HERAS-AF Forum
Topic: Retrieving policy information from the policy file
bouanani
« on: October 11, 2011, 09:34:06 am »

Hi,
I am new to HERAS-AF XACML and I am searching for the best way to detect the XACML policies (Subject, Action, ...) inside any policy file, using Java and the HERAS-AF XACML API.
A piece of sample code that I can refer to in order to retrieve what I need would be really helpful to me.

Thanks in advance

Florian Huonder
« Reply #1 on: October 11, 2011, 11:05:22 am »

Hi Bouanani,

I am not sure if I understood your question correctly.
Would you like to detect policies or target attributes (subject, action, ...)?

For both:
You have to load the policies in their XML form. This can be done (as described in the getting started guide: http://dev.herasaf.org/wiki/display/XACMLCORE/GettingStarted) with the PolicyMarshaller.
For a file-source for example:
Code:
Evaluatable eval = PolicyMarshaller.unmarshal(policyFile);
The Evaluatable is then either a PolicyType or a PolicySetType.

For extracting the attributes:
You can access the target attributes within the PolicyType or the PolicySetType:
Code:
PolicyType policy = ...
TargetType target = policy.getTarget();
SubjectsType subjects = target.getSubjects();
 ...

Let me know if we can give you further support.

Best regards,
Florian

bouanani
« Reply #2 on: October 11, 2011, 11:21:32 am »

Thanks a lot for answering.
Actually, after parsing the xacml-policy-file.xml I have to represent authorizations in a simple representation like this: AUTHORISATION(Subject S, Action A, Resource R, +|-), which states that a subject s is either authorized or forbidden to perform action a on resource r, depending on the value of the result parameter being either permit (+) or deny (-).
I hope that I am much clearer this time.

Florian Huonder
« Reply #3 on: October 11, 2011, 11:36:29 am »

Hi,

It is not easily possible to make such statements from viewing a policy.

  • A Target may have multiple Subject/Resource/Action/Environment elements that are or-connected. That means one of each must match for the target to match.
  • A missing target element (Subjects, Resources, ...) means "match".
  • Within each element (Subject, ...) multiple *-Match elements are present. These *-Match elements are and-connected. That means each of them must match for the surrounding element (e.g. Subject) to match.
  • Each *-Match element may contain multiple attribute values that are or-connected.
  • Furthermore, policies may be arranged in a hierarchy, meaning a PolicySet may contain multiple PolicySets and/or Policies, and each Policy may contain multiple rules. The target elements of the "super-type" always also apply to the current type.

So you see that the building of an XACML policy may be very complex, and I have not yet mentioned references and conditions, which make everything even more complex.

Best regards,
Florian
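
One way to approximate the (Subject, Action, Resource, +|-) listing asked for in this thread while respecting the target semantics listed in the reply above, as an added example that is not part of the original posts and does not use the HERAS-AF API (it reads the XACML 2.0 XML with Python's standard parser). The sample policy, its attribute values and the helper names are constructed; conditions, references, PolicySet nesting and the rule-combining algorithm are ignored, so the rows show what each rule states, not the final decision.

```python
import itertools
import xml.etree.ElementTree as ET

NS = "{urn:oasis:names:tc:xacml:2.0:policy:schema:os}"
STR = "http://www.w3.org/2001/XMLSchema#string"

def _elem(cat, *values):
    """Build one constructed <Subject>/<Action>/<Resource> holding one *Match per value."""
    return f"<{cat}>" + "".join(
        f'<{cat}Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">'
        f'<AttributeValue DataType="{STR}">{v}</AttributeValue>'
        f'<{cat}AttributeDesignator AttributeId="urn:example:attr" DataType="{STR}"/>'
        f"</{cat}Match>" for v in values) + f"</{cat}>"

# Constructed sample policy: (doctor AND cardiology) OR nurse; r1 permits read, r2 denies.
POLICY = (
    '<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os" PolicyId="urn:example:p" '
    'RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">'
    "<Target><Subjects>" + _elem("Subject", "doctor", "cardiology") + _elem("Subject", "nurse")
    + "</Subjects></Target>"
    '<Rule RuleId="r1" Effect="Permit"><Target><Actions>' + _elem("Action", "read")
    + '</Actions></Target></Rule><Rule RuleId="r2" Effect="Deny"/></Policy>')

def alternatives(target, cat):
    """OR-list of AND-tuples for one category; a missing element matches anything."""
    group = target.find(f"{NS}{cat}s") if target is not None else None
    if group is None:
        return [()]
    return [tuple(m.find(f"{NS}AttributeValue").text.strip()
                  for m in el.findall(f"{NS}{cat}Match"))
            for el in group.findall(f"{NS}{cat}")]

def flatten(policy_xml):
    """List (subject, action, resource, '+'|'-') rows, one per rule and OR-branch."""
    policy = ET.fromstring(policy_xml)
    rows = []
    for rule in policy.findall(f"{NS}Rule"):
        sign = "+" if rule.get("Effect") == "Permit" else "-"
        per_cat = []
        for cat in ("Subject", "Action", "Resource"):
            # The enclosing policy's target also applies: AND its OR-list with the rule's.
            pairs = itertools.product(alternatives(policy.find(f"{NS}Target"), cat),
                                      alternatives(rule.find(f"{NS}Target"), cat))
            per_cat.append([" AND ".join(p + r) or "any" for p, r in pairs])
        rows += [(s, a, r, sign) for s, a, r in itertools.product(*per_cat)]
    return rows

if __name__ == "__main__":
    print(*flatten(POLICY), sep="\n")
```

With deny-overrides, as in the sample, the "-" rows win wherever they overlap a "+" row, which is why the flat listing alone cannot be read as the access decision.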

bouanani
« Reply #4 on: October 11, 2011, 12:48:36 pm »

Thank you very much for answering. I understood that it's not easy to deal with this kind of representation when I had a look at the XSD file, but I have to find a way to simplify the complexity of the coding stuff, and that's why I wondered whether HERAS-AF could help. So I started to develop something with it, and I am facing some problems from the first steps :(
But could you please be more specific about loading the XML file in its proper format using PolicyMarshaller?
I have tried with this source code:
Code:
Set<Initializer> initializers = new HashSet<Initializer>();
initializers.add(new JAXBInitializer());
initializers.add(new PolicyCombiningAlgorithmsJAXBInitializer());
initializers.add(new RuleCombiningAlgorithmsJAXBInitializer());
initializers.add(new DataTypesJAXBInitializer());
initializers.add(new MyCustomFunctionsJAXBInitializer());
SimplePDPFactory.setInitalizers(initializers);
SimplePDPFactory.getSimplePDP();
Evaluatable eval = PolicyMarshaller.unmarshal(f);
but I get an error like this one:
Code:
org.herasaf.xacml.core.SyntaxException: Unable to unmarshal the file.
at org.herasaf.xacml.core.policy.PolicyMarshaller.unmarshal(PolicyMarshaller.java:606)
at learningaboutjtable.xacml.CustomFunctionTest.loadPolicyOtherWay(CustomFunctionTest.java:70)
at learningaboutjtable.xacml.CustomFunctionTest.main(CustomFunctionTest.java:80)
Kind regards

Florian Huonder
« Reply #5 on: October 11, 2011, 12:50:58 pm »

Please add the XACML-XML file that you try to load as well.
I will then come back to you later.

Regards,
Florian

bouanani
« Reply #6 on: October 11, 2011, 01:02:30 pm »

And here is the XML file that I tried to load:
Code:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides"
        PolicyId="urn:oasis:names:tc:example:SimplePolicy1"
        xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd">
    <Target>
        <Subjects>
            <Subject>
                <SubjectMatch
                    MatchId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
                        med.example.com
                    </AttributeValue>
                    <SubjectAttributeDesignator
                        AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                        DataType="http://www.w3.org/2001/XMLSchema#string" />
                </SubjectMatch>
            </Subject>
        </Subjects>
    </Target>
</Policy>

Florian Huonder
« Reply #7 on: October 11, 2011, 08:10:51 pm »

Hi,

The problem is that you've chosen a match-function that is not available by default. The HERAS-AF XACML Core only provides standard XACML 2.0 functions.
I think you meant: "urn:oasis:names:tc:xacml:1.0:function:string-regexp-match".
As far as I remember "urn:oasis:names:tc:xacml:1.0:function:regexp-string-match" is an XACML 1.0 function.

You pasted the top of the stack trace, further down it said (as reason of the SyntaxException):
Code:
Caused by: java.lang.IllegalArgumentException: Function urn:oasis:names:tc:xacml:1.0:function:regexp-string-match unknown.
within the FunctionsJAXBTypeAdapter.

As a hint: SyntaxException always means that something with the policy (or request, response) is not ok.

I hope that'll help.

Best regards,
Florian
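
A pre-load check for the failure diagnosed in the reply above, as an added example that is not part of the original posts and is not HERAS-AF code: it lists every MatchId or FunctionId in a policy that is not on an allow-list, so the offending identifier is visible without digging through the stack trace. KNOWN_FUNCTIONS is a short constructed excerpt of XACML 2.0 function identifiers (an assumption to be replaced with the set your PDP actually registers), and the policy is a condensed copy of the one posted in this thread.

```python
import xml.etree.ElementTree as ET

# Excerpt only (assumption): extend with every function your PDP registers.
KNOWN_FUNCTIONS = {
    "urn:oasis:names:tc:xacml:1.0:function:string-equal",
    "urn:oasis:names:tc:xacml:1.0:function:anyURI-equal",
    "urn:oasis:names:tc:xacml:1.0:function:string-regexp-match",
    "urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match",
}

# Condensed copy of the policy posted in the thread, including its unknown MatchId.
POLICY = """<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
  PolicyId="urn:oasis:names:tc:example:SimplePolicy1"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
 <Target><Subjects><Subject>
  <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">med.example.com</AttributeValue>
   <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
     DataType="http://www.w3.org/2001/XMLSchema#string"/>
  </SubjectMatch>
 </Subject></Subjects></Target>
</Policy>"""

def unknown_functions(policy_xml, known=KNOWN_FUNCTIONS):
    """Return sorted (element, attribute, id) triples whose function id is not in `known`."""
    findings = set()
    for el in ET.fromstring(policy_xml).iter():
        for attr in ("MatchId", "FunctionId"):
            fid = el.get(attr)
            if fid is not None and fid not in known:
                # Strip the "{namespace}" prefix ElementTree puts on tag names.
                findings.add((el.tag.split("}")[-1], attr, fid))
    return sorted(findings)

if __name__ == "__main__":
    for element, attr, fid in unknown_functions(POLICY):
        print(f"{element}/@{attr}: unknown function {fid}")
```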

bouanani
« Reply #8 on: October 12, 2011, 08:54:45 am »

Thanks a lot for your help, I am able to retrieve the information I need :)