Heras-AF implementation and Oasis interop tests

[ffaure32]

Hi All,

I'm actually trying to compare different xacml implementations and I'm very impressed by your solution. Unfortunately, I've got some problems to make it run properly.
I'm deploying a configuration based on your integration tests:

Here is my applicationContext.ctx.xml:

Code:

<?xml version="1.0" encoding="UTF-8"?>

<!-- Example ApplicationContext for the PDP. -->

<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd">

<import resource="../config/TestPersistenceManager.xml" />
<import resource="../config/Locator.xml" />
<import resource="../config/ContextAndPolicyConfiguration.xml" />
<import resource="../config/Functions.xml" />
<import resource="../config/DataTypeAttributes.xml" />

<bean id="messageFactory" class="org.springframework.ws.soap.saaj.SaajSoapMessageFactory">
        <property name="messageFactory">
            <bean class="com.sun.xml.messaging.saaj.soap.ver1_1.SOAPMessageFactory1_1Impl"></bean>
        </property>
    </bean>

<bean id="pdpImpl" class="org.herasaf.xacml.pdp.impl.PDPImpl">
<property name="policyCombiningAlgorithm"> <!-- The root combining algorithm -->
<ref bean="policyPermitOverridesAlgorithm" />
</property>
</bean>

<bean id="initDb" class="org.herasaf.pdp.ws.integration.PolicyInitializer">
<constructor-arg ref="pdpImpl"/>
<property name="policies">
            <list>
                <value>XacmlPolicySet-01-top-level.xml</value>
                <value>XacmlPolicySet-02a-CDA.xml</value>
                <value>XacmlPolicySet-02b-N.xml</value>
                <value>XacmlPolicySet-02c-N-PermCollections.xml</value>
                <value>XacmlPolicySet-02d-prog-note.xml</value>
                <value>XacmlPolicySet-02e-MA.xml</value>
                <value>XacmlPolicySet-02f-emergency.xml</value>
                <value>XacmlPolicySet-03-N-RPS-virt-med-rec-role.xml</value>
                <value>XacmlPolicySet-04-N-PPS-PRD-004.xml</value>
            </list>
        </property>
</bean>

<!-- ============================================================  Locator definition  ================================================================= -->

<bean id="herasafIndexHandler" class="org.herasaf.xacml.pdp.locator.impl.index.impl.IndexHandlerImpl" />

<!-- ============================================================  ReferenceLoader definition  ====================================================== -->

<bean id="referenceLoader" class="org.herasaf.xacml.pdp.referenceloader.impl.ReferenceLoaderMock" />

<!-- ============================================================  Attribute Finder================================================================= -->

<bean id="herasafAttributeFinder" class="org.herasaf.xacml.core.attributeFinder.impl.AttributeFinderMock" />

<!-- ================  PolicyCombiningAlgorithm Converter definition and PolicyCombiningAlgorithm  ============================== -->

<!-- ================  PolicyCombiningAlgorithm Converter definition and PolicyCombiningAlgorithm  ============================== -->

<bean id="URNToPolicyCombiningAlgorithmConverter"
class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
<property name="staticMethod">
<value>org.herasaf.xacml.core.converter.URNToPolicyCombiningAlgorithmConverter.setCombiningAlgorithms</value>
</property>
<property name="arguments">
<map>
<entry
key="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides"
value-ref="policyDenyOverridesAlgorithm" />
<entry
key="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides"
value-ref="policyPermitOverridesAlgorithm" />
<entry
key="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable"
value-ref="policyFirstApplicableAlgorithm" />
<entry
key="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:only-one-applicable"
value-ref="onlyOneApplicableAlgorithm" />
</map>
</property>
</bean>

<bean id="onlyOneApplicableAlgorithm" class="org.herasaf.xacml.core.combiningAlgorithm.policy.impl.OnlyOneApplicableAlgorithm" />

<bean id="policyFirstApplicableAlgorithm" class="org.herasaf.xacml.core.combiningAlgorithm.policy.impl.PolicyFirstApplicableAlgorithm" />

<bean id="policyDenyOverridesAlgorithm" class="org.herasaf.xacml.core.combiningAlgorithm.policy.impl.PolicyDenyOverridesAlgorithm" />

<bean id="policyPermitOverridesAlgorithm" class="org.herasaf.xacml.core.combiningAlgorithm.policy.impl.PolicyPermitOverridesAlgorithm" />

<!-- ================  RuleCombiningAlgorithm Converter definition and RuleCombiningAlgorithm  ================================== -->

<bean id="initURNToRuleCombiningAlgorithmConverter"
class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
<property name="staticMethod">
<value>org.herasaf.xacml.core.converter.URNToRuleCombiningAlgorithmConverter.setCombiningAlgorithms</value>
</property>
<property name="arguments">
<map>
<entry
key="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides"
value-ref="ruleDenyOverridesAlgorithm" />
<entry
key="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:ordered-deny-overrides"
value-ref="ruleOrderedDenyOverridesAlgorithm" />
<entry
key="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides"
value-ref="rulePermitOverridesAlgorithm" />
<entry
key="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:ordered-permit-overrides"
value-ref="ruleOrderedPermitOverridesAlgorithm" />
<entry
key="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
value-ref="ruleFirstApplicableAlgorithm" />
</map>
</property>
</bean>

<bean id="ruleDenyOverridesAlgorithm" class="org.herasaf.xacml.core.combiningAlgorithm.rule.impl.RuleDenyOverridesAlgorithm" />

<bean id="ruleOrderedDenyOverridesAlgorithm" class="org.herasaf.xacml.core.combiningAlgorithm.rule.impl.RuleOrderedDenyOverridesAlgorithm" />

<bean id="rulePermitOverridesAlgorithm" class="org.herasaf.xacml.core.combiningAlgorithm.rule.impl.RulePermitOverridesAlgorithm" />

<bean id="ruleOrderedPermitOverridesAlgorithm" class="org.herasaf.xacml.core.combiningAlgorithm.rule.impl.RuleOrderedPermitOverridesAlgorithm" />

<bean id="ruleFirstApplicableAlgorithm" class="org.herasaf.xacml.core.combiningAlgorithm.rule.impl.RuleFirstApplicableAlgorithm" />

<!-- ======================================  Target Matcher  ========================================================== -->

<bean id="targetMatcher" class="org.herasaf.xacml.core.targetMatcher.impl.TargetMatcherImpl" />
</beans>

As you can see, I'm loading policies from the Oasis Interop Tests:

• XacmlPolicySet-01-top-level.xml
• XacmlPolicySet-02a-CDA.xml
• XacmlPolicySet-02b-N.xml
• XacmlPolicySet-02c-N-PermCollections.xml
• XacmlPolicySet-02d-prog-note.xml
• XacmlPolicySet-02e-MA.xml
• XacmlPolicySet-02f-emergency.xml
• XacmlPolicySet-03-N-RPS-virt-med-rec-role.xml
• XacmlPolicySet-04-N-PPS-PRD-004.xml

Apparently, there is a sort of hierarchy with this policies (I can see it from the way it is declared in the JBoss XACML implementation) but I don't know how to respect this hierarchy in Heras-AF.
I've just upgraded the PolicyInitializer given to load the xml policies one by one:

Code:

            for (String name : policies) {
                Evaluatable eva = PolicyConverter.unmarshal(new File(servletContext.getRealPath("/WEB-INF/Policies/" + name)));

                evals.add(eva);
            }

When I'm running the XACML request from the interop test, I've got no exceptions and real XACML responses but I get only DENY responses except for the "emergency_access" that returns a permit. Normally, I should also obtain a permit for patient_search and charliefacilityB_patientA_emergency_request requests.

I guess I'm missing some thing but what?

I know there are lots of question in my post but I hope you'll be able to give me some hints.

For information, I'm running the request through SoapUI with a SAML enveloppe...

Many thanks in advance,

Fred

[René Eggenschwiler]

Hi Fred

Our Implementation doesn't yet support policy-trees splittet into multiple files.
Because of our indexing mechanism every policy in a single xml file, will be treated a a root policy. Which leads to different results in combining.

For the interop showcase in London we had to tweak our deployment module a little bit. But that was not an official release.
We are still thinking about the best way of deployment interpretation.

In the meantime you can solve the problem with the splitted xml files/policies.
Just merge the files which belong to a tree into one physical tree.
E.g in pseudo xml:

Code:

PolicySet A
-> Policy 1
-> PolicySet B
->->Policy2
->->Policy3

I hope I could help you with my answer. Feel free to contact us if you need more support.

Best regards
René

[Florian Huonder]

Good morning,

As René said, we cannot handle a tree that is spread over multiple "deployment units".
Everything you deploy (every Evaluatable) is in the root of the PDP. That's the reason why the Interop-Tests fail.
The merging René mentioned means that everywhere in the toplevel policy where a <*IdReference> is, you must put in the referenced policy (or PolicySet) with <Policy ...>.
If you use our ReferencePreprocessor you only must replace one Reference if there are multiple.
I attached a sample Toplevel policy that is merged and an Application Context that shows how to configure the XACML Implementation. (As far as I know the property respectAbandonedEvaluatable of the policy-combiningalgorithms must be enabled)

As René said, we had to tweak our PDP a little bit that it worked for the interop because at this time we weren't able to handle Obligations.
The latest trunk can handle Obligations (http://svn.herasaf.org/herasaf-xacml/trunk/ - Revision 1061).
As I tried to run the interop demo tests I found out that there is a bug in the way the Obligations are handled. Stefan and Me fixed that and we committed the changes to the trunk. So the most recent trunk should work.

If you have any questions just ask and let us know if it works

Regards,
Florian

[René Eggenschwiler]

Hi All

The changes mentioned by Florian are now included in our release version 0.12.0.
See also our release announcement: http://forum.herasaf.org/index.php/topic,21.0.html

Best regards
René

[Florian Huonder]

The release-notes with all related changes can be found here:
http://jira.herasaf.org/secure/IssueNavigator.jspa?reset=true&pid=10002&fixfor=10002

Regards,
Flo