Red Hat Summit Red Hat SummitApoyoConsolaDesarrolladoresIniciar una pruebaContacto

Este contenido no está disponible en el idioma seleccionado.

11.6.3.2. Configure XACML for Fine Grained Authorization

The following is the procedure to configure XACML.

Procedure 11.10. Configure XACML

  1. Download the library which is a single jar file.

  2. Create one or more policy files for XACML

    • Under the WEB-INF/classes, create a policies directory to save all your policies.
    • Create a policyConfig.xml under WEB-INF/classes directory.
      The following are the two types of policy sets can be defined:
      • Role Permission Policy Sets (RPS)
      • Permission Policy Sets (PPS)

    Example 11.9. Role Permission Policy Sets (RPS)

    Employee

        <PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"  
    PolicySetId="RPS:employee:role"  
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">  
    <Target>  
    <Subjects>  
    <Subject>  
    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">  
    <AttributeValue  
    DataType="http://www.w3.org/2001/XMLSchema#anyURI">employee</AttributeValue>  
    <SubjectAttributeDesignator  
    AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"  
    DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>  
    </SubjectMatch>  
    </Subject>  
    </Subjects>  
    </Target>  
    <!-- Use permissions associated with the employee role -->  
    <PolicySetIdReference>PPS:employee:role</PolicySetIdReference>  
    </PolicySet>
    Copy to Clipboard Toggle word wrap

    Manager

    <PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"  
PolicySetId="RPS:manager:role"  
PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">  
<Target>  
<Subjects>  
<Subject>  
<SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">  
<AttributeValue  
DataType="http://www.w3.org/2001/XMLSchema#anyURI">manager</AttributeValue>  
<SubjectAttributeDesignator  
AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"  
DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>  
</SubjectMatch>  
</Subject>  
</Subjects>  
</Target>  
<!-- Use permissions associated with the manager role -->  
<PolicySetIdReference>PPS:manager:role</PolicySetIdReference>  
</PolicySet>
    Copy to Clipboard Toggle word wrap

    Example 11.10. Permission Policy Sets (PPS)

    Employee

        <PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"  
        PolicySetId="PPS:employee:role"  
        PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">  
        <Target />  
        <!-- Permissions specifically for the employee role -->  
        <Policy PolicyId="Permissions:specifically:for:the:employee:role"  
            RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">  
            <Target />  
            <!-- Permission to create a purchase order -->  
            <Rule RuleId="Permission:to:create:a:purchase:order" Effect="Permit">  
                <Target>  
                    <Resources>  
                        <Resource>  
                            <ResourceMatch  
                                MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">  
                                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">purchase order  
                                </AttributeValue>  
                                <ResourceAttributeDesignator  
                                    AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" />  
                            </ResourceMatch>  
                        </Resource>  
                    </Resources>  
                    <Actions>  
                        <Action>  
                            <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">  
                                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create</AttributeValue>  
                                <ActionAttributeDesignator AttributeId="urn:action-id"  
                                    DataType="http://www.w3.org/2001/XMLSchema#string" />  
                            </ActionMatch>  
                        </Action>  
                    </Actions>  
                </Target>  
            </Rule>  
        </Policy>  
        <!-- HasPrivilegesOfRole Policy for employee role -->  
    <Policy PolicyId="Permission:to:have:employee:role:permissions"  
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">  
        <Target />  
        <!-- Permission to have employee role permissions -->  
        <Rule RuleId="Permission:to:have:employee:permissions" Effect="Permit">  
            <Condition>  
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">  
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">  
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">employee</AttributeValue>  
                        <ResourceAttributeDesignator  
                            AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="http://www.w3.org/2001/XMLSchema#anyURI" />  
                    </Apply>  
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">  
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">urn:oasis:names:tc:xacml:2.0:actions:hasPrivilegesOfRole  
                        </AttributeValue>  
                        <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"  
                            DataType="http://www.w3.org/2001/XMLSchema#anyURI" />  
                    </Apply>  
                </Apply>  
            </Condition>  
        </Rule>  
    </Policy>  
    </PolicySet>
    Copy to Clipboard Toggle word wrap

    Manager

    <PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"  
        PolicySetId="PPS:manager:role"  
        PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">  
        <Target />  
        <!-- Permissions specifically for the manager role -->  
        <Policy PolicyId="Permissions:specifically:for:the:manager:role"  
            RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">  
            <Target />  
            <!-- Permission to sign a purchase order -->  
            <Rule RuleId="Permission:to:sign:a:purchase:order" Effect="Permit">  
                <Target>  
                    <Resources>  
                        <Resource>  
                            <ResourceMatch  
                                MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">  
                                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">purchase order  
                                </AttributeValue>  
                                <ResourceAttributeDesignator  
                                    AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" />  
                            </ResourceMatch>  
                        </Resource>  
                    </Resources>  
                    <Actions>  
                        <Action>  
                            <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">  
                                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">sign</AttributeValue>  
                                <ActionAttributeDesignator AttributeId="urn:action-id"  
                                    DataType="http://www.w3.org/2001/XMLSchema#string" />  
                            </ActionMatch>  
                        </Action>  
                    </Actions>  
                </Target>  
            </Rule>  
        </Policy>  
        <!-- HasPrivilegesOfRole Policy for manager role -->  
    <Policy PolicyId="Permission:to:have:manager:role:permissions"  
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">  
        <Target />  
        <!-- Permission to have manager role permissions -->  
        <Rule RuleId="Permission:to:have:manager:permissions" Effect="Permit">  
            <Condition>  
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">  
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">  
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">manager</AttributeValue>  
                        <ResourceAttributeDesignator  
                            AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="http://www.w3.org/2001/XMLSchema#anyURI" />  
                    </Apply>  
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">  
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">urn:oasis:names:tc:xacml:2.0:actions:hasPrivilegesOfRole  
                        </AttributeValue>  
                        <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"  
                            DataType="http://www.w3.org/2001/XMLSchema#anyURI" />  
                    </Apply>  
                </Apply>  
            </Condition>  
        </Rule>  
    </Policy>  
        <!-- Include permissions associated with employee role -->  
        <PolicySetIdReference>PPS:employee:role</PolicySetIdReference>  
    </PolicySet>
    Copy to Clipboard Toggle word wrap

  3. Create a configuration file for the XACML engine.

    A configuration file is created to configure the locators and mention the directories where the policies are saved.

    Example 11.11. Configuration File

    Configuration File Only Indicating The Directory Of The Policy Files.

        <ns:jbosspdp xmlns:ns="urn:jboss:xacml:2.0">  
      <ns:Policies>   
       <ns:PolicySet>  
          <ns:Location>test/policies/rbac/</ns:Location>   
        </ns:PolicySet>  
      </ns:Policies>  
      <ns:Locators>  
        <ns:Locator Name="org.jboss.security.xacml.locators.JBossRBACPolicySetLocator"/>  
      </ns:Locators>  
    </ns:jbosspdp>
    Copy to Clipboard Toggle word wrap

    Configuration File Defining the Policy Set

    <ns:jbosspdp xmlns:ns="urn:jboss:xacml:2.0">  
  <ns:Policies>    
    <ns:PolicySet>  
      <ns:Location>test/policies/rbac/employee-PPS-policyset.xml</ns:Location>   
    </ns:PolicySet>  
    <ns:PolicySet>  
      <ns:Location>test/policies/rbac/manager-PPS-policyset.xml</ns:Location>   
    </ns:PolicySet>  
    <ns:PolicySet>  
      <ns:Location>test/policies/rbac/employee-RPS-policyset.xml</ns:Location>   
    </ns:PolicySet>  
    <ns:PolicySet>  
      <ns:Location>test/policies/rbac/manager-RPS-policyset.xml</ns:Location>   
    </ns:PolicySet>  
  </ns:Policies>  
  <ns:Locators>  
    <ns:Locator Name="org.jboss.security.xacml.locators.JBossRBACPolicySetLocator"/>  
  </ns:Locators>  
</ns:jbosspdp>
    Copy to Clipboard Toggle word wrap

  4. Create a Policy Decision Point (PDP) and pass it in the Configuration File.
  5. In the Policy Enforcement Point (PEP), create an XACML request based on the context. Pass the XACML request to the PDP to get one of the following access decisions:
    • Permit
    • Deny
    • Indeterminate
    • Not Applicable

    Example 11.12. Access Decisions

    Permit condition

        <Request   
          xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"  
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"  
          xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os  
             access_control-xacml-2.0-context-schema-os.xsd">  
    <Subject>  
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"  
     DataType="http://www.w3.org/2001/XMLSchema#string">  
    <AttributeValue>Anne</AttributeValue>  
    </Attribute>  
      
    <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"  
     DataType="http://www.w3.org/2001/XMLSchema#anyURI">  
    <AttributeValue>manager</AttributeValue>  
    </Attribute>  
    </Subject>   
      
    <Resource>  
    <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"  
    DataType="http://www.w3.org/2001/XMLSchema#anyURI">  
    <AttributeValue>manager</AttributeValue>  
    </Attribute>  
    </Resource>  
      
    <Action>  
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"  
     DataType="http://www.w3.org/2001/XMLSchema#anyURI">  
     <AttributeValue>urn:oasis:names:tc:xacml:2.0:actions:hasPrivilegesOfRole</AttributeValue>  
    </Attribute>  
    </Action>  
    </Request>
    Copy to Clipboard Toggle word wrap

    Deny Permission

        <Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"  
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"  
        xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os  
             access_control-xacml-2.0-context-schema-os.xsd">  
        <Subject>  
            <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"  
                DataType="http://www.w3.org/2001/XMLSchema#string">  
                <AttributeValue>Anne</AttributeValue>  
            </Attribute>  
      
            <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"  
                DataType="http://www.w3.org/2001/XMLSchema#anyURI">  
                <AttributeValue>manager</AttributeValue>  
            </Attribute>  
        </Subject>  
      
        <Resource>  
            <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"  
                DataType="http://www.w3.org/2001/XMLSchema#anyURI">  
                <AttributeValue>manager</AttributeValue>  
            </Attribute>  
        </Resource>  
      
        <Action>  
            <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"  
                DataType="http://www.w3.org/2001/XMLSchema#anyURI">  
                <AttributeValue>urn:nobody</AttributeValue>  
            </Attribute>  
        </Action>  
    </Request>
    Copy to Clipboard Toggle word wrap

Report a bug
Volver arriba
Red Hat logoGithubredditYoutubeTwitter

Aprender

Pruebe, compre y venda

Comunidades

Acerca de la documentación de Red Hat

Ayudamos a los usuarios de Red Hat a innovar y alcanzar sus objetivos con nuestros productos y servicios con contenido en el que pueden confiar. Explore nuestras recientes actualizaciones.

Hacer que el código abierto sea más inclusivo

Red Hat se compromete a reemplazar el lenguaje problemático en nuestro código, documentación y propiedades web. Para más detalles, consulte el Blog de Red Hat.

Acerca de Red Hat

Ofrecemos soluciones reforzadas que facilitan a las empresas trabajar en plataformas y entornos, desde el centro de datos central hasta el perímetro de la red.

Theme

© 2025 Red Hat