authzforce / core


AuthzForce ABAC/XACML PDP engine

Home Page: https://authzforce.ow2.org

License: Apache License 2.0

Java 84.72% HTML 11.31% Shell 0.01% XSLT 3.97%
xacml authorization access-control ow2 pdp json xml-schema abac

core's People

Contributors

amottier, cdanger, cmartins-tha, dependabot[bot], fossabot, hargathor, romainferrari, romainguignard


core's Issues

Integration for spring boot and spring security

I want to use Authzforce in spring boot projects.
For now I did something like this:

@Bean
public BasePdpEngine xacmlEngine() throws Exception {
    PdpEngineConfiguration pdpEngineConfig = PdpEngineConfiguration.getInstance("classpath:pdp.xml",
            "classpath:catalog.xml", "classpath:pdp-ext.xsd");
    BasePdpEngine pdpEngine = new BasePdpEngine(pdpEngineConfig);
    return pdpEngine;
}

The .xml files exist under the resource folder and it works.
I want to know if you can provide a solid Spring integration, so we can use Java config, using Spring resources, configuring the PDP as a bean instead of XML, etc.

Failed Permitted Access XACML

Software version (AuthzForce Core)

10.2.0

Platform JRE

1.8.0_162

Platform OS

Windows 7


Your code and/or AuthzForce-specific configuration file(s)

I am currently trying to implement XACML for an application and just started playing around with it using the AuthZForce library. I have an example policy such as:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" PolicyId="urn:oasis:names:tc:xacml:2.0:conformance-test:IIA1:policy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" Version="1.0">
    <Description>
        Policy for Conformance Test IIA001.
    </Description>
    <Target/>
    <Rule Effect="Permit" RuleId="urn:oasis:names:tc:xacml:2.0:conformance-test:IIA1:rule">
        <Description>
            Julius Hibbert can read or write Bart Simpson's medical record.
        </Description>
        <Target>
            <AnyOf>
                <AllOf>
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Julius Hibbert</AttributeValue>
                        <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
                    </Match>
                </AllOf>
            </AnyOf>
            <AnyOf>
                <AllOf>
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://medico.com/record/patient/BartSimpson</AttributeValue>
                        <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#anyURI" MustBePresent="false"/>
                    </Match>
                </AllOf>
            </AnyOf>
            <AnyOf>
                <AllOf>
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
                        <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
                    </Match>
                </AllOf>
                <AllOf>
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
                        <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
                    </Match>
                </AllOf>
            </AnyOf>
        </Target>
    </Rule>
</Policy>

So I tried to create an XACML request based on this policy, hoping that it would be permitted by the PDP, with the code as follows:

System.setProperty("javax.xml.accessExternalSchema", "http");

File a = new File("pdp.xml");

final PdpEngineConfiguration pdpEngineConf = PdpEngineConfiguration.getInstance(a.toURI().toString());
final BasePdpEngine pdp = new BasePdpEngine(pdpEngineConf);
final DecisionRequestBuilder<?> requestBuilder = pdp.newRequestBuilder(-1, -1);
String issuer = "Julius Hibbert";

// Add subject ID attribute (access-subject category), string value "Julius Hibbert"
final AttributeFqn subjectIdAttributeId = AttributeFqns.newInstance(XACML_1_0_ACCESS_SUBJECT.value(), Optional.ofNullable(issuer), XacmlAttributeId.XACML_1_0_SUBJECT_ID.value());
final AttributeBag<?> subjectIdAttributeValues = Bags.singletonAttributeBag(StandardDatatypes.STRING, new StringValue("Julius Hibbert"));
requestBuilder.putNamedAttributeIfAbsent(subjectIdAttributeId, subjectIdAttributeValues);

// Add resource ID attribute (resource category), string value
final AttributeFqn resourceIdAttributeId = AttributeFqns.newInstance(XACML_3_0_RESOURCE.value(), Optional.ofNullable(issuer), XacmlAttributeId.XACML_1_0_RESOURCE_ID.value());
final AttributeBag<?> resourceIdAttributeValues = Bags.singletonAttributeBag(StandardDatatypes.STRING, new StringValue("http://medico.com/record/patient/BartSimpson"));
requestBuilder.putNamedAttributeIfAbsent(resourceIdAttributeId, resourceIdAttributeValues);

// Add action ID attribute (action category), string value "write"
final AttributeFqn actionIdAttributeId = AttributeFqns.newInstance(XACML_3_0_ACTION.value(), Optional.ofNullable(issuer), XacmlAttributeId.XACML_1_0_ACTION_ID.value());
final AttributeBag<?> actionIdAttributeValues = Bags.singletonAttributeBag(StandardDatatypes.STRING, new StringValue("write"));
requestBuilder.putNamedAttributeIfAbsent(actionIdAttributeId, actionIdAttributeValues);

// No more attributes, let's finalize the request creation
final DecisionRequest request = requestBuilder.build(false);
// Evaluate the request
final DecisionResult result = pdp.evaluate(request);
if (result.getDecision() == DecisionType.PERMIT) {
    // This is a Permit :-)
    System.out.println("ok");
} else {
    // Not a Permit :-( (maybe Deny, NotApplicable or Indeterminate)
    System.out.println("not ok");
}

But when I run the code it gives the result NotApplicable, and I am not sure why. Is there any error in my code?
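The request above pushes resource-id as StandardDatatypes.STRING while the policy's resource Match uses an anyURI AttributeDesignator. The following added example (not from this issue or from AuthzForce) is a minimal Python evaluator of XACML 3.0 Target semantics run against an abridged copy of the posted policy; it shows how a designator's DataType filters the request bag, so a string-typed resource-id makes the rule NotApplicable while an anyURI-typed one yields Permit. It assumes lookups keyed by AttributeId only (Category and Issuer are ignored) and implements only the two equality functions the policy uses.

```python
"""Minimal XACML 3.0 Target evaluator (educational; not AuthzForce code)."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
STRING = "http://www.w3.org/2001/XMLSchema#string"
ANYURI = "http://www.w3.org/2001/XMLSchema#anyURI"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
ANYURI_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:anyURI-equal"

# Constructed, abridged copy of the policy in the issue: same three Match
# conditions (subject string-equal, resource anyURI-equal, action read|write),
# with Category attributes dropped because this evaluator keys on AttributeId.
POLICY = f"""<Policy xmlns="{XACML}" PolicyId="IIA1" Version="1.0"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
  <Target/>
  <Rule Effect="Permit" RuleId="IIA1:rule">
    <Target>
      <AnyOf><AllOf><Match MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{STRING}">Julius Hibbert</AttributeValue>
        <AttributeDesignator AttributeId="{SUBJECT_ID}" DataType="{STRING}" MustBePresent="false"/>
      </Match></AllOf></AnyOf>
      <AnyOf><AllOf><Match MatchId="{ANYURI_EQUAL}">
        <AttributeValue DataType="{ANYURI}">http://medico.com/record/patient/BartSimpson</AttributeValue>
        <AttributeDesignator AttributeId="{RESOURCE_ID}" DataType="{ANYURI}" MustBePresent="false"/>
      </Match></AllOf></AnyOf>
      <AnyOf>
        <AllOf><Match MatchId="{STRING_EQUAL}">
          <AttributeValue DataType="{STRING}">read</AttributeValue>
          <AttributeDesignator AttributeId="{ACTION_ID}" DataType="{STRING}" MustBePresent="false"/>
        </Match></AllOf>
        <AllOf><Match MatchId="{STRING_EQUAL}">
          <AttributeValue DataType="{STRING}">write</AttributeValue>
          <AttributeDesignator AttributeId="{ACTION_ID}" DataType="{STRING}" MustBePresent="false"/>
        </Match></AllOf>
      </AnyOf>
    </Target>
  </Rule>
</Policy>"""

# Only the two match functions the policy uses; both are plain equality.
FUNCTIONS = {STRING_EQUAL: lambda a, b: a == b, ANYURI_EQUAL: lambda a, b: a == b}

Bag = List[Tuple[str, str]]   # (DataType, value) pairs for one attribute
Request = Dict[str, Bag]      # AttributeId -> bag


def q(tag: str) -> str:
    return f"{{{XACML}}}{tag}"


def eval_match(match: ET.Element, request: Request) -> bool:
    fn = FUNCTIONS[match.get("MatchId")]
    literal = match.find(q("AttributeValue")).text
    designator = match.find(q("AttributeDesignator"))
    # The designator returns only request values whose DataType equals its own:
    # a string-typed resource-id is invisible to an anyURI designator, so the
    # bag is empty and the Match is false.
    bag = [v for dt, v in request.get(designator.get("AttributeId"), [])
           if dt == designator.get("DataType")]
    return any(fn(literal, v) for v in bag)


def eval_target(target: Optional[ET.Element], request: Request) -> bool:
    """Target = AND over AnyOf; AnyOf = OR over AllOf; AllOf = AND over Match.
    An absent or empty Target matches any request."""
    if target is None:
        return True
    return all(any(all(eval_match(m, request) for m in allof.findall(q("Match")))
                   for allof in anyof.findall(q("AllOf")))
               for anyof in target.findall(q("AnyOf")))


def evaluate(policy_xml: str, request: Request) -> str:
    policy = ET.fromstring(policy_xml)
    if not eval_target(policy.find(q("Target")), request):
        return "NotApplicable"
    effects = [rule.get("Effect") for rule in policy.findall(q("Rule"))
               if eval_target(rule.find(q("Target")), request)]
    # deny-overrides: any Deny wins, then Permit, else no rule applied.
    if "Deny" in effects:
        return "Deny"
    return "Permit" if "Permit" in effects else "NotApplicable"


def issue_request(resource_datatype: str) -> Request:
    """The request built in the issue; only the DataType given to resource-id varies."""
    return {
        SUBJECT_ID: [(STRING, "Julius Hibbert")],
        RESOURCE_ID: [(resource_datatype, "http://medico.com/record/patient/BartSimpson")],
        ACTION_ID: [(STRING, "write")],
    }


if __name__ == "__main__":
    print(evaluate(POLICY, issue_request(STRING)))  # NotApplicable (as in the issue)
    print(evaluate(POLICY, issue_request(ANYURI)))  # Permit
```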

CVE-2018-8088 affecting slf4j before 1.8.0-beta2

Software version (AuthzForce Core)

7.4.0

Platform JRE

1.8

Platform OS

all

Error stack trace or logs (if any)

Vulnerability reported by OWASP dependency-check on the slf4j-api dependency:

jul-to-slf4j-1.7.25.jar (org.slf4j:jul-to-slf4j:1.7.25, cpe:/a:slf4j:slf4j:1.7.25) : CVE-2018-8088
log4j-over-slf4j-1.7.25.jar (org.slf4j:log4j-over-slf4j:1.7.25, cpe:/a:slf4j:slf4j:1.7.25) : CVE-2018-8088
slf4j-api-1.7.25.jar (org.slf4j:slf4j-api:1.7.25, cpe:/a:slf4j:slf4j:1.7.25) : CVE-2018-8088
jcl-over-slf4j-1.7.25.jar (org.slf4j:jcl-over-slf4j:1.7.25, cpe:/a:slf4j:slf4j:1.7.25) : CVE-2018-8088

Fix it with the next stable release of slf4j-api (as of writing: 1.8.0-beta2).

Deprecate StaticRootPolicyProvider in favor of StaticRefPolicyProvider

StaticRootPolicyProvider is made useless by StaticRefBasedRootPolicyProvider.
Indeed, any rootPolicyProvider configuration could be replaced by a refPolicyProvider configuration plus a root Policy(Set)Id and StaticRefBasedRootPolicyProvider.
Removing all RootPolicyProvider code and model will simplify the code, API and XML schema.

An Issue in https://github.com/authzforce/core#evaluating-requests-in-authzforce-native-api-most-efficient

Software version (AuthzForce Core)

Platform JRE

jre 1.8.0_121

Platform OS

Windows 10


Your code and/or AuthzForce-specific configuration file(s)

final AttributeBag<?> roleAttributeValues = Bags.singletonAttributeBag(StandardDatatypes.STRING, new StringValue("boss"));

When I used the code of "Evaluating Requests in AuthzForce native API (most efficient)" given in README.md, my Eclipse came up with "Unresolved compilation problems":
The method singletonAttributeBag(Datatype, AV) in the type Bags is not applicable for the arguments (AttributeDatatype, StringValue)
Dear developers,
How can I solve it?

How to query policies

I wonder if your PDP can offer something similar that axiomatics calls ARQ (Axiomatics Reverse Query). Here is an example from their docs:

A standard XACML request can be answered with a Permit or Deny. “Can user Bob read document number 42 from the database management system?” Permit or deny.

An ARQ response, by contrast, is a logical expression. The PEP sends an open request to the PDP. “Which actions can Bob perform on documents in this repository?” The response may include criteria such as “Permit read access for documents belonging to Bob’s department, Write access for documents authored by Bob or users for whom he is the manager, namely Anne, Joe or Charlie or for which Bob is the assigned reviewer or editor”.

Compilation failure due to XacmlJsonUtils.canonicalizeResponse method signature issue

Software version (AuthzForce Core)

17.0.1-SNAPSHOT

Platform JRE

OpenJDK11

Platform OS

Debian 10 Buster

Error stack trace or logs (if any)

While trying to compile core on the develop branch, it failed with the following error message:

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.8.1:testCompile (default-testCompile) on project authzforce-ce-core-pdp-testutils: Compilation failure: Compilation failure: 
[ERROR] /home/antoine/workspace/projects/authzforce/core/pdp-testutils/src/test/java/org/ow2/authzforce/core/pdp/testutil/test/json/XacmlJsonTest.java:[168,69] method canonicalizeResponse in class org.ow2.authzforce.xacml.json.model.XacmlJsonUtils cannot be applied to given types;
[ERROR]   required: org.json.JSONObject
[ERROR]   found: org.json.JSONObject,boolean
[ERROR]   reason: actual and formal argument lists differ in length
[ERROR] /home/antoine/workspace/projects/authzforce/core/pdp-testutils/src/test/java/org/ow2/authzforce/core/pdp/testutil/test/json/XacmlJsonTest.java:[169,67] method canonicalizeResponse in class org.ow2.authzforce.xacml.json.model.XacmlJsonUtils cannot be applied to given types;
[ERROR]   required: org.json.JSONObject
[ERROR]   found: org.json.JSONObject,boolean
[ERROR]   reason: actual and formal argument lists differ in length
[ERROR] -> [Help 1]

This issue was introduced by commit 1479319, which added an extra parameter to the XacmlJsonUtils.canonicalizeResponse method.

The latest available version of XacmlJsonUtils does not include this second parameter.

I guess that solving the issue is probably a matter of publishing the latest modification of https://github.com/authzforce/xacml-json-model

Overview on the behavior of a PDP that has been made aware of an Attribute Provider

Hi Cyril,

thanks for replying to my question at https://stackoverflow.com/questions/50388935/where-to-double-check-attributes-of-the-xacml-request-against-attribute-provider. You have linked that wiki article in your answer on Stackoverflow: https://github.com/authzforce/core/wiki/Attribute-Providers

This project has a solid base and probably received several thousand hours of work. But as the features and possibilities are so huge, it's hard to access your tremendous work and to get an overview on how it works and on how to put things together.

As for your wiki page of Attribute Providers I'd kindly ask you to elaborate the overview a bit more.

  • How exactly does the PDP make use of the Attribute Provider it is made aware of?
  • In which situation does the PDP query the Attribute Provider for additional attributes?
    -- Does it double-check attributes given in a Request?
    -- Does it check the attributes only if certain parameters in the XACML policy are set?

Maybe a data flow chart or just a textual description of the data flow would be useful. Example code (Java and XACML) could also be useful.

Java 9 support

Is support for Java 9 planned? Actually I'm getting JAXBException with Java 9.

Create custom attribute provider as in wiki example fails

Software version (AuthzForce Core)

13.3.1

Platform JRE

1.8

Platform OS

Ubuntu

Error stack trace or logs (if any)

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<error xmlns:ns2="http://authzforce.github.io/core/xmlns/pdp/6.0" xmlns:ns3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
    <message>Invalid parameters: cvc-elt.4.2: Cannot resolve 'test:TestAttributeProvider' to a type definition for element 'attributeProvider'.</message>
</error>

Hello, I am trying to follow from the wiki the attribute providers section in order to add a custom PIP in my authzforce server.

What I did:

  1. Downloaded from here the authzforce-ce-core-pdp-testutils.13.3.1.jar, since my authzforce-ce-core-pdp-engine version is that, and placed it in the classpath /opt/authzforce-ce-server/webapp/WEB-INF/lib.

  2. Imported the attribute provider XML schema in the XML schema file
    /opt/authzforce-ce-server/conf/authzforce-ext.xsd:

<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" targetNamespace="http://authzforce.github.io/rest-api-model/xmlns/authzforce/ext" xmlns:tns="http://authzforce.github.io/rest-api-model/xmlns/authzforce/ext" elementFormDefault="qualified" attributeFormDefault="unqualified" version="4.0">
	<xs:annotation>
		<xs:documentation xml:lang="en">
			Schemas of enabled AuthZForce extensions, such as attribute providers.
		</xs:documentation>
	</xs:annotation>
	<!-- Extension for file-based PAP DAO root/ref policy providers -->
	<xs:import namespace="http://authzforce.github.io/core/xmlns/test/3" />
	<xs:import namespace="http://authzforce.github.io/pap-dao-flat-file/xmlns/pdp-ext/3.6" />
</xs:schema>
  3. Added a uri element to the XML catalog file /opt/authzforce-ce-server/conf/catalog.xml
<?xml version="1.0" encoding="UTF-8"?>
<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog">
	<systemSuffix systemIdSuffix="xml.xsd" uri="classpath:xml.xsd"/>
	<uri name="http://www.w3.org/2005/Atom" uri="classpath:atom.xsd"/>
	<uri name="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" uri="classpath:xacml-core-v3-schema-wd-17.xsd"/>
	<uri name="http://authzforce.github.io/xmlns/pdp/ext/3" uri="classpath:pdp-ext-base.xsd"/>
	<system systemId="authzforce-ext.xsd" uri="classpath:authzforce-ext.xsd"/>
	
	<!-- PDP Extensions -->
	<uri name="http://authzforce.github.io/core/xmlns/test/3" uri="classpath:org.ow2.authzforce.core.pdp.testutil.ext.xsd"/>
	<uri name="http://authzforce.github.io/pap-dao-flat-file/xmlns/pdp-ext/3.6" uri="classpath:org.ow2.authzforce.pap.dao.flatfile.pdp-ext.xsd"/>
</catalog>
  4. Restarted the Tomcat server

Following the example, I thought that I should now be able to get my new attribute provider through GET /domains/{domainId}/pap/attribute/providers but that does not happen.

Response

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns2:attributeProviders xmlns="http://authzforce.github.io/pap-dao-flat-file/xmlns/properties/3.6" xmlns:ns2="http://authzforce.github.io/rest-api-model/xmlns/authz/5" xmlns:ns3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:ns4="http://www.w3.org/2005/Atom" xmlns:ns5="http://authzforce.github.io/core/xmlns/pdp/6.0"/>

I also tried to send a request instantiating a specific TestAttributeProvider on my created domain, as in your example:

PUT /domains/iMnxv7sDEeWFwqVFFMDLTQ/pap/attribute.providers
HTTP/1.1
Accept: application/xml; charset=UTF-8
Content-Type: application/xml; charset=UTF-8

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<attributeProviders
 xmlns="http://authzforce.github.io/rest-api-model/xmlns/authz/5"
 xmlns:xacml="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
 <attributeProvider
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:test="http://authzforce.github.io/core/xmlns/test/3"
  xsi:type="test:TestAttributeProvider" id="test">
  <xacml:Attributes
   Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
   <xacml:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:example:attribute:role"
    IncludeInResult="false">
    <xacml:AttributeValue
     DataType="http://www.w3.org/2001/XMLSchema#string">Physician</xacml:AttributeValue>
   </xacml:Attribute>
  </xacml:Attributes>
 </attributeProvider>
</attributeProviders>

but I am getting as response

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<error xmlns:ns2="http://authzforce.github.io/core/xmlns/pdp/6.0" xmlns:ns3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
    <message>Invalid parameters: cvc-elt.4.2: Cannot resolve 'test:TestAttributeProvider' to a type definition for element 'attributeProvider'.</message>
</error>

Why does that happen? Doesn't the jar indicated in the example for the Maven repo have the TestAttributeProvider class?

Problems with Getting started

As you instruct, I followed the "Getting Started". Then I created a Java project in my Eclipse with authzforce-ce-core-pdp-engine-8.0.0.jar. In Main.java, I wrote the following code:

public static void main(String[] args) {
	try {
		BasePdpEngine basePdpEngine = BasePdpEngine.getInstance("D:/1.xml");
	} catch (IllegalArgumentException | IOException e) {
		e.printStackTrace();
	}
	System.out.println("hello world");
}

But I came across the following error:

14:01:00.862 [main] DEBUG org.ow2.authzforce.core.pdp.api.HashCollections - System property 'org.ow2.authzforce.core.pdp.api.HashCollectionFactoryClass' not set -> using class org.ow2.authzforce.core.pdp.api.DefaultHashCollectionFactory as (default) implementation of interface org.ow2.authzforce.core.pdp.api.HashCollectionFactory
Exception in thread "main" java.util.ServiceConfigurationError: org.ow2.authzforce.core.pdp.api.PdpExtension: Provider org.ow2.authzforce.core.pdp.testutil.ext.TestXACMLPolicyAttributeValue$Factory could not be instantiated
	at java.util.ServiceLoader.fail(Unknown Source)
	at java.util.ServiceLoader.access$100(Unknown Source)
	at java.util.ServiceLoader$LazyIterator.nextService(Unknown Source)
	at java.util.ServiceLoader$LazyIterator.next(Unknown Source)
	at java.util.ServiceLoader$1.next(Unknown Source)
	at org.ow2.authzforce.core.pdp.impl.PdpExtensionLoader.<clinit>(PdpExtensionLoader.java:80)
	at org.ow2.authzforce.core.pdp.impl.PdpModelHandler.<init>(PdpModelHandler.java:130)
	at org.ow2.authzforce.core.pdp.impl.BasePdpEngine.getInstance(BasePdpEngine.java:876)
	at org.ow2.authzforce.core.pdp.impl.BasePdpEngine.getInstance(BasePdpEngine.java:893)
	at Main.main(Main.java:9)
Caused by: java.lang.NoClassDefFoundError: com/google/common/reflect/TypeToken
	at java.lang.Class.getDeclaredConstructors0(Native Method)
	at java.lang.Class.privateGetDeclaredConstructors(Unknown Source)
	at java.lang.Class.getConstructor0(Unknown Source)
	at java.lang.Class.newInstance(Unknown Source)
	... 8 more
Caused by: java.lang.ClassNotFoundException: com.google.common.reflect.TypeToken
	at java.net.URLClassLoader.findClass(Unknown Source)
	at java.lang.ClassLoader.loadClass(Unknown Source)
	at sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source)
	at java.lang.ClassLoader.loadClass(Unknown Source)
	... 12 more

Can you help me
Thanks
Zhai

InstantiationException when instantiating new Policy Provider

Hello,

Software version (AuthzForce Core)

13.3.1

Platform JRE

Java 8

Platform OS

Ubuntu 18.04

Your code and/or AuthzForce-specific configuration file(s)

My issue seems to be very similar to this one: #22, but that issue has been closed without resolving the first problem. So, here is my problem:

I tried to create a new RootPolicyProvider, following the instructions from https://github.com/authzforce/core/wiki/Policy-Providers. Here are my files:

  1. The new XSD:
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema  xmlns:xs="http://www.w3.org/2001/XMLSchema" 
            targetNamespace="http://com.mycompany/authzforce" 
            xmlns="http://com.mycompany/authzforce"
            xmlns:authz-ext="http://authzforce.github.io/xmlns/pdp/ext/3"
            xmlns:xacml="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" 
            elementFormDefault="qualified" attributeFormDefault="unqualified" version="3.5.9">
            
   <xs:import namespace="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" />
   <xs:import namespace="http://authzforce.github.io/xmlns/pdp/ext/3" schemaLocation="classpath:pdp-ext-base.xsd"/>
      
   <xs:complexType name="MyRootPolicyProviderDescriptor">
      <xs:complexContent>
         <xs:extension base="authz-ext:AbstractPolicyProvider">
            <xs:attribute name="totoLocation" use="required">
               <xs:simpleType>
                  <xs:restriction base="xs:string">
                     <xs:minLength value="1"></xs:minLength>
                  </xs:restriction>
                </xs:simpleType>
            </xs:attribute>
         </xs:extension>
      </xs:complexContent>
   </xs:complexType>
</xs:schema>
  2. The Java class from the XSD:
@XmlAccessorType(XmlAccessType.FIELD)
@XmlType(name = "MyRootPolicyProviderDescriptor")
public class MyRootPolicyProviderDescriptor extends AbstractPolicyProvider {

    @XmlAttribute(name = "totoLocation", required = true)
    protected String totoLocation;

    public MyRootPolicyProviderDescriptor() {
        super();
    }

    public String getTotoLocation() {
        return totoLocation;
    }

    public void setTotoLocation(String value) {
        this.totoLocation = value;
    }

}
  3. The Policy Provider factory and concrete implementation class:
public class MyRootPolicyProvider extends CoreRootPolicyProvider {

    public MyRootPolicyProvider(final PolicySet jaxbPolicySet, final Map<String, String> namespacePrefixesByURI,
            final ExpressionFactory expressionFactory, final CombiningAlgRegistry combiningAlgRegistry,
            final Optional<StaticRefPolicyProvider> refPolicyProvider) throws IllegalArgumentException {

        super(jaxbPolicySet, namespacePrefixesByURI, expressionFactory, combiningAlgRegistry, refPolicyProvider);
    }


    public static class Factory extends RootPolicyProvider.Factory<MyRootPolicyProviderDescriptor> {

        @Override
        public RootPolicyProvider getInstance(final MyRootPolicyProviderDescriptor jaxbConf,
            ... 
        }

        @Override
        public Class<MyRootPolicyProviderDescriptor> getJaxbClass() {
            return MyRootPolicyProviderDescriptor.class;
        }

    }
}

The catalog.xml:

<?xml version="1.0" encoding="UTF-8"?>
<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog">
    <!-- For AuthZForce SchemaHandler -->
    <system systemId="http://www.w3.org/2001/xml.xsd" uri="classpath:xml.xsd" />
    <uri name="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" uri="classpath:xacml-core-v3-schema-wd-17.xsd" />
    <uri name="http://authzforce.github.io/xmlns/pdp/ext/3" uri="classpath:pdp-ext-base.xsd" />

    <uri name="http://com.mycompany/authzforce" uri="file:///<path>/myRootPolicyProvider.xsd" />
</catalog>

The pdp-ext.xsd:

<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:annotation>
        <xs:documentation xml:lang="en">
            Import here the schema(s) of any XSD-defined PDP extension that you want to use in a PDP configuration: attribute finders, policy finders, etc.
            Indicate only the namespace here and use the XML catalog to resolve the schema location.
        </xs:documentation>
    </xs:annotation>

    <xs:import namespace="http://com.mycompany/authzforce" />
</xs:schema>

The bindings.xjb:

<?xml version="1.0" encoding="UTF-8"?>
<jaxb:bindings xmlns:jaxb="http://java.sun.com/xml/ns/jaxb"
    xmlns:xjc="http://java.sun.com/xml/ns/jaxb/xjc"
    jaxb:extensionBindingPrefixes="xjc" jaxb:version="2.1">
    <jaxb:globalBindings generateMixedExtensions="true" fixedAttributeAsConstantProperty="true">
        <xjc:simple />
    </jaxb:globalBindings>
</jaxb:bindings>
  4. The META-INF/services/org.ow2.authzforce.core.pdp.api.PdpExtension

com.mycompany.authzforce.MyRootPolicyProvider$Factory

And finally, my pdp.xml :

<?xml version="1.0" encoding="UTF-8"?>
<pdp xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
     xmlns="http://authzforce.github.io/core/xmlns/pdp/6.0"
     xmlns:ext="http://com.mycompany/authzforce"
     version="6.0.0">
    <refPolicyProvider id="refPolicyProvider" xsi:type="StaticRefPolicyProvider" >
      <policyLocation>${PARENT_DIR}/policies/*.xml</policyLocation>
    </refPolicyProvider>
    <rootPolicyProvider id="myRootPolicyProvider" xsi:type="ext:MyRootPolicyProviderDescriptor" totoLocation="${PARENT_DIR}/policyset.xml" />
</pdp>

My new RootPolicyProvider seems to be loaded, I can find in logs:

13:53:47.143 [main] DEBUG org.ow2.authzforce.core.pdp.impl.PdpModelHandler - Final list of loaded extension models (JAXB classes): [class org.ow2.authzforce.core.xmlns.pdp.StaticRefBasedRootPolicyProvider, class com.mycompany.authzforce.MyRootPolicyProviderDescriptor, class org.ow2.authzforce.core.xmlns.pdp.StaticRootPolicyProvider, class org.ow2.authzforce.core.xmlns.pdp.StaticRefPolicyProvider]
13:53:47.354 [main] DEBUG org.ow2.authzforce.core.pdp.impl.PdpModelHandler - JAXB context for PDP configuration (un)marshalling: jar:file:/usr/lib/jvm/java-8-oracle/jre/lib/rt.jar!/com/sun/xml/internal/bind/v2/runtime/JAXBContextImpl.class Build-Id: 1.8.0_191
Classes known to this context:
  [B
  boolean
  byte
  char
  com.mycompany.authzforce.MyRootPolicyProviderDescriptor
  ...

But I still have an issue:

Error stack trace

13:53:47.594 [main] DEBUG org.ow2.authzforce.core.pdp.impl.BasePdpEngine - Property PARENT_DIR = file:/opt/hosting/run/sample/conf/authzforce/
Exception in thread "main" java.lang.IllegalArgumentException: Invalid PDP configuration file
	at org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration.getInstance(PdpEngineConfiguration.java:469)
	at org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration.getInstance(PdpEngineConfiguration.java:516)
	at org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration.getInstance(PdpEngineConfiguration.java:548)
	at org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration.getInstance(PdpEngineConfiguration.java:682)
	at com.mycompany.authzforce.AuthzForce.main(AuthzForce.java:34)
Caused by: javax.xml.bind.UnmarshalException: Unable to create an instance of org.ow2.authzforce.xmlns.pdp.ext.AbstractPolicyProvider
 - with linked exception:
[java.lang.InstantiationException]
	at com.sun.xml.internal.bind.v2.runtime.unmarshaller.UnmarshallingContext.handleEvent(UnmarshallingContext.java:726)
	at com.sun.xml.internal.bind.v2.runtime.unmarshaller.Loader.reportError(Loader.java:247)
	at com.sun.xml.internal.bind.v2.runtime.unmarshaller.UnmarshallingContext.createInstance(UnmarshallingContext.java:690)
	at com.sun.xml.internal.bind.v2.runtime.unmarshaller.StructureLoader.startElement(StructureLoader.java:171)
	at com.sun.xml.internal.bind.v2.runtime.unmarshaller.XsiTypeLoader.startElement(XsiTypeLoader.java:65)
	at com.sun.xml.internal.bind.v2.runtime.unmarshaller.UnmarshallingContext._startElement(UnmarshallingContext.java:559)
	at com.sun.xml.internal.bind.v2.runtime.unmarshaller.UnmarshallingContext.startElement(UnmarshallingContext.java:538)
	at com.sun.xml.internal.bind.v2.runtime.unmarshaller.ValidatingUnmarshaller.startElement(ValidatingUnmarshaller.java:87)
	at com.sun.xml.internal.bind.v2.runtime.unmarshaller.SAXConnector.startElement(SAXConnector.java:153)
	at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.startElement(AbstractSAXParser.java:509)
	at com.sun.org.apache.xerces.internal.parsers.AbstractXMLDocumentParser.emptyElement(AbstractXMLDocumentParser.java:182)
	at com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerImpl.scanStartElement(XMLNSDocumentScannerImpl.java:351)
	at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2784)
	at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:602)
	at com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerImpl.next(XMLNSDocumentScannerImpl.java:112)
	at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:505)
	at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:842)
	at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:771)
	at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141)
	at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1213)
	at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:643)
	at com.sun.xml.internal.bind.v2.runtime.unmarshaller.UnmarshallerImpl.unmarshal0(UnmarshallerImpl.java:243)
	at com.sun.xml.internal.bind.v2.runtime.unmarshaller.UnmarshallerImpl.unmarshal(UnmarshallerImpl.java:221)
	at com.sun.xml.internal.bind.v2.runtime.unmarshaller.UnmarshallerImpl.unmarshal(UnmarshallerImpl.java:276)
	at org.ow2.authzforce.core.pdp.impl.PdpModelHandler.unmarshal(PdpModelHandler.java:185)
	at org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration.getInstance(PdpEngineConfiguration.java:466)
	... 4 more
Caused by: java.lang.InstantiationException
	at sun.reflect.InstantiationExceptionConstructorAccessorImpl.newInstance(InstantiationExceptionConstructorAccessorImpl.java:48)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
	at com.sun.xml.internal.bind.v2.ClassFactory.create0(ClassFactory.java:118)
	at com.sun.xml.internal.bind.v2.runtime.ClassBeanInfoImpl.createInstance(ClassBeanInfoImpl.java:270)
	at com.sun.xml.internal.bind.v2.runtime.unmarshaller.UnmarshallingContext.createInstance(UnmarshallingContext.java:684)
	... 27 more

It seems that JAXB tried to instantiate AbstractPolicyProvider, whereas my pdp.xml file describes that my root policy provider must be an instance of MyRootPolicyProviderDescriptor.
Any idea? Thanks in advance.

BaseNamedAttributeProvider is not of Type AbstractAttributeProvider

org.ow2.authzforce authzforce-ce-core-pdp-api 15.0.0

java version "1.8.0_131"

Windows 10

[ERROR] COMPILATION ERROR :
[INFO] -------------------------------------------------------------
[ERROR] /F:/IntelijWorkspace/pip/src/main/java/AuthzPipTest/AuthzPipAttributeFactory.java:[11,94] type argument AuthzPipTest.TestAttributeProvider is not within bounds of type-variable CONF_T
[INFO] 1 error
[INFO] -------------------------------------------------------------

Hi. I'm trying to make an AttributeProvider that accesses a database to resolve one attribute value. I followed the steps in the wiki page to provide one. I finished it, and when I wanted to create a package from it the error above occurs.
What my IDE says in the factory class is:
Type Parameter 'AuthzPipTest.TestAttributeProvider' is not within its bounds; should extend 'org.ow2.authzforce.xmlns.pdp.ext.AbstractAttributeProvider'

And no matter how much I search I can't find a 'CloseableDesignatedAttributeProvider' file (.class or .java).
There is a 'CloseableNamedAttributeProvider', but the other one does not exist. I'm saying this because the wiki mentions that we need to implement 'CloseableDesignatedAttributeProvider' if we don't want to use 'BaseNamedAttributeProvider', but it does not exist.

[pdp-testutils] CVE-2017-17485 & CVE-2018-5968 on jackson-databind dependency

Software version (AuthzForce Core)

11.0.0

Platform JRE

OpenJDK 8

Platform OS

any

Error stack trace or logs (if any)

Building pdp-testutils module fails with error:

[ERROR] Failed to execute goal org.owasp:dependency-check-maven:3.0.2:check (default) on project authzforce-ce-core-pdp-testutils: 
[ERROR] 
[ERROR] One or more dependencies were identified with vulnerabilities: 
[ERROR] 
[ERROR] jackson-databind-2.7.3.jar: CVE-2017-17485, CVE-2018-5968

Fix

The issue concerns the Jongo dependency, which uses a version of jackson-databind affected by the mentioned CVEs. The fix and pull request have been submitted to the Jongo project, but are not yet part of a release. The temporary fix is to force the version of the jackson-databind dependency to 2.9.4 in the POM.
The issue with reference to the pull request:
bguerout/jongo#327

This issue is a reminder to make the long-term fix (upgrading the Jongo version) when the new Jongo release comes out.
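The temporary fix described above, written out as a Maven fragment. This is an added example, not the project's actual POM change: a dependencyManagement entry pins jackson-databind for the whole module, so the 2.7.3 version that Jongo pulls in transitively is replaced by 2.9.4 wherever it appears in the tree.

```xml
<!-- In the pdp-testutils pom.xml (or the parent POM, to cover every module) -->
<dependencyManagement>
  <dependencies>
    <!-- Override the jackson-databind version Maven would otherwise pick up
         transitively through jongo; 2.9.4 is the version named in the issue. -->
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>2.9.4</version>
    </dependency>
  </dependencies>
</dependencyManagement>
```

Check the result with mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind, which should list only 2.9.4, and keep the org.owasp:dependency-check-maven goal in the build: a pin addresses the two CVEs named here but freezes the library, so it has to be re-checked on every release until the Jongo upgrade lands and the pin can be removed.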

Incorrectly formed JSON responses when StatusCode is other than "ok"

Hi,
When forcing a syntax error, the response received from the Restful-PDP, configured with JSON in/out processors, looks as follows:
{
"Status": {
"StatusCode": {
"Value": "urn:oasis:names:tc:xacml:1.0:status:syntax-error"
},
"StatusMessage": "Invalid Attributes/Attribute element"
},
"Decision": "Indeterminate"
}

Shouldn't the above include the "Response" key?
Looking at the code, indeed both the processClientError and processInternalError methods in BaseXacmlJsonResultPostprocessor.java do not seem to add the "Response" key. Is this by design or is it a defect?
The same scenario when using an XML payload results in a response which includes the "Response" element.

Thanks and Regards,

Software version (AuthzForce Core)

14.0.0

authzforce-ce-jaxrs-utils
1.3.1

Platform JRE

java version "1.8.0_161"
Java(TM) SE Runtime Environment (build 1.8.0_161-b12)
Java HotSpot(TM) 64-Bit Server VM (build 25.161-b12, mixed mode)

Platform OS

Windows 10

Error stack trace or logs (if any)


2019-12-23 22:34:02.163 INFO 31288 --- [nio-8080-exec-7] o.a.c.interceptor.LoggingInInterceptor : Inbound Message

ID: 4
Address: http://localhost:8080/services/pdp
Encoding: UTF-8
Http-Method: POST
Content-Type: application/json
Headers: {Accept=[/], accept-encoding=[gzip, deflate], cache-control=[no-cache], connection=[keep-alive], Content-Length=[437], content-type=[application/json], host=[localhost:8080], postman-token=[c7806ab6-892e-4f54-ad8f-78b59aefafa7], user-agent=[PostmanRuntime/7.1.1]}
Payload: {
"Request" : {
"ReturnPolicyIdList" : false,
"CombinedDecision" : false,
"Category" : [ {
"CategoryId" : "names:tc:xacml:1.0:subject-category:access-subject",
"Attribute" : [ {
"AttributeId" : "urn:oasis:names:tc:xacml:1.0:subject:subject-id",
"IncludeInResult" : false,
"DataType" : "http://www.w3.org/2001/XMLSchema#in",
"Value" : 1
}
]
}
]
}
}

2019-12-23 22:34:02.169 INFO 31288 --- [nio-8080-exec-7] o.o.a.c.pdp.api.io.BasePdpEngineAdapter : Invalid or unsupported input XACML Request syntax

org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException: Invalid Attributes/Attribute element
at org.ow2.authzforce.core.pdp.io.xacml.json.XacmlJsonParsingUtils$BaseXacmlJsonAttributesParser.parseAttributes(XacmlJsonParsingUtils.java:289)
at org.ow2.authzforce.core.pdp.io.xacml.json.XacmlJsonParsingUtils$BaseXacmlJsonAttributesParser.parseAttributes(XacmlJsonParsingUtils.java:197)
at org.ow2.authzforce.core.pdp.io.xacml.json.SingleDecisionXacmlJsonRequestPreprocessor.process(SingleDecisionXacmlJsonRequestPreprocessor.java:177)
at org.ow2.authzforce.core.pdp.io.xacml.json.BaseXacmlJsonRequestPreprocessor.process(BaseXacmlJsonRequestPreprocessor.java:261)
at org.ow2.authzforce.core.pdp.io.xacml.json.BaseXacmlJsonRequestPreprocessor.process(BaseXacmlJsonRequestPreprocessor.java:55)
at org.ow2.authzforce.core.pdp.api.io.BasePdpEngineAdapter.evaluate(BasePdpEngineAdapter.java:117)
at org.ow2.authzforce.core.pdp.api.io.BasePdpEngineAdapter.evaluate(BasePdpEngineAdapter.java:149)
at org.ow2.authzforce.rest.pdp.jaxrs.XacmlPdpResource.evaluateJson(XacmlPdpResource.java:90)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:179)
at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:96)
at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:192)
at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:103)
at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:59)
at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:96)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:267)
at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:216)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:301)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:220)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:661)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:276)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:109)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:93)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:496)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:803)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:790)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1468)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Unknown Source)
Caused by: java.lang.IllegalArgumentException: Invalid Attribute '[category='names:tc:xacml:1.0:subject-category:access-subject', issuer=null, id='urn:oasis:names:tc:xacml:1.0:subject:subject-id']': invalid DataType: 'http://www.w3.org/2001/XMLSchema#in'
at org.ow2.authzforce.core.pdp.api.io.NamedXacmlAttributeParser.getAttributeValueFactory(NamedXacmlAttributeParser.java:53)
at org.ow2.authzforce.core.pdp.io.xacml.json.XacmlJsonParsingUtils$NamedXacmlJsonAttributeParser.parseNamedAttribute(XacmlJsonParsingUtils.java:185)
at org.ow2.authzforce.core.pdp.io.xacml.json.XacmlJsonParsingUtils$NamedXacmlJsonAttributeParser.parseNamedAttribute(XacmlJsonParsingUtils.java:62)
at org.ow2.authzforce.core.pdp.api.io.XacmlRequestAttributeParser.parseNamedAttribute(XacmlRequestAttributeParser.java:125)
at org.ow2.authzforce.core.pdp.api.io.LaxXacmlAttributeParser.parseNamedAttribute(LaxXacmlAttributeParser.java:154)
at org.ow2.authzforce.core.pdp.io.xacml.json.XacmlJsonParsingUtils$BaseXacmlJsonAttributesParser.parseAttributes(XacmlJsonParsingUtils.java:285)
... 65 common frames omitted

2019-12-23 22:34:02.177 INFO 31288 --- [nio-8080-exec-7] o.a.c.interceptor.LoggingOutInterceptor : Outbound Message

ID: 4
Response-Code: 200
Content-Type: application/json
Headers: {Content-Type=[application/json], Date=[Mon, 23 Dec 2019 20:34:02 GMT]}
Payload: {"Status":{"StatusCode":{"Value":"urn:oasis:names:tc:xacml:1.0:status:syntax-error"},"StatusMessage":"Invalid Attributes/Attribute element"},"Decision":"Indeterminate"}

Your code and/or AuthzForce-specific configuration file(s)



classpath:policy.xml

root
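Whatever the outcome of the "Response" key question above, the log shows the practical hazard for a PEP: the syntax-error body came back with HTTP 200 and a different JSON shape from the success path, so a client that only looks for "Response" or only for a 2xx status can misread an Indeterminate as something else. The following client-side check is an added example and not part of AuthzForce or the reporter's code; it accepts both shapes and fails closed. The success-path envelope {"Response": [ ... ]} is assumed from the XACML JSON profile, the sample bodies are constructed to match the two shapes described in the issue, and only an explicit, error-free Permit with no obligations grants access.

```python
import json
from typing import List

OK_STATUS = "urn:oasis:names:tc:xacml:1.0:status:ok"

# Constructed sample bodies, shaped like the two responses discussed in the issue above.
PERMIT_BODY = json.dumps({"Response": [{"Decision": "Permit"}]})
SYNTAX_ERROR_BODY = json.dumps({
    "Status": {
        "StatusCode": {"Value": "urn:oasis:names:tc:xacml:1.0:status:syntax-error"},
        "StatusMessage": "Invalid Attributes/Attribute element",
    },
    "Decision": "Indeterminate",
})


def extract_results(body: str) -> List[dict]:
    """Return the list of Result objects from a XACML/JSON response body.

    Accepts both the {"Response": [Result, ...]} envelope and the bare Result
    object the issue reports for error statuses. Anything else raises
    ValueError so the caller cannot mistake it for a decision.
    """
    doc = json.loads(body)
    if not isinstance(doc, dict):
        raise ValueError("response body is not a JSON object")
    if "Response" in doc:
        results = doc["Response"]
        if not isinstance(results, list) or not all(isinstance(r, dict) for r in results):
            raise ValueError('"Response" must be an array of Result objects')
        return results
    if "Decision" in doc:
        return [doc]  # envelope-less Result, as in the syntax-error log above
    raise ValueError("unrecognised XACML/JSON response shape")


def status_code_of(result: dict) -> str:
    """StatusCode/Value of a Result; an absent Status means ok in the JSON profile."""
    return result.get("Status", {}).get("StatusCode", {}).get("Value", OK_STATUS)


def is_permitted(body: str) -> bool:
    """Fail-closed PEP decision: only an explicit, error-free Permit grants access.

    The HTTP status in the log above was 200 even for the syntax error, so the
    body, not the transport status, has to drive the decision.
    """
    try:
        results = extract_results(body)
    except ValueError:           # json.JSONDecodeError is a ValueError too
        return False
    if len(results) != 1:        # a single-decision request yields exactly one Result
        return False
    result = results[0]
    if status_code_of(result) != OK_STATUS:
        return False             # syntax-error / processing-error / missing-attribute: deny
    if result.get("Obligations"):
        return False             # this PEP fulfils no obligations, so it must deny
    return result.get("Decision") == "Permit"


if __name__ == "__main__":
    print("permit body  ->", is_permitted(PERMIT_BODY))
    print("syntax error ->", is_permitted(SYNTAX_ERROR_BODY))
```

The Obligations check matters as much as the status check: a PEP that cannot discharge an obligation attached to a Permit must deny, so a client that ignores that array silently widens the policy.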

LDAP profile

Romain Ferrari said at OW2con'16: "We support some of the well known OASIS profiles, such as the LDAP profile which [h]andle[s] the Role Based Access Control within XACML" at https://youtu.be/c6om2J9Wno0?t=5m2s (5:02).

That made me curious about the LDAP XACML profile. LDAP is planned in our design for authorization and as data storage for subject attributes.

What profile is he referring to? Can I make use out of it? All I can find on https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml is "LDAP profile for distribution of XACML policies [...] [is a work item which is] not currently under active development or discussion, but [has] not officially been withdrawn."

PolicySetIdReference within same policyset

I was looking at policy inheritance as defined in https://authzforce-ce-fiware.readthedocs.io/en/latest/UserAndProgrammersGuide.html#re-usable-policies-e-g-for-hierarchical-rbac

and I was wondering if it is possible to refer to a PolicySet within the same file instead of across two different ones, as defined in the example,

eg.

PolicySet parent
     PolicySet toInherit
     PolicySet inheriter
            PolicySetIdReference:toInherit

I tried it but computer says no (java.lang.IllegalArgumentException: No PolicySet matching reference: id = RPS:BasicUser, Optional[Version=*,EarliestVersion=*,LatestVersion=*])

So my question is: Is that by design?

Software version (AuthzForce Core)

Platform JRE

Platform OS

authzforce/server:release-8.1.0

Error stack trace or logs (if any)

Caused by: org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException: Matched PolicySet 'rbacroot' (version 0.1.0) is invalid or its content is unavailable
	at org.ow2.authzforce.pap.dao.flatfile.FlatFileDAORefPolicyProviderModule.getPolicySet(FlatFileDAORefPolicyProviderModule.java:214)
	at org.ow2.authzforce.core.pdp.api.policy.BaseStaticRefPolicyProvider.get(BaseStaticRefPolicyProvider.java:113)
	at org.ow2.authzforce.core.pdp.impl.policy.CoreRefBasedRootPolicyProvider.<init>(CoreRefBasedRootPolicyProvider.java:97)
	... 49 common frames omitted
Caused by: org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException: Invalid PolicySet in file: /opt/authzforce-ce-server/data/domains/HJW2dLuXEemloQJCrBsAAw/policies/cmJhY3Jvb3Q/0.1.0.xml
	at org.ow2.authzforce.pap.dao.flatfile.FlatFileDAORefPolicyProviderModule$PolicyEvaluatorSupplier.get(FlatFileDAORefPolicyProviderModule.java:304)
	at org.ow2.authzforce.pap.dao.flatfile.FlatFileDAORefPolicyProviderModule$PolicyEvaluatorSupplier.access$100(FlatFileDAORefPolicyProviderModule.java:256)
	at org.ow2.authzforce.pap.dao.flatfile.FlatFileDAORefPolicyProviderModule.getPolicySet(FlatFileDAORefPolicyProviderModule.java:207)
	... 51 common frames omitted
Caused by: java.lang.IllegalArgumentException: PolicySet[rbacroot#v0.1.0]: Invalid child #1 (PolicySet)
	at org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators$StaticPolicySetElementEvaluatorFactory.getChildPolicySetEvaluator(PolicyEvaluators.java:1889)
	at org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators$StaticPolicySetElementEvaluatorFactory.getChildPolicySetEvaluator(PolicyEvaluators.java:1852)
	at org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators.getInstanceGeneric(PolicyEvaluators.java:2176)
	at org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators.getInstanceStatic(PolicyEvaluators.java:2305)
	at org.ow2.authzforce.pap.dao.flatfile.FlatFileDAORefPolicyProviderModule$PolicyEvaluatorSupplier.get(FlatFileDAORefPolicyProviderModule.java:299)
	... 53 common frames omitted
Caused by: java.lang.IllegalArgumentException: No PolicySet matching reference: id = RPS:BasicUser, Optional[Version=*,EarliestVersion=*,LatestVersion=*]
	at org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators$StaticPolicyRefEvaluatorFactory.getInstance(PolicyEvaluators.java:1667)
	at org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators$StaticPolicyRefEvaluatorFactory.getInstance(PolicyEvaluators.java:1640)
	at org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators.getInstanceGeneric(PolicyEvaluators.java:1704)
	at org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators.getInstanceStatic(PolicyEvaluators.java:1771)
	at org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators$StaticPolicySetElementEvaluatorFactory.getChildPolicyRefEvaluator(PolicyEvaluators.java:1914)
	at org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators$StaticPolicySetElementEvaluatorFactory.getChildPolicyRefEvaluator(PolicyEvaluators.java:1852)
	at org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators.getInstanceGeneric(PolicyEvaluators.java:2132)
	at org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators.getInstanceStatic(PolicyEvaluators.java:2305)
	at org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators$StaticPolicySetElementEvaluatorFactory.getChildPolicySetEvaluator(PolicyEvaluators.java:1884)
	... 57 common frames omitted

Your code and/or AuthzForce-specific configuration file(s)

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicySetId="rbacroot" Version="0.1.0"
           PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit">
  <Description>Root RBAC PolicySet</Description>
  <Target/>
  <PolicySet PolicySetId="RPS:BasicUser" Version="1.0" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit">
    <Description>
      BasicUser Role PolicySet
    </Description>
    <Target>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">cn=BasicUser,dc=org1,dc=com</AttributeValue>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
                                 DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
    <Policy PolicyId="PPS:BasicUser" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
      <Description>Permissions specific to BasicUser role</Description>
      <Target/>
      <Rule RuleId="service1" Effect="Permit">
        <Target>
          <AnyOf>
            <AllOf>
              <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">service1</AttributeValue>
                <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                                     DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
              </Match>
            </AllOf>
          </AnyOf>
          <AnyOf>
            <AllOf>
              <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
                <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                     DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
              </Match>
            </AllOf>
          </AnyOf>
        </Target>
      </Rule>
      <Rule RuleId="service2" Effect="Permit">
        <Target>
          <AnyOf>
            <AllOf>
              <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">service2</AttributeValue>
                <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                                     DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
              </Match>
            </AllOf>
          </AnyOf>
          <AnyOf>
            <AllOf>
              <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
                <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                     DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
              </Match>
            </AllOf>
          </AnyOf>
        </Target>
      </Rule>
    </Policy>
  </PolicySet>
  <PolicySet PolicySetId="RPS:SuperUser" Version="1.0" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit">
    <Description>
      SuperUser Role PolicySet
    </Description>
    <Target>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">cn=SuperUser,dc=org1,dc=com</AttributeValue>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
                                 DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
    <Policy PolicyId="PPS:SuperUser" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
      <Description>Permissions specific to SuperUser role</Description>
      <Target/>
      <Rule RuleId="service3" Effect="Permit">
        <Target>
          <AnyOf>
            <AllOf>
              <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">service3</AttributeValue>
                <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                                     DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
              </Match>
            </AllOf>
          </AnyOf>
          <AnyOf>
            <AllOf>
              <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
                <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                     DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
              </Match>
            </AllOf>
          </AnyOf>
        </Target>
      </Rule>
    </Policy>
    <PolicySetIdReference>RPS:BasicUser</PolicySetIdReference>
  </PolicySet>
</PolicySet>
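The trace above shows the PolicySetIdReference being resolved by StaticPolicyRefEvaluatorFactory and failing with "No PolicySet matching reference", even though RPS:BasicUser is defined inline a few lines earlier in the same file. The following lint is an added example, not part of AuthzForce: it classifies every PolicySetIdReference in a root PolicySet as resolvable through the policy provider, defined only inline in the same file, or defined nowhere, so the mismatch is caught before the engine refuses to load the policy. The set of provider-served ids is a caller-supplied assumption (in the flat-file setup above it would be the PolicySetIds of the other files in the domain's policies directory); the sample PolicySet is a trimmed copy of the one posted, and RPS:Auditor is an invented reference with no definition at all.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Set

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"


def q(tag: str) -> str:
    """Clark-notation name for a XACML 3.0 core element."""
    return "{%s}%s" % (XACML_NS, tag)


# Constructed, trimmed-down copy of the PolicySet posted above. RPS:BasicUser exists
# only as an inline child; RPS:Auditor (invented here) is referenced but never defined.
SAMPLE_POLICYSET = """<?xml version="1.0" encoding="UTF-8"?>
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicySetId="rbacroot" Version="0.1.0"
           PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit">
  <Target/>
  <PolicySet PolicySetId="RPS:BasicUser" Version="1.0"
             PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit">
    <Target/>
  </PolicySet>
  <PolicySet PolicySetId="RPS:SuperUser" Version="1.0"
             PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit">
    <Target/>
    <PolicySetIdReference>RPS:BasicUser</PolicySetIdReference>
    <PolicySetIdReference>RPS:Auditor</PolicySetIdReference>
  </PolicySet>
</PolicySet>
"""


def classify_references(policyset_xml: str, provider_ids: Set[str]) -> Dict[str, str]:
    """Map each PolicySetIdReference target to how the PDP could resolve it.

    provider_ids: PolicySetIds the configured ref policy provider can serve
    (assumption: e.g. the ids of the other policy files in its directory).

    'resolvable'  - served by the ref policy provider
    'inline-only' - defined only as a nested PolicySet in this file; the trace
                    above shows such a reference failing at load time
    'missing'     - defined nowhere
    """
    root = ET.fromstring(policyset_xml)  # operator-authored input; use defusedxml for untrusted files
    inline_ids = {ps.get("PolicySetId") for ps in root.iter(q("PolicySet"))}
    report: Dict[str, str] = {}
    for ref in root.iter(q("PolicySetIdReference")):
        target = (ref.text or "").strip()
        if target in provider_ids:
            report[target] = "resolvable"
        elif target in inline_ids:
            report[target] = "inline-only"
        else:
            report[target] = "missing"
    return report


def unresolvable_references(policyset_xml: str, provider_ids: Set[str]) -> Set[str]:
    """Targets that would stop the root PolicySet from loading; fit for a CI gate."""
    return {t for t, s in classify_references(policyset_xml, provider_ids).items()
            if s != "resolvable"}


if __name__ == "__main__":
    for target, status in classify_references(SAMPLE_POLICYSET, set()).items():
        print("%-16s %s" % (target, status))
```

Run with an empty provider set, the sample reports RPS:BasicUser as inline-only, which is the situation in the trace; adding "RPS:BasicUser" to the provider set (i.e. serving it as its own policy file through the ref policy provider, as the linked guide's example does) makes it resolvable, while RPS:Auditor stays missing until a definition exists.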

Test failed on authzforce-ce-core-pdp-testutils module version 17.0.0

I'm trying to build (mvn package) AuthzForce Core, but test execution fails in authzforce-ce-core-pdp-testutils.

I attached the build log with the stack trace.

I would be pleased to do any extra tests and debugging as needed.

Software version (AuthzForce Core)

17.0.0

Platform JRE

openjdk version "11.0.9.1" 2020-11-04
OpenJDK Runtime Environment (build 11.0.9.1+1-post-Debian-1deb10u2)
OpenJDK 64-Bit Server VM (build 11.0.9.1+1-post-Debian-1deb10u2, mixed mode, sharing)

Platform OS

Debian GNU/Linux 10 (buster)

Error stack trace or logs (if any)

See build log

Your code and/or AuthzForce-specific configuration file(s)

Not relevant

How to get policies from classpath from different jar files.

authzforce-ce-core-pdp-engine
13.2.0
1.8.0_131

Windows 10

Hi, suppose that I have multiple Spring projects that have their own authz rules. Each of these projects has an authz_policies directory under its resource folder, which holds *.xml files that store policies.
All of these projects are going to depend on a jar file that I created, in which I implemented the AuthzForce requirements to make it work; let's call this authzforceAuthz. How can I say in the pdp.xml of the authzforceAuthz project to look in the classpath for all authz_policies folders and pick every *.xml file under them as policies?

I want somehow the same kind of config that DozerMapper uses in Spring. When I want to configure the Dozer mapper I say:

import org.springframework.core.io.Resource;

@Configuration
public class DozerConfiguration {

@Value("classpath*:dozerMapping/**/*.xml")
private Resource[] resources;

.
. creating dozer mapper bean with given resources
.
}

After this, Dozer uses all *.xml files under the dozerMapping folder; this folder is in the project's dependency jar files and also exists in the project's resource folder. All of them are given to Dozer.

How can I do the same thing for *_policy.xml files?

What I truly need is this: I want to secure my controller methods (Spring MVC) with Spring Security @PreAuthorize. I want to create a policy file for each controller and put the authorization logic in that file. These policy files are independent; they don't need each other. Each project has defined its own policies and put them under the authz_policies folder in its respective jar file. I want to load all those files into the AuthzForce engine.

Error parsing pdp.xml (Cannot find the declaration of element 'pdp')

Hi, I am having trouble loading the pdp.xml file.

I created a Java 11 project, loaded AuthzForce Core with Maven, and set the JVM variable -Djavax.xml.accessExternalSchema=http.

When running, however, I get this error: Caused by: org.xml.sax.SAXParseException; systemId: file:/home/geovane/dev/eclipse-workspace/abac_test/pdp.xml; lineNumber: 3; columnNumber: 131; cvc-elt.1: Cannot find the declaration of element 'pdp'.

Software version (AuthzForce Core)

14.0.0

Platform JRE

Java 11 and Java 8 give same result.

Platform OS

Debian 10 Buster

Error stack trace or logs (if any)

Exception in thread "main" java.lang.IllegalArgumentException: Invalid PDP configuration file
	at org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration.getInstance(PdpEngineConfiguration.java:481)
	at org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration.getInstance(PdpEngineConfiguration.java:528)
	at org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration.getInstance(PdpEngineConfiguration.java:560)
	at org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration.getInstance(PdpEngineConfiguration.java:696)
	at org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration.getInstance(PdpEngineConfiguration.java:713)
	at com.citi.swarm.abac_test.App.main(App.java:36)
Caused by: javax.xml.bind.UnmarshalException
 - with linked exception:
[org.xml.sax.SAXParseException; systemId: file:/home/geovane/dev/eclipse-workspace/abac_test/pdp.xml; lineNumber: 3; columnNumber: 131; cvc-elt.1: Cannot find the declaration of element 'pdp'.]
	at javax.xml.bind.helpers.AbstractUnmarshallerImpl.createUnmarshalException(AbstractUnmarshallerImpl.java:335)
	at com.sun.xml.bind.v2.runtime.unmarshaller.UnmarshallerImpl.createUnmarshalException(UnmarshallerImpl.java:578)
	at com.sun.xml.bind.v2.runtime.unmarshaller.UnmarshallerImpl.unmarshal0(UnmarshallerImpl.java:264)
	at com.sun.xml.bind.v2.runtime.unmarshaller.UnmarshallerImpl.unmarshal(UnmarshallerImpl.java:236)
	at com.sun.xml.bind.v2.runtime.unmarshaller.UnmarshallerImpl.unmarshal(UnmarshallerImpl.java:291)
	at org.ow2.authzforce.core.pdp.impl.PdpModelHandler.unmarshal(PdpModelHandler.java:185)
	at org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration.getInstance(PdpEngineConfiguration.java:477)
	... 5 more
Caused by: org.xml.sax.SAXParseException; systemId: file:/home/geovane/dev/eclipse-workspace/abac_test/pdp.xml; lineNumber: 3; columnNumber: 131; cvc-elt.1: Cannot find the declaration of element 'pdp'.
	at com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.createSAXParseException(ErrorHandlerWrapper.java:203)
	at com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.error(ErrorHandlerWrapper.java:134)
	at com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:396)
	at com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:327)
	at com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:284)
	at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.handleStartElement(XMLSchemaValidator.java:1902)
	at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.startElement(XMLSchemaValidator.java:742)
	at com.sun.org.apache.xerces.internal.jaxp.validation.ValidatorHandlerImpl.startElement(ValidatorHandlerImpl.java:568)
	at com.sun.xml.bind.v2.runtime.unmarshaller.ValidatingUnmarshaller.startElement(ValidatingUnmarshaller.java:101)
	at com.sun.xml.bind.v2.runtime.unmarshaller.SAXConnector.startElement(SAXConnector.java:168)
	at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.startElement(AbstractSAXParser.java:509)
	at com.sun.org.apache.xerces.internal.impl.dtd.XMLDTDValidator.startElement(XMLDTDValidator.java:745)
	at com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerImpl.scanStartElement(XMLNSDocumentScannerImpl.java:374)
	at com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerImpl$NSContentDriver.scanRootElementHook(XMLNSDocumentScannerImpl.java:613)
	at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:3132)
	at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl$PrologDriver.next(XMLDocumentScannerImpl.java:852)
	at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:602)
	at com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerImpl.next(XMLNSDocumentScannerImpl.java:112)
	at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:505)
	at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:842)
	at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:771)
	at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141)
	at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1213)
	at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:643)
	at com.sun.xml.bind.v2.runtime.unmarshaller.UnmarshallerImpl.unmarshal0(UnmarshallerImpl.java:258)
	... 9 more

Your code and/or AuthzForce-specific configuration file(s)

App.java:

package com.citi.swarm.abac_test;

import java.io.IOException;

import org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration;

public class App 
{
    public static void main( String[] args ) throws IllegalArgumentException, IOException
    {
        // Confirms the JVM property passed on the command line (-Djavax.xml.accessExternalSchema=http)
    	System.out.println( System.getProperty("javax.xml.accessExternalSchema") ); // http

        // Loads and schema-validates the PDP configuration from the absolute file URL
        final PdpEngineConfiguration pdpEngineConf = PdpEngineConfiguration.getInstance("file:///home/geovane/dev/eclipse-workspace/abac_test/pdp.xml"); 
    }
}

pdp.xml:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE xml>
<pdp xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://authzforce.github.io/core/xmlns/pdp/5.0" version="5.0.0">
	<rootPolicyProvider id="rootPolicyProvider" xsi:type="StaticRootPolicyProvider" policyLocation="policy.xml" />
</pdp>

Getting Started Problem

Here I am, sorry for this simple initial problem:
When I run Core following Getting Started and enter the command line "java -jar ./authzforce-ce-core-pdp-cli-10.2.0.jar pdp.xml Request.xml", it shows a command error like this:

Exception in thread "main" java.lang.reflect.InvocationTargetException
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:48)
	at org.springframework.boot.loader.Launcher.launch(Launcher.java:87)
	at org.springframework.boot.loader.Launcher.launch(Launcher.java:50)
	at org.springframework.boot.loader.PropertiesLauncher.main(PropertiesLauncher.java:576)
Caused by: picocli.CommandLine$ExecutionException: Error while calling command (org.ow2.authzforce.core.pdp.cli.PdpCommandLineCallable@6ed3ef1)
	at picocli.CommandLine.execute(CommandLine.java:453)
	at picocli.CommandLine.access$300(CommandLine.java:130)
	at picocli.CommandLine$RunLast.handleParseResult(CommandLine.java:533)
	at picocli.CommandLine.parseWithHandlers(CommandLine.java:651)
	at picocli.CommandLine.call(CommandLine.java:878)
	at picocli.CommandLine.call(CommandLine.java:829)
	at org.ow2.authzforce.core.pdp.cli.PdpCommandLineCallable.main(PdpCommandLineCallable.java:150)
	... 8 more
Caused by: java.lang.NullPointerException
	at org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration.getInstance(PdpEngineConfiguration.java:516)
	at org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration.getInstance(PdpEngineConfiguration.java:634)
	at org.ow2.authzforce.core.pdp.cli.PdpCommandLineCallable.call(PdpCommandLineCallable.java:92)
	at org.ow2.authzforce.core.pdp.cli.PdpCommandLineCallable.call(PdpCommandLineCallable.java:60)
	at picocli.CommandLine.execute(CommandLine.java:451)
	... 14 more

picocli.CommandLine$ExecutionException: Error while calling command: is there something wrong with my environment?
On the other hand, the class StandardEnvironmentAttributeSource in org.ow2.authzforce.core.xmlns.pdp (pdp-engine mainTest class) does not exist.

Some questions about AttributeProvider

I want to make it possible, that a developer can use the Spring Expression Language within policies. For example to get the username of the current principal or get parameters of a method invocation.
My first idea was to use the attributeId of AttributeDesignator, so the developer e.g. can write attributeId="${principal.username}" or attributeId="${context.parameter[0]}". Therefore I would only need an AttributeProvider. But after a look at the code of their implementations and their use in DepthLimitingExpressionFactory I realized that they seemed very static.

Did I understand it right, that DesignatedAttributeProvider doesn't support dynamic AttributeDesignator like in the example above?
Is it possible to pass something like a context object into a request so that an SpEL-AttributeProvider could use it?
Or is there a better way to solve this problem?

Implementation help

Your code and/or AuthzForce-specific configuration file(s)

I am working on a solution where users can define multiple policy sets or policies. Now I want to load only a specific policy/policy set in the PDP engine, but I am not finding a way to do that in authzforce (PdpEngineConfiguration), because pdp.xml expects a "rootPolicyRef". How to instantiate the PDP engine with some other policy or policy set?

What datatype do you use for http://www.w3.org/2001/XMLSchema#integer?

The docs about http://www.w3.org/2001/XMLSchema#integer says:

The type xsd:integer represents an arbitrarily large integer, from which twelve other built-in integer types are derived (directly or indirectly). An xsd:integer is a sequence of digits, optionally preceded by a + or - sign. Leading zeros are permitted, but decimal points are not.

http://www.datypic.com/sc/xsd/t-xsd_integer.html

However, I am sure your PDP cannot handle arbitrarily large integers since Java has no endlessly large integer datatype. So, what's your maximum integer number?

I'm asking, because I have to decide which datatype to use for the ID of a resource (the ID is stored in the DB as a numeric value).
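An added example (not AuthzForce code and not from the issue author) of the check behind this question: it validates the lexical form of xsd:integer exactly as the quoted definition states it (optional sign, digits, leading zeros allowed, no decimal point), parses it with java.math.BigInteger, which has no upper bound, and reports whether the value would still fit a signed 64-bit database column. This is independent of how any particular PDP version stores integers internally; the sample literals are constructed.

```java
import java.math.BigInteger;
import java.util.regex.Pattern;

/*
 * Added example: lexical validation of http://www.w3.org/2001/XMLSchema#integer
 * and a 64-bit range check, e.g. to decide whether a BIGINT column can hold a resource ID.
 */
public final class XsdIntegerCheck
{
    // xsd:integer lexical space: optional sign, one or more decimal digits,
    // leading zeros allowed, no decimal point, no exponent, no whitespace
    private static final Pattern LEXICAL = Pattern.compile("[+-]?[0-9]+");
    private static final BigInteger LONG_MIN = BigInteger.valueOf(Long.MIN_VALUE);
    private static final BigInteger LONG_MAX = BigInteger.valueOf(Long.MAX_VALUE);

    private XsdIntegerCheck()
    {
    }

    /** Returns the value of an xsd:integer literal, rejecting anything outside its lexical space. */
    public static BigInteger parse(final String lexical)
    {
        if (lexical == null || !LEXICAL.matcher(lexical).matches())
        {
            throw new IllegalArgumentException("Not an xsd:integer literal: " + lexical);
        }
        // BigInteger accepts the sign and leading zeros and has no size limit
        return new BigInteger(lexical);
    }

    /** True if the value can be stored in a signed 64-bit column (SQL BIGINT, Java long). */
    public static boolean fitsInLong(final BigInteger value)
    {
        return value.compareTo(LONG_MIN) >= 0 && value.compareTo(LONG_MAX) <= 0;
    }

    public static void main(final String[] args)
    {
        // Constructed sample literals: valid forms, the 64-bit boundary, and two invalid forms
        final String[] samples = { "42", "+0042", "-0", "9223372036854775807", "9223372036854775808", "1.0", "1e3" };
        for (final String s : samples)
        {
            try
            {
                final BigInteger v = parse(s);
                System.out.println(s + " -> " + v + (fitsInLong(v) ? " (fits BIGINT)" : " (exceeds 64-bit)"));
            }
            catch (final IllegalArgumentException e)
            {
                System.out.println(s + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

If the ID column is BIGINT, fitsInLong is the condition to enforce at the boundary where request attributes are taken in; a value that parses as xsd:integer but fails it cannot be a valid resource ID in that schema.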

Switch to Java 8

Mostly to reduce code and third-party dependencies, and improve security and performance.

Setting "-Djavax.xml.accessExternalSchema=http" in Maven

I am trying to setup an Attribute Provider and have run into an issue.
In the XML Schema, "xmlns:xacml="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"" and "xmlns:authz-ext="http://authzforce.github.io/xmlns/pdp/ext/3"" do not work as they appear not to have access to the internet.
I believe the problem for this is because I am not able to setup "-Djavax.xml.accessExternalSchema=http" inside Maven. Did you run into such a problem when creating an Attribute Provider?
If so how did you go about fixing it and if not do you have any suggestions.
Thank you for your time.

org.ow2.authzforce.core.pdp.testutil.ext.xsd MongoDBPolicyProvider ServerHost Pattern

Software version (AuthzForce Core)

Platform JRE

Platform OS

All

For the MongoDB policy provider, the ServerHost pattern doesn't appear to accept valid IP addresses per the pattern. What is the expectation for this flag, as it wouldn't be best practice to place the database and application together on the same instance/container? All the examples use localhost, but I can't seem to find any other examples of how to connect to an external database.

AttributeBag from POJO

Is there a way to create AttributeBags from POJOs?
Example:

Collection<String> values = ... ;
AttributeBag<?> attr = MagicClass.fromObject(values);

(I ask this because I want to switch from AT&T XACML to AuthZForce and they had such a class.)

Edit 1:
I don't want to manually create e.g. a StringValue. At runtime I don't know of which Java type values is. It could be e.g. a String or a LocalDateTime or a Collection<Integer>.
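An added example, not part of AuthzForce and not the converter the AT&T library shipped: a hypothetical PojoBags helper that maps a plain Java value, or a homogeneous Collection of values, to an AttributeBag. It relies on Bags.newAttributeBag(Datatype, Collection), StandardDatatypes and the StringValue/IntegerValue/BooleanValue classes of core-pdp-api as they are assumed here; the factory method names (IntegerValue.valueOf, BooleanValue.valueOf) should be checked against the API version you depend on. Unknown or mixed types are rejected rather than coerced, so an arbitrary object cannot silently become a string attribute the policy then matches on.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.function.Function;

import org.ow2.authzforce.core.pdp.api.value.AttributeBag;
import org.ow2.authzforce.core.pdp.api.value.AttributeValue;
import org.ow2.authzforce.core.pdp.api.value.Bags;
import org.ow2.authzforce.core.pdp.api.value.BooleanValue;
import org.ow2.authzforce.core.pdp.api.value.Datatype;
import org.ow2.authzforce.core.pdp.api.value.IntegerValue;
import org.ow2.authzforce.core.pdp.api.value.StandardDatatypes;
import org.ow2.authzforce.core.pdp.api.value.StringValue;

/*
 * Added example (hypothetical helper, not AuthzForce code): POJO -> AttributeBag.
 * Assumes core-pdp-api's Bags.newAttributeBag(Datatype, Collection) and the
 * valueOf factories of IntegerValue and BooleanValue.
 */
public final class PojoBags
{
    private PojoBags()
    {
    }

    /** Converts a single value or a homogeneous Collection of values into an AttributeBag. */
    public static AttributeBag<?> fromObject(final Object o)
    {
        if (o == null)
        {
            throw new IllegalArgumentException("null cannot be mapped to an attribute bag");
        }
        final Collection<?> values = o instanceof Collection ? (Collection<?>) o : Collections.singletonList(o);
        if (values.isEmpty())
        {
            // An empty bag still needs an element datatype, which a raw empty collection cannot tell us
            throw new IllegalArgumentException("empty collection: element datatype unknown");
        }
        final Object first = values.iterator().next();
        if (first instanceof String)
        {
            return bag(StandardDatatypes.STRING, values, String.class, StringValue::new);
        }
        if (first instanceof Integer)
        {
            return bag(StandardDatatypes.INTEGER, values, Integer.class, IntegerValue::valueOf);
        }
        if (first instanceof Boolean)
        {
            return bag(StandardDatatypes.BOOLEAN, values, Boolean.class, BooleanValue::valueOf);
        }
        // Deliberately no toString() fallback: unknown types must not silently become string attributes
        throw new IllegalArgumentException("unsupported value type: " + first.getClass().getName());
    }

    private static <T, AV extends AttributeValue> AttributeBag<AV> bag(final Datatype<AV> datatype, final Collection<?> values,
            final Class<T> javaType, final Function<? super T, ? extends AV> convert)
    {
        final List<AV> converted = new ArrayList<>(values.size());
        for (final Object v : values)
        {
            // Reject mixed-type collections instead of coercing their elements
            if (!javaType.isInstance(v))
            {
                throw new IllegalArgumentException("mixed-type collection: expected " + javaType.getSimpleName()
                        + ", got " + (v == null ? "null" : v.getClass().getName()));
            }
            converted.add(convert.apply(javaType.cast(v)));
        }
        return Bags.newAttributeBag(datatype, converted);
    }
}
```

Adding a date-time mapping means choosing one Java type (e.g. java.time.OffsetDateTime, which carries the zone offset XACML dateTime comparisons need) and converting it explicitly; the dispatch on the first element is what keeps the bag's datatype well defined.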

Problem resolving references in CoreRefPolicyProvider and PolicyEvaluator

Software version (AuthzForce Core)

13.3.1

Platform JRE

OpenJDK 11

Platform OS

Windows 10

Error stack trace or logs (if any)

java.lang.IllegalArgumentException: Invalid PolicySet with PolicySetId='urn:dom:policyset:alfa:remus:process:forhandla', Version=1.0
	at org.ow2.authzforce.core.pdp.impl.policy.CoreRefPolicyProvider.<init>(CoreRefPolicyProvider.java:403)
	at org.ow2.authzforce.core.pdp.impl.policy.CoreRefPolicyProvider.getInstance(CoreRefPolicyProvider.java:678)
	at org.ow2.authzforce.core.pdp.impl.policy.CoreRefPolicyProvider$Factory.getInstance(CoreRefPolicyProvider.java:255)
	at org.ow2.authzforce.core.pdp.impl.policy.CoreRefPolicyProvider$Factory.getInstance(CoreRefPolicyProvider.java:130)
	at org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration.newRefPolicyProvider(PdpEngineConfiguration.java:139)
	at org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration.<init>(PdpEngineConfiguration.java:371)
	at org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration.getInstance(PdpEngineConfiguration.java:472)
	at org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration.getInstance(PdpEngineConfiguration.java:516)
	at org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration.getInstance(PdpEngineConfiguration.java:548)
Caused by: java.lang.IllegalArgumentException: No Policy matching reference: id = checkRoleRegistrerare, Optional[Version=*,EarliestVersion=*,LatestVersion=*]
	at org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators$StaticPolicyRefEvaluatorFactory.getInstance(PolicyEvaluators.java:1667)
	at org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators$StaticPolicyRefEvaluatorFactory.getInstance(PolicyEvaluators.java:1640)
	at org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators.getInstanceGeneric(PolicyEvaluators.java:1704)
	at org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators.getInstanceStatic(PolicyEvaluators.java:1771)
	at org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators$StaticPolicySetElementEvaluatorFactory.getChildPolicyRefEvaluator(PolicyEvaluators.java:1914)
	at org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators$StaticPolicySetElementEvaluatorFactory.getChildPolicyRefEvaluator(PolicyEvaluators.java:1852)
	at org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators.getInstanceGeneric(PolicyEvaluators.java:2111)
	at org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators.getInstanceStatic(PolicyEvaluators.java:2305)
	at org.ow2.authzforce.core.pdp.impl.policy.CoreRefPolicyProvider.<init>(CoreRefPolicyProvider.java:398)
	... 69 more

Your code and/or AuthzForce-specific configuration file(s)

I have a more complex setup where I have several policysets, each of them defining some policies and/or referencing others defined externally. I took care not to create a circular dependency.

The root policyset just refers to all the other sets. When debugging authzforce-core I observe the following behaviour:

CoreRefPolicyProvider reads all policysets, but does not care about the contained policies. The table updatablePolicyTable remains empty, mainly because the included policies are not parsed.

As a result none of the references inside the other policysets can be resolved.

Attention: @cdanger

@cdanger I would like to talk to you about your PDP engine as an engineer to engineer, what is the best way to contact you?

Cheers,
Alex

Asking questions in stack

Hi, I want to ask if I can ask questions related to authzforce on Stack Overflow.
If I can, what tags do you follow on Stack Overflow for this project?
If not, shall I continue creating issues and asking them here?

StaticTopLevelPolicyElementEvaluator instantiation problem.

Hi. I'm trying to create a custom policy provider. I need to use

@Value("classpath*:**/policies/**.xml")
private Resource[] resources;

and use those resources as files for policy providing. It's a Spring resource thing.
But meanwhile, in the process, I'm facing:

protected StaticTopLevelPolicyElementEvaluator getPolicy(String policyId,
			Optional<PolicyVersionPatterns> policyPolicyVersionPatterns) throws IndeterminateEvaluationException {
...
}

From what I read in the MongoDB policy provider reference or the CoreRefPolicyProvider code, I see a static class called PolicyEvaluators which is responsible for instantiating this. But this class is in core-pdp-engine, and the wiki says that I should have the core-pdp-api dependency. So my question is: shall I go and implement my own PolicyEvaluator, or should I use the one in core-pdp-engine to instantiate it?

Dynamic PDP Configuration and Policy XML files using MongoDB

I would like to implement a PDP engine using the authzforce-ce-core-pdp-engine jar file as you mentioned in the README, with the exception that the policy files in XML should be dynamic. The main idea is similar to a file sharing system, where one user could share multiple files with other users and each file may have a different policy. I was thinking of storing the policy files in some sort of DB like MySQL or MongoDB; the PDP will refer to it and make a decision to grant or deny the access based on the request.

I found that the pdp core engine supports MongoDB as mentioned here.

Here is my pdp configuration file:

<?xml version="1.0" encoding="UTF-8"?>
<!-- Testing parameter 'maxPolicySetRefDepth' -->
<pdp xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://authzforce.github.io/core/xmlns/pdp/6.0" xmlns:ext="http://authzforce.github.io/core/xmlns/test/3" version="6.0.0">
   <refPolicyProvider id="refPolicyProvider" xsi:type="ext:MongoDBBasedPolicyProvider" serverHost="localhost" serverPort="27017" dbName="testXACML" collectionName="policies" />
   <rootPolicyProvider id="rootPolicyProvider" xsi:type="StaticRefBasedRootPolicyProvider">
      <policyRef>root-rbac-policyset</policyRef>
   </rootPolicyProvider>
</pdp>

Here is the PDP extension schema (pdp-ext.xsd):

<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
	<xs:annotation>
		<xs:documentation xml:lang="en">
			Import here the schema(s) of any XSD-defined PDP extension that you want to use in a PDP configuration: attribute finders, policy finders, etc.
			Indicate only the namespace here and use the XML catalog to resolve the schema location.
		</xs:documentation>
	</xs:annotation>
	<!-- Do not specify schema locations here. Define the schema locations in the XML catalog instead (see file 'catalog.xml'). -->
	<!--  Adding TestAttributeProvider extension -->
	<xs:import namespace="http://authzforce.github.io/core/xmlns/test/3" />
</xs:schema>

and the catalog file:

<?xml version="1.0" encoding="UTF-8"?>
<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog">
	<!-- For AuthZForce SchemaHandler -->
	<system systemId="http://www.w3.org/2001/xml.xsd" uri="classpath:xml.xsd" />
	<uri name="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" uri="classpath:xacml-core-v3-schema-wd-17.xsd" />
	<uri name="http://authzforce.github.io/xmlns/pdp/ext/3" uri="classpath:pdp-ext-base.xsd" />

	<!-- PDP Extensions (<uri>'s 'name' attribute value must match the namespace indicated for the schema import 
		in the PDP extensions schema (pdp-ext.xsd), do not specify any schemaLocation in this schema, only the namespace. 
		-->
	<uri name="http://authzforce.github.io/core/xmlns/test/3" uri="classpath:org.ow2.authzforce.core.pdp.testutil.ext.xsd" />
</catalog>

My pom.xml looks like this:

		<dependency>
			<groupId>org.mongodb</groupId>
			<artifactId>mongo-java-driver</artifactId>
			<version>2.14.2</version>
		</dependency>
		<!-- https://mvnrepository.com/artifact/org.jongo/jongo -->
		<dependency>
			<groupId>org.jongo</groupId>
			<artifactId>jongo</artifactId>
			<version>1.3.0</version>
		</dependency>
		<dependency>
			<groupId>org.ow2.authzforce</groupId>
			<artifactId>authzforce-ce-core-pdp-engine</artifactId>
			<version>13.0.0</version>
		</dependency>
		<!-- https://mvnrepository.com/artifact/org.ow2.authzforce/authzforce-ce-core-pdp-io-xacml-json -->
		<dependency>
			<groupId>org.ow2.authzforce</groupId>
			<artifactId>authzforce-ce-core-pdp-io-xacml-json</artifactId>
			<version>13.0.0</version>
		</dependency>
		<!-- https://mvnrepository.com/artifact/de.undercouch/bson4jackson -->
		<dependency>
			<groupId>de.undercouch</groupId>
			<artifactId>bson4jackson</artifactId>
			<version>2.7.0</version>
		</dependency>
		<!-- https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-annotations -->
		<dependency>
			<groupId>com.fasterxml.jackson.core</groupId>
			<artifactId>jackson-annotations</artifactId>
			<version>2.9.0</version>
		</dependency>
		<!-- https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-core -->
		<dependency>
			<groupId>com.fasterxml.jackson.core</groupId>
			<artifactId>jackson-core</artifactId>
			<version>2.9.5</version>
		</dependency>
		<!-- https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind -->
		<dependency>
			<groupId>com.fasterxml.jackson.core</groupId>
			<artifactId>jackson-databind</artifactId>
			<version>2.9.5</version>
		</dependency>
		<!-- https://mvnrepository.com/artifact/org.ow2.authzforce/authzforce-ce-core-pdp-testutils -->
		<dependency>
			<groupId>org.ow2.authzforce</groupId>
			<artifactId>authzforce-ce-core-pdp-testutils</artifactId>
			<version>13.0.0</version>
		</dependency>

All three configurations are then used to instantiate PdpEngineConfiguration as follows:

		File pdp2 = new File("pdp2.xml");
		File catalog = new File("catalog.xml");
		File xsd = new File("pdp-ext2.xsd");
		
		PdpEngineConfiguration pdpEngineConf = PdpEngineConfiguration.getInstance(pdp2.toURI().toString(), catalog.toURI().toString(), xsd.toURI().toString());
		final BasePdpEngine pdp = new BasePdpEngine(pdpEngineConf);

But this gave me an error like this:

SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
Exception in thread "main" java.lang.IllegalArgumentException: Invalid PDP configuration file
	at org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration.getInstance(PdpEngineConfiguration.java:469)
	at org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration.getInstance(PdpEngineConfiguration.java:516)
	at org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration.getInstance(PdpEngineConfiguration.java:548)
	at org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration.getInstance(PdpEngineConfiguration.java:682)
	at TestPDP.main(TestPDP.java:70)
Caused by: javax.xml.bind.UnmarshalException: Unable to create an instance of org.ow2.authzforce.xmlns.pdp.ext.AbstractPolicyProvider
 - with linked exception:
[java.lang.InstantiationException]
	at com.sun.xml.internal.bind.v2.runtime.unmarshaller.UnmarshallingContext.handleEvent(UnmarshallingContext.java:726)
	at com.sun.xml.internal.bind.v2.runtime.unmarshaller.Loader.reportError(Loader.java:247)
	at com.sun.xml.internal.bind.v2.runtime.unmarshaller.UnmarshallingContext.createInstance(UnmarshallingContext.java:690)
	at com.sun.xml.internal.bind.v2.runtime.unmarshaller.StructureLoader.startElement(StructureLoader.java:171)
	at com.sun.xml.internal.bind.v2.runtime.unmarshaller.XsiTypeLoader.startElement(XsiTypeLoader.java:65)
	at com.sun.xml.internal.bind.v2.runtime.unmarshaller.UnmarshallingContext._startElement(UnmarshallingContext.java:559)
	at com.sun.xml.internal.bind.v2.runtime.unmarshaller.UnmarshallingContext.startElement(UnmarshallingContext.java:538)
	at com.sun.xml.internal.bind.v2.runtime.unmarshaller.ValidatingUnmarshaller.startElement(ValidatingUnmarshaller.java:87)
	at com.sun.xml.internal.bind.v2.runtime.unmarshaller.SAXConnector.startElement(SAXConnector.java:153)
	at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.startElement(AbstractSAXParser.java:509)
	at com.sun.org.apache.xerces.internal.parsers.AbstractXMLDocumentParser.emptyElement(AbstractXMLDocumentParser.java:182)
	at com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerImpl.scanStartElement(XMLNSDocumentScannerImpl.java:351)
	at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2784)
	at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:602)
	at com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerImpl.next(XMLNSDocumentScannerImpl.java:112)
	at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:505)
	at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:842)
	at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:771)
	at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141)
	at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1213)
	at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:643)
	at com.sun.xml.internal.bind.v2.runtime.unmarshaller.UnmarshallerImpl.unmarshal0(UnmarshallerImpl.java:243)
	at com.sun.xml.internal.bind.v2.runtime.unmarshaller.UnmarshallerImpl.unmarshal(UnmarshallerImpl.java:221)
	at com.sun.xml.internal.bind.v2.runtime.unmarshaller.UnmarshallerImpl.unmarshal(UnmarshallerImpl.java:276)
	at org.ow2.authzforce.core.pdp.impl.PdpModelHandler.unmarshal(PdpModelHandler.java:185)
	at org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration.getInstance(PdpEngineConfiguration.java:466)
	... 4 more
Caused by: java.lang.InstantiationException
	at sun.reflect.InstantiationExceptionConstructorAccessorImpl.newInstance(InstantiationExceptionConstructorAccessorImpl.java:48)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
	at com.sun.xml.internal.bind.v2.ClassFactory.create0(ClassFactory.java:118)
	at com.sun.xml.internal.bind.v2.runtime.ClassBeanInfoImpl.createInstance(ClassBeanInfoImpl.java:270)
	at com.sun.xml.internal.bind.v2.runtime.unmarshaller.UnmarshallingContext.createInstance(UnmarshallingContext.java:684)
	... 27 more

Did I do something wrong with this?

Upgrade to Java 11

We still want to maintain a version 100% compatible with Java 8.

Since Java 9, we can use multi-release JARs (MRJAR) which is now supported by Maven Compiler plugin, but a Gradle developer gives convincing arguments against using this feature.

Alternative: switch to Gradle and take advantage of Gradle's variant-aware dependency management. See also https://docs.gradle.org/current/userguide/cross_project_publications.html#targeting-different-platforms, where it says (current version is 6.7.1):

Future versions of Gradle will provide ways to automatically build for different Java platforms.

Actual JARs of versions > 7.1.0 are not yet on search.maven.org

Software version (AuthzForce Core)

11.0.0

Platform JRE

1.8.0_151

Platform OS

Windows

Error stack trace or logs (if any)

Failure to find org.ow2.authzforce:authzforce-ce-core:jar:11.0.0 in https://repo.maven.apache.org/maven2

If in doubt include the whole thing; often exceptions get wrapped in other exceptions and the exception right near the bottom explains the actual error, not the first few lines at the top.

Your code and/or AuthzForce-specific configuration file(s)

none

Attribute Providing Tutorial in Wiki does not work.

authzforce-ce-core-pdp-api 15.0.0

java version "1.8.0_131"
Java(TM) SE Runtime Environment (build 1.8.0_131-b11)

Windows 10

[ERROR] Error while parsing schema(s).Location [ file:/F:/IntelijWorkspace/pip/src/main/resources/org.baharan.PolicyInfoProvider.xsd{40,67}].
org.xml.sax.SAXParseException; systemId: file:/F:/IntelijWorkspace/pip/src/main/resources/org.baharan.PolicyInfoProvider.xsd; lineNumber: 40; columnNumber: 67; undefined simple or complex type 'authz-ext:AbstractPolicyProvider'
	at com.sun.xml.xsom.impl.parser.ParserContext$1.reportError(ParserContext.java:180)
	at com.sun.xml.xsom.impl.parser.NGCCRuntimeEx.reportError(NGCCRuntimeEx.java:175)
	at com.sun.xml.xsom.impl.parser.DelayedRef.resolve(DelayedRef.java:110)
	at com.sun.xml.xsom.impl.parser.DelayedRef.run(DelayedRef.java:85)
	at com.sun.xml.xsom.impl.parser.ParserContext.getResult(ParserContext.java:135)
	at com.sun.xml.xsom.parser.XSOMParser.getResult(XSOMParser.java:214)
	at com.sun.tools.xjc.ModelLoader.createXSOM(ModelLoader.java:538)
	at com.sun.tools.xjc.ModelLoader.loadXMLSchema(ModelLoader.java:378)
	at com.sun.tools.xjc.ModelLoader.load(ModelLoader.java:174)
	at com.sun.tools.xjc.ModelLoader.load(ModelLoader.java:119)
	at org.jvnet.mjiip.v_2_2.XJC22Mojo.loadModel(XJC22Mojo.java:50)
	at org.jvnet.mjiip.v_2_2.XJC22Mojo.doExecute(XJC22Mojo.java:40)
	at org.jvnet.mjiip.v_2_2.XJC22Mojo.doExecute(XJC22Mojo.java:28)
	at org.jvnet.jaxb2.maven2.RawXJC2Mojo.doExecute(RawXJC2Mojo.java:505)
	at org.jvnet.jaxb2.maven2.RawXJC2Mojo.execute(RawXJC2Mojo.java:328)
	at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo(DefaultBuildPluginManager.java:134)
	at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:207)
	at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:153)
	at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:145)
	at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:116)
	at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:80)
	at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build(SingleThreadedBuilder.java:51)
	at org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:128)
	at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:307)
	at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:193)
	at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:106)
	at org.apache.maven.cli.MavenCli.execute(MavenCli.java:863)
	at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:288)
	at org.apache.maven.cli.MavenCli.main(MavenCli.java:199)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:289)
	at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:229)
	at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:415)
	at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:356)
	at org.codehaus.classworlds.Launcher.main(Launcher.java:47)

I Followed Exact Steps in https://github.com/authzforce/core/wiki/Attribute-Providers
i even copied the same content from pdptestutils to just make it work but when i try to run
generate-sources command from maven the top error comes.

Every PDP request results in permit

Hello, I recently got started using the AuthZForce PDP/PAP API's, and for some reason every request is resulting in a permit. As an example, here is a policy I created:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<PolicySet
 xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
 PolicySetId="P1"
 Version="1.0"
 PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit">
 <Description>Test Policy Set</Description>
 <Target />
 <Policy
  PolicyId="FileAccessApp"
  Version="1.0"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
  <Description>Policy for FileAccessApp</Description>
  <Target>
   <AnyOf>
    <AllOf>
     <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      <AttributeValue
       DataType="http://www.w3.org/2001/XMLSchema#string">FileAccessApp</AttributeValue>
      <AttributeDesignator
       Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
       AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
       DataType="http://www.w3.org/2001/XMLSchema#string"
       MustBePresent="true" />
     </Match>
    </AllOf>
   </AnyOf>
  </Target>
  <Rule RuleId="Must_Be_US" Effect="Permit">
   <Description>Only US Citizens may access files.</Description>
   <Target>
    <AnyOf>
     <AllOf>
      <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
       <AttributeValue
        DataType="http://www.w3.org/2001/XMLSchema#string">file</AttributeValue>
       <AttributeDesignator
        Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
        AttributeId="urn:thales:xacml:2.0:resource:sub-resource-id"
        DataType="http://www.w3.org/2001/XMLSchema#string"
        MustBePresent="true" />
      </Match>
     </AllOf>
    </AnyOf>
    <AnyOf>
     <AllOf>
      <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
       <AttributeValue
        DataType="http://www.w3.org/2001/XMLSchema#string">access</AttributeValue>
       <AttributeDesignator
        Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
        AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
        DataType="http://www.w3.org/2001/XMLSchema#string"
        MustBePresent="true" />
      </Match>
     </AllOf>
    </AnyOf>
   </Target>
   <Condition>
    <Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:any-of">
     <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal" />
      <AttributeValue
       DataType="http://www.w3.org/2001/XMLSchema#string">US_Citizen</AttributeValue>
      <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
       DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"
       Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" />
    </Apply>
   </Condition>
  </Rule>
 </Policy>
</PolicySet>

And yet, the request below results in a Permit

<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
 CombinedDecision="false" ReturnPolicyIdList="false">
 <Attributes
  Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
  <Attribute
   AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
   IncludeInResult="false">
   <AttributeValue
   DataType="http://www.w3.org/2001/XMLSchema#string">Dave</AttributeValue>
  </Attribute>
  <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
   IncludeInResult="false"> <AttributeValue
   DataType="http://www.w3.org/2001/XMLSchema#string">Not_Us_Citizen</AttributeValue>
  </Attribute>
 </Attributes>
 <Attributes
  Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
  <Attribute
   AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
   IncludeInResult="false">
   <AttributeValue
    DataType="http://www.w3.org/2001/XMLSchema#string">FileAccessApp</AttributeValue>
  </Attribute>
  <Attribute
   AttributeId="urn:thales:xacml:2.0:resource:sub-resource-id" IncludeInResult="false">
   <AttributeValue
    DataType="http://www.w3.org/2001/XMLSchema#string">file</AttributeValue>
  </Attribute>
 </Attributes>
 <Attributes
  Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
  <Attribute
   AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
   IncludeInResult="false">
   <AttributeValue
    DataType="http://www.w3.org/2001/XMLSchema#string">access</AttributeValue>
  </Attribute>
 </Attributes>
 <Attributes
  Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" />
</Request>

If I enable ReturnPolicyIdList I see the line <PolicyIdReference Version="0.1.0">permit-all</PolicyIdReference>

How to disable this? Will just manually removing the 0.1.0.xml file and restarting Tomcat do it or is there a specific API call I need to make?
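An added example, not the issue author's code and not part of AuthzForce: it evaluates the request above against the PolicySet above with the core engine's native API, bypassing the server, so you can see what the policy itself decides before looking for a permit-all root policy on the server side. With deny-unless-permit at both the PolicySet and Policy level, and a Rule whose Condition (any-of string-equal "US_Citizen" over the role bag) is false for role "Not_Us_Citizen", the policy alone should yield Deny for the posted request and Permit once the role is "US_Citizen". It assumes a pdp.xml, passed as the first argument, whose root policy provider points at a file containing only PolicySet P1 (the StaticRootPolicyProvider form shown earlier on this page, with the namespace version matching your core version), and the class, method and constant names are those of core-pdp-api/core-pdp-engine as assumed here.

```java
import java.io.IOException;
import java.util.Optional;

import oasis.names.tc.xacml._3_0.core.schema.wd_17.DecisionType;
import org.ow2.authzforce.core.pdp.api.AttributeFqn;
import org.ow2.authzforce.core.pdp.api.AttributeFqns;
import org.ow2.authzforce.core.pdp.api.DecisionRequest;
import org.ow2.authzforce.core.pdp.api.DecisionRequestBuilder;
import org.ow2.authzforce.core.pdp.api.DecisionResult;
import org.ow2.authzforce.core.pdp.api.value.AttributeBag;
import org.ow2.authzforce.core.pdp.api.value.Bags;
import org.ow2.authzforce.core.pdp.api.value.StandardDatatypes;
import org.ow2.authzforce.core.pdp.api.value.StringValue;
import org.ow2.authzforce.core.pdp.impl.BasePdpEngine;
import org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration;
import org.ow2.authzforce.xacml.identifiers.XacmlAttributeCategory;
import org.ow2.authzforce.xacml.identifiers.XacmlAttributeId;

/*
 * Added example (not AuthzForce's own code): evaluate the issue's request against the
 * issue's PolicySet with the core engine directly. Assumes args[0] is a pdp.xml whose
 * root policy provider loads only PolicySet P1.
 */
public final class PolicyCheck
{
    private static final String SUBJECT_CAT = XacmlAttributeCategory.XACML_1_0_ACCESS_SUBJECT.value();
    private static final String RESOURCE_CAT = XacmlAttributeCategory.XACML_3_0_RESOURCE.value();
    private static final String ACTION_CAT = XacmlAttributeCategory.XACML_3_0_ACTION.value();
    // Attribute ids from the policy that have no constant in XacmlAttributeId
    private static final String ROLE_ID = "urn:oasis:names:tc:xacml:2.0:subject:role";
    private static final String SUB_RESOURCE_ID = "urn:thales:xacml:2.0:resource:sub-resource-id";

    private PolicyCheck()
    {
    }

    private static AttributeFqn fqn(final String category, final String id)
    {
        // No issuer, as in the request above
        return AttributeFqns.newInstance(category, Optional.empty(), id);
    }

    private static AttributeBag<?> string(final String value)
    {
        return Bags.singletonAttributeBag(StandardDatatypes.STRING, new StringValue(value));
    }

    /** Builds the request from the issue with the given role value and returns the decision. */
    public static DecisionType decide(final BasePdpEngine pdp, final String role)
    {
        // 4 attribute categories, 5 named attributes: sizing hints only
        final DecisionRequestBuilder<?> builder = pdp.newRequestBuilder(4, 5);
        builder.putNamedAttributeIfAbsent(fqn(SUBJECT_CAT, XacmlAttributeId.XACML_1_0_SUBJECT_ID.value()), string("Dave"));
        builder.putNamedAttributeIfAbsent(fqn(SUBJECT_CAT, ROLE_ID), string(role));
        builder.putNamedAttributeIfAbsent(fqn(RESOURCE_CAT, XacmlAttributeId.XACML_1_0_RESOURCE_ID.value()), string("FileAccessApp"));
        builder.putNamedAttributeIfAbsent(fqn(RESOURCE_CAT, SUB_RESOURCE_ID), string("file"));
        builder.putNamedAttributeIfAbsent(fqn(ACTION_CAT, XacmlAttributeId.XACML_1_0_ACTION_ID.value()), string("access"));
        // true = return the applicable policy list, the native counterpart of ReturnPolicyIdList
        final DecisionRequest request = builder.build(true);
        final DecisionResult result = pdp.evaluate(request);
        System.out.println("applicable policies: " + result.getApplicablePolicies());
        return result.getDecision();
    }

    public static void main(final String[] args) throws IOException
    {
        final PdpEngineConfiguration conf = PdpEngineConfiguration.getInstance(args[0]);
        try (BasePdpEngine pdp = new BasePdpEngine(conf))
        {
            // Rule Condition is false for this role; deny-unless-permit turns NotApplicable into Deny
            System.out.println("Not_Us_Citizen -> " + decide(pdp, "Not_Us_Citizen") + " (expected DENY)");
            // Target and Condition both match for this role
            System.out.println("US_Citizen     -> " + decide(pdp, "US_Citizen") + " (expected PERMIT)");
        }
    }
}
```

If this prints DENY for Not_Us_Citizen while the server still answers Permit, the difference is in what the server evaluates as its root policy, not in P1; the applicable-policy list printed here, compared with the PolicyIdReference the server returns, shows which PolicySet actually decided.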

Support for ALFA language

As the engine already works with XACML, I wonder why ALFA is not supported. Isn't it supposed to be translatable to XACML? It would be far easier to write compared to XML.

With ALFA I mean the Abbreviated Language For Authorization as described on https://en.wikipedia.org/wiki/ALFA_(XACML) which seems to be an OASIS standard by now.

An Issue When run the code in README.md

Software version (AuthzForce Core)

Platform JRE

jre 1.8.0_121

Platform OS

Windows 10

Error stack trace or logs (if any)


Your code and/or AuthzForce-specific configuration file(s)

final AttributeBag<?> roleAttributeValues = Bags.singletonAttributeBag(StandardDatatypes.STRING, new StringValue("boss"));
When I used the code of "Evaluating Requests in AuthzForce native API (most efficient)" given in README.md, my Eclipse came up with "Unresolved compilation problems":
The method singletonAttributeBag(Datatype, AV) in the type Bags is not applicable for the arguments (AttributeDatatype, StringValue)
Dear developers,
How can I solve it?

Use latest parent version to benefit from dependency-check-maven fix

In order to benefit from the fix introduced by authzforce/parent@deb5249, is it possible to either:

  • update core pom.xml parent from version 8.0.0 to 8.0.1-SNAPSHOT
  • or create a new release of parent (e.g. 8.0.1) and update core pom.xml parent from version 8.0.0 to 8.0.1

After reading CONTRIBUTING.md ("No SNAPSHOT dependencies on "develop" and obviously "master" branches") I guess that the second option is probably the most appropriate one.

Dynamic Root Policy depending on the authorization request

Software version (AuthzForce Core)

15.1.1-SNAPSHOT (or latest as of writing)

Problem

My particular use case is that for every authorization request, I have a corresponding policyset (either directly containing policies or linking to other policysets) that I want to validate it against. Currently I have a root policy that links to everything, for example:

Root
    PS_1
         P_1_1
         P_1_2
    PS_2
         P_2_1

So that for one authz request (depending on some variable), I might only want to load everything under PS_1 (and not PS_2). I think I effectively want a dynamic root policy provider as mentioned here? But this seems to be outdated since in the new way of writing pdp.xml, we only pass in one policy provider and then pass in the ID for the root.

How should I approach this problem? I don't know at runtime how many "root" policies I might have.

how to provide attributeProvider element in pdp.xml

    <dependency>
        <groupId>org.ow2.authzforce</groupId>
        <artifactId>authzforce-ce-core-pdp-engine</artifactId>
        <version>13.2.0</version>
    </dependency>

java version "1.8.0_131"

Windows 10

Hi, in the last part of the wiki for creating an attributeProvider I need to provide the PDP with the attribute provider. This is definitely my lack of knowledge, but I don't know how to do that and the only way I can resolve it is asking here. The attributeProvider element has only an id and it seems that it only requires to be unique. I don't know how to provide my attribute provider in pdp.xml. There is no example in testUtils either.

My policyprovider.xsd

<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"  targetNamespace="http://org.baharan/core/xmlns/attributeprovider" xmlns="http://org.baharan/core/xmlns/attributeprovider" xmlns:authz-ext="http://authzforce.github.io/xmlns/pdp/ext/3"
           xmlns:xacml="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" elementFormDefault="qualified" attributeFormDefault="unqualified" version="3.5.9">
    <xs:import namespace="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" />
    <xs:import namespace="http://authzforce.github.io/xmlns/pdp/ext/3" />
    <xs:annotation>
        <xs:documentation xml:lang="en">
            Data Model for PDP test extensions, e.g. the Test Attribute Provider module
        </xs:documentation>
    </xs:annotation>
    <xs:complexType name="TestAttributeProvider">
        <xs:annotation>
            <xs:documentation>
                Test Attribute Provider. This Provider is used for test purposes only. It can be
                configured to support any attribute but returns always an empty bag as attribute value.
            </xs:documentation>
        </xs:annotation>
        <xs:complexContent>
            <xs:extension base="authz-ext:AbstractAttributeProvider">
                <xs:sequence>
                    <xs:element ref="xacml:Attributes" minOccurs="1" maxOccurs="10" />
                </xs:sequence>
            </xs:extension>
        </xs:complexContent>
    </xs:complexType>
</xs:schema>

My custom attributeprovider

import java.io.IOException;
import java.sql.SQLException;
import java.util.Optional;
import java.util.Random;
import java.util.Set;

import oasis.names.tc.xacml._3_0.core.schema.wd_17.AttributeDesignatorType;

import org.ow2.authzforce.core.pdp.api.AttributeFqn;
import org.ow2.authzforce.core.pdp.api.AttributeFqns;
import org.ow2.authzforce.core.pdp.api.AttributeProvider;
import org.ow2.authzforce.core.pdp.api.BaseNamedAttributeProvider;
import org.ow2.authzforce.core.pdp.api.EvaluationContext;
import org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException;
import org.ow2.authzforce.core.pdp.api.value.AttributeBag;
import org.ow2.authzforce.core.pdp.api.value.AttributeValue;
import org.ow2.authzforce.core.pdp.api.value.AttributeValueFactoryRegistry;
import org.ow2.authzforce.core.pdp.api.value.Bags;
import org.ow2.authzforce.core.pdp.api.value.Datatype;
import org.ow2.authzforce.core.pdp.api.value.StandardDatatypes;
import org.ow2.authzforce.core.pdp.api.value.StringValue;
import org.ow2.authzforce.xacml.identifiers.XacmlAttributeCategory;
import org.ow2.authzforce.xacml.identifiers.XacmlAttributeId;

/**
 * Attribute provider that resolves the custom "auth-User-Power-id" subject attribute
 * from a database, using the request's subject-id as the lookup key.
 */
public class DbAttributeProvider extends BaseNamedAttributeProvider {

    private AttributeValueFactoryRegistry attributeValueFactoryRegistry;
    private AttributeProvider attributeProvider;

    public DbAttributeProvider(String instanceID) throws IllegalArgumentException {
        super(instanceID);
    }

    public DbAttributeProvider(AttributeValueFactoryRegistry attributeValueFactoryRegistry, AttributeProvider attributeProvider) throws IllegalArgumentException {
        super(String.valueOf(new Random().nextLong()));
        this.attributeProvider = attributeProvider;
        this.attributeValueFactoryRegistry = attributeValueFactoryRegistry;
    }

    @Override
    public void close() throws IOException {
        // nothing to release here
    }

    @Override
    public Set<AttributeDesignatorType> getProvidedAttributes() {
        // the engine uses this set to know which attribute designators this provider supports
        return null;
    }

    @Override
    public <AV extends AttributeValue> AttributeBag<AV> get(AttributeFqn attributeFqn, Datatype<AV> datatype, EvaluationContext evaluationContext) throws IndeterminateEvaluationException {
        MysqlAccess dbAccess = new MysqlAccess();

        // the standard subject-id attribute is read from the request context and used as the DB key
        AttributeFqn subjectIdAttr = AttributeFqns.newInstance(XacmlAttributeCategory.XACML_1_0_ACCESS_SUBJECT.value(), Optional.empty(), XacmlAttributeId.XACML_1_0_SUBJECT_ID.value());
        AttributeBag<?> authUserPowerIdAttrValue = null;

        if (attributeFqn.getCategory().equalsIgnoreCase(XacmlAttributeCategory.XACML_1_0_ACCESS_SUBJECT.value())) {
            if (datatype.equals(StandardDatatypes.STRING)) {
                if (attributeFqn.getId().equalsIgnoreCase("auth-User-Power-id")) {
                    AttributeBag<StringValue> authUserIdBag = evaluationContext.getNamedAttributeValue(subjectIdAttr, StandardDatatypes.STRING);
                    String authUserId = authUserIdBag.getSingleElement().getUnderlyingValue();
                    try {
                        Long authUserPowerId = dbAccess.getUserPowerId(Long.valueOf(authUserId));
                        authUserPowerIdAttrValue = Bags.singletonAttributeBag(StandardDatatypes.STRING, new StringValue(String.valueOf(authUserPowerId)));
                    } catch (SQLException e) {
                        e.printStackTrace();
                    }
                    @SuppressWarnings("unchecked")
                    AttributeBag<AV> result = (AttributeBag<AV>) authUserPowerIdAttrValue;
                    return result;
                }
            }
        }

        return null;
    }
}

My Factory (TestAttributeProvider is generated by jaxb)

import java.util.Set;

import oasis.names.tc.xacml._3_0.core.schema.wd_17.AttributeDesignatorType;

import org.ow2.authzforce.core.pdp.api.AttributeProvider;
import org.ow2.authzforce.core.pdp.api.CloseableNamedAttributeProvider;
import org.ow2.authzforce.core.pdp.api.EnvironmentProperties;
import org.ow2.authzforce.core.pdp.api.value.AttributeValueFactoryRegistry;

import baharan.org.core.xmlns.attributeprovider.TestAttributeProvider;

/**
 * Factory bound to the JAXB type TestAttributeProvider (generated from policyprovider.xsd);
 * the engine selects it when an attributeProvider element of that xsi:type appears in pdp.xml.
 */
public class DbAttributeProviderFactory extends CloseableNamedAttributeProvider.FactoryBuilder<TestAttributeProvider> {

    @Override
    public CloseableNamedAttributeProvider.DependencyAwareFactory getInstance(TestAttributeProvider testAttributeProvider, EnvironmentProperties environmentProperties) throws IllegalArgumentException {
        return new CloseableNamedAttributeProvider.DependencyAwareFactory() {
            @Override
            public Set<AttributeDesignatorType> getDependencies() {
                // attributes this provider itself needs from other providers (e.g. subject-id)
                return null;
            }

            @Override
            public CloseableNamedAttributeProvider getInstance(AttributeValueFactoryRegistry attributeValueFactoryRegistry, AttributeProvider attributeProvider) {
                return new DbAttributeProvider(attributeValueFactoryRegistry, attributeProvider);
            }
        };
    }

    @Override
    public Class<TestAttributeProvider> getJaxbClass() {
        return TestAttributeProvider.class;
    }
}

My catalog.xml

<?xml version="1.0" encoding="UTF-8"?>
<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog">
    <system systemId="http://www.w3.org/2001/xml.xsd" uri="classpath:xml.xsd" />
    <uri name="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" uri="classpath:xacml-core-v3-schema-wd-17.xsd"/>
    <uri name="http://authzforce.github.io/xmlns/pdp/ext/3" uri="classpath:pdp-ext-base.xsd"/>

    <!-- PDP Extensions (<uri>'s 'name' attribute value must match the namespace indicated for the schema import
        in the PDP extensions schema (pdp-ext.xsd), do not specify any schemaLocation in this schema, only the namespace.
        -->
    <uri name="http://org.baharan/core/xmlns/attributeprovider" uri="classpath:org.baharan.PolicyInfoProvider.xsd" />
</catalog>

My pdp-ext.xsd

<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:annotation>
        <xs:documentation xml:lang="en">
            Schemas of enabled AuthzForce PDP engine extensions, such as attribute providers.
        </xs:documentation>
    </xs:annotation>
    <!-- Do not specify schema locations here. Define the schema locations in the XML catalog instead (see file 'catalog.xml'). -->
    <xs:import namespace="http://org.baharan/core/xmlns/attributeprovider" />
</xs:schema>

What should I do in pdp.xml?

<pdp xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://authzforce.github.io/core/xmlns/pdp/6.0"
     version="6.0.0" maxVariableRefDepth="10" maxPolicyRefDepth="10" strictAttributeIssuerMatch="false">
    <!-- You may customize this PDP configuration except 'rootPolicyProvider' and 'refPolicyProvider' elements. -->
    <rootPolicyProvider id="rootPolicyProvider" xsi:type="StaticRootPolicyProvider" policyLocation="classpath:policy.xml" />
</pdp>
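One way to wire a provider of this kind into pdp.xml, as an added example that is not part of the original issue or of the AuthzForce project: the attributeProvider element is given an xsi:type naming the JAXB type from the custom schema, and its content has to satisfy that schema (here at least one xacml:Attributes element). Assumed here: the prefix bap, the provider id, the attribute names from the provider code above, and that DbAttributeProviderFactory is discoverable by the engine as a PdpExtension service (META-INF/services/org.ow2.authzforce.core.pdp.api.PdpExtension listing the factory's fully qualified class name).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example pdp.xml; prefix 'bap', ids and attribute names are assumptions -->
<pdp xmlns="http://authzforce.github.io/core/xmlns/pdp/6.0"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns:xacml="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
     xmlns:bap="http://org.baharan/core/xmlns/attributeprovider"
     version="6.0.0" maxVariableRefDepth="10" maxPolicyRefDepth="10" strictAttributeIssuerMatch="false">

    <!-- xsi:type selects the JAXB type TestAttributeProvider from policyprovider.xsd;
         the engine matches it to the factory whose getJaxbClass() returns that class.
         The factory must be registered as a service under
         META-INF/services/org.ow2.authzforce.core.pdp.api.PdpExtension (assumed). -->
    <attributeProvider id="dbAttributeProvider" xsi:type="bap:TestAttributeProvider">
        <!-- policyprovider.xsd requires 1..10 xacml:Attributes children; this one declares
             the subject attribute the provider resolves from the database -->
        <xacml:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
            <xacml:Attribute AttributeId="auth-User-Power-id" IncludeInResult="false">
                <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string"/>
            </xacml:Attribute>
        </xacml:Attributes>
    </attributeProvider>

    <rootPolicyProvider id="rootPolicyProvider" xsi:type="StaticRootPolicyProvider" policyLocation="classpath:policy.xml"/>
</pdp>
```

The catalog.xml entry for the bap namespace must point at the file that actually holds the schema, otherwise schema validation of pdp.xml fails before the provider is ever instantiated.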

accessExternalSchema property can not be accessed in weblogic

org.ow2.authzforce authzforce-ce-core-pdp-engine 13.2.0

java version "1.8.0_131"

Windows 10

Caused By: org.xml.sax.SAXParseException; lineNumber: 9; columnNumber: 52; schema_reference: Failed to read schema document 'xml.xsd', because 'http' access is not allowed due to restriction set by the accessExternalSchema property. 
	at com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.createSAXParseException(ErrorHandlerWrapper.java:203)
	at com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.fatalError(ErrorHandlerWrapper.java:177)
	at com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:400)
	at com.sun.org.apache.xerces.internal.impl.xs.traversers.XSDHandler.reportSchemaErr(XSDHandler.java:4156)
	at com.sun.org.apache.xerces.internal.impl.xs.traversers.XSDHandler.reportSchemaFatalError(XSDHandler.java:4135)
	Truncated. see log file for complete stacktrace

I created a Spring Boot project and made an effort to create the AuthzForce engine in it, then created requests in Java API form. When I run this project on the embedded Tomcat, the line:

System.setProperty("javax.xml.accessExternalSchema", "http,file");

causes no error, but when I run this project on WebLogic the above error persists. I even tried

<plugin>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-maven-plugin</artifactId>
       <configuration>
             <jvmArguments>
                    -Djavax.xml.accessExternalSchema=all -Dfile.encoding=UTF8 -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5005
              </jvmArguments>
        </configuration>
</plugin>

but didn't work.
