn:outSequence>
      <syn:send/>
    </syn:outSequence>
  </syn:target>
</syn:proxy>

You can clearly see Class/Header/Log & Send mediators are in the in-sequence and Send mediator in the out-sequence.

Now - the question is how do we capture the SAML attributes from the actual service.

You can call the following method from any service method to get the attributes in a HashMap.

getAttributes(MessageContext.getCurrentMessageContext());

Following is the code for getAttributes() method.


 private static final String USER_ATTRIBUTES_ELEMENT = "UserAttributes";
 private static final String USER_ATTRIBUTES_NS = "http://attributes.saml.axis2.org";
 private static final String ATTRIBUTE = "Attribute";
 private static final String ATTRIBUTE_NS = "AttributeNamespace";
 private static final String ATTRIBUTE_VALUE = "AttributeValue";
 public final static String SAML10_NS = "urn:oasis:names:tc:SAML:1.0:assertion";
 public final static String SAML11_NS = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1";
 public final static String SAML20_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

 public Map getAttributes(MessageContext messageContext) {
  OMElement header = null;
  OMElement userAttr = null;
  Iterator iterator = null;
  String samlNameSpace = null;

  header = messageContext.getEnvelope().getHeader();
  userAttr = header.getFirstChildWithName(new QName(USER_ATTRIBUTES_NS,
    USER_ATTRIBUTES_ELEMENT));
  iterator = userAttr.getChildrenWithName(new QName(SAML10_NS, ATTRIBUTE));

  if (iterator.hasNext()) {
   samlNameSpace = SAML10_NS;
  } else {
   iterator = userAttr.getChildrenWithName(new QName(SAML11_NS, ATTRIBUTE));
   if (iterator.hasNext()) {
    samlNameSpace = SAML11_NS;
   } else {
    iterator = userAttr.getChildrenWithName(new QName(SAML20_NS, ATTRIBUTE));
    if (iterator.hasNext()) {
     samlNameSpace = SAML20_NS;
    }
   }
  }

  if (samlNameSpace == null) {
   // Unsupported SAML token type;
   return null;
  }

  Map attributes;
  attributes = new HashMap();

  while (iterator.hasNext()) {
   OMElement attr = iterator.next();
   OMElement attrValElement = null;
   String attributeName = null;
   String attributeValue = null;
   attributeName = attr.getAttributeValue(new QName(ATTRIBUTE_NS));
   attrValElement = attr.getFirstChildWithName(new QName(samlNameSpace, ATTRIBUTE_VALUE));
   attributeValue = attrValElement.getText();
   attributes.put(attributeName, attributeValue);
  }

  return attributes;
 }

Also make sure you import following packages as well.


import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import javax.xml.namespace.QName;
import org.apache.axiom.om.OMElement;
import org.apache.axis2.context.MessageContext;

WSO2 Identity Server 2.0 Overview

2009-06-19T23:11:00.002+05:30

SOA Summer School: SOA Enterprise Architecture Patterns by Asanka

2009-06-18T16:14:00.001+05:30

Asanka will be doing a training on the $subject in few hours time.

This session will provide in-depth knowledge on how to implement an SOA solution using the basic elements in an SOA infrastructure. There will be several enterprise SOA patterns mapped to real world and hypothetical business requirements. Implementation details will be practically explained using the WSO2 SOA platform.

If you are yet to register - still its's open - further details here.

Guide to write XACML policies in WSO2 Identity Server 2.0 - Part - I

2009-06-17T13:39:00.030+05:30

This blog post explains how to write policies in XACML for WSO2 Identity Server.

A given policy has an identifier, a rule combining algorithm, a description, a target and a set of rules.


<Policy PolicyId="urn:sample:xacml:2.0:samplepolicy"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
  xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os">

  <Description>Sample XACML Authorization Policy.</Description>

  <Target>...</Target>

  <Rule>...</Rule>

</Policy>

Since, a given Policy may contain multiple Rules, each of which may evaluate to different access control decisions, XACML needs some way of reconciling the decisions each makes.

This is done through a collection of Combining Algorithms.

Each algorithm represents a different way of combining multiple descisions evaluated through different rules into a single descision.

Following rule combining algorithms are defined in XACML 2.0.


urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides
urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides
urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable
urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-denyoverrides
urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-permitoverrides

when we have urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable as the rule combining alogorithm, it will pick the first rule applicable from the defined set of Rules.

Once a XACML request being received at the PDP it needs to find a policy that applies to the corresponding request.

To do this, XACML uses the element Target.

A Target is basically a set of simplified conditions for the Subject, Resource and Action that must be met for a Policy or Rule to apply to a given request.

Once a Target is defined directly under Policy element - it defines the set of conditions that must be met to pick that Policy.


<Policy PolicyId="urn:sample:xacml:2.0:samplepolicy"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
  xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os">

  <Description>Sample XACML Authorization Policy.</Description>

  <Target>

    <Subjects>...</Subjects>
    <Resources>...</Resources>
    <Actions>...</Actions>

  </Target>

  <Rule>...</Rule>

</Policy>

To make this very clear - let's go through an example.

This policy will be picked for a request having, any Subject, any Action on Resource http://localhost:8280/services/echo/.


<Policy PolicyId="urn:sample:xacml:2.0:samplepolicy"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
  xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os">

  <Description>Sample XACML Authorization Policy.</Description>

  <Target>

    <Subjects> <AnySubject/> </Subjects>

    <Resources>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/echo/</AttributeValue>
        <ResourceAttributeDesignator
          AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
          DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </ResourceMatch>
      </Resource>
    </Resources>

    <Actions> <AnyAction/> </Actions>

  </Target>

  <Rule>...</Rule>

</Policy>

For the time being, let's not worry too much about <Resources/> element.

Let's see another example. Here the Target is applied to the Rule - not to the entire Policy it self.


<Policy PolicyId="urn:sample:xacml:2.0:samplepolicy"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
  xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os">

  <Description>Sample XACML Authorization Policy.</Description>

  <Rule Effect="Permit" RuleId="primary-access-rule">

    <Target>

      <Subjects> <AnySubject/> </Subjects>

      <Resources>
        <Resource>
          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
          <AttributeValue
            DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/echo/</AttributeValue>
          <ResourceAttributeDesignator 
            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" 
            DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ResourceMatch>
        </Resource>
      </Resources>

      <Actions> <AnyAction/> </Actions>

    </Target>

  </Rule>

</Policy>

I guess, that explains enough about <Policy/> and <Target/> elements.

Let's move to the <Rule/> element. You may recall, that I mentioned there can be multiple Rule elements per given Policy.

Also - we discussed about Rule Combining Algorithms.

Let's focus on the child elements of the Rule element.

The way the Sun XACML engine determines whether a rule is applicable to an incoming request is by evaluating the Target and optional Condition (if it exists).

These are ANDed together, and the rule's effect achieved if the ANDed value is TRUE.

You know where Rule element fits in to a XACML policy - for the purpose of explaining, I'll just take out the isolated Rule element only - so keep in mind this is always within <Policy> tags.


<Rule Effect="Permit" RuleId="primary-access-rule">

  <Target>...</Target>
  <Condition>...</Condition>

</Rule>

A policy contains one or more Rules.

Each rule has a RuleId and an Effect.

An Effect is the intended consequence of a satisfied rule, which can be either "Deny" or "Permit." This means that if the rule is deemed applicable to an incoming service request, and the rule's conditions evaluate to TRUE, then the specified effect should be enforced.

Since we already discussed about the <Target/> element under the context of <Rule/>, we'll skip it here.

Let's focus on the <Condition/> element.

A Condition is a predicate that must be satisfied for a rule to be assigned its effect.

Okay - a Target defines a set of constraints for a Rule. So - what does a Condition do? Let's differentiate Condition from Target.

While Targets are appealing, frame-like expressions, they have a constrained logic which isn't always expressive enough to narrow down whether a policy is applicable to a service request.

Hence, the need for Condition element arises. If either the policy Target or the Rule Target is not able to adequately express a constraint, a Condition can be added to a Rule.

A Condition can only present within a Rule.

If a Condition is intended to be applicable to the entire Policy, the Condition must be repeated in every Rule in that Policy.

Let's go ahead with an example.

We want to restrict users based on their attributes.

Say - for example a given user has an accessList attribute - and we want to restrict access to a given resource based on the accessList.

I'll take an isolated <Condition/> element here...


<Condition>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
    <SubjectAttributeDesignator AttributeId="accessList" DataType="http://www.w3.org/2001/XMLSchema#string"/>
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">nurses</AttributeValue>
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">doctors</AttributeValue>
    </Apply>
  </Apply>
</Condition>

Let's start from the inner most <Apply/> element.

It uses the string-bag function on two attributes.

This bag function wraps a set of possible values for the attribute defined under <SubjectAttributeDesignator/> element. In this case - possible values for the attribute 'accessList' should be either 'nurses' or 'doctors'.

Now, let's look at the outer most <Apply/> element. It uses string-at-least-one-member-of function which will be applied on the results of the inner function.

In other words - final condition says - if you want to access the resource you have to be a member of 'doctors' or 'nurses'.

This will basically conclude the part-1 of this series of blog posts.

In the next blog post I would like to write about Attributes and Attribute Designators.