Tuesday, March 31, 2009

JBossXACML 2.0.3.CR5 released

http://www.jboss.org/jbosssecurity/downloads/JBoss XACML

Pick the JBossXACML CR5 version from the xacml downloads section (Ignore the download counter as it is not working).

Bugs Fixed:
SECURITY-403 XACML: Resource can have multiple attributes with resource-id
SECURITY-405 XACML: TimeAttribute computes GMT milliseconds incorrectly when the date is 1 day after Jan 1, 1970

If you want to use this release in JBossAS 5.0.x, remove jboss-xacml.jar and jboss-sunxacml.jar from the common/lib directory and place jbossxacml.jar there.


User Guide: http://www.jboss.org/auth/jbosssecurity/docs/jbossxacml/html/jbossxacml.html

Wednesday, March 25, 2009

JBossXACML 2.0.3.CR4 released

Please pick up the CR4 release of JBossXACML in the 2.0.3 cycle at:
http://www.jboss.org/jbosssecurity/downloads/JBoss%20XACML/

(NOTE: Ignore the download counter which is showing 0. It is broken).

Release Notes for JBoss Security and Identity Management
Includes versions: JBossXACML_2.0.3.CR4

** Sub-task
* [ SECURITY-396 ] Rule:: NPE if description of a rule is empty
* [ SECURITY-400 ] XACML Conformance Tests: Mandatory - attribute references, functions, combination algos
* [ SECURITY-401 ] XACML Conformance Tests: Mandatory - schema components

** Bug
* [ SECURITY-394 ] FunctionBase: bag-size throws an IllegalArgumentException
* [ SECURITY-395 ] AbstractPolicy: Empty Description element throws NPE
* [ SECURITY-397 ] XACML: HigherOrderFunction checkInputs needs to relax type checking on evaluations
* [ SECURITY-399 ] XACML: Apply->evaluate method tries to encode an attributeValue that can be a bag

** Task
* [ SECURITY-337 ] Validate the Oasis XACMLv2 conformance tests
* [ SECURITY-402 ] Release JBossXACML 2.0.3.CR4

References:
JBossXACML Announcements: http://www.jboss.org/index.html?module=bb&op=viewtopic&t=152989

Additional Note: JBossXACML Debugging:
If you want debug information for the rule evaluation, create a logging.properties file such as the following:
============================
# Specify the handlers to create in the root logger
# (all loggers are children of the root logger)
# The following creates two handlers
handlers = java.util.logging.ConsoleHandler, java.util.logging.FileHandler

# Set the default logging level for the root logger
.level = ALL

# Set the default logging level for new ConsoleHandler instances
java.util.logging.ConsoleHandler.level = ALL

# Set the default logging level for new FileHandler instances
java.util.logging.FileHandler.level = ALL

# Set the default formatter for new ConsoleHandler instances
java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
java.util.logging.FileHandler.formatter=java.util.logging.SimpleFormatter

# Set the logging level for the JBossXACML (sunxacml) loggers, and silence JAXB
org.jboss.security.xacml.sunxacml.level = FINEST
com.sun.xml.bind.level = OFF
=====================================================

Now pass the system property with the location of this file such as:
-Djava.util.logging.config.file=src/test/resources/logging.properties

Then you should see something like:
=========================================
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.combine.StandardCombiningAlgFactory initAlgorithms
CONFIG: Initializing standard combining algorithms
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.cond.StandardFunctionFactory initGeneralFunctions
CONFIG: Initializing standard General functions
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.cond.StandardFunctionFactory initConditionFunctions
CONFIG: Initializing standard Condition functions
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.cond.StandardFunctionFactory initTargetFunctions
CONFIG: Initializing standard Target functions
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.PDP <init>
FINE: creating a PDP
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.finder.PolicyFinder init
FINER: Initializing PolicyFinder
Resource must contain resource-id attr
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.cond.Apply evaluate
FINE: Function:urn:oasis:names:tc:xacml:1.0:function:string-bag-size:<ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:allowed-organizations" DataType="http://www.w3.org/2001/XMLSchema#string"/>
:::result=2
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.cond.Apply evaluate
FINE: Function:urn:oasis:names:tc:xacml:1.0:function:integer-equal:<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
<ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:allowed-organizations" DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
::org.jboss.security.xacml.sunxacml.attr.IntegerAttribute@0:::result=false
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.cond.Apply evaluate
FINE: Function:urn:oasis:names:tc:xacml:1.0:function:not:<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
<ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:allowed-organizations" DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">0</AttributeValue>
</Apply>
:::result=true
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.cond.Apply evaluate
FINE: Function:urn:oasis:names:tc:xacml:1.0:function:string-subset:<SubjectAttributeDesignator SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:2.0:subject:locality" DataType="http://www.w3.org/2001/XMLSchema#string"/>
::<ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:allowed-organizations" DataType="http://www.w3.org/2001/XMLSchema#string"/>
:::result=true
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.cond.Apply evaluate
FINE: Function:urn:oasis:names:tc:xacml:1.0:function:not:<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
<SubjectAttributeDesignator SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:2.0:subject:locality" DataType="http://www.w3.org/2001/XMLSchema#string"/>
<ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:allowed-organizations" DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
:::result=false
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.cond.Apply evaluate
FINE: Function:urn:oasis:names:tc:xacml:1.0:function:and:<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
<ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:allowed-organizations" DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">0</AttributeValue>
</Apply>
</Apply>
::<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
<SubjectAttributeDesignator SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:2.0:subject:locality" DataType="http://www.w3.org/2001/XMLSchema#string"/>
<ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:allowed-organizations" DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
</Apply>
:::result=false
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.combine.DenyOverridesRuleAlg combine
FINE: Rule id:urn:oasis:names:tc:xspa:1.0:org:allowed:organizations:deny:result=3
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.cond.Apply evaluate
FINE: Function:urn:oasis:names:tc:xacml:1.0:function:time-one-and-only:<EnvironmentAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time" DataType="http://www.w3.org/2001/XMLSchema#time"/>
:::result=15:38:25.553000000-05:00
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.cond.Apply evaluate
FINE: Function:urn:oasis:names:tc:xacml:1.0:function:time-one-and-only:<ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:hoursofoperation:start" DataType="http://www.w3.org/2001/XMLSchema#time"/>
:::result=00:00:00-08:00
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.cond.Apply evaluate
FINE: Function:urn:oasis:names:tc:xacml:1.0:function:time-greater-than-or-equal:<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
<EnvironmentAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time" DataType="http://www.w3.org/2001/XMLSchema#time"/>
</Apply>
::<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
<ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:hoursofoperation:start" DataType="http://www.w3.org/2001/XMLSchema#time"/>
</Apply>
:::result=true
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.cond.Apply evaluate
FINE: Function:urn:oasis:names:tc:xacml:1.0:function:not:<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-greater-than-or-equal">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
<EnvironmentAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time" DataType="http://www.w3.org/2001/XMLSchema#time"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
<ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:hoursofoperation:start" DataType="http://www.w3.org/2001/XMLSchema#time"/>
</Apply>
</Apply>
:::result=false
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.cond.Apply evaluate
FINE: Function:urn:oasis:names:tc:xacml:1.0:function:time-one-and-only:<EnvironmentAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time" DataType="http://www.w3.org/2001/XMLSchema#time"/>
:::result=15:38:25.553000000-05:00
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.cond.Apply evaluate
FINE: Function:urn:oasis:names:tc:xacml:1.0:function:time-one-and-only:<ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:hoursofoperation:end" DataType="http://www.w3.org/2001/XMLSchema#time"/>
:::result=23:59:00-08:00
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.cond.Apply evaluate
FINE: Function:urn:oasis:names:tc:xacml:1.0:function:time-less-than-or-equal:<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
<EnvironmentAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time" DataType="http://www.w3.org/2001/XMLSchema#time"/>
</Apply>
::<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
<ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:hoursofoperation:end" DataType="http://www.w3.org/2001/XMLSchema#time"/>
</Apply>
:::result=false
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.cond.Apply evaluate
FINE: Function:urn:oasis:names:tc:xacml:1.0:function:not:<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-less-than-or-equal">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
<EnvironmentAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time" DataType="http://www.w3.org/2001/XMLSchema#time"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
<ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:hoursofoperation:end" DataType="http://www.w3.org/2001/XMLSchema#time"/>
</Apply>
</Apply>
:::result=true
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.cond.Apply evaluate
FINE: Function:urn:oasis:names:tc:xacml:1.0:function:or:<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-greater-than-or-equal">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
<EnvironmentAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time" DataType="http://www.w3.org/2001/XMLSchema#time"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
<ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:hoursofoperation:start" DataType="http://www.w3.org/2001/XMLSchema#time"/>
</Apply>
</Apply>
</Apply>
::<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-less-than-or-equal">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
<EnvironmentAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time" DataType="http://www.w3.org/2001/XMLSchema#time"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
<ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:hoursofoperation:end" DataType="http://www.w3.org/2001/XMLSchema#time"/>
</Apply>
</Apply>
</Apply>
:::result=true
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.combine.DenyOverridesRuleAlg combine
FINE: Rule id:urn:oasis:names:tc:xspa:1.0:org:hoursofoperation:deny:result=1
=============================

This is very good debug information.
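A trace like the one above is long because every Apply prints its full argument XML. As an added illustration (my own code, not part of the original post or of JBossXACML), the following Java program condenses such a trace into one line per evaluated function and per combined rule. The sample lines embedded in it are constructed by copying entries from the trace above, and the decision-code names follow the sunxacml Result constants (DECISION_PERMIT = 0, DECISION_DENY = 1, DECISION_INDETERMINATE = 2, DECISION_NOT_APPLICABLE = 3), which is how the `result=3` and `result=1` values on the DenyOverridesRuleAlg lines should be read.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not JBossXACML project code: condenses the FINE/FINER trace
// written with the logging.properties above into a short decision summary.
public class XacmlTraceSummary
{
   // Names for the numeric decision codes of org.jboss.security.xacml.sunxacml.ctx.Result
   // (DECISION_PERMIT = 0, DECISION_DENY = 1, DECISION_INDETERMINATE = 2, DECISION_NOT_APPLICABLE = 3).
   private static final String[] DECISIONS = {"PERMIT", "DENY", "INDETERMINATE", "NOT_APPLICABLE"};

   // "FINE: Function:<function URN>:<first argument XML>" opens an Apply entry.
   private static final Pattern FUNCTION = Pattern.compile("^FINE: Function:(.+?):<");
   // "FINE: Rule id:<rule id>:result=<code>" is written by the rule-combining algorithm.
   private static final Pattern RULE = Pattern.compile("^FINE: Rule id:(.+):result=(\\d)$");
   // An Apply entry closes on a line ending in ":result=<value>" (sometimes preceded by
   // the last argument's toString(), e.g. "::...IntegerAttribute@0:::result=false").
   private static final Pattern RESULT = Pattern.compile(":result=(\\S+)$");

   /** Returns one summary line per Apply evaluation and per combined rule, in trace order. */
   public static List<String> summarize(String trace) throws IOException
   {
      List<String> out = new ArrayList<String>();
      BufferedReader in = new BufferedReader(new StringReader(trace));
      String pendingFunction = null; // function whose result line has not been seen yet
      String line;
      while ((line = in.readLine()) != null)
      {
         Matcher f = FUNCTION.matcher(line);
         if (f.find())
         {
            pendingFunction = shortName(f.group(1));
            continue;
         }
         Matcher rule = RULE.matcher(line); // checked before RESULT: this line also ends in "result=<n>"
         if (rule.find())
         {
            int code = Integer.parseInt(rule.group(2));
            String name = (code >= 0 && code < DECISIONS.length) ? DECISIONS[code] : "UNKNOWN(" + code + ")";
            out.add("rule " + rule.group(1) + " -> " + name);
            continue;
         }
         Matcher r = RESULT.matcher(line);
         if (r.find() && pendingFunction != null)
         {
            out.add(pendingFunction + " -> " + r.group(1));
            pendingFunction = null;
         }
      }
      return out;
   }

   // "urn:oasis:names:tc:xacml:1.0:function:string-bag-size" -> "string-bag-size"
   private static String shortName(String functionUrn)
   {
      return functionUrn.substring(functionUrn.lastIndexOf(':') + 1);
   }

   public static void main(String[] args) throws IOException
   {
      // Constructed sample: a few entries copied from the trace above.
      String sample =
            "Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.cond.Apply evaluate\n"
          + "FINE: Function:urn:oasis:names:tc:xacml:1.0:function:string-bag-size:<ResourceAttributeDesignator AttributeId=\"urn:oasis:names:tc:xspa:1.0:resource:org:allowed-organizations\" DataType=\"http://www.w3.org/2001/XMLSchema#string\"/>\n"
          + ":::result=2\n"
          + "Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.cond.Apply evaluate\n"
          + "FINE: Function:urn:oasis:names:tc:xacml:1.0:function:integer-equal:<Apply FunctionId=\"urn:oasis:names:tc:xacml:1.0:function:string-bag-size\">\n"
          + "<ResourceAttributeDesignator AttributeId=\"urn:oasis:names:tc:xspa:1.0:resource:org:allowed-organizations\" DataType=\"http://www.w3.org/2001/XMLSchema#string\"/>\n"
          + "</Apply>\n"
          + "::org.jboss.security.xacml.sunxacml.attr.IntegerAttribute@0:::result=false\n"
          + "Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.combine.DenyOverridesRuleAlg combine\n"
          + "FINE: Rule id:urn:oasis:names:tc:xspa:1.0:org:allowed:organizations:deny:result=3\n"
          + "Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.combine.DenyOverridesRuleAlg combine\n"
          + "FINE: Rule id:urn:oasis:names:tc:xspa:1.0:org:hoursofoperation:deny:result=1\n";
      for (String s : summarize(sample))
         System.out.println(s);
   }
}
```

Run it against a full trace (for example by reading the FileHandler output into the string) to get a quick view of which rule produced the final Deny and which Apply result led there; in the trace above it is the hoursofoperation rule, while the allowed-organizations rule was Not Applicable.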


User Guide: http://www.jboss.org/auth/jbosssecurity/docs/jbossxacml/html/jbossxacml.html

Friday, March 20, 2009

JBossXACML 2.0.3.CR3 released

The next iteration of JBossXACML in the 2.0.3 cycle is available now. It can be downloaded from the downloads page here:
http://www.jboss.org/jbosssecurity/downloads/JBoss%20XACML


====================
Release Notes for JBoss Security and Identity Management
Includes versions: JBossXACML_2.0.3.CR3

** Sub-task
* [ SECURITY-390 ] JBossXACML: ResourceLocator

** Feature Request
* [ SECURITY-388 ] JBossXACML: AttributeLocator

** Bug
* [ SECURITY-391 ] JBossXACML: PDP construction should be one time

** Task
* [ SECURITY-392 ] Release JBossXACML 2.0.3.CR3
=========================================

Those are the release notes.

Improvements in 2.0.3.CR3:
* Support for specifying Attribute Locators and Resource Locators.
* Minor performance improvement: the internal PDP is constructed once rather than at each request evaluation.

What are Attribute Locators?
Attribute Locators are consulted when the policy requires certain attributes for evaluation and the request arrives without them. In that case the PDP asks the attribute locator for a value for the attribute so that it can complete the evaluation. Again, remember that the attribute locator is driven by the POLICY and not the REQUEST.

Procedure for Attribute Locators:
  • Write a subclass of org.jboss.security.xacml.locators.AttributeLocator
  • The following methods need to be overridden in your attribute locator
    * @see AttributeFinderModule#findAttribute(String, org.w3c.dom.Node, URI, org.jboss.security.xacml.sunxacml.EvaluationCtx, String)
    * @see AttributeFinderModule#findAttribute(URI, URI, URI, URI, org.jboss.security.xacml.sunxacml.EvaluationCtx, int)
  • Then specify the attribute locator in your configuration file as shown in the example below.

Resource Locators
These are used in the Hierarchical Profile if you decide to use it.

Configuration File

=================================
<ns:jbosspdp xmlns:ns="urn:jboss:xacml:2.0">
<ns:Policies>
<ns:PolicySet>
<ns:Location>test/policies/interop/xacml-policySet.xml</ns:Location>
<ns:Policy>
<ns:Location>test/policies/interop/xacml-policy2.xml</ns:Location>
</ns:Policy>

<ns:Policy>
<ns:Location>test/policies/interop/xacml-policy3.xml</ns:Location>
</ns:Policy>
<ns:Policy>
<ns:Location>test/policies/interop/xacml-policy4.xml</ns:Location>
</ns:Policy>

<ns:Policy>
<ns:Location>test/policies/interop/xacml-policy5.xml</ns:Location>
</ns:Policy>

</ns:PolicySet>
</ns:Policies>
<ns:Locators>
<ns:Locator Name="org.jboss.security.xacml.locators.JBossPolicySetLocator"/>

<ns:Locator Name="org.jboss.test.security.xacml.locators.TestAttributeLocator">
<ns:Option Name="identifier">test-attrib</ns:Option>
<ns:Option Name="attributeDesignatorSupport">true</ns:Option>
<ns:Option Name="attributeSelectorSupport">true</ns:Option>
<ns:Option Name="attributeDesignatorInt">0</ns:Option>
<ns:Option Name="attributeDesignatorInt">1</ns:Option>
<ns:Option Name="attributeDesignatorInt">2</ns:Option>
<ns:Option Name="attributeSupportedId">urn:oasis:names:tc:xacml:1.0:action:action-id</ns:Option>
<ns:Option Name="attributeSupportedId">http://www.w3.org/2001/XMLSchema#string</ns:Option>
<ns:Option Name="attributeSupportedId">urn:xacml:2.0:interop:example:subject:buy-offer-price</ns:Option>
<ns:Option Name="attributeSupportedId">urn:oasis:names:tc:xacml:1.0:subject:subject-id</ns:Option>
</ns:Locator>

<ns:Locator Name="org.jboss.test.security.xacml.locators.TestResourceLocator">
<ns:Option Name="identifier">test-resource</ns:Option>
<ns:Option Name="resourceChildSupport">true</ns:Option>
<ns:Option Name="resourceDescendantSupport">true</ns:Option>
</ns:Locator>

</ns:Locators>
</ns:jbosspdp>
=================================

The "Option" element names come from the AbstractLocator interface:
http://anonsvn.jboss.org/repos/jbossas/projects/security/security-xacml/tags/2.0.3.CR3/jboss-xacml/src/main/java/org/jboss/security/xacml/interfaces/AbstractLocator.java


------------------------
String IDENTIFIER_TAG = "identifier";
String ATTRIBUTE_DESIGNATOR_SUPPORT_TAG = "attributeDesignatorSupport";
String ATTRIBUTE_SELECTOR_SUPPORT_TAG = "attributeSelectorSupport";
String ATTRIBUTE_SUPPORTED_ID_TAG = "attributeSupportedId";
String ATTRIBUTE_DESIGNATOR_INTEGER_TAG = "attributeDesignatorInt";
String RESOURCE_CHILD_SUPPORTED_TAG = "resourceChildSupport";
String RESOURCE_DESCENDANT_SUPPORTED_TAG = "resourceDescendantSupport";
================================
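To make the attribute locator procedure concrete, here is an added example of a locator (my own illustration, not code from this post or from the JBossXACML project). It serves the resource attribute urn:oasis:names:tc:xspa:1.0:resource:org:allowed-organizations that appears in the debug trace, from a table the PDP side trusts, keyed by the request's resource-id, and returns an empty bag for every other attribute. The package name org.example.xacml, the sample resource ids and the "allowed-orgs" identifier are assumptions, as is the detail that the AttributeLocator base class already implements the AbstractLocator option handling (the procedure above says only the two findAttribute methods need overriding). The sunxacml types used (EvaluationResult, BagAttribute, StringAttribute, AttributeValue, AttributeDesignator.RESOURCE_TARGET, EvaluationCtx.getResourceId()) follow the Sun XACML API that JBossXACML repackages under org.jboss.security.xacml.sunxacml.

```java
package org.example.xacml; // assumed package name for this illustration

import java.net.URI;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.jboss.security.xacml.locators.AttributeLocator;
import org.jboss.security.xacml.sunxacml.EvaluationCtx;
import org.jboss.security.xacml.sunxacml.attr.AttributeDesignator;
import org.jboss.security.xacml.sunxacml.attr.AttributeValue;
import org.jboss.security.xacml.sunxacml.attr.BagAttribute;
import org.jboss.security.xacml.sunxacml.attr.StringAttribute;
import org.jboss.security.xacml.sunxacml.cond.EvaluationResult;
import org.w3c.dom.Node;

/**
 * Added example, not JBossXACML project code. Supplies the resource attribute
 * "allowed-organizations" when a policy references it and the request did not
 * carry it. The value comes from a table owned by the PDP side, never from the
 * (untrusted) request itself.
 *
 * Wire it into the jbosspdp configuration with the Option names from AbstractLocator
 * (the attributeDesignatorInt value 1 is the sunxacml RESOURCE_TARGET designator type):
 *   <ns:Locator Name="org.example.xacml.AllowedOrganizationsLocator">
 *     <ns:Option Name="identifier">allowed-orgs</ns:Option>
 *     <ns:Option Name="attributeDesignatorSupport">true</ns:Option>
 *     <ns:Option Name="attributeSelectorSupport">false</ns:Option>
 *     <ns:Option Name="attributeDesignatorInt">1</ns:Option>
 *     <ns:Option Name="attributeSupportedId">urn:oasis:names:tc:xspa:1.0:resource:org:allowed-organizations</ns:Option>
 *   </ns:Locator>
 */
public class AllowedOrganizationsLocator extends AttributeLocator
{
   private static final URI ALLOWED_ORGS_ID =
         URI.create("urn:oasis:names:tc:xspa:1.0:resource:org:allowed-organizations");
   private static final URI STRING_TYPE = URI.create(StringAttribute.identifier);

   // Constructed sample data: resource-id -> organizations allowed to reach it.
   // A deployment would back this with a directory, database or registry.
   private static final Map<String, List<String>> ALLOWED = new HashMap<String, List<String>>();
   static
   {
      ALLOWED.put("urn:example:resource:patient-record:42", Arrays.asList("orgA", "orgB"));
      ALLOWED.put("urn:example:resource:public-notice", Arrays.asList("orgA", "orgB", "orgC"));
   }

   @Override
   public EvaluationResult findAttribute(URI attributeType, URI attributeId, URI issuer,
         URI subjectCategory, EvaluationCtx context, int designatorType)
   {
      // Answer only for the single attribute this locator is authoritative for.
      // An empty bag (not an error) lets the PDP fall through to its own
      // MustBePresent handling for anything else.
      if (designatorType != AttributeDesignator.RESOURCE_TARGET
            || !ALLOWED_ORGS_ID.equals(attributeId)
            || !STRING_TYPE.equals(attributeType))
         return emptyBag(attributeType);

      // The PDP already knows the resource-id of the request being evaluated.
      AttributeValue resourceId = context.getResourceId();
      if (resourceId == null)
         return emptyBag(attributeType);
      List<String> orgs = ALLOWED.get(resourceId.encode());
      if (orgs == null)
         return emptyBag(attributeType);

      List<StringAttribute> values = new ArrayList<StringAttribute>();
      for (String org : orgs)
         values.add(new StringAttribute(org));
      return new EvaluationResult(new BagAttribute(attributeType, values));
   }

   @Override
   public EvaluationResult findAttribute(String contextPath, Node namespaceNode,
         URI attributeType, EvaluationCtx context, String xpathVersion)
   {
      // AttributeSelector (XPath) lookups are not served by this locator.
      return emptyBag(attributeType);
   }

   private static EvaluationResult emptyBag(URI attributeType)
   {
      return new EvaluationResult(BagAttribute.createEmptyBag(attributeType));
   }
}
```

The design point is the trust boundary: because the locator is driven by the policy rather than the request, it is the place to fetch attributes the requester must not be allowed to assert for itself, and returning an empty bag for unknown resources keeps the decision with the policy's own handling instead of silently granting a value.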


User Forum: http://www.jboss.org/index.html?module=bb&op=viewforum&f=49

Thursday, March 5, 2009

Vivek Kundra is the US Federal CIO

I had broached this topic in my previous blog post here.
http://anil-identity.blogspot.com/2009/01/us-cto-candidate-and-open-source.html


US President Obama has chosen 34-year-old Vivek Kundra, a proponent of Open Government and of the use of Open Source/Web 2.0 technologies, as the US CIO.

White House Names First Chief Information Officer


Congrats to Vivek and please continue the use of Open Source software for eGovernance.

Wednesday, March 4, 2009

JBossXACML 2.0.3.CR1 released

I would like to announce the availability of JBossXACML v2.0.3.CR1 release. You can get to it from the downloads page here:
JBossXACML Download

What does this have over the last v2.0.2.SP1 release?
* Bug fixes.
* Consolidation of jboss-xacml.jar and jboss-sunxacml.jar into one jar - jbossxacml.jar
* Discontinuation of the jboss-xacml-saml.jar as this functionality is currently provided by JBossIdentity.

As always, please provide feedback at the user forum.

FAQ:
1) How do I use this CR1 jar in AS5.x?
AS5.0.0.GA and 5.0.1.GA contain the v2.0.2.SP1 release of JBossXACML. Just replace jboss-xacml.jar and jboss-sunxacml.jar in the common/lib directory with jbossxacml.jar.

2) Are there any tutorials?
http://java.dzone.com/articles/fine-grained-web-authorization