XACML 102 – Pimp my XACML – Part I: with CSS

Have you recently looked at the XACML 2.0 schema? Or perhaps the newborn, XACML 3.0? Well as far as babies go, it ain’t the cutest. Sure, it’s not XACML’s fault. It’s just that XML and in particular schemas have never really been that friendly to read. But don’t worry, we can help. When it comes to cosmetic surgery, there are quite a few ways to enhance XML representation. Read on to learn how to visualize XACML with CSS.

There are, roughly speaking, two ways to make XML more user-friendly:

  • use a bit of CSS magic to add some color to XACML
  • use XSLT to transform XACML into any other language or format (you can even use XSL-FO to turn XACML into a PDF, for instance)

These techniques are by no means specific to XACML. You could apply them to any XML language, e.g. WS-Policy or SAML. Let’s have a look at a sample XACML policy I recently wrote, and let’s see how we can cutify it.

The original policy

Note that both the sample policy and a sample request can be downloaded here and here.

The policy is as follows:

<?xml version="1.0" encoding="UTF-8"?>
<xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="eat-fruit" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" Version="1">
  <xacml3:Description/>
  <xacml3:PolicyDefaults>
    <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
  </xacml3:PolicyDefaults>
  <xacml3:Target>
    <xacml3:AnyOf>
      <xacml3:AllOf>
        <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">eat</xacml3:AttributeValue>
          <xacml3:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
        </xacml3:Match>
        <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">customer</xacml3:AttributeValue>
          <xacml3:AttributeDesignator AttributeId="role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
        </xacml3:Match>
      </xacml3:AllOf>
    </xacml3:AnyOf>
  </xacml3:Target>

  <xacml3:Rule Effect="Permit" RuleId="citrus">
    <xacml3:Description>allow</xacml3:Description>
    <xacml3:Target>
      <xacml3:AnyOf>
        <xacml3:AllOf>
          <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">orange</xacml3:AttributeValue>
            <xacml3:AttributeSelector Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" Path="/fruits/fruit"/>
          </xacml3:Match>
        </xacml3:AllOf>
        <xacml3:AllOf>
          <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">lemon</xacml3:AttributeValue>
            <xacml3:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
          </xacml3:Match>
        </xacml3:AllOf>
      </xacml3:AnyOf>
    </xacml3:Target>
  </xacml3:Rule>

  <xacml3:Rule Effect="Deny" RuleId="berry">
    <xacml3:Description>do not allow</xacml3:Description>
    <xacml3:Target>
      <xacml3:AnyOf>
        <xacml3:AllOf>
          <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">raspberry</xacml3:AttributeValue>
            <xacml3:AttributeSelector Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" Path="/fruits/fruit"/>
          </xacml3:Match>
        </xacml3:AllOf>
        <xacml3:AllOf>
          <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">strawberry</xacml3:AttributeValue>
            <xacml3:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
          </xacml3:Match>
        </xacml3:AllOf>
      </xacml3:AnyOf>
    </xacml3:Target>
    <xacml3:AdviceExpressions>
      <xacml3:AdviceExpression AdviceId="allergy" AppliesTo="Deny">
      </xacml3:AdviceExpression>
    </xacml3:AdviceExpressions>
  </xacml3:Rule>
</xacml3:Policy>

Using CSS to beautify XACML

The Basics

CSS is a standard defined by the W3 consortium. It is currently in its 3rd version (draft). The idea behind CSS is to provide a formatting language for content languages, typically (X)HTML but more generally XML (including SVG and, in our case, XACML).

The idea is that you structure your data with XML then you apply formatting (size, color, shape, font…) using CSS.

Getting started

First of all, you need to reference the CSS stylesheet from inside the XML document you want to style. Let’s take a look at our XACML policy and insert the processing instruction that binds the XACML policy to the CSS file.

<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/css" href="xacml.css"?>

These 2 lines go at the very top of the XACML file, before any element (the first element comes right after and is either a Policy or a PolicySet element).

Before we continue, it’s worth knowing some basic elements of XACML. The language specifies 3 structural levels:

  • PolicySet,
  • Policy, and
  • Rule.

Each of these elements can contain a Target element. Lastly, a Rule carries an Effect attribute (either Permit or Deny). With this in mind, let’s start doing some CSS modelling. Let’s decide that the structural elements, along with the Target, should all be boxes:

PolicySet, Policy, Rule, Target
{
   display : block;
   border  : solid 1px black;
}

Then, we may want to add some ‘breathing’ space around the boxes.

PolicySet, Policy, Rule, Target
{
   display : block;
   border  : solid 1px black;
   padding : 5px;
   margin  : 5px;
}

Then we may want to add conditional formatting. In other words, let’s make the background of a rule red if its Effect is Deny and green if it is Permit.

Rule[Effect=Permit]
{
	background : green;
}

Rule[Effect=Deny]
{
	background : red;
}

At this point, we end up with the XACML policy looking pretty much like the following picture (the rendering may differ slightly depending on your browser, since it is the browser’s engine that applies the CSS).

A simple XACML policy pimped up with CSS

Sprucing it up

Unfortunately, by now, it seems the policy is letting fruit eat customers, which is not quite what we meant to convey graphically, so we’re not really done yet. We need to consider the Target sub-elements: AnyOf, AllOf, and Match. Let’s make those boxes too and, to make it a bit more appealing, let’s give them different shades of color.

AnyOf, AllOf, Match
{
   display : block;
   border  : dotted 1px black;
   padding : 5px;
   margin  : 5px;
   background : rgb(230,230,230);
}

AllOf
{
   background : rgb(240,240,240);
}

Match
{
   background : rgb(250,250,250);
}

But we also want to display attribute ids next to the values they are compared with. To do this, we use another feature of CSS: the :before and :after pseudo-elements, which generate content before or after an element. We can also use the attr(AttributeId) function to read the value of the XML attribute called AttributeId, and inject it into the rendering through the content property.

Match AttributeDesignator:after
{
	display : inline;
	content : attr(AttributeId) ;
	font-weight : normal;
}
Match AttributeDesignator:before
{
	content : "= " ;
}
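Pulling the snippets together, here is a complete xacml.css as an added example (it is not the stylesheet from the original post). It keeps the post’s rules but scopes them to the XACML 3.0 namespace the sample policy declares, and it also prints the policy’s combining algorithm, each rule’s Effect as text and the Path of each AttributeSelector, which the post’s selectors leave invisible.

```css
/* xacml.css: added example, not the original post's stylesheet.
   The default @namespace scopes every type selector to the XACML 3.0
   namespace the sample policy declares (matching xacml3:Rule etc.). */
@namespace "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17";

PolicySet, Policy, Rule, Target {
   display : block;
   border  : solid 1px black;
   padding : 5px;
   margin  : 5px;
}
/* Show the policy id and the combining algorithm: with deny-overrides
   the red rule wins over the green one whenever both apply. */
Policy:before {
   display     : block;
   content     : "Policy " attr(PolicyId) " - " attr(RuleCombiningAlgId);
   font-weight : bold;
}
/* Label each rule with its id and effect so the decision is readable
   without relying on color alone (print-outs, color blindness). */
Rule:before {
   display     : block;
   content     : "Rule " attr(RuleId) ": " attr(Effect);
   font-weight : bold;
}
Rule[Effect=Permit] { background : green; }
Rule[Effect=Deny]   { background : red; }
AnyOf, AllOf, Match {
   display    : block;
   border     : dotted 1px black;
   padding    : 5px;
   margin     : 5px;
   background : rgb(230,230,230);
}
AllOf { background : rgb(240,240,240); }
Match { background : rgb(250,250,250); }
/* Designators show the attribute id; selectors show the XPath the post leaves invisible. */
Match AttributeDesignator:before,
Match AttributeSelector:before  { content : "= "; }
Match AttributeDesignator:after { content : attr(AttributeId); }
Match AttributeSelector:after   { content : "xpath(" attr(Path) ")"; }
/* MustBePresent="false": a missing attribute yields an empty bag and the
   Match simply fails instead of raising Indeterminate; mark it in italics. */
Match [MustBePresent=false]:after { font-style : italic; }
/* Advice carries no decision weight; keep it visible but muted. */
AdviceExpression:before {
   content : "advice " attr(AdviceId) " (applies to " attr(AppliesTo) ")";
   color   : gray;
}
```

Save it as xacml.css next to the policy file referenced by the xml-stylesheet processing instruction. The post’s unprefixed selectors already worked because, when no default @namespace is declared, a CSS type selector matches elements in any namespace.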

Results

Visualize XACML with CSS – the targets

Conclusion

Of course, you can go further and visualize XACML with CSS using images, icons, backgrounds, and more content. But as w3schools points out, CSS is not the optimal tool to format XML, and thus XACML. If you’re serious about that XACML beauty contest, you’re going to need another, much more powerful set of tools: XSLT.

In the next installment of “Pimp my XACML”, we’ll look at XSLT and how it can turn your XACML into a real fashion victim.

In the meantime, feel free to send your creations down my way.