XACML 102: XPath and XACML
Some definitions
- XPath: (see the W3C definition) a query language for selecting nodes from an XML document. In addition, XPath may be used to compute values (e.g., strings, numbers, or Boolean values) from the content of an XML document. (source: Wikipedia)
- XACML: (see the OASIS definition) an access control markup language defined to provide a standardized means to express fine-grained access control. XACML includes a reference architecture, a policy language, and a request / response protocol.
Uses of XPath in XACML
XPath is used in attribute selectors in XACML. Attribute selectors are defined in section 5.30 of the specification. An attribute selector contains an XPath expression that is evaluated against the XML content sent within an XACML request (the Content element of an attribute category).
XPath used in a single XACML request
In this use case, we want to use XPath in a policy / rule target or condition in order to use a value contained in the XML payload sent in the
In the example here, we are sending an XML book record which contains a book title, publisher, and ISBN number. We want to be able to make an access control request based on the book title and the age of the reader. If the reader is younger than 18 and the title is equal to “Gulliver’s travels”, then the decision is Permit.
<?xml version="1.0" encoding="UTF-8"?>
<xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
               PolicyId="xpath-target-single-req"
               RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
               Version="1">
  <xacml3:Description/>
  <xacml3:PolicyDefaults>
    <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
  </xacml3:PolicyDefaults>
  <xacml3:Target>
    <xacml3:AnyOf>
      <xacml3:AllOf>
        <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Gulliver's travels</xacml3:AttributeValue>
          <xacml3:AttributeSelector Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                                    DataType="http://www.w3.org/2001/XMLSchema#string"
                                    MustBePresent="false"
                                    Path="/book/title/text()"/>
        </xacml3:Match>
        <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than">
          <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">18</xacml3:AttributeValue>
          <xacml3:AttributeDesignator AttributeId="age"
                                      Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                                      DataType="http://www.w3.org/2001/XMLSchema#integer"
                                      MustBePresent="false"/>
        </xacml3:Match>
      </xacml3:AllOf>
    </xacml3:AnyOf>
  </xacml3:Target>
  <xacml3:Rule Effect="Permit" RuleId="allow-read">
    <xacml3:Description/>
    <xacml3:Target/>
  </xacml3:Rule>
</xacml3:Policy>
And the corresponding XACML request:
<xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false"
                   xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment">
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Joe</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
    <xacml-ctx:Attribute AttributeId="age" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">14</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <xacml-ctx:Content>
      <book>
        <title>Gulliver's travels</title>
        <isbn>xx-yy-zz</isbn>
        <publisher>Axiomatics</publisher>
      </book>
    </xacml-ctx:Content>
  </xacml-ctx:Attributes>
</xacml-ctx:Request>
XPath used in a multiple decision request
One of the key features of XACML is the ability to define profiles for specific uses (either best practices, e.g. in export control, or actual technical extensions such as the delegation profile). One such profile is the Multiple Decision Profile, which explains how to create a single XACML request that in fact represents multiple access control requests. The profile gives 4 ways of expressing such requests, one of which makes use of XPath. Here is how:
Let’s assume the incoming XACML request is about reading books. There will be 2 attributes: the subject id and the action ‘read’. The resource category’s Content element will contain an XML element with multiple book children, as follows:
<books>
  <book>
    <title>The Lord of the Rings</title>
    <author>JRR Tolkien</author>
  </book>
  <book>
    <title>Pride and Prejudice</title>
    <author>Jane Austen</author>
  </book>
  <book>
    <title>His Dark Materials</title>
    <author>Philip Pullman</author>
  </book>
</books>
The XML document above lends itself well to a multiple-decision question of the form “Can Joe read A? Can Joe read B? Can Joe read C?”. This is exactly the purpose of using XPath in the Multiple Decision Profile, but one has to be extremely careful in its use in order to avoid a few pitfalls.
In a follow-up, I will give sample policies and requests illustrating a correct use of the MDP.
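To make the two uses above concrete, here is an added example (my own Python, not the post's code and not an Axiomatics product, nor a real PDP): a toy evaluator that resolves the post's AttributeSelector (/book/title/text()) and AttributeDesignator (age) against a request's Content, applies the Match semantics of the post's Target, and then splits the multi-book request by an XPath the way the Multiple Decision Profile does, one individual request per selected node. The helper names, the request-building function and the sample payloads are mine; the real profile leaves Content whole and marks the selected node with a content-selector attribute, whereas this toy rewrites Content to hold only that node so the single-request policy applies to each piece unchanged.

```python
"""Toy evaluator for the post's XPath-based XACML target, plus an MDP-style
request splitter. Added example, not the post's code and not a real PDP: it
supports only the two functions and the one selector shape the post uses."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
INTEGER_GT = "urn:oasis:names:tc:xacml:1.0:function:integer-greater-than"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
XS_INTEGER = "http://www.w3.org/2001/XMLSchema#integer"

# The two match functions the post's policy uses: first argument is the
# literal <AttributeValue>, second argument one member of the selected bag.
FUNCTIONS = {STRING_EQUAL: lambda a, b: a == b,
             INTEGER_GT: lambda a, b: int(a) > int(b)}

# Constructed sample payload: the post's <books> document, compacted.
BOOKS = ("<books><book><title>The Lord of the Rings</title><author>JRR Tolkien</author></book>"
         "<book><title>Pride and Prejudice</title><author>Jane Austen</author></book>"
         "<book><title>His Dark Materials</title><author>Philip Pullman</author></book></books>")


def make_request(subject_id, age, content_xml):
    """Request shaped like the post's (constructed sample data). A prefixed
    namespace keeps the <Content> payload in no namespace, as in the post."""
    return f"""<x:Request xmlns:x="{NS}" ReturnPolicyIdList="true" CombinedDecision="false">
  <x:Attributes Category="{SUBJECT}">
    <x:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="true">
      <x:AttributeValue DataType="{XS_STRING}">{escape(subject_id)}</x:AttributeValue></x:Attribute>
    <x:Attribute AttributeId="age" IncludeInResult="true">
      <x:AttributeValue DataType="{XS_INTEGER}">{int(age)}</x:AttributeValue></x:Attribute>
  </x:Attributes>
  <x:Attributes Category="{RESOURCE}"><x:Content>{content_xml}</x:Content></x:Attributes>
</x:Request>"""


def _attributes(request, category):
    """The <Attributes> element for a category, or None if the request lacks it."""
    return next((a for a in request.iter(f"{{{NS}}}Attributes")
                 if a.get("Category") == category), None)


def designator(request, category, attribute_id):
    """Bag for an <AttributeDesignator>: every AttributeValue with that id."""
    attrs = _attributes(request, category)
    if attrs is None:
        return []
    return [v.text for a in attrs.findall(f"{{{NS}}}Attribute")
            if a.get("AttributeId") == attribute_id
            for v in a.findall(f"{{{NS}}}AttributeValue")]


def selector(request, category, path):
    """Bag for an <AttributeSelector>: text of the <Content> nodes `path` selects.
    Only absolute paths ending in /text() are handled (all the post needs); anything
    else is an empty bag, which with MustBePresent="false" is a non-match, not an error."""
    attrs = _attributes(request, category)
    content = None if attrs is None else attrs.find(f"{{{NS}}}Content")
    if content is None or len(content) == 0:
        return []
    root = content[0]                       # root element of the wrapped document
    steps = path.strip("/").split("/")
    if steps[-1] != "text()" or steps[0] != root.tag:
        return []
    nodes = root.findall("./" + "/".join(steps[1:-1])) if len(steps) > 2 else [root]
    return [n.text for n in nodes if n.text]


def match(match_id, literal, bag):
    """<Match>: true if the function holds for the literal and at least one
    bag member; an empty bag never matches."""
    return any(FUNCTIONS[match_id](literal, v) for v in bag)


def decide(request_xml, title="Gulliver's travels"):
    """The post's policy: Target = AllOf(string-equal(title, /book/title/text()),
    integer-greater-than(18, age)); one Permit rule with an empty target."""
    request = ET.fromstring(request_xml)
    applies = (match(STRING_EQUAL, title, selector(request, RESOURCE, "/book/title/text()"))
               and match(INTEGER_GT, "18", designator(request, SUBJECT, "age")))
    return "Permit" if applies else "NotApplicable"


def split_by_xpath(request_xml, category, xpath):
    """MDP-style splitting: one individual request per node the XPath selects in
    the category's <Content>. Simplification: Content is rewritten to hold only
    that node, so the /book/... selector above applies to each piece unchanged."""
    content = _attributes(ET.fromstring(request_xml), category).find(f"{{{NS}}}Content")
    steps = xpath.strip("/").split("/")
    if len(content) == 0 or steps[0] != content[0].tag:
        return []
    nodes = content[0].findall("./" + "/".join(steps[1:])) if len(steps) > 1 else [content[0]]
    individual = []
    for node in nodes:
        req = ET.fromstring(request_xml)    # fresh copy per individual decision
        target = _attributes(req, category).find(f"{{{NS}}}Content")
        for child in list(target):
            target.remove(child)
        target.append(node)
        individual.append(ET.tostring(req, encoding="unicode"))
    return individual


if __name__ == "__main__":
    single = make_request("Joe", 14, "<book><title>Gulliver's travels</title>"
                          "<isbn>xx-yy-zz</isbn><publisher>Axiomatics</publisher></book>")
    print(decide(single))                                   # Permit
    # Unsplit, the multi-book document matches nothing: its root is <books>, not <book>.
    print(decide(make_request("Joe", 14, BOOKS)))           # NotApplicable
    for req in split_by_xpath(make_request("Joe", 14, BOOKS), RESOURCE, "/books/book"):
        print(decide(req, title="Pride and Prejudice"))     # NotApplicable, Permit, NotApplicable
```

The last two calls show the pitfall the single-request selector runs into: evaluated against the unsplit <books> document, /book/title/text() selects nothing and the policy is NotApplicable for every book, while the same policy answers each book correctly once the request has been split along /books/book.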
Hi, I’m so happy to have found you here,
My master’s field of study at university is information security, and I’ve defined my final project as giving an architecture for applying the UCON access control model. Now I want to give a prototype for my architecture, and for the policy language I chose XACML. I need your urgent help PLEASE; if it is possible for you, give me some hints about “XACML open source implementations”, preferably XACML v.3 or v.2. I don’t know which open source implementation is more complete and easy to use. Thank you very much again for your writings.
Hello again,
I wanted to explain my question more:
I have searched and found these XACML implementations:
- Sun’s implementation (but it’s XACML v1, which is too old)
- SICSACML: XACML v.3 draft
- HERAS-AF XACML (XACML v2 implementation)
- PicketBox XACML (JBossXACML) (XACML v2 implementation)
- WSO2 product platform
- xEngine
- EnterpriseXACML (Enterprise-java-xacml)
- …
But I don’t know which one fits me from your point of view and experience.
I’m confused and need your help, thanks a lot.
SunXACML and PicketBox are going to be your best free and open source options. Axiomatics provides a commercial XACML 2.0 and XACML 3.0 implementation.
Hi.. I saw your profile on Stack Overflow and followed up here. I hope you have had practical experience with XACML implementation. It would be better if you wrote a detailed tutorial on implementing XACML using some tool and all the prerequisites for it. There is no proper information / step-by-step procedure on “how to set up the sample scenario” either. So kindly redirect me if any link is available to your knowledge, or suggest me some options. Thanks in advance. :)
Hi, yes I do have hands-on XACML experience as I work for Axiomatics and go on-site to deliver XACML implementations. I will keep your idea in mind for a future post. We will also launch a developer’s section soon. By the way I noticed you registered for the Alfa plugin. We’ll get you a copy ASAP.
Cheers,
David.