Chapter 12. XACML Authorization Callout (Since GT 4.2.1)

1. Class name

org.globus.wsrf.impl.security.authorization.XACMLAuthorizationCallout

2. Overview

A Policy Decision Point (PDP) that communicates with a configured authorization service exposing the XACML Authorization Service interface. The PDP constructs a XACML Authorization Query, sends it to the service, and parses the XACML Authorization Decision response to ascertain a decision. It uses the data types defined in the SAML 2.0 Profile for XACML 2.0.

2.1. Request construction

The PDP does not create or collect any attributes itself; it sends a subset of the attributes in the RequestEntities object as part of the XACML Request to the authorization service. Custom PIPs that collect the relevant attributes should therefore be configured ahead of this PDP in the authorization chain. Requestor attributes are added to the SubjectType, action attributes to the ActionType, resource attributes to the ResourceType and environment attributes to the EnvironmentType. Both identity and non-identity attributes that meet the following criteria are added:

  • Any attribute with data type set to http://www.w3.org/2001/XMLSchema#string whose values are of type java.lang.String.

  • Any attribute with data type set to http://www.w3.org/2001/XMLSchema#integer whose values are of type java.lang.Integer.

  • Any attribute whose values implement org.opensaml.xml.XMLObject.

Only this subset of attributes is added, since these are the types the callout knows how to serialize and send on the wire. Attributes of any other data type, or whose values are not of the matching Java type, are not included in the query, so a policy at the authorization service that depends on them is evaluated without them. Custom types can be sent by providing attribute values that implement the XMLObject interface.
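The selection rules above, worked through as an added example (this is not code from the page or from the Globus toolkit). The Attribute, Section and XMLObjectValue types are stand-ins for the authorization framework's RequestEntities attributes and for org.opensaml.xml.XMLObject, the attribute ids and values are constructed sample data, and the reading that an attribute is forwarded only when every one of its values qualifies is an assumption of this listing:

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.EnumMap;
import java.util.List;
import java.util.Map;

// Added example (not Globus code): the attribute selection of Section 2.1
// modelled with stand-in types. The real callout reads the authorization
// framework's RequestEntities and forwards org.opensaml.xml.XMLObject values.
public class XacmlRequestAttributeFilter {

    static final String XSD_STRING  = "http://www.w3.org/2001/XMLSchema#string";
    static final String XSD_INTEGER = "http://www.w3.org/2001/XMLSchema#integer";
    static final String XSD_ANYURI  = "http://www.w3.org/2001/XMLSchema#anyURI";

    /** Which request entity an attribute belongs to; maps onto the four XACML request sections. */
    enum Section { SUBJECT, ACTION, RESOURCE, ENVIRONMENT }

    /** Stand-in for org.opensaml.xml.XMLObject: values implementing it are forwarded as-is. */
    interface XMLObjectValue { String toXml(); }

    /** Stand-in for a collected attribute: section, XACML attribute id, data type URI and values. */
    static final class Attribute {
        final Section section; final String id; final String dataType; final List<Object> values;
        Attribute(Section section, String id, String dataType, Object... values) {
            this.section = section; this.id = id; this.dataType = dataType;
            this.values = Arrays.asList(values);
        }
    }

    /** One value is serializable by the callout only under the three rules of Section 2.1. */
    static boolean isForwardable(String dataType, Object value) {
        if (value instanceof XMLObjectValue) return true;                          // rule 3
        if (XSD_STRING.equals(dataType) && value instanceof String) return true;   // rule 1
        if (XSD_INTEGER.equals(dataType) && value instanceof Integer) return true; // rule 2
        return false;                                                              // anything else is left out
    }

    /**
     * Splits the collected attributes into those placed in the XACML Request
     * (grouped by section) and those that never reach the authorization service.
     * Assumed reading: an attribute is forwarded only if every value qualifies.
     */
    static Map<Section, List<Attribute>> buildRequest(List<Attribute> collected, List<Attribute> dropped) {
        Map<Section, List<Attribute>> request = new EnumMap<Section, List<Attribute>>(Section.class);
        for (Section s : Section.values()) request.put(s, new ArrayList<Attribute>());
        for (Attribute a : collected) {
            boolean ok = !a.values.isEmpty();
            for (Object v : a.values) ok &= isForwardable(a.dataType, v);
            (ok ? request.get(a.section) : dropped).add(a);
        }
        return request;
    }

    public static void main(String[] args) {
        // Constructed sample: what a chain of subject/action/resource PIPs might have collected.
        List<Attribute> collected = Arrays.asList(
            new Attribute(Section.SUBJECT, "urn:oasis:names:tc:xacml:1.0:subject:subject-id",
                          XSD_STRING, "/DC=org/DC=example/OU=People/CN=Alice"),
            new Attribute(Section.ACTION, "urn:oasis:names:tc:xacml:1.0:action:action-id",
                          XSD_STRING, "read"),
            new Attribute(Section.RESOURCE, "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
                          XSD_STRING, "https://foo.bar.edu:8443/wsrf/services/SampleService"),
            new Attribute(Section.ENVIRONMENT, "urn:example:environment:hop-count",
                          XSD_INTEGER, Integer.valueOf(2)),
            // left out: string data type, but the value is not a java.lang.String
            new Attribute(Section.SUBJECT, "urn:example:subject:principal",
                          XSD_STRING, new javax.security.auth.x500.X500Principal("CN=Alice")),
            // left out: a data type the callout does not serialize
            new Attribute(Section.SUBJECT, "urn:example:subject:vo",
                          XSD_ANYURI, "urn:example:vo:physics"),
            // forwarded: a custom type supplied as an XMLObject
            new Attribute(Section.SUBJECT, "urn:example:subject:role", "urn:example:role-type",
                          new XMLObjectValue() {
                              public String toXml() { return "<role>admin</role>"; }
                          }));

        List<Attribute> dropped = new ArrayList<Attribute>();
        Map<Section, List<Attribute>> request = buildRequest(collected, dropped);
        for (Section s : Section.values()) {
            for (Attribute a : request.get(s)) System.out.println(s + "  " + a.id + " = " + a.values);
        }
        for (Attribute a : dropped) System.out.println("NOT SENT  " + a.id + " (" + a.dataType + ")");
    }
}
```

Run as a plain Java program; the last two lines of output list the two attributes a PIP collected but the callout would never send, which is the case to check for when a policy at the authorization service unexpectedly evaluates to NotApplicable.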

2.2. Evaluation of response from authorization service

  • The response is expected to carry the InResponseTo attribute, since it is sent in response to the query issued by the callout. If the attribute is absent or does not match the query id, an indeterminate decision is returned.

  • If no assertion is received, or no XACMLAuthzDecisionStatement is found, an indeterminate decision is returned.

  • If return context is set to true and no request context is returned by the service, an indeterminate decision is returned. The returned request context is NOT currently used in the decision-making process.

  • If even a single XACMLAuthzDecisionStatement, embedded in a Response whose InResponseTo attribute matches the request id, has a ResultType decision of deny, a deny decision is returned.

  • If even a single XACMLAuthzDecisionStatement, embedded in a Response whose InResponseTo attribute matches the request id, has a ResultType decision of indeterminate, an indeterminate decision is returned.

  • If every XACMLAuthzDecisionStatement, embedded in a Response whose InResponseTo attribute matches the request id, has a ResultType decision of permit, a permit decision is returned. Note: at least one such permit statement is required; if none is present, an indeterminate decision is returned.
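The rules above as a single decision function, added here as an example; it is not code from the page or from the Globus toolkit, and the Response and DecisionStatement classes are stand-ins for the OpenSAML objects the real callout inspects. Two points the list leaves open are assumptions of this listing: the deny rule is checked before the indeterminate rule (the order in which the list states them), and a NotApplicable statement counts as "not permit", so it yields indeterminate. The query ids and statements in main are constructed sample data:

```java
import java.util.Arrays;
import java.util.List;

// Added example (not Globus code): the response-evaluation rules of Section 2.2
// over minimal stand-ins for the SAML Response and XACMLAuthzDecisionStatement.
public class AuthzResponseEvaluator {

    /** Stand-in for the XACML Result decision. */
    enum Decision { PERMIT, DENY, INDETERMINATE, NOT_APPLICABLE }

    /** Stand-in for one XACMLAuthzDecisionStatement found in the response's assertions. */
    static final class DecisionStatement {
        final Decision result;
        final boolean hasRequestContext;   // whether an <xacml-context:Request> came back with it
        DecisionStatement(Decision result, boolean hasRequestContext) {
            this.result = result; this.hasRequestContext = hasRequestContext;
        }
    }

    /** Stand-in for the SAML Response: its InResponseTo attribute (null = absent) and statements. */
    static final class Response {
        final String inResponseTo;
        final List<DecisionStatement> statements;
        Response(String inResponseTo, DecisionStatement... statements) {
            this.inResponseTo = inResponseTo; this.statements = Arrays.asList(statements);
        }
    }

    /**
     * Maps a response to the callout's decision. Every failure to correlate the
     * response or to find a usable statement yields INDETERMINATE, never PERMIT.
     */
    static Decision evaluate(String queryId, boolean returnContext, Response response) {
        // The response must be correlated to the query we sent.
        if (response == null || response.inResponseTo == null
                || !response.inResponseTo.equals(queryId)) {
            return Decision.INDETERMINATE;
        }
        // No assertion, or no decision statement in any assertion.
        if (response.statements.isEmpty()) {
            return Decision.INDETERMINATE;
        }
        boolean anyDeny = false, anyIndeterminate = false, allPermit = true;
        for (DecisionStatement s : response.statements) {
            // We asked for the request context back but did not get it.
            if (returnContext && !s.hasRequestContext) {
                return Decision.INDETERMINATE;
            }
            if (s.result == Decision.DENY) anyDeny = true;
            else if (s.result == Decision.INDETERMINATE) anyIndeterminate = true;
            if (s.result != Decision.PERMIT) allPermit = false;
        }
        if (anyDeny) return Decision.DENY;                  // a single deny wins
        if (anyIndeterminate) return Decision.INDETERMINATE;
        // Permit only when every statement is Permit (and there is at least one).
        return allPermit ? Decision.PERMIT : Decision.INDETERMINATE;
    }

    public static void main(String[] args) {
        String queryId = "_q1";   // constructed sample query id
        DecisionStatement permit = new DecisionStatement(Decision.PERMIT, true);
        DecisionStatement deny   = new DecisionStatement(Decision.DENY, true);
        DecisionStatement indet  = new DecisionStatement(Decision.INDETERMINATE, true);
        DecisionStatement noCtx  = new DecisionStatement(Decision.PERMIT, false);
        DecisionStatement na     = new DecisionStatement(Decision.NOT_APPLICABLE, true);

        check("missing InResponseTo",       Decision.INDETERMINATE, evaluate(queryId, false, new Response(null, permit)));
        check("wrong InResponseTo",         Decision.INDETERMINATE, evaluate(queryId, false, new Response("_q2", permit)));
        check("no statements",              Decision.INDETERMINATE, evaluate(queryId, false, new Response(queryId)));
        check("permit + deny",              Decision.DENY,          evaluate(queryId, false, new Response(queryId, permit, deny)));
        check("indeterminate + deny",       Decision.DENY,          evaluate(queryId, false, new Response(queryId, indet, deny)));
        check("permit + indeterminate",     Decision.INDETERMINATE, evaluate(queryId, false, new Response(queryId, permit, indet)));
        check("permit + not applicable",    Decision.INDETERMINATE, evaluate(queryId, false, new Response(queryId, permit, na)));
        check("all permit",                 Decision.PERMIT,        evaluate(queryId, false, new Response(queryId, permit, permit)));
        check("returnContext, no context",  Decision.INDETERMINATE, evaluate(queryId, true,  new Response(queryId, noCtx)));
        check("returnContext satisfied",    Decision.PERMIT,        evaluate(queryId, true,  new Response(queryId, permit)));
    }

    static void check(String label, Decision expected, Decision actual) {
        System.out.println((expected == actual ? "ok    " : "FAIL  ") + label + " -> " + actual);
    }
}
```

The cases in main are the ones worth keeping in mind when debugging an unexpected indeterminate from this callout: a service that answers with a fresh Response id instead of echoing the query id, or that omits the request context when returnContext is enabled, is rejected before any decision in the statements is looked at.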

2.3. Known Limitation

  • The response received from an authorization service must carry explicit xmlns declarations for any prefix that appears in the value of an xsi:type attribute. For example, if one of the elements in the Response is <foo:element1 xsi:type="bar:type1"></foo:element1> and no other element in the response uses the prefix bar, an explicit xmlns:bar attribute must be added to the Response element, even if the namespace is declared in the SOAP header.

3. Installation

This component is not installed by default, use the following options to install it.

  • Using the Globus installer: the first step of an installer run is the configure command. Pass the option -enablexacml to configure to install the XACML pieces.

  • From source: the XACML authorization module depends on a Java WS Core installation, including the basic authorization module.

    • Checkout source code: cvs co wsrf/schema wsrf/build.xml wsrf/java authorization

    • Install to GLOBUS_LOCATION:

      • export GLOBUS_LOCATION=/sandbox/globus/gtInstall

      • cd wsrf

      • ant all

    • cd authorization

    • ant deployXACML

3.1. Third-party dependencies

This PDP uses the OpenSAML 2 library for XACML handling, which brings in and requires the following libraries:

  • OpenSAML jar: the jar included in this release was built from the OpenSAML REL_2 branch, revision 4. All jars listed below are dependencies of this build.

  • xmltooling-1.1.0.jar

  • commons-lang-2.1

  • joda-time-1.5.2.jar

  • openws-1.2.0.jar

  • slf4j-api-1.5.0.jar

  • slf4j-log4j12-1.5.0.jar

  • velocity-1.5.jar

4. Testing XACML Authorization Callout

The code base ships with unit tests that exercise the callout against a sample XACML authorization service.

  • export GLOBUS_LOCATION=/sandbox/globus/gtInstall

  • cd authorization/java/xacml/test

  • ant test

  • Test reports are written to authorization/java/xacml/test/test-reports

5. Configuration

The XACML callout can be used for container, service or resource level security and is configured through security descriptors. The following properties can be configured:

  • Authorization service endpoint: required; the endpoint of the authorization service. The value must have the form <protocol>://<hostname>:<portNumber>/servicePath, for example https://foo.bar.edu:8443/wsrf/services/SampleAuthzService.

    <authzService value="https://foo.bar.edu:8443/wsrf/services/SampleAuthzService"/>
  • Input context only: sets the InputContextOnly attribute of the XACMLAuthzDecisionQuery. Per the specification, if the value is "true" the authorization decision MUST be made solely on the basis of information contained in the XACMLAuthzDecisionQuery and external XACML Attributes MUST NOT be used. If the value is "false", the authorization decision MAY be made on the basis of XACML Attributes not contained in the query. Default: false.

    <inputContextOnly value="true"/>
  • Return Context: sets the ReturnContext attribute of the XACMLAuthzDecisionQuery. If the value is "true", the PDP MUST include an <xacml-context:Request> instance in the XACMLAuthzDecisionStatement of the XACMLAuthzDecision Response; this instance MUST include all attributes supplied by the PEP in the <xacml-samlp:XACMLAuthzDecisionQuery> that were used in making the authorization decision. If "false", the PDP MUST NOT include an <xacml-context:Request> instance in the XACMLAuthzDecisionStatement. Default: false. Note that when this is set to true, the callout treats a response that carries no request context as indeterminate (see Section 2.2).

    <returnContext value="true"/>
  • Combine Policies: sets the CombinePolicies attribute of the XACMLAuthzDecisionQuery. If the value is "true", the PDP MUST insert all policies passed in the <xacml-samlp:XACMLAuthzDecisionQuery> into the set of policies or policy sets that define the PDP, as specified in Section 7.13 of the XACML 2.0 core specification. If the value is "false", there MUST be no more than one <xacml:Policy> or <xacml:PolicySet> passed in the <xacml-samlp:XACMLAuthzDecisionQuery>. Default: true.

    <combinePolicies value="true"/>
  • Privacy enabled: if set to true, encryption is enabled for communication with the authorization service. If the authorization service URL is http, GSI Secure Message is used and the server's public certificate can be configured for encryption.

    <privacyEnabled value="true"/>
  • Authorization service identity: the identity the authorization service is expected to present.

    <authzServiceIdentity value="Identity of service"/>
  • Obligation handlers: an arbitrary number of obligation handlers can be configured, each with its corresponding obligation Id. Handlers must extend the abstract class org.globus.wsrf.impl.security.authorization.AbstractObligationHandler and are used to process the obligations returned by the authorization service. For example:

    <param:ObligationHandlers>
        <param:SupportedObligation>
            <param:ObligationId>
            http://authz-interop.org/xacml/obligation/username
            </param:ObligationId>
            <param:FQClassName>
            org.globus.wsrf.impl.security.authorization.LocalAccountObligationHandler
            </param:FQClassName>
         </param:SupportedObligation>
     </param:ObligationHandlers>

    Custom obligation handlers are described in Section 5.3, “Obligation Handlers”.

5.1. Configuration Notes:

  • The default container security configuration is NOT used; the relevant security descriptor must be configured with the properties above.

  • All requests to the authorization service use the system credentials; this is NOT configurable.

  • If the authorization service URL starts with http, GSI Secure Message is used for the conversation. If it starts with https, GSI Secure Transport is used. This is not configurable.

5.2. Sample security descriptor:

Sample security descriptor with XACML configuration: Security Descriptor

5.3. Obligation Handlers

The toolkit ships with a LocalAccountObligationHandler that processes the obligation whose id is provided in its constructor. It expects the local user name to be supplied as an attribute with id XACMLConstants.USERNAME_ATTRIBUTE_ID and string datatype. All values of that attribute are added to the peer subject as local username principals, in the same way the GridMap PDP does.

The toolkit also allows custom obligation handlers. A handler for any obligation can be configured; it must extend the AbstractObligationHandler class and override the method evaluateObligation with the code that processes the obligation. The authorization context is available as the RequestEntities object and can be used to store any processed obligation data.

package org.globus.wsrf.impl.security.authorization;

import java.util.Iterator;
import java.util.List;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

import org.globus.security.authorization.RequestEntities;

import org.opensaml.xacml.policy.AttributeAssignmentType;
import org.opensaml.xacml.policy.ObligationType;

// ObligationProcessingContext and ObligationProcessingException are assumed to
// live in this package next to AbstractObligationHandler, and the package of
// RequestEntities is assumed to be the GT authorization framework's; neither
// is stated on this page.

public class LocalAccountObligationHandler extends AbstractObligationHandler {

    private static Log logger =
        LogFactory.getLog(LocalAccountObligationHandler.class.getName());

    public void setRequestEntities(RequestEntities reqEntities_) {
        // The RequestEntities object is the authorization context; data
        // derived from obligations is stored through it.
        super.setRequestEntities(reqEntities_);
    }

    /**
     * This is the method that processes the obligation. It checks for the
     * username attribute and adds its value(s) to the peer subject.
     *
     * @param obligationProcessingContext {@inheritDoc}
     * @param obligation {@inheritDoc}
     * @throws ObligationProcessingException {@inheritDoc}
     */
    public void
    evaluateObligation(ObligationProcessingContext obligationProcessingContext,
                       ObligationType obligation)
        throws ObligationProcessingException {

        // Typically only the obligation id that the handler was initialized
        // with is processed; any other obligation is ignored here.
        if (!obligation.getObligationId().equals(this.getObligationId())) {
            logger.debug("Obligation is not " + this.getObligationId());
            return;
        }

        // process obligation

        // AttributeAssignment elements carried by the obligation
        List attrs = obligation.getAttributeAssignments();
        if (attrs.size() < 1) {
            logger.warn("No attributes found in obligation");
        }

        // Examine and process attributes: for this handler, each assignment
        // with id XACMLConstants.USERNAME_ATTRIBUTE_ID and string data type
        // yields a local user name that is added to the peer subject.
        Iterator attrsIterator = attrs.iterator();
        while (attrsIterator.hasNext()) {
            AttributeAssignmentType attrType =
                (AttributeAssignmentType) attrsIterator.next();
            ...

        }
     }
}

6. Decision Table

  Condition                                                            Decision
  No peer subject                                                      INDETERMINATE
  Configuration errors                                                 INDETERMINATE
  Deny response from authorization service                             DENY
  Response from authorization service violates the conditions in
  Section 2.2, “Evaluation of response from authorization service”     DENY
  Permit response from authorization service                           PERMIT

7. Related interceptors

8. Related Documents