Subject: [xacml] XACML RequestContext proposal based on flatten structure


Here is my proposal on XACML Context and attribute selector. I tried to
make the spec symmetric, simpler, and generic. I borrowed many notions from
Simon's proposal (predicate expression). Since my proposal is based on
Anne's proposal (based on J2SE policy), I list only differences below:

1. Comments on element names
2. A flatter XACML Context structure
3. Unabbreviated XACML Context and abbreviated XACML Context
4. Attribute selector


[1] Comments on element names

I propose to change the element names as follows:

<SimplePrincipal> ==> <Principal>
<ResourceSpecifier> ==> <Resource>


[2] A flatter XACML Context structure

The following shows an overview of an XACML Context that is based on a
flatter structure.

<xacml:RequestContext>
  <xacml:ContextPrincipals>
   +<xacml:Principal PrincipalType="AAA">
     +<xacml:Attribute AttributeName="BBB">CCC</xacml:Attribute>
    </xacml:Principal>
  </xacml:ContextPrincipals>

  <xacml:ContextResource>
   +<xacml:Resource ResourceType="DDD">
     +<xacml:Attribute AttributeName="EEE">FFF</xacml:Attribute>
    </xacml:Resource>
  </xacml:ContextResource>

  <xacml:ContextAction>
   +<xacml:Action ActionType="GGG">
     +<xacml:Attribute AttributeName="HHH">III</xacml:Attribute>
    </xacml:Action>
  </xacml:ContextAction>

  <xacml:ContextOther>
   +<xacml:Other OtherType="JJJ">
     +<xacml:Attribute AttributeName="KKK">LLL</xacml:Attribute>
    </xacml:Other>
  </xacml:ContextOther>
</xacml:RequestContext>

Notes:

(1) In each attribute element, there are optional attributes called
"AttributeNamespace", "Format", "Issuer", and "IssueInstant". If they are
not used in the policy specification, they can be omitted.

(2) "+" indicates one or more occurrences.

(3) This XACML Context is generic. It does not need any external schema
definitions other than XACML Context schema. A context example is described
in the following part.

(4) This XACML Context supports SAML Authorization Decision Query
statement. The following mappings show the basic transformation from SAML
Authorization Decision Query to XACML Request Context:

SAML element name         XACML Context attribute name
--------------------------------------------------------------------------
<NameIdentifier>          <Attribute AttributeName="NameIdentifier">
<NameQualifier>           <Attribute AttributeNamespace="xxx">
<Format>                  <Attribute Format="xxx">
<ConfirmationMethod>      <Attribute AttributeName="ConfirmationMethod">
<SubjectConfirmationData> <Attribute AttributeName="SubjectConfirmationData">
<IPAddress>               <Attribute AttributeName="IPAddress">
<DNSAddress>              <Attribute AttributeName="DNSAddress">
<AuthorityKind>           <Attribute AttributeName="AuthorityKind">
<Location>                <Attribute AttributeName="Location">
<Binding>                 <Attribute AttributeName="Binding">
<AuthenticationInstant>   <Attribute AttributeName="AuthenticationInstant">
<AuthenticationMethod>    <Attribute AttributeName="AuthenticationMethod">

I will post the XSLT-based transformation specification later.

[3] Unabbreviated XACML Context and abbreviated XACML Context

When I saw the XACML Context above, I was a little concerned about the
repeated specifications such as Attribute and AttributeName. It might not
be a problem since the XACML Policy is dealt with by the system, not by a
human. Since I was interested in how to solve this repeated specification,
I came up with the idea of an "abbreviated XACML Context" that is a more
application-specific XACML context. The current XACML Context corresponds
to an "unabbreviated XACML Context" that defines an unabbreviated (or
distinguished) XACML Context format and attribute selector (maybe based on
XPath). The abbreviated XACML Context uses an abbreviated representation of
the XACML Context (the syntax and the semantics of the attribute selector
are the same). The abbreviated syntax is used to express the context in a
more concise manner. The following abbreviated context is equivalent to the
context in the previous section.

<xacml:RequestContext>
  <xacml:ContextPrincipals>
   +<x:AAA>
     +<x:BBB>CCC</x:BBB>
    </x:AAA>
  </xacml:ContextPrincipals>

  <xacml:ContextResource>
   +<x:DDD>
     +<x:EEE>FFF</x:EEE>
    </x:DDD>
  </xacml:ContextResource>

  <xacml:ContextAction>
   +<x:GGG>
     +<x:HHH>III</x:HHH>
    </x:GGG>
  </xacml:ContextAction>

  <xacml:ContextOther>
   +<x:JJJ>
     +<x:KKK>LLL</x:KKK>
    </x:JJJ>
  </xacml:ContextOther>
</xacml:RequestContext>

Notes:

(1) The namespace prefix "x:" indicates an application-specific namespace.
The abbreviated XACML Context allows extension of the context schema by
incorporating local elements such as <AAA>. On the other hand, the
unabbreviated XACML Context does not allow such extension. When the policy
is exported, the unabbreviated syntax, which does not require any local
schema, should be used. The abbreviated syntax and the unabbreviated syntax
should be interchangeable without ambiguity, which can be defined using an
XSLT transformation.

For example, the following unabbreviated syntax is transformed to the
abbreviated syntax below.

<xacml:RequestContext>
  <xacml:ContextPrincipals>
    <xacml:Principal PrincipalType="RequestingUser">
      <xacml:Attribute AttributeName="NameIdentifier">
        Julius Hibbert
      </xacml:Attribute>
      <xacml:Attribute AttributeName="Role">
        Physician
      </xacml:Attribute>
    </xacml:Principal>
  </xacml:ContextPrincipals>

  <xacml:ContextResource>
    <xacml:Resource ResourceType="XML">
      <xacml:Attribute AttributeName="ResourceURI">
       //medico.com/med.xml
      </xacml:Attribute>
      <xacml:Attribute AttributeName="XPath">
        record/patient/patientDoB
      </xacml:Attribute>
    </xacml:Resource>
  </xacml:ContextResource>

  <xacml:ContextAction>
    <xacml:Action ActionType="XMLAction">
      <xacml:Attribute AttributeName="read"/>
    </xacml:Action>
  </xacml:ContextAction>
</xacml:RequestContext>

- Abbreviated Syntax (the target XML is referred to by "ResourceURI")

<xacml:RequestContext>
  <xacml:ContextPrincipals>
    <x:RequestingUser>
      <x:NameIdentifier>Julius Hibbert</x:NameIdentifier>
      <x:Role>Physician</x:Role>
    </x:RequestingUser>
  </xacml:ContextPrincipals>

  <xacml:ContextResource>
    <x:XML>
      <x:ResourceURI>//medico.com/med.xml</x:ResourceURI>
      <x:XPath>record/patient/patientDoB</x:XPath>
      <x:XMLSchema>medico.com/records.xsd</x:XMLSchema>
    </x:XML>
  </xacml:ContextResource>

  <xacml:ContextAction>
    <x:XMLAction>
      <x:read/>
    </x:XMLAction>
  </xacml:ContextAction>
</xacml:RequestContext>


<x:RequestingUser> is a substitution element for @PrincipalType in
<SimplePrincipal>. <x:NameIdentifier> and <x:Role> correspond to
substitution elements for <Attribute>. For the context reference syntax,
the original context reference
"xacml:Principal[@PrincipalType='RequestingUser']/xacml:Attribute/@NameIdentifier"
is transformed to
"xacml:Principal/x:RequestingUser/x:NameIdentifier"

For example, an XACML policy (the user is Zoe@Sun.Com and the role is
Physician) based on the unabbreviated XACML context is:

<rule>
  <target>
    <subjects>
      <subjectEq AttributeSelector=
             "Principal[@PrincipalType='RequestingUser']/Attribute/@NameIdentifier">
          Zoe@Sun.COM
      </subjectEq>
      <subjectEq AttributeSelector=
             "Principal[@PrincipalType='RequestingUser']/Attribute/@Role">
          Physician
      </subjectEq>
    </subjects>
  </target>
</rule>

It is transformed to:

<rule>
  <target>
    <subjects>
      <subjectEq AttributeSelector="RequestingUser/NameIdentifier">Zoe@Sun.COM</subjectEq>
      <subjectEq AttributeSelector="RequestingUser/Role">Physician</subjectEq>
    </subjects>
  </target>
</rule>

Note that it has minimal repetition. (I omit the namespace specification
here.) This also addresses the observation on "context" by Tim. Since the
context reference syntax is very simple, the system may not have to use an
"XPath" processor to handle these specifications. The resultant XACML
policy would look like:


[4] Attribute Selector

As the example above shows, the attribute selector is used to select an
element (or an attribute) in the XACML Context using XPath.


QUESTIONS:

1. The current abbreviated context allows a couple of attributes on the
Attribute element, such as @AttributeNamespace, @Format, @Issuer, and
@IssueInstant. Are these necessary attributes?

2. How should we deal with <ds:KeyInfo> in XACML Context? Do we have to
deal with the whole structure in the XACML Context?

3. When we create the unabbreviated context, it needs a set of values for
PrincipalType, ResourceType, etc. How should we determine these values?

4. In <subjects> under <target>, I used <subjectEq> element to specify an
equality expression. Should this be changed to <equal> to be in line with
terms defined in <condition>?

Michiharu Kudo

IBM Tokyo Research Laboratory, Internet Technology
Tel. +81 (46) 215-4642   Fax +81 (46) 273-7428
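The unabbreviated/abbreviated transformation sketched in section [3] and the <subjectEq> selector evaluation from the rule example, carried out in code. This is an added illustration for the archive reader, not part of Kudo's message and not any XACML or OASIS artifact. It assumes namespace URIs for the xacml: and x: prefixes (urn:example:xacml and urn:example:app; the message names none), treats a <subjects> block as "every <subjectEq> must match", and embeds the message's own example context as a constructed sample. All function names are this example's own.

```python
"""Added example: convert the proposal's unabbreviated RequestContext to the
abbreviated form and back, and resolve the abbreviated <subjectEq> selectors
with plain child lookups instead of an XPath processor. Namespace URIs are
assumptions (the proposal gives none); <subjects> is read as all-must-match."""
import xml.etree.ElementTree as ET

XACML_NS = "urn:example:xacml"  # assumed URI for the xacml: prefix
APP_NS = "urn:example:app"      # assumed URI for the application-specific x: prefix
ET.register_namespace("xacml", XACML_NS)
ET.register_namespace("x", APP_NS)

# Section element -> (typed child element, name of its *Type attribute)
SECTIONS = {"ContextPrincipals": ("Principal", "PrincipalType"),
            "ContextResource": ("Resource", "ResourceType"),
            "ContextAction": ("Action", "ActionType"),
            "ContextOther": ("Other", "OtherType")}

# Constructed sample: the proposal's unabbreviated context, with the assumed namespace.
UNABBREVIATED = """<xacml:RequestContext xmlns:xacml="urn:example:xacml">
  <xacml:ContextPrincipals>
    <xacml:Principal PrincipalType="RequestingUser">
      <xacml:Attribute AttributeName="NameIdentifier">Julius Hibbert</xacml:Attribute>
      <xacml:Attribute AttributeName="Role">Physician</xacml:Attribute>
    </xacml:Principal>
  </xacml:ContextPrincipals>
  <xacml:ContextAction>
    <xacml:Action ActionType="XMLAction">
      <xacml:Attribute AttributeName="read"/>
    </xacml:Action>
  </xacml:ContextAction>
</xacml:RequestContext>"""

def q(ns, local):
    return "{%s}%s" % (ns, local)

def local_name(tag):
    return tag.rsplit("}", 1)[-1]

def load(xml_text):
    return ET.fromstring(xml_text)

def abbreviate(unabbr):
    """<Principal PrincipalType="T"> -> <x:T>; <Attribute AttributeName="N">v -> <x:N>v."""
    out = ET.Element(q(XACML_NS, "RequestContext"))
    for section in unabbr:
        _, type_attr = SECTIONS[local_name(section.tag)]
        new_sec = ET.SubElement(out, section.tag)
        for typed in section:
            holder = ET.SubElement(new_sec, q(APP_NS, typed.get(type_attr)))
            for attr in typed:
                el = ET.SubElement(holder, q(APP_NS, attr.get("AttributeName")))
                el.text = (attr.text or "").strip() or None  # value-less attributes stay empty
    return out

def unabbreviate(abbr):
    """Inverse mapping: local names become the *Type and AttributeName values."""
    out = ET.Element(q(XACML_NS, "RequestContext"))
    for section in abbr:
        typed_name, type_attr = SECTIONS[local_name(section.tag)]
        new_sec = ET.SubElement(out, section.tag)
        for holder in section:
            typed = ET.SubElement(new_sec, q(XACML_NS, typed_name),
                                  {type_attr: local_name(holder.tag)})
            for el in holder:
                attr = ET.SubElement(typed, q(XACML_NS, "Attribute"),
                                     {"AttributeName": local_name(el.tag)})
                attr.text = el.text
    return out

def flatten(unabbr):
    """Canonical (section, type, name, value) rows, for round-trip checks."""
    return [(local_name(s.tag), t.get(SECTIONS[local_name(s.tag)][1]),
             a.get("AttributeName"), (a.text or "").strip())
            for s in unabbr for t in s for a in t]

def select(abbr, section_local, selector):
    """Resolve "Type/Name" (e.g. "RequestingUser/Role") against one section of the
    abbreviated context: two fixed steps, so no XPath engine is needed."""
    type_name, attr_name = selector.split("/")
    section = abbr.find(q(XACML_NS, section_local))
    if section is None:
        return []
    return [(el.text or "").strip()
            for holder in section.findall(q(APP_NS, type_name))
            for el in holder.findall(q(APP_NS, attr_name))]

def subjects_match(abbr, subject_eqs):
    """<subjects> as (selector, expected) pairs; every <subjectEq> must hold."""
    return all(expected in select(abbr, "ContextPrincipals", sel)
               for sel, expected in subject_eqs)

def demo():
    unabbr = load(UNABBREVIATED)
    abbr = abbreviate(unabbr)
    return {"round_trip_ok": flatten(unabbreviate(abbr)) == flatten(unabbr),
            "abbreviated_xml": ET.tostring(abbr, encoding="unicode"),
            # The proposal's rule names Zoe@Sun.COM; this context carries Julius Hibbert.
            "zoe_rule": subjects_match(abbr, [("RequestingUser/NameIdentifier", "Zoe@Sun.COM"),
                                              ("RequestingUser/Role", "Physician")]),
            "hibbert_rule": subjects_match(abbr, [("RequestingUser/NameIdentifier", "Julius Hibbert"),
                                                  ("RequestingUser/Role", "Physician")])}
```

Calling demo() serializes the abbreviated form, confirms that abbreviate followed by unabbreviate reproduces every (section, type, name, value) row of the input, and evaluates the two rules: the Zoe@Sun.COM rule does not match this context, the Julius Hibbert one does. The selector resolver only ever takes two steps, which is what makes the "no XPath processor needed" remark concrete; a production policy decision point would still have to define how an attribute with several values (a principal with two Role elements) is matched.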
