Subject: [xacml] XACML RequestContext proposal based on flatten structure
Here is my proposal on XACML Context and attribute selector. I tried to make the spec symmetric, simpler, and generic. I borrowed many notions from Simon's proposal (predicate expression). Since my proposal is based on Anne's proposal (based on J2SE policy), I list only the differences below:

1. Comments on element names
2. A flatter XACML Context structure
3. Unabbreviated XACML Context and abbreviated XACML Context
4. Attribute selector

[1] Comments on element names

I propose to change the element names as follows:

  <SimplePrincipal>   ==> <Principal>
  <ResourceSpecifier> ==> <Resource>

[2] A flatter XACML Context structure

The following shows an overview of an XACML Context that is based on a flatter structure.

<xacml:RequestContext>
  <xacml:ContextPrincipals>
   +<xacml:Principal PrincipalType="AAA">
     +<xacml:Attribute AttributeName="BBB">CCC</xacml:Attribute>
    </xacml:Principal>
  </xacml:ContextPrincipals>
  <xacml:ContextResource>
   +<xacml:Resource ResourceType="DDD">
     +<xacml:Attribute AttributeName="EEE">FFF</xacml:Attribute>
    </xacml:Resource>
  </xacml:ContextResource>
  <xacml:ContextAction>
   +<xacml:Action ActionType="GGG">
     +<xacml:Attribute AttributeName="HHH">III</xacml:Attribute>
    </xacml:Action>
  </xacml:ContextAction>
  <xacml:ContextOther>
   +<xacml:Other OtherType="JJJ">
     +<xacml:Attribute AttributeName="KKK">LLL</xacml:Attribute>
    </xacml:Other>
  </xacml:ContextOther>
</xacml:RequestContext>

Notes:
(1) In each Attribute element, there are optional attributes called "AttributeNamespace", "Format", "Issuer", and "IssueInstant". If they are not used in the policy specification, they can be omitted.
(2) "+" indicates one or more occurrences.
(3) This XACML Context is generic. It does not need any external schema definitions other than the XACML Context schema. A context example is described in the following part.
(4) This XACML Context supports the SAML Authorization Decision Query statement.
The following mappings show the basic transformation from SAML Authorization Decision Query to XACML Request Context:

SAML element name          XACML Context attribute name
--------------------------------------------------------------------
<NameIdentifier>           <Attribute AttributeName="NameIdentifier">
<NameQualifier>            <Attribute AttributeNamespace="xxx">
<Format>                   <Attribute Format="xxx">
<ConfirmationMethod>       <Attribute AttributeName="ConfirmationMethod">
<SubjectConfirmationData>  <Attribute AttributeName="SubjectConfirmationData">
<IPAddress>                <Attribute AttributeName="IPAddress">
<DNSAddress>               <Attribute AttributeName="DNSAddress">
<AuthorityKind>            <Attribute AttributeName="AuthorityKind">
<Location>                 <Attribute AttributeName="Location">
<Binding>                  <Attribute AttributeName="Binding">
<AuthenticationInstant>    <Attribute AttributeName="AuthenticationInstant">
<AuthenticationMethod>     <Attribute AttributeName="AuthenticationMethod">

I will post the XSLT-based transformation specification later.

[3] Unabbreviated XACML Context and abbreviated XACML Context

When I saw the XACML Context above, I was a little concerned about the repeated specifications such as Attribute and AttributeName. It might not be a problem since an XACML Policy is dealt with by the system, not by a human. Since I was interested in how to solve this repeated specification, I came up with the idea of an "abbreviated XACML Context" that is a more application-specific XACML context. The current XACML Context corresponds to an "unabbreviated XACML Context" that defines an unabbreviated (or distinguished) XACML Context format and attribute selector (maybe based on XPath). The abbreviated XACML Context uses an abbreviated representation of the XACML Context (the syntax and the semantics of the attribute selector are the same). The abbreviated syntax is used to express the context in a more concise manner. The following abbreviated context is equivalent to the context in the previous section.
<xacml:RequestContext>
  <xacml:ContextPrincipals>
   +<x:AAA>
     +<x:BBB>CCC</x:BBB>
    </x:AAA>
  </xacml:ContextPrincipals>
  <xacml:ContextResource>
   +<x:DDD>
     +<x:EEE>FFF</x:EEE>
    </x:DDD>
  </xacml:ContextResource>
  <xacml:ContextAction>
   +<x:GGG>
     +<x:HHH>III</x:HHH>
    </x:GGG>
  </xacml:ContextAction>
  <xacml:ContextOther>
   +<x:JJJ>
     +<x:KKK>LLL</x:KKK>
    </x:JJJ>
  </xacml:ContextOther>
</xacml:RequestContext>

Notes:
(1) The namespace prefix "x:" indicates an application-specific namespace. The abbreviated XACML Context allows the context schema extension by incorporating local elements such as <AAA>. On the other hand, the unabbreviated XACML Context does not allow such extension. When the policy is exported, the unabbreviated syntax should be used, which does not require any local schema. The abbreviated syntax and the unabbreviated syntax should be exchangeable without ambiguity, which can be defined using an XSLT transformation. For example, the following unabbreviated syntax is transformed to the abbreviated syntax below.
- Unabbreviated Syntax

<xacml:RequestContext>
  <xacml:ContextPrincipals>
    <xacml:Principal PrincipalType="RequestingUser">
      <xacml:Attribute AttributeName="NameIdentifier">Julius Hibbert</xacml:Attribute>
      <xacml:Attribute AttributeName="Role">Physician</xacml:Attribute>
    </xacml:Principal>
  </xacml:ContextPrincipals>
  <xacml:ContextResource>
    <xacml:Resource ResourceType="XML">
      <xacml:Attribute AttributeName="ResourceURI">//medico.com/med.xml</xacml:Attribute>
      <xacml:Attribute AttributeName="XPath">record/patient/patientDoB</xacml:Attribute>
    </xacml:Resource>
  </xacml:ContextResource>
  <xacml:ContextAction>
    <xacml:Action ActionType="XMLAction">
      <xacml:Attribute AttributeName="read"/>
    </xacml:Action>
  </xacml:ContextAction>
</xacml:RequestContext>

- Abbreviated Syntax (target XML is referred to by "ResourceURI")

<xacml:RequestContext>
  <xacml:ContextPrincipals>
    <x:RequestingUser>
      <x:NameIdentifier>Julius Hibbert</x:NameIdentifier>
      <x:Role>Physician</x:Role>
    </x:RequestingUser>
  </xacml:ContextPrincipals>
  <xacml:ContextResource>
    <x:XML>
      <x:ResourceURI>//medico.com/med.xml</x:ResourceURI>
      <x:XPath>record/patient/patientDoB</x:XPath>
      <x:XMLSchema>medico.com/records.xsd</x:XMLSchema>
    </x:XML>
  </xacml:ContextResource>
  <xacml:ContextAction>
    <x:XMLAction>
      <x:read/>
    </x:XMLAction>
  </xacml:ContextAction>
</xacml:RequestContext>

<x:RequestingUser> is a substitution element for @PrincipalType in <SimplePrincipal>. <x:NameIdentifier> and <x:Role> correspond to a substitution element for <Attribute>.
For the context reference syntax, the original context reference:

  "xacml:Principal[@PrincipalType ='RequestingUser']/xacml:Attribute/@NameIdentifier"

is transformed to

  "xacml:Principal/x:RequestingUser/x:NameIdentifier"

For example, an XACML policy (user is Zoe@Sun.Com and the role is Physician) based on the unabbreviated XACML context is:

<rule>
  <target>
    <subjects>
      <subjectEq AttributeSelector="Principal[@PrincipalType ='RequestingUser']/Attribute/@NameIdentifier">
        Zoe@Sun.COM
      </subjectEq>
      <subjectEq AttributeSelector="Principal[@PrincipalType='RequestingUser']/Attribute/@Role">
        Physician
      </subjectEq>
    </subjects>
  </target>
</rule>

It is transformed to:

<rule>
  <target>
    <subjects>
      <subjectEq AttributeSelector="RequestingUser/NameIdentifier">Zoe@Sun.COM</subjectEq>
      <subjectEq AttributeSelector="RequestingUser/Role">Physician</subjectEq>
    </subjects>
  </target>
</rule>

Note that it has minimal repetition. (I omit the namespace specification here.) This also addresses the observation on "context" by Tim. Since the context reference syntax is very simple, the system may not have to use an "XPath" processor to handle these specifications. The resultant XACML policy would look like:

[4] Attribute Selector

As the example above shows, the attribute selector is used to select an element (or an attribute) on the XACML Context using XPath.

QUESTIONS:

1. The current abbreviated context allows a couple of attributes in the Attribute element such as @AttributeNamespace, @Format, @Issuer, and @IssueInstant. Are these necessary attributes?
2. How should we deal with <ds:KeyInfo> in the XACML Context? Do we have to deal with the whole structure in the XACML Context?
3. When we create the unabbreviated context, it needs a set of values for PrincipalType, ResourceType, etc. How should we determine these values?
4. In <subjects> under <target>, I used the <subjectEq> element to specify an equality expression. Should this be changed to <equal> to be in line with terms defined in <condition>?
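The unabbreviated-to-abbreviated mapping described above (the *Type attribute becomes the element name, each Attribute becomes an element named by its AttributeName) and the two selector forms can be checked against each other mechanically. The following is an added example, not part of the original post or of any XACML implementation; the namespace URIs behind the "xacml:" and "x:" prefixes are assumptions, since the post only names the prefixes, and the sample context is constructed from the post's example values.

```python
import xml.etree.ElementTree as ET
# Namespace URIs are assumptions; the post only uses the prefixes "xacml:" and "x:".
XACML = "urn:example:xacml-context"
APP = "urn:example:medico"
NS = {"xacml": XACML, "x": APP}

# Constructed unabbreviated context carrying the values from the post's example.
UNABBREVIATED = f"""<xacml:RequestContext xmlns:xacml="{XACML}">
 <xacml:ContextPrincipals>
  <xacml:Principal PrincipalType="RequestingUser">
   <xacml:Attribute AttributeName="NameIdentifier">Julius Hibbert</xacml:Attribute>
   <xacml:Attribute AttributeName="Role">Physician</xacml:Attribute>
  </xacml:Principal>
 </xacml:ContextPrincipals>
 <xacml:ContextResource>
  <xacml:Resource ResourceType="XML">
   <xacml:Attribute AttributeName="ResourceURI">//medico.com/med.xml</xacml:Attribute>
  </xacml:Resource>
 </xacml:ContextResource>
</xacml:RequestContext>"""

# Which attribute of each unabbreviated entity element becomes the abbreviated element name.
TYPE_ATTR = {"Principal": "PrincipalType", "Resource": "ResourceType",
             "Action": "ActionType", "Other": "OtherType"}

def abbreviate(root):
    """Build the abbreviated form: <xacml:Principal PrincipalType="T"> becomes <x:T>
    and <xacml:Attribute AttributeName="N">v</xacml:Attribute> becomes <x:N>v</x:N>."""
    out = ET.Element(root.tag)
    for section in root:                                  # ContextPrincipals, ContextResource, ...
        out_section = ET.SubElement(out, section.tag)
        for entity in section:                            # Principal, Resource, Action, Other
            local = entity.tag.split("}")[-1]
            out_entity = ET.SubElement(out_section, f"{{{APP}}}{entity.get(TYPE_ATTR[local])}")
            for attr in entity:
                ET.SubElement(out_entity, f"{{{APP}}}{attr.get('AttributeName')}").text = attr.text
    return out

def select_unabbreviated(root, type_value, attr_name):
    """Unabbreviated selector: filter on the *Type attribute, then on AttributeName."""
    hits = []
    for local, type_attr in TYPE_ATTR.items():
        hits += root.findall(f".//xacml:{local}[@{type_attr}='{type_value}']"
                             f"/xacml:Attribute[@AttributeName='{attr_name}']", NS)
    return [h.text for h in hits]

def select_abbreviated(root, selector):
    """Abbreviated selector such as 'RequestingUser/NameIdentifier' (prefixes omitted, as in the post)."""
    entity, attr = selector.split("/")
    return [h.text for h in root.findall(f".//x:{entity}/x:{attr}", NS)]
```

Both selectors return the same values on the two forms, which is the "exchangeable without ambiguity" property the post asks for; a selector that names an absent attribute yields an empty list rather than a stray match.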
Michiharu Kudo
IBM Tokyo Research Laboratory, Internet Technology
Tel. +81 (46) 215-4642
Fax  +81 (46) 273-7428