DEVHIDE
Login Or Sign up

Authoring XACML 3.0 obligations with the ALFA plugin for Eclipse

467 Views Asked by At

I have an XACML request with two (resource:type) attributes and one (resource:id) attribute: 

    <Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os" >  
    <Resource>
        <Attribute AttributeId="resource:type" DataType="http://www.w3.org/2001/XMLSchema#string">
            <AttributeValue>status</AttributeValue>
        </Attribute>  
        <Attribute AttributeId="resource:type" DataType="http://www.w3.org/2001/XMLSchema#string">
            <AttributeValue>pressure</AttributeValue>
        </Attribute>  
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string">  
            <AttributeValue>status:of:nariman</AttributeValue>
        </Attribute>
    </Resource>  
    <Subject>
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string">
            <AttributeValue>1111</AttributeValue> 
        </Attribute>
    </Subject>  
    <Action>
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id">
            <AttributeValue>view</AttributeValue>
        </Attribute>
    </Action>
</Request>

I would like to define an obligation with three obligation expressions corresponding to each of the above resource attributes. How do I do that with ALFA?

authorization access-control xacml xacml3 alfa
Original Q&A
1

There are 1 best solutions below

3
On

First of all, do note your XACML request is actually a XACML 2.0 request whereas ALFA outputs a XACML 3.0 set of policies. So you'll have a version mismatch.

Secondly, in ALFA to build an obligation that would contain your two attributes, you would do the following:

namespace stackoverflow{

    attribute subjectId{
        category = subjectCat
        id = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
        type = string
    }

    attribute resourceId{
        category = resourceCat
        id = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
        type = string

    }

    attribute resourceType{
        category = resourceCat
        id = "resource:type"
        type = string

    }

    attribute actionId{
        category = actionCat
        id = "urn:oasis:names:tc:xacml:1.0:action:action-id"
        type = string
    }

    obligation displayAttributes = "obligation.displayAttributes"

    policy example{
        apply firstApplicable
        rule example{
            permit
            on permit{
                obligation displayAttributes{
                    subjectId = subjectId
                    resourceId = resourceId
                    resourceType = resourceType
                    actionId = actionId
                }
            }
        }
    }
}

On a side note, it seems your XACML request has a semantic error. What is the English equivalent? Right now you're asking:

Can user 1111 do the action view on either of status or pressure for resource with id status:of:nariman?

You would typically want to ask for pressure and then for status independently or as a multiple request.

Related Questions in AUTHORIZATION

Related Questions in ACCESS-CONTROL

Related Questions in XACML

Related Questions in XACML3

Related Questions in ALFA

Trending Questions

Popular # Hahtags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Popular Questions

Copyright © 2021 Jogjafile Inc.