Red Hat Summit Red Hat SummitSuporteConsoleDesenvolvedoresComeçar um testeContato

Este conteúdo não está disponível no idioma selecionado.

11.6.3.2. Configure XACML for Fine Grained Authorization

The following is the procedure to configure XACML.

Procedure 11.10. Configure XACML

  1. Download the library which is a single jar file.

  2. Create one or more policy files for XACML

    • Under the WEB-INF/classes, create a policies directory to save all your policies.
    • Create a policyConfig.xml under WEB-INF/classes directory.
      The following are the two types of policy sets can be defined:
      • Role Permission Policy Sets (RPS)
      • Permission Policy Sets (PPS)

    Example 11.9. Role Permission Policy Sets (RPS)

    Employee

        <PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"  
    PolicySetId="RPS:employee:role"  
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">  
    <Target>  
    <Subjects>  
    <Subject>  
    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">  
    <AttributeValue  
    DataType="http://www.w3.org/2001/XMLSchema#anyURI">employee</AttributeValue>  
    <SubjectAttributeDesignator  
    AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"  
    DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>  
    </SubjectMatch>  
    </Subject>  
    </Subjects>  
    </Target>  
    <!-- Use permissions associated with the employee role -->  
    <PolicySetIdReference>PPS:employee:role</PolicySetIdReference>  
    </PolicySet>

    Manager

    <PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"  
PolicySetId="RPS:manager:role"  
PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">  
<Target>  
<Subjects>  
<Subject>  
<SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">  
<AttributeValue  
DataType="http://www.w3.org/2001/XMLSchema#anyURI">manager</AttributeValue>  
<SubjectAttributeDesignator  
AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"  
DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>  
</SubjectMatch>  
</Subject>  
</Subjects>  
</Target>  
<!-- Use permissions associated with the manager role -->  
<PolicySetIdReference>PPS:manager:role</PolicySetIdReference>  
</PolicySet>

    Example 11.10. Permission Policy Sets (PPS)

    Employee

        <PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"  
        PolicySetId="PPS:employee:role"  
        PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">  
        <Target />  
        <!-- Permissions specifically for the employee role -->  
        <Policy PolicyId="Permissions:specifically:for:the:employee:role"  
            RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">  
            <Target />  
            <!-- Permission to create a purchase order -->  
            <Rule RuleId="Permission:to:create:a:purchase:order" Effect="Permit">  
                <Target>  
                    <Resources>  
                        <Resource>  
                            <ResourceMatch  
                                MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">  
                                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">purchase order  
                                </AttributeValue>  
                                <ResourceAttributeDesignator  
                                    AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" />  
                            </ResourceMatch>  
                        </Resource>  
                    </Resources>  
                    <Actions>  
                        <Action>  
                            <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">  
                                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create</AttributeValue>  
                                <ActionAttributeDesignator AttributeId="urn:action-id"  
                                    DataType="http://www.w3.org/2001/XMLSchema#string" />  
                            </ActionMatch>  
                        </Action>  
                    </Actions>  
                </Target>  
            </Rule>  
        </Policy>  
        <!-- HasPrivilegesOfRole Policy for employee role -->  
    <Policy PolicyId="Permission:to:have:employee:role:permissions"  
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">  
        <Target />  
        <!-- Permission to have employee role permissions -->  
        <Rule RuleId="Permission:to:have:employee:permissions" Effect="Permit">  
            <Condition>  
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">  
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">  
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">employee</AttributeValue>  
                        <ResourceAttributeDesignator  
                            AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="http://www.w3.org/2001/XMLSchema#anyURI" />  
                    </Apply>  
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">  
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">urn:oasis:names:tc:xacml:2.0:actions:hasPrivilegesOfRole  
                        </AttributeValue>  
                        <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"  
                            DataType="http://www.w3.org/2001/XMLSchema#anyURI" />  
                    </Apply>  
                </Apply>  
            </Condition>  
        </Rule>  
    </Policy>  
    </PolicySet>

    Manager

    <PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"  
        PolicySetId="PPS:manager:role"  
        PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">  
        <Target />  
        <!-- Permissions specifically for the manager role -->  
        <Policy PolicyId="Permissions:specifically:for:the:manager:role"  
            RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">  
            <Target />  
            <!-- Permission to sign a purchase order -->  
            <Rule RuleId="Permission:to:sign:a:purchase:order" Effect="Permit">  
                <Target>  
                    <Resources>  
                        <Resource>  
                            <ResourceMatch  
                                MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">  
                                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">purchase order  
                                </AttributeValue>  
                                <ResourceAttributeDesignator  
                                    AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" />  
                            </ResourceMatch>  
                        </Resource>  
                    </Resources>  
                    <Actions>  
                        <Action>  
                            <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">  
                                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">sign</AttributeValue>  
                                <ActionAttributeDesignator AttributeId="urn:action-id"  
                                    DataType="http://www.w3.org/2001/XMLSchema#string" />  
                            </ActionMatch>  
                        </Action>  
                    </Actions>  
                </Target>  
            </Rule>  
        </Policy>  
        <!-- HasPrivilegesOfRole Policy for manager role -->  
    <Policy PolicyId="Permission:to:have:manager:role:permissions"  
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">  
        <Target />  
        <!-- Permission to have manager role permissions -->  
        <Rule RuleId="Permission:to:have:manager:permissions" Effect="Permit">  
            <Condition>  
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">  
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">  
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">manager</AttributeValue>  
                        <ResourceAttributeDesignator  
                            AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="http://www.w3.org/2001/XMLSchema#anyURI" />  
                    </Apply>  
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">  
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">urn:oasis:names:tc:xacml:2.0:actions:hasPrivilegesOfRole  
                        </AttributeValue>  
                        <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"  
                            DataType="http://www.w3.org/2001/XMLSchema#anyURI" />  
                    </Apply>  
                </Apply>  
            </Condition>  
        </Rule>  
    </Policy>  
        <!-- Include permissions associated with employee role -->  
        <PolicySetIdReference>PPS:employee:role</PolicySetIdReference>  
    </PolicySet>

  3. Create a configuration file for the XACML engine.

    A configuration file is created to configure the locators and mention the directories where the policies are saved.

    Example 11.11. Configuration File

    Configuration File Only Indicating The Directory Of The Policy Files.

        <ns:jbosspdp xmlns:ns="urn:jboss:xacml:2.0">  
      <ns:Policies>   
       <ns:PolicySet>  
          <ns:Location>test/policies/rbac/</ns:Location>   
        </ns:PolicySet>  
      </ns:Policies>  
      <ns:Locators>  
        <ns:Locator Name="org.jboss.security.xacml.locators.JBossRBACPolicySetLocator"/>  
      </ns:Locators>  
    </ns:jbosspdp>

    Configuration File Defining the Policy Set

    <ns:jbosspdp xmlns:ns="urn:jboss:xacml:2.0">  
  <ns:Policies>    
    <ns:PolicySet>  
      <ns:Location>test/policies/rbac/employee-PPS-policyset.xml</ns:Location>   
    </ns:PolicySet>  
    <ns:PolicySet>  
      <ns:Location>test/policies/rbac/manager-PPS-policyset.xml</ns:Location>   
    </ns:PolicySet>  
    <ns:PolicySet>  
      <ns:Location>test/policies/rbac/employee-RPS-policyset.xml</ns:Location>   
    </ns:PolicySet>  
    <ns:PolicySet>  
      <ns:Location>test/policies/rbac/manager-RPS-policyset.xml</ns:Location>   
    </ns:PolicySet>  
  </ns:Policies>  
  <ns:Locators>  
    <ns:Locator Name="org.jboss.security.xacml.locators.JBossRBACPolicySetLocator"/>  
  </ns:Locators>  
</ns:jbosspdp>

  4. Create a Policy Decision Point (PDP) and pass it in the Configuration File.
  5. In the Policy Enforcement Point (PEP), create an XACML request based on the context. Pass the XACML request to the PDP to get one of the following access decisions:
    • Permit
    • Deny
    • Indeterminate
    • Not Applicable

    Example 11.12. Access Decisions

    Permit condition

        <Request   
          xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"  
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"  
          xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os  
             access_control-xacml-2.0-context-schema-os.xsd">  
    <Subject>  
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"  
     DataType="http://www.w3.org/2001/XMLSchema#string">  
    <AttributeValue>Anne</AttributeValue>  
    </Attribute>  
      
    <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"  
     DataType="http://www.w3.org/2001/XMLSchema#anyURI">  
    <AttributeValue>manager</AttributeValue>  
    </Attribute>  
    </Subject>   
      
    <Resource>  
    <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"  
    DataType="http://www.w3.org/2001/XMLSchema#anyURI">  
    <AttributeValue>manager</AttributeValue>  
    </Attribute>  
    </Resource>  
      
    <Action>  
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"  
     DataType="http://www.w3.org/2001/XMLSchema#anyURI">  
     <AttributeValue>urn:oasis:names:tc:xacml:2.0:actions:hasPrivilegesOfRole</AttributeValue>  
    </Attribute>  
    </Action>  
    </Request>

    Deny Permission

        <Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"  
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"  
        xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os  
             access_control-xacml-2.0-context-schema-os.xsd">  
        <Subject>  
            <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"  
                DataType="http://www.w3.org/2001/XMLSchema#string">  
                <AttributeValue>Anne</AttributeValue>  
            </Attribute>  
      
            <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"  
                DataType="http://www.w3.org/2001/XMLSchema#anyURI">  
                <AttributeValue>manager</AttributeValue>  
            </Attribute>  
        </Subject>  
      
        <Resource>  
            <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"  
                DataType="http://www.w3.org/2001/XMLSchema#anyURI">  
                <AttributeValue>manager</AttributeValue>  
            </Attribute>  
        </Resource>  
      
        <Action>  
            <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"  
                DataType="http://www.w3.org/2001/XMLSchema#anyURI">  
                <AttributeValue>urn:nobody</AttributeValue>  
            </Attribute>  
        </Action>  
    </Request>

Report a bug
Red Hat logoGithubRedditYoutubeTwitter

Aprender

Experimente, compre e venda

Comunidades

Sobre a documentação da Red Hat

Ajudamos os usuários da Red Hat a inovar e atingir seus objetivos com nossos produtos e serviços com conteúdo em que podem confiar. Explore nossas atualizações recentes.

Tornando o open source mais inclusivo

A Red Hat está comprometida em substituir a linguagem problemática em nosso código, documentação e propriedades da web. Para mais detalhes veja o Blog da Red Hat.

Sobre a Red Hat

Fornecemos soluções robustas que facilitam o trabalho das empresas em plataformas e ambientes, desde o data center principal até a borda da rede.

© 2024 Red Hat, Inc.