Hi all,

as promised in the last telecon, below are some insights into a way to use xacml's obligation mechanism in SOA:
· the pep intercepts the communication between the subject and the service, e.g. a Web Service request or response r in format x (i.e. r.x)
· the ctx handler transforms r.x and includes it in a xacml decision request in format y (i.e. r.y)
· to enforce most of the access rights based on the Web Service request there is a need to rewrite the request. additionally some rights need to be enforced through a rewrite of the response. in both cases the aim behind the rewrite is to allow the intersection of the intended interaction and the permitted interactions
· the rewrite can be done by rewrite functions defined in obligations that refer to r.y
· a ctx handler receiving rewrite rules transforms r.y (i.e. the representation of the request in the evaluation context) correspondingly. this will result in r.y'
· after the ac process the ctx handler transforms r.y' back to the original format x, so you get r.x'
· the pep can choose between different options how to proceed:
  § no rewrite --> forward original request | response
  § rewrite --> forward rewritten Web Service request | response
  § rewrite --> deny request, send error msg to user (optionally show him r.x' to show him the permitted subset of his request)
Example:

request from user in string format:
r.x := select * from Building where owner = 'state'

request from user in xml format, as included under <content> in the xacml access decision request:
r.y :=
<select>
  <proj>*</proj>
  <from>
    <table>Building</table>
  </from>
  <where>owner = 'state'</where>
</select>

obligation in a rule that matches:
- subject.name = alice
- xpath-node-equal(content-selector, /select[ from/table/text() = Building])
- obligation:
  - functionToCall = addToWhereClauseByAnd
  - argument1 = 'price < 1,000,000'
  - optional: functionDefInEgJava = public string addToWhereClauseByAnd(string s){....} // this could allow for flexible obligation-function definition and will still keep interop

result in ctx handler after ac process:
r.y' :=
<select>
  <proj>*</proj>
  <from>
    <table>Building</table>
  </from>
  <where>owner = 'state' AND price < 1,000,000</where>
</select>

rewritten request in original sql string format:
r.x' := select * from Building where owner = 'state' AND price < 1,000,000
The rewritten request implies that the user can only access building data with a price less than one million. According to this solution it is very useful to allow obligation processing in the ctx handler (which could run on a different machine than the pep). For those that know Oracle's virtual private database tech, this approach is similar but more flexible, external from the service/dbms implementation, and could be standardised.

Looking forward to hearing your thoughts on this solution.
best regards
jan
________________________________________
Jan Herrmann
Dipl.-Inform., Dipl.-Geogr.
wissenschaftlicher Mitarbeiter
Technische Universität München
Institut für Informatik
Lehrstuhl für Angewandte Informatik
/ Kooperative Systeme
Boltzmannstr. 3
85748 Garching
Tel: +49 (0)89 289-18692
Fax: +49 (0)89 289-18657
Raum:
www11.informatik.tu-muenchen.de
________________________________________
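The ctx-handler steps from the mail (r.y -> r.y' via the addToWhereClauseByAnd obligation, then r.y' -> r.x'), as an added example in Python that is not part of the original mail or any XACML implementation. The XML layout of r.y, the dict shape of the obligation and the function names are assumptions; unlike the mail's r.y', this version wraps the user's original predicate in parentheses so an OR in the user's WHERE clause cannot escape the conjoined restriction, and it refuses to enforce an obligation whose function it does not know.

```python
import xml.etree.ElementTree as ET

# Constructed sample of r.y: the user's SQL request as XML under <content>.
R_Y = """<select>
  <proj>*</proj>
  <from><table>Building</table></from>
  <where>owner = 'state'</where>
</select>"""

# Constructed obligation as it would accompany a Permit decision (assumed shape).
OBLIGATION = {"functionToCall": "addToWhereClauseByAnd",
              "argument1": "price < 1,000,000"}


def add_to_where_clause_by_and(select, predicate):
    """Rewrite function: conjoin `predicate` onto the WHERE clause of r.y.
    The original predicate is parenthesised so its own OR/AND structure
    cannot weaken the added restriction."""
    where = select.find("where")
    if where is None:
        where = ET.SubElement(select, "where")
    if where.text and where.text.strip():
        where.text = f"({where.text.strip()}) AND {predicate}"
    else:
        where.text = predicate
    return select


# Registry of rewrite functions the ctx handler is willing to run (assumed).
REWRITE_FUNCTIONS = {"addToWhereClauseByAnd": add_to_where_clause_by_and}


def apply_obligations(r_y_xml, obligations):
    """Ctx-handler step r.y -> r.y': apply every obligation's rewrite function.
    An unknown function is an enforcement failure, so the request must not pass."""
    root = ET.fromstring(r_y_xml)
    for ob in obligations:
        fn = REWRITE_FUNCTIONS.get(ob["functionToCall"])
        if fn is None:
            raise ValueError(f"cannot enforce obligation {ob['functionToCall']!r}")
        fn(root, ob["argument1"])
    return ET.tostring(root, encoding="unicode")


def to_sql(r_y_xml):
    """Ctx-handler step r.y' -> r.x': serialise the XML back to the SQL string format."""
    root = ET.fromstring(r_y_xml)
    proj = root.findtext("proj", "*").strip()
    tables = ", ".join(t.text.strip() for t in root.iterfind("from/table"))
    sql = f"select {proj} from {tables}"
    where = root.findtext("where")
    if where and where.strip():
        sql += f" where {where.strip()}"
    return sql
```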