XACML Authorization - skrusche63/OASIS-ebXML-RegRep-v4.0 GitHub Wiki

XACML is short for eXtensible Access Control Markup Language and is an OASIS standard that defines both a

  • declarative access control policy language (XML), and
  • processing model describing how to evaluate authorization requests according to the rules defined in policies.

XACML is primarily an Attribute Based Access Control system (ABAC), where attributes associated with

  • a user or
  • action or
  • resource or
  • environment

are inputs into the decision of whether a given user may access a given resource in a particular way. Note that role-based access control (RBAC) is a specialization of ABAC and may also be described by XACML. This blog entry provides additional information about the XACML standard and its building blocks.

Because XACML is a declarative, policy-based form of access control, authorization decisions can be changed and enforced immediately by editing the policies, without any change to the software.

The Graph-based OASIS ebXML RegRep v4.0 implements XACML version 2.0 and uses Enterprise Java XACML. Due to the modular architecture, it is also possible to use other XACML products, e.g. from AXIOMATICS.

The main component of the XACML-based authorization is the AuthorizationManager. This component distinguishes between the different request types supported by an OASIS ebXML RegRep and delegates each request to the XACML Policy Enforcement Point (PEP). Query requests are handled differently from the others: instead of the incoming request, the AuthorizationManager authorizes the outgoing QueryResponse, i.e. the result of the query.

```java
public class AuthorizationManager {

	// eagerly created singleton instance
	private static final AuthorizationManager instance = new AuthorizationManager();

	// XACML based policy enforcement point
	private PolicyEnforcementPoint pep = PolicyEnforcementPoint.getInstance();

	private AuthorizationManager() {
	}

	public static AuthorizationManager getInstance() {
		return instance;
	}

	// authorize an incoming CatalogObjectsRequest
	public AuthorizationResult authorizeCatalogRequest(CatalogRequestContext request) {

		AuthorizationResult authRes = new AuthorizationResult(AuthorizationConstants.CATALOG_REQUEST);
		authRes.setUser(request.getUser());

		return pep.authorizeRequest(request, authRes);

	}

	// authorize an incoming SubmitObjectsRequest
	public AuthorizationResult authorizeSubmitRequest(SubmitRequestContext request) {

		AuthorizationResult authRes = new AuthorizationResult(AuthorizationConstants.SUBMIT_REQUEST);
		authRes.setUser(request.getUser());

		return pep.authorizeRequest(request, authRes);

	}

	// authorize an incoming UpdateObjectsRequest
	public AuthorizationResult authorizeUpdateRequest(UpdateRequestContext request) {

		AuthorizationResult authRes = new AuthorizationResult(AuthorizationConstants.UPDATE_REQUEST);
		authRes.setUser(request.getUser());

		return pep.authorizeRequest(request, authRes);

	}

	// authorize an incoming RemoveObjectsRequest
	public AuthorizationResult authorizeRemoveRequest(RemoveRequestContext request) {

		AuthorizationResult authRes = new AuthorizationResult(AuthorizationConstants.REMOVE_REQUEST);
		authRes.setUser(request.getUser());

		return pep.authorizeRequest(request, authRes);

	}

	// authorize an outgoing QueryResponse: the query result, not the
	// incoming request, is what gets checked against the policies
	public AuthorizationResult authorizeQueryResponse(QueryRequestContext request, QueryResponseContext response) {

		AuthorizationResult authRes = new AuthorizationResult(AuthorizationConstants.QUERY_REQUEST);
		authRes.setUser(request.getUser());

		return pep.authorizeResponse(response, authRes);

	}
}
```
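The following is an added example, not code from the RegRep project or from Enterprise Java XACML. It illustrates two things described above: the XACML processing model (attributes of subject, action, resource and environment evaluated against declarative rules by a decision point, with a combining algorithm and a fail-closed enforcement point), and the split between authorizing incoming requests and authorizing an outgoing query response. The policy, attribute names, roles, sample registry objects and the per-object filtering of the response are constructed assumptions for the demonstration; the project's actual policies and classes are not shown here.

```python
"""Added example: a miniature XACML-style ABAC decision flow (PDP + PEP).

Constructed for illustration; not the RegRep project's policy or classes.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass
class Request:
    """XACML request context: attributes of the four categories."""
    subject: Dict[str, str]
    action: Dict[str, str]
    resource: Dict[str, str]
    environment: Dict[str, str] = field(default_factory=dict)


@dataclass
class Rule:
    """A rule yields its effect when its predicate holds for the request and is
    NotApplicable otherwise. The predicate stands in for XACML Target + Condition."""
    rule_id: str
    effect: str
    applies: Callable[[Request], bool]


@dataclass
class Policy:
    policy_id: str
    rules: List[Rule]
    combining: str = "deny-overrides"  # or "permit-overrides"


def decide(policy: Policy, req: Request) -> str:
    """PDP: evaluate every rule and combine the results with the policy's algorithm."""
    effects = [r.effect for r in policy.rules if r.applies(req)]
    if not effects:
        return NOT_APPLICABLE
    if policy.combining == "deny-overrides":
        return DENY if DENY in effects else PERMIT
    if policy.combining == "permit-overrides":
        return PERMIT if PERMIT in effects else DENY
    raise ValueError(f"unknown combining algorithm {policy.combining}")


class PolicyEnforcementPoint:
    """PEP: turns a PDP decision into allow/deny (fail closed) for incoming
    requests and filters an outgoing query response object by object."""

    def __init__(self, policy: Policy) -> None:
        self.policy = policy

    def authorize_request(self, req: Request) -> bool:
        # Only an explicit Permit passes; Deny and NotApplicable (and
        # Indeterminate in full XACML) all block the request.
        return decide(self.policy, req) == PERMIT

    def authorize_response(self, subject, environment, objects):
        # Outgoing QueryResponse: each returned object is a resource of its own,
        # so a "read" request is evaluated per object (assumed filtering model).
        return [o for o in objects
                if self.authorize_request(Request(subject, {"id": "read"}, o, environment))]


def registry_policy() -> Policy:
    """Constructed sample policy; attribute names and roles are assumptions."""
    return Policy("registry-access", [
        # RBAC as a special case of ABAC: a role is just another subject attribute.
        Rule("admin-any", PERMIT,
             lambda r: r.subject.get("role") == "RegistryAdministrator"),
        # Owners may read and modify their own objects.
        Rule("owner-access", PERMIT,
             lambda r: r.action["id"] in {"read", "submit", "update", "remove"}
             and r.subject.get("id") == r.resource.get("owner")),
        # Any authenticated subject may read approved objects.
        Rule("read-approved", PERMIT,
             lambda r: r.action["id"] == "read"
             and r.resource.get("status") == "Approved"),
        # Environment attribute: a maintenance freeze blocks removals for everyone;
        # deny-overrides makes this win even over the admin rule.
        Rule("freeze-removals", DENY,
             lambda r: r.action["id"] == "remove"
             and r.environment.get("maintenance") == "true"),
    ])


if __name__ == "__main__":
    pep = PolicyEnforcementPoint(registry_policy())
    carol = {"id": "carol", "role": "RegistryUser"}
    objs = [{"id": "obj-1", "owner": "alice", "status": "Submitted"},
            {"id": "obj-2", "owner": "bob", "status": "Approved"}]
    print(pep.authorize_request(Request(carol, {"id": "update"}, objs[0])))  # False
    print([o["id"] for o in pep.authorize_response(carol, {}, objs)])         # ['obj-2']
```

Changing a decision here means editing `registry_policy()` (in a real deployment, the XACML policy files), not the enforcement code: the PEP and PDP stay the same while the rules change, which is the point made above about enforcing new decisions without a software change. Note also that the `freeze-removals` rule only has its effect because the policy uses deny-overrides; with permit-overrides the admin rule would win, so the combining algorithm is part of the security semantics, not a detail.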
