The eXtensible Access Control Markup Language (XACML) is an XML language for expressing authorization policies and role assignments. XACML offers extension points so that vendors such as BEA can express vendor-specific resources, data types, and functions in XACML.
The WebLogic Server XACML Authorization Provider and XACML Role Mapping Provider implement and extend the XACML 2.0 Core Specification (see XACML 2.0 Core Specification). These providers partially implement the Core and Hierarchical Role Based Access Control (RBAC) Profile of XACML 2.0 (see RBAC specification).
The following sections describe the extensions that you can use when writing XACML 2.0 documents to protect resources on WebLogic Server and the restrictions that WebLogic Server places on XACML:
This document describes only the WebLogic Server extensions and restrictions for XACML. For a complete reference of the XACML 2.0 language, see XACML 2.0 Core Specification and the RBAC specification.
The WebLogic Server model for representing resources and policies follows the model of J2EE deployment descriptors. This J2EE model creates a hierarchy of resources in which roles and authorization policies at the top of the hierarchy protect resources that are lower in the hierarchy. (See Protecting a Hierarchy of Resources.) Policies lower in a hierarchy always override policies higher in the hierarchy. The higher levels of the resource hierarchy contain enterprise applications, Web applications, and EJBs. The lowest levels of the resource hierarchy contain EJB methods, HTTP methods on specific URL patterns, and MBean getters and setters.
The XACML model also recognizes a hierarchy of resources. Unlike the native WebLogic Server model, your XACML policies must specify how to interpret cases in which a resource is protected by its own policy and by a policy on the resource's parent or ancestor.
In addition, a XACML document typically distinguishes between a resource and the actions of a resource. For example, a XACML document defines a resource such as an EJB, and then defines an action within the EJB resource to represent a method in the EJB. The native WebLogic Server model considers an EJB and each EJB method to be resources. See Figure 7-1.
While it is possible to describe an action such as an EJB method as a XACML resource, a more natural expression in XACML would define an EJB as a resource and an EJB method as an action within the resource.
The WebLogic Server terminology for describing resources and policies follows the model of J2EE deployment descriptors. This J2EE model uses the following terms to describe key concepts:
In XACML, a set of rules comprises a policy, and policies can be used to determine who is in a role or who can access a resource. In general, a XACML policy is equivalent to a role statement or policy statement in WebLogic Server.
BEA implements support for all of the data types that are required by the XACML core specification. It supports additional, standard XML data types and provides a group of custom data types. This document uses the bea: prefix to indicate that a data type is a custom BEA type.
For a description of all data types that the BEA XACML providers recognize, see com.bea.common.security.xacml.Type in WebLogic Server API Reference.
XACML uses an Action element to identify an operation in a resource or a hierarchy of resources.
WebLogic Server supports all of the XACML Action identifiers (see XACML 2.0 Core Specification) and adds support for an additional one that can appear anywhere that a standard XACML action identifier can appear.
To identify operations in WebLogic Server resources (for example, to identify a specific EJB method), use action identifiers as described in Table A-1.
Note: While it is possible to use a resource identifier to describe an operation such as an EJB method, a more natural expression in XACML would use an action identifier. See Comparison of WebLogic Server and XACML Security Models.
urn:oasis:names:tc:xacml:1.0:action:action-id: Depends on the type of resource that contains the operation. See Table A-2.
The additional BEA direction identifier: The WebLogic Security SPI contains an optional feature that enables containers to specify when a provider performs a security check on a request: ONCE, PRIOR, or POST. You can use this direction identifier to match requests that have been checked ONCE, PRIOR, or POST. For more information, see weblogic.security.spi.Direction in the WebLogic Server API Reference, which is the object type that is used to pass ONCE, PRIOR, or POST to the security provider.
Table A-2 describes the value that you specify for the action-id identifier, by the type of resource that contains the operation.
Admin resource: The name of an administrative activity that is protected by an Admin resource. For example, UserLockout. For a list of valid values, see the action parameter for the weblogic.security.service.AdminResource constructor in the WebLogic Server API Reference.
JDBC resource: For a list of valid values, see the action parameter for the weblogic.security.service.JDBCResource constructor in the WebLogic Server API Reference.
JMS resource: For a list of valid values, see the action parameter for the weblogic.security.service.JMSResource constructor in the WebLogic Server API Reference.
JNDI resource: For a list of valid values, see the action parameter for the weblogic.security.service.JNDIResource constructor in the WebLogic Server API Reference.
Server resource: For a list of valid values, see Server Resources.
Work Context resource: For a list of valid values, see the action parameter for the weblogic.security.service.WorkContextResource constructor in the WebLogic Server API Reference.
The following example uses an Action element to specify that the target is mymethod within the SimpleSoap Web Service:
<Target>
  <Resources>
    <Resource>
      <ResourceMatch
          MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
          type=&lt;webservices&gt;, application=webservicesJwsSimpleEar,
          contextPath=/jws_basic_simple, webService=SimpleSoapPort
        </AttributeValue>
        <ResourceAttributeDesignator
            AttributeId="urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor"
            DataType="http://www.w3.org/2001/XMLSchema#string"
            MustBePresent="true"/>
      </ResourceMatch>
    </Resource>
  </Resources>
  <Actions>
    <Action>
      <ActionMatch
          MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
          mymethod
        </AttributeValue>
        <ActionAttributeDesignator
            AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
            DataType="http://www.w3.org/2001/XMLSchema#string"
            MustBePresent="true"/>
      </ActionMatch>
    </Action>
  </Actions>
</Target>
XACML uses an optional Environment element to describe conditions in the operating environment that must be met before providing access to a target. For example, an Environment element can specify a time and date range within which access is allowed.
WebLogic Server supports all of the XACML Environment identifiers (see XACML 2.0 Core Specification) and adds support for an additional one that can appear anywhere that a standard XACML environment identifier can appear. See Table A-3.
urn:bea:xacml:2.0:environment:context:key, where key specifies a ContextHandler element name as defined in ContextHandlers and WebLogic Resources in Developing Security Providers for WebLogic Server. A ContextHandler is a WebLogic class that obtains additional context and container-specific information from the resource container and represents the information as a list of name/value pairs.
The following example uses an Environment element to match the value of a WebLogic Server listen port. Such an element could create a policy that requires a request to come through listen port 9001:
<Environment>
  <EnvironmentMatch
      MatchId="urn:oasis:names:tc:xacml:1.0:function:double-equal">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#double">
      9001
    </AttributeValue>
    <EnvironmentAttributeDesignator
        AttributeId="urn:bea:xacml:2.0:environment:context:com.bea.contextelement.channel.Port"
        DataType="http://www.w3.org/2001/XMLSchema#double"/>
  </EnvironmentMatch>
</Environment>
XACML uses a Policy element to contain one or more rules and a PolicySet element to contain one or more policies. Each element must include an identifying attribute (PolicyId for a Policy, PolicySetId for a PolicySet) that is unique. The XACML specification requires these identifiers to be legal URI values.
XACML documents use the PolicyId or PolicySetId to include a specific Policy or PolicySet element within another PolicySet element (through a PolicyIdReference or PolicySetIdReference element). WebLogic Server uses the identifier as the key in the Authorization provider's or Role Mapping provider's policy store.
WebLogic Server reserves URI values beginning with urn:bea: for its internal use. While you cannot create your own policies with URIs that begin with urn:bea:, you can use these values to include BEA's policies in your policy sets.
The following example is a valid identifier for a Policy element:
<Policy
    PolicyId="urn:mycompany:myapplication:policyid:1"
    ...>
The following example is a valid reference to the Policy element above:
<PolicyIdReference>urn:mycompany:myapplication:policyid:1</PolicyIdReference>
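The three constraints just stated (legal URI, no urn:bea: prefix on your own policies, and uniqueness because the identifier is the policy-store key) are easy to check before a document is loaded. The following Python script is an added example and is not part of this documentation or of WebLogic Server; it walks an XACML 2.0 document, collects every PolicyId, PolicySetId, PolicyIdReference and PolicySetIdReference, and reports violations. The two sample documents are constructed, and urn:bea:example:placeholder is a stand-in for a BEA-provided policy identifier, not a real one.

```python
"""Checks on PolicyId and PolicySetId values in an XACML 2.0 document.

Added example, not part of the WebLogic Server documentation. It applies the
three constraints this page states: identifiers must be legal URIs, the
urn:bea: prefix is reserved (it may appear in references to BEA's policies
but not on policies you define), and because the identifier is the key in
the provider's policy store it must not be reused within a document. The
sample documents below are constructed; urn:bea:example:placeholder is a
stand-in, not a real WebLogic policy identifier.
"""
import re
import xml.etree.ElementTree as ET

XACML_NS = "{urn:oasis:names:tc:xacml:2.0:policy:schema:os}"
RESERVED_PREFIX = "urn:bea:"
DEFINING = ("Policy", "PolicySet")                        # carry PolicyId / PolicySetId
REFERENCING = ("PolicyIdReference", "PolicySetIdReference")
# RFC 3986 scheme followed by ':' and a non-empty, whitespace-free remainder.
# Enough to reject the obvious non-URIs; not a full URI grammar.
URI_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:\S+$")


def check_identifiers(xml_text):
    """Return a list of problems; an empty list means every identifier is acceptable."""
    problems, defined = [], set()
    for element in ET.fromstring(xml_text).iter():
        name = element.tag.replace(XACML_NS, "")
        if name in DEFINING:
            identifier = element.get(name + "Id")
            if identifier is None:
                problems.append(f"{name}: missing {name}Id attribute")
                continue
        elif name in REFERENCING:
            identifier = (element.text or "").strip()
        else:
            continue
        if not URI_RE.match(identifier):
            problems.append(f"{name}: '{identifier}' is not a legal URI")
        if name in DEFINING:
            # References to urn:bea: policies are allowed; definitions are not.
            if identifier.startswith(RESERVED_PREFIX):
                problems.append(f"{name}: '{identifier}' uses the reserved urn:bea: prefix")
            if identifier in defined:
                problems.append(f"{name}: duplicate identifier '{identifier}' (policy-store key)")
            defined.add(identifier)
    return problems


XACML = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
FIRST_APPLICABLE = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
DENY_OVERRIDES = "urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides"

# Constructed: one policy of our own plus a reference to a BEA-provided policy (placeholder id).
GOOD_POLICY_SET = f"""<PolicySet xmlns="{XACML}"
    PolicySetId="urn:mycompany:myapplication:policysetid:1"
    PolicyCombiningAlgId="{DENY_OVERRIDES}">
  <Target/>
  <Policy PolicyId="urn:mycompany:myapplication:policyid:1"
      RuleCombiningAlgId="{FIRST_APPLICABLE}">
    <Target/>
    <Rule RuleId="deny-all" Effect="Deny"/>
  </Policy>
  <PolicyIdReference>urn:bea:example:placeholder</PolicyIdReference>
</PolicySet>"""

# Constructed: a reserved-prefix PolicySetId, a reused PolicyId and a non-URI PolicyId.
BAD_POLICY_SET = f"""<PolicySet xmlns="{XACML}"
    PolicySetId="urn:bea:mycompany:policysetid"
    PolicyCombiningAlgId="{DENY_OVERRIDES}">
  <Target/>
  <Policy PolicyId="urn:mycompany:myapplication:policyid:1" RuleCombiningAlgId="{FIRST_APPLICABLE}">
    <Target/><Rule RuleId="r1" Effect="Deny"/>
  </Policy>
  <Policy PolicyId="urn:mycompany:myapplication:policyid:1" RuleCombiningAlgId="{FIRST_APPLICABLE}">
    <Target/><Rule RuleId="r2" Effect="Permit"/>
  </Policy>
  <Policy PolicyId="my policy 1" RuleCombiningAlgId="{FIRST_APPLICABLE}">
    <Target/><Rule RuleId="r3" Effect="Deny"/>
  </Policy>
</PolicySet>"""

if __name__ == "__main__":
    print(check_identifiers(GOOD_POLICY_SET))   # []
    for problem in check_identifiers(BAD_POLICY_SET):
        print(problem)
```

The duplicate check matters more than it looks: because the provider keys its store on the identifier, two policies that share a PolicyId are not two policies once loaded, and which one survives is not something a policy author should leave to chance.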
XACML uses a Resource element to represent data, a service, or a system component.
WebLogic Server supports all of the XACML Resource identifiers (see XACML 2.0 Core Specification).
To identify a WebLogic Server resource, use resource identifiers as described in Table A-4. For information about WebLogic Server resources, see Resource Types You Can Secure with Policies.
The following example Resource element matches a Web Service named SimpleSoapPort and all methods within that Web Service:
<Resource>
  <ResourceMatch
      MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
      type=&lt;webservices&gt;, application=webservicesJwsSimpleEar,
      contextPath=/jws_basic_simple, webService=SimpleSoapPort
    </AttributeValue>
    <ResourceAttributeDesignator
        AttributeId="urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor"
        DataType="http://www.w3.org/2001/XMLSchema#string"
        MustBePresent="true"/>
  </ResourceMatch>
</Resource>
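The matching rules behind the Target fragments on this page (the Action target for mymethod, the Environment target that pins the listen port, and the Resource target above), as an added Python example that is not part of this documentation or of WebLogic Server. It implements the Target semantics of the XACML 2.0 core specification: a Match compares its literal against every value in the bag that the designator selects and succeeds if the function holds for any of them; an absent attribute yields No match unless MustBePresent="true", in which case it yields Indeterminate; the children of Resources, Actions and Environments are combined by OR, the sections themselves by AND. The request contexts are constructed. This page does not say how the WebLogic container fills the resource-ancestor bag, so treating a request on mymethod as having the web service as an ancestor is an assumption.

```python
"""XACML 2.0 Target matching for the Action, Environment and Resource
targets shown on this page.

Added example; it is not part of the WebLogic Server documentation. It
implements the Target evaluation rules of the XACML 2.0 core specification
(section 7.6). The request contexts are constructed here: the page does not
say how the WebLogic container fills the resource-ancestor bag, so treating
a request on mymethod as having the web service as an ancestor is an
assumption.
"""
import xml.etree.ElementTree as ET

# Match functions for the MatchIds used on this page.
MATCH_FUNCTIONS = {
    "urn:oasis:names:tc:xacml:1.0:function:string-equal": lambda a, b: a == b,
    "urn:oasis:names:tc:xacml:1.0:function:double-equal": lambda a, b: float(a) == float(b),
}
RESOURCE_ANCESTOR = "urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
PORT = "urn:bea:xacml:2.0:environment:context:com.bea.contextelement.channel.Port"
WEB_SERVICE = ("type=<webservices>, application=webservicesJwsSimpleEar, "
               "contextPath=/jws_basic_simple, webService=SimpleSoapPort")
WEB_SERVICE_XML = WEB_SERVICE.replace("<", "&lt;").replace(">", "&gt;")

# The page's Action target (ActionMatch wrapped in Actions/Action as the schema requires).
ACTION_TARGET = f"""<Target>
  <Resources><Resource>
    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
        {WEB_SERVICE_XML}
      </AttributeValue>
      <ResourceAttributeDesignator AttributeId="{RESOURCE_ANCESTOR}"
          DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
    </ResourceMatch>
  </Resource></Resources>
  <Actions><Action>
    <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">mymethod</AttributeValue>
      <ActionAttributeDesignator AttributeId="{ACTION_ID}"
          DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
    </ActionMatch>
  </Action></Actions>
</Target>"""

# The page's Environment target: the request must arrive on listen port 9001.
PORT_TARGET = f"""<Target>
  <Environments><Environment>
    <EnvironmentMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:double-equal">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#double">9001</AttributeValue>
      <EnvironmentAttributeDesignator AttributeId="{PORT}"
          DataType="http://www.w3.org/2001/XMLSchema#double"/>
    </EnvironmentMatch>
  </Environment></Environments>
</Target>"""


def local_name(element):
    """Tag without namespace; the page's listings omit the xmlns declaration."""
    return element.tag.rsplit("}", 1)[-1]


def evaluate_match(match, context):
    """One *Match element -> 'Match', 'No match' or 'Indeterminate'."""
    function = MATCH_FUNCTIONS[match.get("MatchId")]
    literal = designator = None
    for child in match:
        if local_name(child) == "AttributeValue":
            literal = " ".join(child.text.split())   # the listings wrap long values
        elif local_name(child).endswith("AttributeDesignator"):
            designator = child
    bag = context.get(designator.get("AttributeId"), [])
    if not bag:   # attribute absent from the request
        return "Indeterminate" if designator.get("MustBePresent") == "true" else "No match"
    # The match is true if the function holds for at least one value in the bag.
    return "Match" if any(function(literal, value) for value in bag) else "No match"


def conjunction(results):
    if all(result == "Match" for result in results):
        return "Match"
    return "No match" if "No match" in results else "Indeterminate"


def disjunction(results):
    if "Match" in results:
        return "Match"
    return "Indeterminate" if "Indeterminate" in results else "No match"


def evaluate_target(target_xml, context):
    """Target = AND over its sections; section = OR over children; child = AND over matches."""
    root = ET.fromstring(target_xml)
    section_results = [
        disjunction([conjunction([evaluate_match(m, context) for m in child]) for child in section])
        for section in root]                      # Subjects, Resources, Actions, Environments
    return conjunction(section_results)           # an empty Target matches every request


def request(action=None, port=None, on_method=True):
    """Constructed request context: attribute id -> bag of string values."""
    context = {RESOURCE_ANCESTOR: [WEB_SERVICE] if on_method else []}   # assumption, see docstring
    if action is not None:
        context[ACTION_ID] = [action]
    if port is not None:
        context[PORT] = [str(port)]
    return context


if __name__ == "__main__":
    print(evaluate_target(ACTION_TARGET, request(action="mymethod")))     # Match
    print(evaluate_target(ACTION_TARGET, request(action="othermethod")))  # No match
    print(evaluate_target(ACTION_TARGET, request()))                      # Indeterminate (MustBePresent)
    print(evaluate_target(PORT_TARGET, request(port=9001)))               # Match
    print(evaluate_target(PORT_TARGET, request()))                        # No match (no MustBePresent)
```

The third result is the one to keep in mind when writing targets. With MustBePresent="true", a request that lacks the attribute does not quietly fall outside the policy; the Target is Indeterminate, the Policy is therefore Indeterminate, and what that becomes depends on the combining algorithm above it. The Environment example has no MustBePresent, so a request with no port attribute simply does not match.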
XACML uses a Subject element to represent an actor whose attributes may be referenced by a predicate.
WebLogic Server supports all of the XACML Subject identifiers (see XACML 2.0 Core Specification).
To identify a WebLogic Server user, group, or role as defined in a WebLogic Server realm, use subject identifiers as described in Table A-5.
For an example of a XACML document that uses identifiers from Table A-5 to define a security role that can be used to protect access to a Web Service, see Listing 7-1.
The following sections describe the functions that the WebLogic Server XACML providers support in addition to the functions described in the XACML Core Specification:
The following function identifiers specify functions that are direct ports of standard XACML functions and operate on the XML and WebLogic Server data types long, float, decimal and bea:Character. For a description of these data types, see com.bea.common.security.xacml.Type in WebLogic Server API Reference.
In this list, type refers to the name of the data type (long, float, decimal or character):
urn:bea:xacml:2.0:function:type-equal
urn:bea:xacml:2.0:function:type-greater-than
urn:bea:xacml:2.0:function:type-greater-than-or-equal
urn:bea:xacml:2.0:function:type-less-than
urn:bea:xacml:2.0:function:type-less-than-or-equal
urn:bea:xacml:2.0:function:type-one-and-only
urn:bea:xacml:2.0:function:type-bag-size
urn:bea:xacml:2.0:function:type-is-in
urn:bea:xacml:2.0:function:type-bag
urn:bea:xacml:2.0:function:type-intersection
urn:bea:xacml:2.0:function:type-union
urn:bea:xacml:2.0:function:type-at-least-one-member-of
urn:bea:xacml:2.0:function:type-subset
urn:bea:xacml:2.0:function:type-set-equals
For information on functions that compare bea:Objects, see Object Comparisons.
The following example is a Condition that uses urn:bea:xacml:2.0:function:character-equal to compare two bea:Character values:
<Condition>
  <Apply FunctionId="urn:bea:xacml:2.0:function:character-equal">
    <AttributeValue DataType="urn:bea:xacml:2.0:data-type:character">
      Q
    </AttributeValue>
    <AttributeValue DataType="urn:bea:xacml:2.0:data-type:character">
      Q
    </AttributeValue>
  </Apply>
</Condition>
Table A-6 lists the miscellaneous functions that WebLogic Server provides in addition to the standard XACML functions.
Development mode test: This function takes no arguments and returns true if the WebLogic Server instance that hosts the realm is in development mode. See Difference Between Domain Startup Modes in Creating WebLogic Domains Using the Configuration Wizard.
urn:bea:xacml:2.0:function:instance-method: This function invokes a method on a bea:Object that the container makes available in the current context. It uses the class type of the bea:Object, the method name, and the class types of the parameter bea:Objects to find the appropriate method in the target bea:Object. If the target bea:Object does not contain exactly one method that matches the parameters, the function result is indeterminate.
Reflective invocation by class name: This function uses the Java reflection API to invoke a method on a specified bea:Object. Its arguments are the class name of the bea:Object, the method name, and the class types of the parameter bea:Objects, which it uses to find the appropriate method in the target bea:Object. If the target bea:Object does not contain exactly one method that matches the parameters, the function result is indeterminate.
The following policy uses the instance-method function to invoke the HttpServletRequest.getAuthType() method on requests that match a specific URL pattern (see javax.servlet.http.HttpServletRequest.getAuthType() in J2EE 1.4 API Specification). The WebLogic Server ContextHandler makes this HttpServletRequest object available to the Authorization and Role Mapping providers for all requests that come through the servlet container. Any policy for a URL resource can invoke this or other HttpServletRequest methods.
<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
    PolicyId="urn:sample:xacml:2.0:function:instance-method"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Description>function:instance-method</Description>
  <Target>
    <Resources>
      <Resource>
        <ResourceMatch
            MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue
              DataType="http://www.w3.org/2001/XMLSchema#string">
            type=&lt;url&gt;, application=MedRecEAR, contextPath=,uri=/docs/*
          </AttributeValue>
          <ResourceAttributeDesignator
              AttributeId="urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor-or-self"
              DataType="http://www.w3.org/2001/XMLSchema#string"
              MustBePresent="true"/>
        </ResourceMatch>
      </Resource>
    </Resources>
  </Target>
  <!-- Declaring the instance-method function as a variable because this policy
       invokes it multiple times.
  -->
  <VariableDefinition VariableId="authType">
    <Apply FunctionId="urn:bea:xacml:2.0:function:instance-method">
      <!-- Passing the HttpServletRequest object to the function, which the
           BEA ContextHandler makes available to the security framework.
      -->
      <Apply FunctionId="urn:bea:xacml:2.0:function:object-one-and-only">
        <EnvironmentAttributeDesignator
            DataType="urn:bea:xacml:2.0:data-type:object"
            AttributeId="urn:bea:xacml:2.0:environment:context:com.bea.contextelement.servlet.HttpServletRequest"/>
      </Apply>
      <!-- Passing "getAuthType" as the name of the HttpServletRequest
           method to invoke
      -->
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
        getAuthType
      </AttributeValue>
      <!-- Because the getAuthType() method signature contains no parameters,
           pass an empty bag of Class.
      -->
      <Apply FunctionId="urn:bea:xacml:2.0:function:class-bag"/>
    </Apply>
  </VariableDefinition>
  <!-- Creating a rule that allows access to the resource only if
       getAuthType() returns a non-null value and that value is "CLIENT_CERT"
  -->
  <Rule RuleId="primary-rule" Effect="Permit">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
          <Apply FunctionId="urn:bea:xacml:2.0:function:object-is-null">
            <VariableReference VariableId="authType"/>
          </Apply>
        </Apply>
        <Apply
            FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <!-- Because the instance-method function returns a bea:Object,
               this policy wraps the function in an object-to-string function,
               which enables comparison of the function output with another
               string.
          -->
          <Apply FunctionId="urn:bea:xacml:2.0:function:object-to-string">
            <VariableReference VariableId="authType"/>
          </Apply>
          <!-- Declaring a String object to compare to the
               HttpServletRequest.getAuthType() return value.
          -->
          <AttributeValue
              DataType="http://www.w3.org/2001/XMLSchema#string">
            CLIENT_CERT
          </AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <!-- Requests for which primary-rule is not applicable fall through to this
       unconditional deny.
  -->
  <Rule RuleId="deny-rule" Effect="Deny"/>
</Policy>
Table A-7 lists the functions that BEA provides to convert XACML times and dates to different data types.
Table A-8 lists the functions that BEA provides to convert arithmetic values to different input types and to extend the basic set of arithmetic functions specified by XACML. Among them is a remainder function that takes two arguments of type double and returns a double value that is the remainder of the two arguments as described in the IEEE 754 standard. See http://grouper.ieee.org/groups/754/.
WebLogic Server provides a collection of functions for converting XACML data into Java objects. The URI for each function in this collection is as follows:
urn:bea:xacml:2.0:function:type-to-object
where type is the name of a XACML data type. Table A-9 lists all data types and the Java object that the corresponding function returns.
For example, this function returns "test" as a java.lang.String object:
<Apply FunctionId="urn:bea:xacml:2.0:function:string-to-object">
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">test</AttributeValue>
</Apply>
Table A-10 lists the functions that BEA provides to convert strings or Java objects to different data or object types. To pass objects that the container makes available to the current context, use the urn:bea:xacml:2.0:environment:context:key environment identifier to specify the bea:Object. See Environment Identifiers.
Table A-11 lists the functions that BEA provides to compare Java objects.
Object equality: This function takes two arguments of type bea:Object, invokes java.lang.Object.equals(), and returns a boolean value indicating whether the two Objects are equal.
Collection membership: This function takes two arguments of type bea:Object and returns a boolean that indicates whether the first bea:Object contains the second bea:Object, as determined by Collection.contains(). The first bea:Object must implement java.util.Collection, else the evaluation is indeterminate.
Collection inclusion: This function takes two arguments of type bea:Object and returns a boolean that indicates whether the first bea:Object contains all of the elements of the second bea:Object, as determined by Collection.containsAll(). Both bea:Objects must implement java.util.Collection, else the evaluation is indeterminate.
Table A-12 lists the function that BEA provides to compare strings. This function takes two arguments of type string and returns an integer that indicates how the two string arguments compare.
If multiple PolicySets apply to a decision, their results are combined using the following algorithm:
urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides
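The two combining algorithms at work on this page, first-applicable inside the instance-method policy above and deny-overrides across PolicySets as just stated, modelled in Python as an added example that is not part of this documentation or of WebLogic Server. The policy's two rules are reproduced with the instance-method call represented as a Python method call on a stand-in for HttpServletRequest, and the Indeterminate handling follows the pseudocode in the XACML 2.0 core specification. The stand-in class, the request contexts, and the decision to model object-one-and-only as raising on a bag of the wrong size are constructed for illustration; this page does not describe any WebLogic-specific departure from the specification's algorithms.

```python
"""Combining algorithms for the instance-method policy on this page.

Added example, not part of the WebLogic Server documentation. It models the
page's policy (Permit when HttpServletRequest.getAuthType() is "CLIENT_CERT",
otherwise Deny) with first-applicable rule combining, then combines several
policy results with deny-overrides, the algorithm WebLogic applies across
PolicySets. The HttpServletRequest stand-in and the request contexts are
constructed; the Indeterminate handling is the XACML 2.0 specification's.
"""
from dataclasses import dataclass
from typing import Callable, Optional

HTTP_REQUEST = ("urn:bea:xacml:2.0:environment:context:"
                "com.bea.contextelement.servlet.HttpServletRequest")


class Indeterminate(Exception):
    """Raised when an expression cannot be evaluated (XACML 'Indeterminate')."""


@dataclass
class FakeHttpServletRequest:
    """Constructed stand-in for javax.servlet.http.HttpServletRequest."""
    auth_type: Optional[str]

    def getAuthType(self):
        return self.auth_type


def object_one_and_only(bag):
    """Model of urn:bea:xacml:2.0:function:object-one-and-only: one element, else Indeterminate."""
    if len(bag) != 1:
        raise Indeterminate(f"expected a bag of size 1, got {len(bag)}")
    return bag[0]


def auth_type_is_client_cert(context):
    """Condition of the page's primary-rule: not(object-is-null(authType)) and authType == CLIENT_CERT."""
    servlet_request = object_one_and_only(context.get(HTTP_REQUEST, []))
    auth_type = servlet_request.getAuthType()        # what instance-method returns as a bea:Object
    return auth_type is not None and str(auth_type) == "CLIENT_CERT"


@dataclass
class Rule:
    rule_id: str
    effect: str                                      # "Permit" or "Deny"
    condition: Optional[Callable[[dict], bool]] = None   # None: the rule always applies


def evaluate_rule(rule, context):
    try:
        applies = rule.condition is None or rule.condition(context)
    except Indeterminate:
        return "Indeterminate"
    return rule.effect if applies else "NotApplicable"


def first_applicable(rules, context):
    """urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable."""
    for rule in rules:
        decision = evaluate_rule(rule, context)
        if decision != "NotApplicable":
            return decision              # Permit, Deny or Indeterminate ends the search
    return "NotApplicable"


def deny_overrides(decisions):
    """urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides (XACML 2.0, C.1)."""
    permitted = False
    for decision in decisions:
        if decision in ("Deny", "Indeterminate"):    # an evaluation error cannot grant access
            return "Deny"
        permitted = permitted or decision == "Permit"
    return "Permit" if permitted else "NotApplicable"


INSTANCE_METHOD_POLICY = [
    Rule("primary-rule", "Permit", auth_type_is_client_cert),
    Rule("deny-rule", "Deny"),
]


def decide(context):
    """Decision of the page's policy for one request context."""
    return first_applicable(INSTANCE_METHOD_POLICY, context)


if __name__ == "__main__":
    cert = {HTTP_REQUEST: [FakeHttpServletRequest("CLIENT_CERT")]}
    basic = {HTTP_REQUEST: [FakeHttpServletRequest("BASIC")]}
    anonymous = {HTTP_REQUEST: [FakeHttpServletRequest(None)]}
    missing = {}      # no HttpServletRequest in the context at all
    for name, context in [("cert", cert), ("basic", basic), ("anonymous", anonymous), ("missing", missing)]:
        print(name, decide(context))             # Permit, Deny, Deny, Indeterminate
    print(deny_overrides([decide(cert), decide(missing)]))   # Deny
```

The fourth case is the one to notice. When the context carries no HttpServletRequest, object-one-and-only fails, primary-rule is Indeterminate, and first-applicable stops there: the unconditional deny-rule is never reached and the Policy as a whole is Indeterminate rather than Deny. The request is still refused only because deny-overrides at the PolicySet level maps Indeterminate to Deny; a catch-all deny rule does not by itself make a policy fail closed under first-applicable.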