XACML Request creation
An interface is provided in CXF with a method to return an XACML request given a number of parameters. Only XACML 2.0 is considered for Talend ESB, as XACML 3.0 is not supported. It is designed in such a way that the parameters encapsulate all useful information for making an authorization request on either the client or endpoint side. The method parameters are as follows:
- A Principal corresponding to the Subject of the request
- A list of roles corresponding to the roles of the principal
- A CXF Message object describing the current request
The method implementation creates a XACML request using these parameters and marshals it into an OpenSAML RequestType object. OpenSAML contains some functionality to handle XACML Requests, Responses and Policies, which can be marshalled to DOM Elements, and so it makes sense to re-use this functionality.
A default implementation of the interface defined above is also provided; it builds a XACML request that will be accepted by the TESB PDP as well as by standard third-party PDPs. The implementation constructs the request from the given parameters by associating the following values with the following (standard) XACML attributes:
- Principal name is mapped to urn:oasis:names:tc:xacml:1.0:subject:subject-id
- Each Principal role is mapped to urn:oasis:names:tc:xacml:2.0:subject:role
- An Action String is mapped to urn:oasis:names:tc:xacml:1.0:action:action-id
- A Resource String is mapped to urn:oasis:names:tc:xacml:1.0:resource:resource-id
- The current DateTime is mapped to urn:oasis:names:tc:xacml:1.0:environment:current-dateTime
The Principal name and role attributes additionally have an Issuer attribute corresponding to the Issuer of the SAML Assertion, as it may be that the PDP requires the knowledge of who provided the roles of the authenticated principal.
The Action String describes the Action being performed, which the XACML specification defines as “an Operation on a Resource”. It is configured differently for JAX-RS and JAX-WS services:
- JAX-WS: The action is a statically configured String, defaulting to “execute”.
- JAX-RS: The action is the HTTP verb, e.g. “GET”.
The “Resource” String which describes the JAX-RS or JAX-WS endpoint is extracted from the CXF Message object. The default is as follows:
- JAX-WS: {Service namespace}Operation (via CXF's Message.WSDL_OPERATION)
- JAX-RS: The REST URI (via CXF's Message.REQUEST_URI)
Note that for JAX-RS, the REST URI obtained via Message.REQUEST_URI does not include the “https://<ip-address>” prefix. In general, the policy will not care about how the service is deployed. However, this is configurable via a boolean property on the XACMLRequestBuilder: if it is set to true (the default is false), the full Request URL is sent for both JAX-WS and JAX-RS services.
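The attribute mapping and the Action/Resource defaults described above, as an added example in Python rather than CXF's own XACMLRequestBuilder. The dictionary keys that stand in for CXF Message properties (wsdl.operation, request.uri, request.url, http.method), the helper names and the constructed sample values are assumptions made for this example; the sample values are chosen to mirror the JAX-WS listing further below.

```python
# Added example, not CXF's own XACMLRequestBuilder: builds the XACML 2.0
# context Request from a principal, its roles and a "message" using the
# attribute mapping described in the text.  The dict keys standing in for CXF
# Message properties (wsdl.operation, request.uri, request.url, http.method)
# and the helper names are assumptions made for this example.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Dict, List, Optional

XACML_CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
XS_ANYURI = "http://www.w3.org/2001/XMLSchema#anyURI"
XS_DATETIME = "http://www.w3.org/2001/XMLSchema#dateTime"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ROLE_ID = "urn:oasis:names:tc:xacml:2.0:subject:role"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
CURRENT_DATETIME = "urn:oasis:names:tc:xacml:1.0:environment:current-dateTime"
ACCESS_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
ET.register_namespace("xacml-context", XACML_CTX)

# Constructed sample inputs (values chosen to mirror the JAX-WS listing).
JAXWS_MESSAGE = {"wsdl.operation": "{http://www.example.org/contract/DoubleIt}DoubleIt",
                 "request.url": "https://192.0.2.10:8443/doubleit"}
JAXRS_MESSAGE = {"http.method": "GET", "request.uri": "/numberservice/doubleit/20",
                 "request.url": "https://192.0.2.10:8443/numberservice/doubleit/20"}
SAMPLE_TIME = datetime(2012, 10, 9, 14, 36, 7, 3000, tzinfo=timezone.utc)


def _tag(local: str) -> str:
    return f"{{{XACML_CTX}}}{local}"


def resource_for(message: Dict[str, str], send_full_request_url: bool = False) -> str:
    """Default Resource string: {namespace}Operation for JAX-WS, the REST URI
    (no scheme/host) for JAX-RS, or the full request URL when the flag is set."""
    if send_full_request_url:
        return message["request.url"]
    if "wsdl.operation" in message:
        return message["wsdl.operation"]
    return message["request.uri"]


def action_for(message: Dict[str, str], jaxws_action: str = "execute") -> str:
    """Default Action string: a static value for JAX-WS, the HTTP verb for JAX-RS."""
    return jaxws_action if "wsdl.operation" in message else message["http.method"]


def _attribute(parent: ET.Element, attribute_id: str, data_type: str,
               value: str, issuer: Optional[str] = None) -> ET.Element:
    attr = ET.SubElement(parent, _tag("Attribute"),
                         {"AttributeId": attribute_id, "DataType": data_type})
    if issuer is not None:          # only subject-id and role carry the Issuer
        attr.set("Issuer", issuer)
    ET.SubElement(attr, _tag("AttributeValue")).text = value
    return attr


def build_request(principal: str, roles: List[str], message: Dict[str, str],
                  issuer: Optional[str] = None, send_full_request_url: bool = False,
                  now: Optional[datetime] = None) -> ET.Element:
    """Assemble Subject / Resource / Action / Environment as the text describes."""
    now = now or datetime.now(timezone.utc)
    req = ET.Element(_tag("Request"))
    subject = ET.SubElement(req, _tag("Subject"), {"SubjectCategory": ACCESS_SUBJECT})
    _attribute(subject, SUBJECT_ID, XS_STRING, principal, issuer)
    for role in roles:
        _attribute(subject, ROLE_ID, XS_ANYURI, role, issuer)
    _attribute(ET.SubElement(req, _tag("Resource")), RESOURCE_ID, XS_STRING,
               resource_for(message, send_full_request_url))
    _attribute(ET.SubElement(req, _tag("Action")), ACTION_ID, XS_STRING, action_for(message))
    stamp = now.strftime("%Y-%m-%dT%H:%M:%S.") + f"{now.microsecond // 1000:03d}Z"
    _attribute(ET.SubElement(req, _tag("Environment")), CURRENT_DATETIME, XS_DATETIME, stamp)
    return req


def find_attributes(request: ET.Element, attribute_id: str) -> List[ET.Element]:
    return [a for a in request.iter(_tag("Attribute")) if a.get("AttributeId") == attribute_id]


def attribute_values(request: ET.Element, attribute_id: str) -> List[str]:
    return [a.find(_tag("AttributeValue")).text for a in find_attributes(request, attribute_id)]


def to_xml(request: ET.Element) -> str:
    return ET.tostring(request, encoding="unicode")


if __name__ == "__main__":
    print(to_xml(build_request("alice", ["manager"], JAXWS_MESSAGE,
                               issuer="STSIssuer", now=SAMPLE_TIME)))
```

Running the block prints a Request with the same four sections as the listing below. The Issuer is set only on the subject-id and role attributes, which is the point made above: the PDP can tell which SAML issuer vouched for the roles, while the resource, action and time are supplied by the enforcement point itself.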
Typically, a JAX-RS request includes a variable parameter, which you might not care about for authorization. XACML is flexible enough to handle this using regular expressions. For example, the following is a resource in an XACML request as sent by CXF:
<xacml-context:Attribute
    AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
    DataType="http://www.w3.org/2001/XMLSchema#string">
  <xacml-context:AttributeValue>
    /numberservice/doubleit/20
  </xacml-context:AttributeValue>
</xacml-context:Attribute>
A policy that will successfully match this resource is as follows:
<Resources>
  <Resource>
    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
        /numberservice/doubleit/(\d)*
      </AttributeValue>
      <ResourceAttributeDesignator
          DataType="http://www.w3.org/2001/XMLSchema#string"
          AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
    </ResourceMatch>
  </Resource>
</Resources>
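How the ResourceMatch above is evaluated against the resource-id CXF sends, as an added example that is not the Talend ESB PDP or CXF code. The policy fragment and the resource attribute are embedded as constructed strings taken from the two listings above; the helper names are assumptions. XACML 2.0 defines string-regexp-match in terms of XML Schema regular expressions, which match the whole string, while some PDPs apply a substring search, so the example shows both modes and a tighter pattern alongside the page's `(\d)*`.

```python
# Added example, not the Talend ESB PDP or CXF code: evaluates the
# string-regexp-match <ResourceMatch> from the policy above against the
# resource-id attribute CXF sends for a JAX-RS call.  Helper names and the
# two matching modes are assumptions made for this example.
import re
import xml.etree.ElementTree as ET

XACML_CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
REGEXP_MATCH = "urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"


def resource_attribute(value: str) -> str:
    """Constructed sample: the resource Attribute shown above, for a given URI."""
    return (f'<xacml-context:Attribute xmlns:xacml-context="{XACML_CTX}" '
            f'AttributeId="{RESOURCE_ID}" DataType="{XS_STRING}">'
            f'<xacml-context:AttributeValue>{value}</xacml-context:AttributeValue>'
            '</xacml-context:Attribute>')


# Constructed sample: the <Resources> fragment of the policy above.  It is
# parsed by local name because the fragment carries no namespace declaration.
POLICY_RESOURCES = r"""<Resources>
  <Resource>
    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
        /numberservice/doubleit/(\d)*
      </AttributeValue>
      <ResourceAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
          AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
    </ResourceMatch>
  </Resource>
</Resources>"""

# Same policy with a tighter pattern: at least one digit and nothing else,
# so the bare path "/numberservice/doubleit/" no longer matches.
STRICT_POLICY_RESOURCES = POLICY_RESOURCES.replace(r"(\d)*", r"\d+")


def resource_value(attribute_xml: str) -> str:
    """Pull the resource-id value out of the Attribute element; surrounding
    whitespace (the listings wrap the value onto its own line) is stripped."""
    attr = ET.fromstring(attribute_xml)
    if attr.get("AttributeId") != RESOURCE_ID:
        raise ValueError("not a resource-id attribute")
    return attr.find(f"{{{XACML_CTX}}}AttributeValue").text.strip()


def match_patterns(policy_resources_xml: str) -> list:
    """Collect (pattern, designated AttributeId) for each string-regexp-match."""
    root = ET.fromstring(policy_resources_xml)
    pairs = []
    for rm in root.iter("ResourceMatch"):
        if rm.get("MatchId") != REGEXP_MATCH:
            continue
        pattern = rm.find("AttributeValue").text.strip()
        designated = rm.find("ResourceAttributeDesignator").get("AttributeId")
        pairs.append((pattern, designated))
    return pairs


def string_regexp_match(pattern: str, value: str, anchored: bool = True) -> bool:
    """anchored=True: the whole string must match (XML Schema regex semantics);
    anchored=False: substring search, as some PDP implementations do."""
    if anchored:
        return re.fullmatch(pattern, value) is not None
    return re.search(pattern, value) is not None


def resource_matches(policy_resources_xml: str, attribute_xml: str,
                     anchored: bool = True) -> bool:
    """True if any ResourceMatch on resource-id accepts the request's resource."""
    value = resource_value(attribute_xml)
    return any(string_regexp_match(pattern, value, anchored)
               for pattern, attr_id in match_patterns(policy_resources_xml)
               if attr_id == RESOURCE_ID)
```

Two things worth checking against your own PDP: `(\d)*` also accepts zero digits, so the collection path `/numberservice/doubleit/` satisfies the page's pattern, and an unanchored implementation would accept a longer path that merely contains the pattern. Writing the pattern as tightly as the resource shape allows, and confirming whether the PDP anchors the match, keeps the policy from granting more than intended.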
An example of a XACML request for a JAX-WS service using the definitions given above is listed below.
<xacml-context:Request
    xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os">
  <xacml-context:Subject
      SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <xacml-context:Attribute
        AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
        DataType="http://www.w3.org/2001/XMLSchema#string"
        Issuer="STSIssuer">
      <xacml-context:AttributeValue>
        alice
      </xacml-context:AttributeValue>
    </xacml-context:Attribute>
    <xacml-context:Attribute
        AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
        DataType="http://www.w3.org/2001/XMLSchema#anyURI"
        Issuer="STSIssuer">
      <xacml-context:AttributeValue>
        manager
      </xacml-context:AttributeValue>
    </xacml-context:Attribute>
  </xacml-context:Subject>
  <xacml-context:Resource>
    <xacml-context:Attribute
        AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
        DataType="http://www.w3.org/2001/XMLSchema#string">
      <xacml-context:AttributeValue>
        {http://www.example.org/contract/DoubleIt}DoubleIt
      </xacml-context:AttributeValue>
    </xacml-context:Attribute>
  </xacml-context:Resource>
  <xacml-context:Action>
    <xacml-context:Attribute
        AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
        DataType="http://www.w3.org/2001/XMLSchema#string">
      <xacml-context:AttributeValue>
        execute
      </xacml-context:AttributeValue>
    </xacml-context:Attribute>
  </xacml-context:Action>
  <xacml-context:Environment>
    <xacml-context:Attribute
        AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-dateTime"
        DataType="http://www.w3.org/2001/XMLSchema#dateTime">
      <xacml-context:AttributeValue>
        2012-10-09T14:36:07.003Z
      </xacml-context:AttributeValue>
    </xacml-context:Attribute>
  </xacml-context:Environment>
</xacml-context:Request>