XACML Request creation - 7.1

Talend ESB Infrastructure Services Configuration Guide

Version: 7.1
Products: Talend Data Fabric, Talend Data Services Platform, Talend ESB, Talend MDM Platform, Talend Open Studio for ESB, Talend Real-Time Big Data Platform
Platform: Talend ESB, Talend Runtime
Task: Design and Development; Installation and Upgrade

CXF provides an interface with a single method that returns a XACML request for a given set of parameters. Only XACML 2.0 is considered for Talend ESB; XACML 3.0 is not supported. The parameters are chosen so that they carry all the information needed to make an authorization request on either the client or the endpoint side. The method parameters are as follows:

  • A Principal corresponding to the Subject of the request
  • A list of roles corresponding to the roles of the principal
  • A CXF Message object describing the current request

The method implementation creates a XACML request from these parameters and marshals it into an OpenSAML RequestType object. OpenSAML already contains functionality for handling XACML Requests, Responses and Policies, including marshalling them to DOM Elements, so it makes sense to reuse it rather than build the XML by hand.

A default implementation of this interface is also provided. It produces a XACML request that is accepted by the TESB PDP as well as by standard third-party PDPs, and it builds the request from the given parameters by associating the following values with the following (standard) XACML attributes:

  • Principal name is mapped to urn:oasis:names:tc:xacml:1.0:subject:subject-id
  • Each Principal role is mapped to urn:oasis:names:tc:xacml:2.0:subject:role
  • An Action String is mapped to urn:oasis:names:tc:xacml:1.0:action:action-id
  • A Resource String is mapped to urn:oasis:names:tc:xacml:1.0:resource:resource-id
  • The current DateTime is mapped to urn:oasis:names:tc:xacml:1.0:environment:current-dateTime

The subject-id and role attributes additionally carry an Issuer attribute set to the Issuer of the SAML Assertion, since the PDP may need to know who asserted the roles of the authenticated principal. A policy can match on this Issuer (via the Issuer attribute of a SubjectAttributeDesignator) so that role claims are only honoured when they come from a trusted STS.

The Action String describes the Action being performed, which the XACML specification defines as "an Operation on a Resource". It is determined differently for JAX-WS and JAX-RS services:

  • JAX-WS: The action is a statically configured String, defaulting to execute.
  • JAX-RS: The action is the HTTP verb, e.g. "GET".

The "Resource" String, which identifies the JAX-RS or JAX-WS endpoint being called, is extracted from the CXF Message object. The defaults are:

  • JAX-WS: {Service namespace}Operation (via CXF's Message.WSDL_OPERATION)
  • JAX-RS: The REST URI (via CXF's Message.REQUEST_URI)

Note that for JAX-RS, the REST URI obtained via Message.REQUEST_URI is the path only; it does not include the scheme and host prefix (for example "https://<ip-address>"). In general a policy should not depend on how or where the service is deployed. If it must, this is configurable via a boolean property on the XACMLRequestBuilder: when set to true (the default is false), the full request URL is sent as the resource-id for both JAX-WS and JAX-RS services.
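The mapping described above, written out as a runnable builder. This is an added example in Python and is not CXF's own XACMLRequestBuilder implementation: CXFMessage is a constructed stand-in for the few CXF Message properties the builder reads, send_full_request_url stands in for the boolean property mentioned above, and the principal, roles, URLs and timestamp are made up. It produces the same attribute layout (subject-id and role with Issuer, resource-id, action-id, current-dateTime) as the JAX-WS request shown later on this page, and the JAX-RS variant yields the path-only resource-id used in the regexp example.

```python
"""Construct an XACML 2.0 context Request the way the page's default
builder does. Added example, not CXF's DefaultXACMLRequestBuilder.
CXFMessage and send_full_request_url are assumptions standing in for
the CXF Message object and the builder's boolean property."""
from dataclasses import dataclass
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

XACML_CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
XS_ANY_URI = "http://www.w3.org/2001/XMLSchema#anyURI"
XS_DATETIME = "http://www.w3.org/2001/XMLSchema#dateTime"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
SUBJECT_ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
CURRENT_DATETIME = "urn:oasis:names:tc:xacml:1.0:environment:current-dateTime"
ACCESS_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"

ET.register_namespace("xacml-context", XACML_CTX)


def _tag(local):
    return f"{{{XACML_CTX}}}{local}"


@dataclass
class CXFMessage:
    """Constructed stand-in for the CXF Message properties the builder reads."""
    is_rest: bool                 # JAX-RS endpoint (True) or JAX-WS (False)
    http_method: str = ""         # HTTP verb of a JAX-RS request
    request_uri: str = ""         # Message.REQUEST_URI (path only)
    request_url: str = ""         # full request URL, scheme and host included
    wsdl_operation: str = ""      # Message.WSDL_OPERATION as "{namespace}Operation"


def _attribute(parent, attr_id, data_type, values, issuer=None):
    """Append one Attribute with one AttributeValue per value (a XACML bag)."""
    attrib = {"AttributeId": attr_id, "DataType": data_type}
    if issuer is not None:
        attrib["Issuer"] = issuer
    el = ET.SubElement(parent, _tag("Attribute"), attrib)
    for value in values:
        ET.SubElement(el, _tag("AttributeValue")).text = value
    return el


def build_request(principal, roles, msg, issuer=None, action="execute",
                  send_full_request_url=False, now=None):
    """Map (principal, roles, message) onto the standard XACML attributes."""
    now = (now or datetime.now(timezone.utc)).astimezone(timezone.utc)
    req = ET.Element(_tag("Request"))

    # Subject: subject-id and role both carry the SAML assertion's Issuer,
    # so a policy can decide whose role assertions it trusts.
    subject = ET.SubElement(req, _tag("Subject"), {"SubjectCategory": ACCESS_SUBJECT})
    _attribute(subject, SUBJECT_ID, XS_STRING, [principal], issuer)
    if roles:
        _attribute(subject, SUBJECT_ROLE, XS_ANY_URI, list(roles), issuer)

    # Resource: the full URL when asked for, otherwise the REST path or the
    # WSDL operation QName. No Issuer: the endpoint derives this itself.
    if send_full_request_url:
        resource_id = msg.request_url
    else:
        resource_id = msg.request_uri if msg.is_rest else msg.wsdl_operation
    _attribute(ET.SubElement(req, _tag("Resource")), RESOURCE_ID, XS_STRING, [resource_id])

    # Action: the HTTP verb for JAX-RS, a static string for JAX-WS.
    action_id = msg.http_method if msg.is_rest else action
    _attribute(ET.SubElement(req, _tag("Action")), ACTION_ID, XS_STRING, [action_id])

    # Environment: current time in UTC with millisecond precision.
    stamp = f"{now.strftime('%Y-%m-%dT%H:%M:%S')}.{now.microsecond // 1000:03d}Z"
    _attribute(ET.SubElement(req, _tag("Environment")), CURRENT_DATETIME, XS_DATETIME, [stamp])
    return req


def attributes(req):
    """Flatten a Request into {AttributeId: (values, Issuer)} for inspection."""
    return {a.get("AttributeId"): ([v.text for v in a.findall(_tag("AttributeValue"))], a.get("Issuer"))
            for a in req.iter(_tag("Attribute"))}


def to_xml(req):
    return ET.tostring(req, encoding="unicode")


# Constructed sample inputs; not captured from a running Talend ESB.
SAMPLE_TIME = datetime(2012, 10, 9, 14, 36, 7, 3000, tzinfo=timezone.utc)
JAXWS_MSG = CXFMessage(is_rest=False,
                       wsdl_operation="{http://www.example.org/contract/DoubleIt}DoubleIt",
                       request_url="https://localhost:8443/services/DoubleIt")
JAXRS_MSG = CXFMessage(is_rest=True, http_method="GET",
                       request_uri="/numberservice/doubleit/20",
                       request_url="https://localhost:8443/numberservice/doubleit/20")

if __name__ == "__main__":
    print(to_xml(build_request("alice", ["manager"], JAXWS_MSG, issuer="STSIssuer", now=SAMPLE_TIME)))
    print(to_xml(build_request("alice", ["manager"], JAXRS_MSG, issuer="STSIssuer", now=SAMPLE_TIME)))
```

Roles are emitted as one Attribute with several AttributeValue children, which is the XACML 2.0 "bag" form a role-based policy expects; the resource-id and action-id deliberately carry no Issuer, because the endpoint computes them itself rather than taking them from the caller's token.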

A JAX-RS request URI typically contains a variable path segment (an entity ID, for instance) that is irrelevant to the authorization decision. XACML handles this with regular-expression matching on the resource-id. For example, the following is a resource Attribute as sent in a XACML request by CXF:

<xacml-context:Attribute 
   AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" 
   DataType="http://www.w3.org/2001/XMLSchema#string">
   <xacml-context:AttributeValue>
      /numberservice/doubleit/20
   </xacml-context:AttributeValue>
</xacml-context:Attribute>

The following Resources element, in the Target of a policy, will match this resource:

<Resources>
   <Resource>
       <ResourceMatch MatchId=
          "urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
           <AttributeValue DataType=
           "http://www.w3.org/2001/XMLSchema#string">
           /numberservice/doubleit/(\d)*
           </AttributeValue>
           <ResourceAttributeDesignator 
              DataType="http://www.w3.org/2001/XMLSchema#string"
              AttributeId=
                 "urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
        </ResourceMatch>
    </Resource>
</Resources>
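To see what that ResourceMatch actually permits, here is an added example (Python, not part of the Talend or CXF code) that evaluates the page's pattern and a tightened variant against a constructed set of resource-ids under two possible string-regexp-match semantics. XACML 2.0 takes its regular-expression syntax from XML Schema Part 2, where a pattern must match the whole value and ^ and $ are ordinary characters, but a PDP built on a general-purpose regex engine may apply a substring search instead; the page does not say which the TESB PDP uses, so the example models both and you should confirm the behaviour against your own PDP.

```python
"""Model urn:oasis:names:tc:xacml:1.0:function:string-regexp-match against
candidate resource-ids. Added example, not Talend or CXF code. The
tightened pattern and the list of resource-ids are constructed."""
import re

# The pattern from the page's policy, and a tightened variant (assumption).
PAGE_PATTERN = r"/numberservice/doubleit/(\d)*"
TIGHT_PATTERN = r"/numberservice/doubleit/\d+"

# Constructed resource-ids as CXF would place them in resource-id.
RESOURCES = [
    "/numberservice/doubleit/20",
    "/numberservice/doubleit/",
    "/numberservice/doubleit/20/delete",
    "/admin/numberservice/doubleit/20",
    "/numberservice/doubleit/20abc",
]


def resource_matches(pattern, resource_id, full_match=True):
    """Evaluate string-regexp-match(pattern, resource_id).

    full_match=True  models XML Schema semantics: the whole value must match.
    full_match=False models a substring search, as a PDP using a
                     general-purpose regex engine's find() would do.
    """
    rx = re.compile(pattern)
    if full_match:
        return rx.fullmatch(resource_id) is not None
    return rx.search(resource_id) is not None


def evaluate(pattern, resources=RESOURCES):
    """Return {resource_id: (whole_value_result, substring_result)}."""
    return {r: (resource_matches(pattern, r, True),
                resource_matches(pattern, r, False)) for r in resources}


def leaks(pattern, intended, resources=RESOURCES):
    """Resource-ids outside the intended set that the pattern would still
    match under at least one of the two semantics, sorted for stable output."""
    return sorted(r for r in resources
                  if r not in intended
                  and (resource_matches(pattern, r, True)
                       or resource_matches(pattern, r, False)))


if __name__ == "__main__":
    for pattern in (PAGE_PATTERN, TIGHT_PATTERN):
        print(pattern)
        for rid, (whole, sub) in evaluate(pattern).items():
            print(f"  {rid:38} whole-value={whole!s:5} substring={sub}")
        print("  over-matches:", leaks(pattern, {"/numberservice/doubleit/20"}))
```

Under whole-value matching the page's pattern also matches the bare collection path /numberservice/doubleit/, because (\d)* allows zero digits; \d+ closes that gap. Under substring matching both patterns match anything that merely contains the path, including /admin/numberservice/doubleit/20 and /numberservice/doubleit/20/delete, and since XML Schema regexps have no anchors you cannot fix that in the pattern itself. A resource regexp should therefore be paired with Action and Subject constraints in the same Target or Rule, and every policy should be tested with negative cases, not just the request it was written for.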

Below is an example of a XACML request for a JAX-WS service, built according to the mapping rules given above.

<xacml-context:Request   
   xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os">
   <xacml-context:Subject SubjectCategory=
      "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
      <xacml-context:Attribute
          AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
          DataType="http://www.w3.org/2001/XMLSchema#string"
          Issuer="STSIssuer">
         <xacml-context:AttributeValue>
            alice
         </xacml-context:AttributeValue>
      </xacml-context:Attribute>
      <xacml-context:Attribute
          AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
           DataType="http://www.w3.org/2001/XMLSchema#anyURI"
          Issuer="STSIssuer">
         <xacml-context:AttributeValue>
            manager
         </xacml-context:AttributeValue>
      </xacml-context:Attribute>
   </xacml-context:Subject>
   <xacml-context:Resource>
       <xacml-context:Attribute
           AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
           DataType="http://www.w3.org/2001/XMLSchema#string">
          <xacml-context:AttributeValue>
              {http://www.example.org/contract/DoubleIt}DoubleIt
          </xacml-context:AttributeValue>
       </xacml-context:Attribute>
   </xacml-context:Resource>
   <xacml-context:Action>
       <xacml-context:Attribute
           AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"  
           DataType="http://www.w3.org/2001/XMLSchema#string">
          <xacml-context:AttributeValue>
             execute
          </xacml-context:AttributeValue>
       </xacml-context:Attribute>
   </xacml-context:Action>
   <xacml-context:Environment>
       <xacml-context:Attribute AttributeId=
          "urn:oasis:names:tc:xacml:1.0:environment:current-dateTime"
          DataType="http://www.w3.org/2001/XMLSchema#dateTime">
          <xacml-context:AttributeValue>
             2012-10-09T14:36:07.003Z
          </xacml-context:AttributeValue>
       </xacml-context:Attribute>
   </xacml-context:Environment>
</xacml-context:Request>