XACML 102: XPath and XACML

Some definitions

  • XPath: (see the W3C definition) query language for selecting nodes from an XML document. In addition, XPath may be used to compute values (e.g., strings, numbers, or Boolean values) from the content of an XML document. (source: wikipedia).
  • XACML: (see the OASIS definition) access control markup language defined to provided a standardized means to express fine-grained access control. XACML includes a reference architecture, a policy language, and a request / response protocol.

Uses of XPath in XACML

XPath is used in attribute selectors in XACML. Attribute selectors are defined in the specification in section 5.30. Attribute selectors contain XPath expressions that are run on the XML content that is sent within a XACML request.

XPath used in a single XACML request

In this use case, we want to use XPath in a policy / rule target or condition in order to use a value contained in the XML payload sent in the element of the XACML request (NB: there can be such an element in any of the attribute categories in the XACML request).
In the example here, we are sending an XML book record which contains a book title, publisher, and ISBN number. We want to be able to make an access control request based on the book title and the age of the reader. If the reader is less than 18 and if the title is equal to Gulliver’s travels, then the decision is a Permit.

<?xml version="1.0" encoding="UTF-8"?><xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="xpath-target-single-req" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" Version="1">
        <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Gulliver's travels</xacml3:AttributeValue>
          <xacml3:AttributeSelector Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" Path="/book/title/text()"/>
        <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than">
          <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">18</xacml3:AttributeValue>
          <xacml3:AttributeDesignator AttributeId="age" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="false"/>
  <xacml3:Rule Effect="Permit" RuleId="allow-read">

And the corresponding XACML request:

<xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false" xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" >
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" >
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" >
      <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="true">
         <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Joe</xacml-ctx:AttributeValue>
      <xacml-ctx:Attribute AttributeId="age" IncludeInResult="true">
         <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">14</xacml-ctx:AttributeValue>
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" >
<title>Gulliver's travels</title>
</book>      </xacml-ctx:Content>

XPath used in a multiple decision request

One of the key features of XACML is to be able to define profiles for specific uses (either best practices e.g. in export control or actual technical extensions such as the delegation profile). One such profile is the Multiple Decision Profile which explains how to create a single XACML request that will in fact represent multiple access control requests. The profile gives 4 ways of expressing such requests one of which makes use of XPath. Here is how:
Let’s assume the incoming XACML request is about reading books. There will be 2 attributes: the subject id, and the action ‘read’. The resource category’s XML content element will contain an XML element with multiple book children as follows:

      <title>The Lord of the Rings</title><author>JRR Tolkien</author>
      <title>Pride and Prejudice</title><author>Jane Austen</author>
      <title>His Dark Materials</title><author>Philip Pullman</author>

The XML document aforementioned lends itself well to a multiple question of the form “Can Joe read A? Can Joe read B? Can Joe read C?”. This is exactly the purpose of the use of XPath in the Multiple Decision Profile, but one has to be extremely careful in its use in order to avoid a few pitfalls.

In a follow-up, I will give sample policies and requests illustrating a correct use of the MDP.