XACML 102 – Pimp my XACML – Part III: XSLT, Ajax, and stats
In a previous installment of ‘Pimp My XACML’, we illustrated how a bit of XSLT magic could change the structure of a XACML policy and convert it into another document, such as an HTML page, whether XML-compliant or not.
Today, we will push the tricks further and add a bit of AJAX magic as well as some basic statistics regarding our policy.
For those of you who missed the previous episode, check it out here. It describes how to run the samples using ant and xalan.
Adding some stats to the XSLT
This is the easy bit. All we need to do is count the number of items that match a certain pattern and display that neatly in a list inside a div for instance. The XSLT to do this is as follows:
<div class="stats">
  <ul>
    <li>
      Number of policy sets:
      <xsl:value-of select="count(//xacml3:PolicySet)" />
    </li>
    <li>
      Number of policies:
      <xsl:value-of select="count(//xacml3:Policy)" />
    </li>
    <li>
      Number of rules:
      <ul>
        <li>
          Rules yielding PERMIT:
          <xsl:value-of select="count(//xacml3:Rule[@Effect='Permit'])" />
        </li>
        <li>
          Rules yielding DENY:
          <xsl:value-of select="count(//xacml3:Rule[@Effect='Deny'])" />
        </li>
        <li>
          Total:
          <xsl:value-of select="count(//xacml3:Rule)" />
        </li>
      </ul>
    </li>
  </ul>
</div>
This example is of course valid for XACML 3.0 policies, but it can easily be adapted for XACML 2.0 policies and, for that matter, any other XML document. The key element here is:
<xsl:value-of select="count(//xacml3:Rule[@Effect='Deny'])" />
We use the count function of XSLT, as defined here, and apply it to the pattern we are interested in: in this case, all Rule elements, no matter their level of nesting, that carry an Effect attribute with the exact text value of ‘Deny’.
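The same count() technique can be taken one step further, as an added example that is not part of the original post: a complete stylesheet that breaks the rule counts down per policy, which makes it easy to spot a policy that contains only Permit rules. It assumes the xacml3 prefix is bound to the XACML 3.0 core namespace; the `warning` class name is hypothetical.

```xslt
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: per-policy rule statistics for a XACML 3.0 document. -->
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    exclude-result-prefixes="xacml3">

  <xsl:output method="html" indent="yes"/>

  <xsl:template match="/">
    <html>
      <body>
        <div class="stats">
          <table>
            <tr>
              <th>Policy</th><th>Combining algorithm</th>
              <th>Permit</th><th>Deny</th><th>Total</th>
            </tr>
            <!-- One row per Policy, at any nesting depth inside PolicySets. -->
            <xsl:for-each select="//xacml3:Policy">
              <tr>
                <td><xsl:value-of select="@PolicyId"/></td>
                <td><xsl:value-of select="@RuleCombiningAlgId"/></td>
                <!-- Relative paths: only the rules of the current policy. -->
                <td><xsl:value-of select="count(xacml3:Rule[@Effect='Permit'])"/></td>
                <td><xsl:value-of select="count(xacml3:Rule[@Effect='Deny'])"/></td>
                <td><xsl:value-of select="count(xacml3:Rule)"/></td>
              </tr>
            </xsl:for-each>
          </table>
          <!-- A namespace mismatch (e.g. a XACML 2.0 input) makes every
               count silently return 0, so flag that case explicitly. -->
          <xsl:if test="count(//xacml3:Rule) = 0
                        and count(//*[local-name()='Rule']) &gt; 0">
            <p class="warning">Rule elements were found outside the XACML 3.0
              namespace; the counts above do not include them.</p>
          </xsl:if>
        </div>
      </body>
    </html>
  </xsl:template>
</xsl:stylesheet>
```

Because xsl:value-of escapes its output by default, policy identifiers copied into the table cannot inject markup into the generated page.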
Visualizing XACML in an AJAX tree
Credits go to willCode4Beer whose tutorial I followed to get the AJAX example online. To get a similar tree, simply follow the instructions here.
Before you continue, you will need to download some DOJO libraries. In particular, this example was built using the now antiquated Dojo 0.4.1 kitchen sink, which fortunately is still downloadable from the DOJO archives. You will need to follow the instructions on where to copy the JS files. Ultimately you should end up with a structure similar to the following:
|-- axiostrator.xml
|-- in.xml
|-- scripts
|   |-- dojo.js
|   `-- src
|       |-- AdapterRegistry.js
|       |-- Deferred.js
|       |-- DeferredList.js
|       |-- ... additional files skipped for brevity's sake
|-- style.css
`-- xout.html
You now need to add the JS definitions to use the DOJO tree widget. To do so, edit your XSLT file in order to include the following:
And that’s it. Now all that needs to be done is to add the relevant class information to ‘bind’ the HTML div elements to the actual JS that will render the tree:
<div class="tree">
  <dl class="dojo-TreeContextMenu" id="treeContextMenu">
    <dt class="dojo-TreeMenuItem" id="ctxMenuAdd" caption="View XACML" />
  </dl>
  <div class="dojo-Tree" menu="treeContextMenu">
    <xsl:apply-templates />
  </div>
</div>
All the resources needed for this exercise can be downloaded here:
- Sample XACML policy: eat-fruit
- The XSLT file
- DOJO kitchen sink: dojo-0.4.1p1-kitchen_sink.zip
A working example can be seen here.