How to send a XACML request using cURL – the world’s smallest Policy Enforcement Point
Recently, I’ve been asked to write a policy enforcement point (PEP) in Perl. I haven’t touched Perl in a long while but I remember having had fun using it to parse documents on a file system back in 2003 when working at the Natural Languages Lab at BT Adastral Park.
I started looking around at different resources. The obvious ones are:
- http://www.perl.org/: the home of all Perl resources.
- ActiveState Perl: possibly the de facto Perl distribution
- Perlmonks: a great Perl forum where I used to hang out, and
- Perl for Eclipse: EPIC, the Perl Editor and IDE for Eclipse – pretty much all I do these days is in and around Eclipse (from SQL and LDAP to ALFA, the Axiomatics Language for Authorization) so it seemed natural to add Perl to my Eclipse Swiss army knife.
Then, of course, it didn’t take me long to stumble upon cURL. cURL is one of those tools you just know, a bit like wget or basic Linux / Unix commands.
I then realized I could simply use cURL to post a XACML request to a Policy Decision Point. And that’s exactly what I tried. I had to fiddle around with the different options before I got it right. Here’s the outcome:
C:\temp>curl -X POST -H 'Content-type:text/xml' -T soap-xacml-request.xml https://localhost:8443/asm-pdp/pdp --cacert pdp.b64.cer --user pep:password
Let’s have a look at the different options:
- -X : use this to indicate the HTTP method, i.e. POST in this case.
- -H : use this to indicate custom headers, in this case Content-type:text/xml.
- -T : use this to point to the file containing the payload to be sent, i.e. the XACML request optionally wrapped in a SOAP request if the targeted service is SOAP-based.
- --cacert : use this to indicate the trusted certificate. Download the target server's certificate (or the CA certificate that issued it) and use that in PEM format (base64-encoded), so that cURL verifies the TLS connection instead of skipping the check.
- --user : use this to indicate the username and password to be used, if any, e.g. in the case of HTTP Basic Authentication.
Great, I can now send a XACML request in fewer characters than a tweet allows. Sure enough, playing around with cURL diverted me from my original intent – writing a PEP in Perl. I guess PPEP will have to wait…
Here’s the sample XACML request I sent:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <irc:AccessQuery3 xmlns:irc="http://axiomatics.com/delegent/pdpsimple/v5/AccessQuery3">
      <xacml-ctx:Request ReturnPolicyIdList="false" CombinedDecision="false" xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
        <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
          <xacml-ctx:Attribute AttributeId="action-id" IncludeInResult="true">
            <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">view</xacml-ctx:AttributeValue>
          </xacml-ctx:Attribute>
        </xacml-ctx:Attributes>
        <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
          <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-type" IncludeInResult="true">
            <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">book</xacml-ctx:AttributeValue>
          </xacml-ctx:Attribute>
        </xacml-ctx:Attributes>
        <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
          <xacml-ctx:Attribute AttributeId="username" IncludeInResult="true">
            <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Alice</xacml-ctx:AttributeValue>
          </xacml-ctx:Attribute>
        </xacml-ctx:Attributes>
      </xacml-ctx:Request>
    </irc:AccessQuery3>
  </soap:Body>
</soap:Envelope>
and the response:
<?xml version='1.0' encoding='UTF-8'?>
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
  <S:Body>
    <ns6:AccessQuery3Response xmlns:ns2="http://axiomatics.com/delegent/pdpsimple/v5/TraceAccessQuery3" xmlns:ns3="http://axiomatics.com/delegent/pdpsimple/v5/InvalidateAttributeCache" xmlns:ns4="http://axiomatics.com/delegent/pdpsimple/v5/TraceAccessQuery2" xmlns:ns5="http://axiomatics.com/delegent/pdpsimple/v5/AccessQuery2" xmlns:ns6="http://axiomatics.com/delegent/pdpsimple/v5/AccessQuery3" xmlns:ns7="urn:oasis:names:tc:xacml:2.0:context:schema:os" xmlns:ns8="urn:oasis:names:tc:xacml:2.0:policy:schema:os" xmlns:ns9="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:ns10="http://axiomatics.com/delegent/pdpsimple/v5/faults">
      <xacml-ctx:Response xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
        <xacml-ctx:Result>
          <xacml-ctx:Decision>Deny</xacml-ctx:Decision>
          <xacml-ctx:Status>
            <xacml-ctx:StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
          </xacml-ctx:Status>
          <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
            <xacml-ctx:Attribute AttributeId="action-id" IncludeInResult="true">
              <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">view</xacml-ctx:AttributeValue>
            </xacml-ctx:Attribute>
          </xacml-ctx:Attributes>
          <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
            <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-type" IncludeInResult="true">
              <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">book</xacml-ctx:AttributeValue>
            </xacml-ctx:Attribute>
          </xacml-ctx:Attributes>
          <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
            <xacml-ctx:Attribute AttributeId="username" IncludeInResult="true">
              <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Alice</xacml-ctx:AttributeValue>
            </xacml-ctx:Attribute>
          </xacml-ctx:Attributes>
        </xacml-ctx:Result>
      </xacml-ctx:Response>
    </ns6:AccessQuery3Response>
  </S:Body>
</S:Envelope>
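A slightly larger PEP than the cURL one-liner, as an added Python example (not code from the post or from Axiomatics): it builds the same SOAP-wrapped XACML 3.0 request shown above, posts it with TLS verified against the PDP certificate and Basic credentials, and fails closed, granting access only on an ok status with an explicit Permit. The PDP URL, certificate file and credentials are assumed to be whatever you used with cURL; the AccessQuery3 namespace is the one from the sample request.

```python
"""Minimal XACML 3.0 PEP in Python (added example; not the post's or Axiomatics' code)."""
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
IRC = "http://axiomatics.com/delegent/pdpsimple/v5/AccessQuery3"
XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
STRING = "http://www.w3.org/2001/XMLSchema#string"
STATUS_OK = "urn:oasis:names:tc:xacml:1.0:status:ok"
SLOTS = {  # (Category, AttributeId) per slot, as in the post's sample request
    "action": ("urn:oasis:names:tc:xacml:3.0:attribute-category:action", "action-id"),
    "resource": ("urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
                 "urn:oasis:names:tc:xacml:1.0:resource:resource-type"),
    "subject": ("urn:oasis:names:tc:xacml:1.0:subject-category:access-subject", "username"),
}
for prefix, uri in (("soap", SOAP), ("irc", IRC), ("xacml-ctx", XACML)):
    ET.register_namespace(prefix, uri)  # serialise with the same prefixes as the post

def build_request(subject, action, resource):
    """Build the SOAP-wrapped XACML request; ElementTree escapes the attribute values."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    query = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Body"), f"{{{IRC}}}AccessQuery3")
    req = ET.SubElement(query, f"{{{XACML}}}Request",
                        ReturnPolicyIdList="false", CombinedDecision="false")
    for key, value in (("action", action), ("resource", resource), ("subject", subject)):
        category, attr_id = SLOTS[key]
        attrs = ET.SubElement(req, f"{{{XACML}}}Attributes", Category=category)
        attr = ET.SubElement(attrs, f"{{{XACML}}}Attribute",
                             AttributeId=attr_id, IncludeInResult="true")
        ET.SubElement(attr, f"{{{XACML}}}AttributeValue", DataType=STRING).text = value
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)

def is_permitted(response_xml):
    """Fail closed: grant only on an 'ok' StatusCode with an explicit Permit decision."""
    result = ET.fromstring(response_xml).find(f".//{{{XACML}}}Result")
    if result is None:
        return False
    code = result.find(f"{{{XACML}}}Status/{{{XACML}}}StatusCode")
    if code is None or code.get("Value") != STATUS_OK:
        return False
    return result.findtext(f"{{{XACML}}}Decision", default="").strip() == "Permit"

def ask_pdp(url, payload, cacert, user, password):
    """Equivalent of the cURL call: TLS verified against cacert, HTTP Basic credentials."""
    ctx = ssl.create_default_context(cafile=cacert)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, data=payload, method="POST", headers={
        "Content-Type": "text/xml", "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return is_permitted(resp.read())
```

Deny, NotApplicable and Indeterminate all end up as False, as does a non-ok status wrapped around a Permit, which is the behaviour you want from a PEP that cannot reach or trust its PDP.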
Does your PDP also allow non-SOAP calls with the proposed XACML media type?
Not in the default package but, as I mentioned before, I did do a simple test where I exposed our PDP using a REST-like interface. I've got to check whether it's conformant to the XACML media type but it should be.
BTW I’d love to see your implementation some day.