Thursday, December 1, 2016


XACML Architecture


1. Its an access control policy language.
2. The Identity Server supports XACML 3.0, which is based on Balana XACML implementation.
3. The XACML engine of the WSO2 Identity Server has two major components, i.e., PAP and PDP. 


Eg: 

MyPolicy.xml
==========

<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="MyPolicy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" Version="1.0">
     <Target>
   <AnyOf>
            <AllOf>
  <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
         <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" 
                                            DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
  </Match>
     </AllOf>
  </AnyOf>
      </Target>
          <Rule Effect="Permit" RuleId="permit"/>
</Policy>


Request 
=======

https://localhost:9443/entitlement/Decision/pdp

Authorization         Basic YWRtaW46YWRtaW4=
Accept                   application/xml
Content-Type        application/xml


<Request CombinedDecision="false" ReturnPolicyIdList="false" xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
    <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
        </Attribute>
    </Attributes>
    <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://127.0.0.1/service/very_secure/</AttributeValue>
        </Attribute>
    </Attributes>
</Request>


Response
========

<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
    <Result>
        <Decision>Permit</Decision>
        <Status>
            <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
        </Status>
    </Result>
</Response>
Posted by at 1 comment:
Subscribe to: Posts (Atom)