0 votes

I followed the link to run a PDP using a SAML envelope on XACML. Then I created a web service (PDP and PDP client, in other words an XACML request generator). Here everything runs fine, i.e. it generates a request and gets a perfect result with the given policies (the test policies provided by the followed link).

Now I test the PDP with my policies!! But (in my point of view) the PDP doesn't evaluate policies correctly. For example, here is my policy:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
    PolicyId="ServerDataDeletion" Version="2.0"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
    <Description>Server Data Deletion by Student</Description>
    <Target>
        <Subjects>
            <Subject>
                <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Visitor</AttributeValue>
                    <SubjectAttributeDesignator
                        AttributeId="urn:oasis:names:tc:xacml:1.0:subject:outside-university"
                        DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
                </SubjectMatch>
            </Subject>
        </Subjects>
        <Resources>
            <Resource>
                <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Server File</AttributeValue>
                    <ResourceAttributeDesignator
                        AttributeId="urn:oasis:names:tc:xacml:1.0:resource:file123"
                        DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
                </ResourceMatch>
            </Resource>
        </Resources>
        <Actions>
            <Action>
                <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Delete</AttributeValue>
                    <ActionAttributeDesignator
                        AttributeId="urn:oasis:names:tc:xacml:1.0:action:delete123"
                        DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
                </ActionMatch>
            </Action>
        </Actions>
    </Target>
    <Rule RuleId="ServerDataDeletion" Effect="Permit">
        <Description>Server Data Deletion</Description>
        <Target>
            <Subjects>
                <Subject>
                    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Student</AttributeValue>
                        <SubjectAttributeDesignator
                            AttributeId="urn:oasis:names:tc:xacml:1.0:subject:inside-university123"
                            DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
                    </SubjectMatch>
                </Subject>
            </Subjects>
            <Resources>
                <Resource>
                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Server File</AttributeValue>
                        <ResourceAttributeDesignator
                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:file"
                            DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
                    </ResourceMatch>
                </Resource>
            </Resources>
            <Actions>
                <Action>
                    <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Delete</AttributeValue>
                        <ActionAttributeDesignator
                            AttributeId="urn:oasis:names:tc:xacml:1.0:action:delete"
                            DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
                    </ActionMatch>
                </Action>
            </Actions>
        </Target>
    </Rule>
    <Rule RuleId="Default" Effect="Deny" />
</Policy>

And here is my request:

Subject-Id: urn:oasis:names:tc:xacml:1.0:subject:outside-university, Subject-Value: Staff

Attribute-Id: urn:oasis:names:tc:xacml:1.0:resource:file123, Attribute-Value: Server File

Action-Id: urn:oasis:names:tc:xacml:1.0:action:delete123, Action-Value: Delete

And the response I get is Deny. As you can see, MustBePresent = true in the Subject, Resource and Action of the Policy Target, and the Request contains none of those IDs. According to XACML 2.0, if MustBePresent is true and the IDs are NOT present in the request, then the target will be Indeterminate. And if the target is the policy target, then the whole policy will be Indeterminate. But in this case, after an Indeterminate policy target, the PDP still evaluates the Rule and produces a result according to the rule-combining algorithm.

Let me know if I am wrong.

1
Are you implementing your own PDP? Are you using Sun XACML? - David Brossard

I am using the JBoss implementation of the PDP. - Junaid

1 Answer

0 votes

Actually, at a quick glance, you should be getting NotApplicable.

You have the following structure:

  • Policy
    • Rule 1: ServerDataDeletion yields Permit
    • Rule 2: Default yields Deny.

Your Policy has a Target as follows:

<Target>
    <Subjects>
        <Subject>
            <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Visitor</AttributeValue>
                <SubjectAttributeDesignator
                    AttributeId="urn:oasis:names:tc:xacml:1.0:subject:outside-university"
                    DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
            </SubjectMatch>
        </Subject>
    </Subjects>
    <Resources>
        <Resource>
            <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Server File</AttributeValue>
                <ResourceAttributeDesignator
                    AttributeId="urn:oasis:names:tc:xacml:1.0:resource:file123"
                    DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
            </ResourceMatch>
        </Resource>
    </Resources>
    <Actions>
        <Action>
            <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Delete</AttributeValue>
                <ActionAttributeDesignator
                    AttributeId="urn:oasis:names:tc:xacml:1.0:action:delete123"
                    DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
            </ActionMatch>
        </Action>
    </Actions>
</Target>

It will only apply if you are a Visitor trying to Delete a Server File.

In your request, you send Staff instead of Visitor. You should therefore get NotApplicable.

If you get a chance, move to XACML 3.0. Check out the ALFA plugin for Eclipse to write your policies easily.
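The two outcomes discussed on this page (the question expects Indeterminate because of MustBePresent="true"; the answer expects NotApplicable because the subject attribute is present but holds "Staff" instead of "Visitor") can be checked with a small evaluator that follows the XACML 2.0 target and deny-overrides semantics. The code below is an added example written for this page, not code from the JBoss or Sun XACML PDP. It rebuilds the question's policy with the same identifiers and values in a compact layout, implements only the string-equal match function and the three target categories the policy uses, and the request dictionaries are constructed to cover the question's request, a matching Visitor, and a request with the subject attribute missing altogether.

```python
# Minimal XACML 2.0 Target/Rule evaluator (added illustration, not a real PDP).
# Requests are {"subject"|"resource"|"action": {attribute-id: [values]}}.
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
XS = "http://www.w3.org/2001/XMLSchema#string"
ID = "urn:oasis:names:tc:xacml:1.0:"
STRING_EQUAL = ID + "function:string-equal"
NS = {"x": XACML}
PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"


def _match(cat, value, attr_id, must_be_present):
    """One <Subjects>/<Resources>/<Actions> block holding a single string-equal match."""
    return (f'<{cat}s><{cat}><{cat}Match MatchId="{STRING_EQUAL}">'
            f'<AttributeValue DataType="{XS}">{value}</AttributeValue>'
            f'<{cat}AttributeDesignator AttributeId="{attr_id}" DataType="{XS}" '
            f'MustBePresent="{must_be_present}"/></{cat}Match></{cat}></{cat}s>')


# The policy from the question, same ids/values, compact layout.
POLICY_XML = f"""<Policy xmlns="{XACML}" PolicyId="ServerDataDeletion" Version="2.0"
  RuleCombiningAlgId="{ID}rule-combining-algorithm:deny-overrides">
  <Target>{_match('Subject', 'Visitor', ID + 'subject:outside-university', 'true')}
  {_match('Resource', 'Server File', ID + 'resource:file123', 'true')}
  {_match('Action', 'Delete', ID + 'action:delete123', 'true')}</Target>
  <Rule RuleId="ServerDataDeletion" Effect="Permit"><Target>
  {_match('Subject', 'Student', ID + 'subject:inside-university123', 'false')}
  {_match('Resource', 'Server File', ID + 'resource:file', 'false')}
  {_match('Action', 'Delete', ID + 'action:delete', 'false')}</Target></Rule>
  <Rule RuleId="Default" Effect="Deny"/>
</Policy>"""


def eval_match(match, category, attrs):
    """One *Match element: True, False or INDETERMINATE."""
    if match.get("MatchId") != STRING_EQUAL:
        return INDETERMINATE  # only string-equal is implemented in this toy
    expected = match.find("x:AttributeValue", NS).text
    designator = match.find(f"x:{category}AttributeDesignator", NS)
    values = attrs.get(designator.get("AttributeId"), [])
    if not values:
        # Attribute absent from the request: MustBePresent="true" makes the match
        # Indeterminate; otherwise the empty bag simply does not match.
        return INDETERMINATE if designator.get("MustBePresent") == "true" else False
    return expected in values  # present but different value: plain non-match


def eval_target(target, request):
    """Every present category must match; an Indeterminate category propagates."""
    if target is None:
        return True  # a Rule without a Target applies to every request
    for category in ("Subject", "Resource", "Action"):
        group = target.find(f"x:{category}s", NS)
        if group is None:
            continue
        attrs = request.get(category.lower(), {})
        outcomes = []
        for element in group.findall(f"x:{category}", NS):  # OR over elements
            parts = [eval_match(m, category, attrs)
                     for m in element.findall(f"x:{category}Match", NS)]  # AND over matches
            if all(p is True for p in parts):
                outcomes.append(True)
            else:
                outcomes.append(INDETERMINATE if INDETERMINATE in parts else False)
        if True not in outcomes:
            return INDETERMINATE if INDETERMINATE in outcomes else False
    return True


def eval_rule(rule, request):
    matched = eval_target(rule.find("x:Target", NS), request)
    if matched == INDETERMINATE:
        return INDETERMINATE
    return rule.get("Effect") if matched else NOT_APPLICABLE  # no <Condition> on the page


def deny_overrides(policy, request):
    """Rule-combining deny-overrides as in XACML 2.0 appendix C.1."""
    potential_deny = at_least_one_permit = at_least_one_error = False
    for rule in policy.findall("x:Rule", NS):
        decision = eval_rule(rule, request)
        if decision == DENY:
            return DENY
        if decision == PERMIT:
            at_least_one_permit = True
        elif decision == INDETERMINATE:
            at_least_one_error = True
            potential_deny |= rule.get("Effect") == DENY
    if potential_deny:
        return DENY
    if at_least_one_permit:
        return PERMIT
    return INDETERMINATE if at_least_one_error else NOT_APPLICABLE


def decide(request, policy_xml=POLICY_XML):
    """Policy decision: the Policy Target gates the rules, exactly as the answer says."""
    policy = ET.fromstring(policy_xml)
    matched = eval_target(policy.find("x:Target", NS), request)
    if matched == INDETERMINATE:
        return INDETERMINATE
    return deny_overrides(policy, request) if matched else NOT_APPLICABLE


# Constructed requests; STAFF_REQUEST is the one from the question.
STAFF_REQUEST = {"subject": {ID + "subject:outside-university": ["Staff"]},
                 "resource": {ID + "resource:file123": ["Server File"]},
                 "action": {ID + "action:delete123": ["Delete"]}}
VISITOR_REQUEST = {**STAFF_REQUEST, "subject": {ID + "subject:outside-university": ["Visitor"]}}
NO_SUBJECT_REQUEST = {k: v for k, v in STAFF_REQUEST.items() if k != "subject"}

if __name__ == "__main__":
    print("Staff:", decide(STAFF_REQUEST))            # NotApplicable
    print("Visitor:", decide(VISITOR_REQUEST))        # Deny (Default rule)
    print("No subject:", decide(NO_SUBJECT_REQUEST))  # Indeterminate
```

Running it shows the distinction the thread turns on: MustBePresent only produces Indeterminate when the attribute is missing from the request, and a present attribute with a non-matching value makes the Policy Target fail, so the rules are never reached and the decision is NotApplicable. A PEP should treat both NotApplicable and Indeterminate as "not permitted". The evaluator also exposes a property of this particular policy: because the unconditional Default rule yields Deny and the algorithm is deny-overrides, even a request that satisfies every designator in the Permit rule is still denied, so the policy can never return Permit.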