XACMLight is an Axis2 [1] web service that implements a Policy Decision Point (PDP) and a Policy Administration Point (PAP) as defined in the XACML 2.0 [2] specification. This implementation covers all functions defined by XACML 2.0 (including the optional ones), all mandatory elements and almost all optional features. The current implementation has been tested against the XACML 2.0 conformance test suite [10]: all applicable tests complete successfully.
The following mandatory features defined in XACML 2.0 have been implemented:
The following optional XACML features have been implemented:
The first optional feature above is very useful from a practical point of view because it allows evaluating multiple resources in a single XACML request. The next three are very helpful for understanding what is wrong with the authorization request and/or the policy when the engine returns an 'Indeterminate' result.
XACMLight uses the JDK 1.5 XPath implementation to implement the following optional functions and elements:
This means that the XPath version is determined by that particular implementation; the version given in <PolicyDefaults> and <PolicySetDefaults> is ignored.
XACML 2.0 doesn't define how references to policies and policy sets should be resolved. It says only that if a reference is a URL, the reference MAY be resolved. XACMLight uses the following strategy to resolve references:
The local repository must be set in the <Repo> section of the PDP's initial configuration file. Unbounded sequences of the following elements are allowed in the <Repo> section:
The syntax of the first two elements in the list is defined by the policy XSD [8]; the syntax of the third element is defined by the context XSD [9]. Policies and Policy Sets in the <Repo> section are used for resolving references. Attributes are used for resolving attributes that are missing from the request.
The name of the default configuration file is gryb_info_xacml_config.xml. It must be placed on the Axis2 CLASSPATH (e.g. in the AXIS2_HOME directory) to be available to the XACMLight service. The XSD schema for this file is defined in the xacml.wsdl file and contains the following elements:
Since XACMLight is implemented as an Axis2 service, it can run on the native Axis2 Apache server or on any other J2EE compliant container using the Axis2 war file, which allows deploying aar files to other application servers. The current implementation has been tested with the native Axis2 server only.
WSDL for XACMLight was built using XML schema definitions provided by OASIS ([8]-[9]). The latter schema definitions use abstract XML types and substitution groups that are not handled well by Apache Data Binding Frameworks ([5]-[6]). The following WSDL operations have been defined in XACMLight's WSDL and implemented in the scope of this project:
Wsdl Operation | Input | Output | Description | Service
---|---|---|---|---
setPolicyRoot | <xl:SetPolicyRoot> | <xl:Result> | Can be used to set up a root policy or policy set | PAP
setRepo | <xl:Repo> | <xl:Result> | Can be used to set up PDP's policy and attribute local repository (see section 2.1) | PAP
getRepo | <xl:GetRepo> | <xl:Repo> | Returns the current local repository | PAP
getDecision | <ctx:Request> | <ctx:Response> | Gets an authorization decision from the PDP engine | PDP
setPolicies | <pol:PolicySet> | <xl:Result> | Overrides the root policy set. Deprecated in version 2.2: use setPolicyRoot instead | PAP
getPolicies | <xl:GetPolicies> | <pol:PolicySet> | Returns the current root policy set | PAP
setPolicy | <pol:Policy> | <xl:Result> | Overrides a policy with a given policy ID | PAP
getPolicy | <xl:GetPolicy> | <pol:Policy> | Returns a policy with a given policy ID | PAP
addPolicy | <xl:AddPolicy>, PolicySetId - parent | <xl:Result> | Adds a policy with a given policy ID to a policy set with a given policy set ID | PAP
deletePolicy | <xl:DeletePolicy> | <xl:Result> | Deletes a policy with a given policy ID | PAP
where XML namespaces are defined as follows:
Short Name | Full Name | Description
---|---|---
ctx | urn:oasis:names:tc:xacml:2.0:context:schema:os | XACML's 'context' namespace: used for defining authorization requests
pol | urn:oasis:names:tc:xacml:2.0:policy:schema:os | XACML's 'policy' namespace: used for defining authorization policies
xl | http://gryb.info/schemas/xacml/common | XACMLight's 'common' namespace: used for defining XACMLight-specific types
Copying the authz.aar file to the $AXIS2_HOME/repository/services directory is sufficient to make the service work. However, it is recommended to validate the deployment by running a test that is included in the installation. The following steps conduct a shake-up test and validate the service:
send.sh <file> http://localhost:8080/axis2/services/PapService <wsdl-operation> or perl test.pl <XACML-conformance-test-dir> 2>test.txt (see "Test Cases" for details)
XACMLight is a Maven2 [3] project, so Maven2 must be installed before the service can be built. The build machine needs Internet access because Maven downloads dependencies from online repositories. The following steps build the project:
The following useful scripts can be found in the <xacmllight>/bin directory of the source distribution. Please check the sources to find out what the parameters and their default values are.
Script | Description | Purpose
---|---|---
build | Cleans and rebuilds everything including Eclipse [4] projects and settings | Build
clean | Cleans temporary files including files generated by w2j | Build
copy_aar | Builds and deploys authz.aar to $AXIS2_HOME | Build, Deploy
send | Restarts the Axis2 server and sends a message (on Windows only sends, without restart) | Test
simple_send | Sends a message without restarting the Axis2 server | Test
test.pl | Runs tests from the XACML 2.0 Conformance Suite [10] | Test
w2j | Generates proxy classes from WSDL | Build
The following problems were found in the Axis2 framework while implementing XACMLight:
Problem | Description | Workaround
---|---|---
axis2-wsdl2code plugin cannot be used | It looks like this plugin generates ADB [5] classes only, which don't handle XML abstract types well | Use wsdl2java with the -d xmlbeans option instead
SystemTypeHolder.class | wsdl2java generates the class and puts it in the src dir | The class needs to be moved to the target dir. This is done by the 'build' script
ADB classes can't be used | The substitution group and abstract XML type implementations have bugs | Use xmlbeans
xmlbeans bug | The Axis2 server creates 'XmlAnyTypeImpl' instead of the XACML XSD type 'ExpressionType' | See XElementImpl.java for the workaround
Hot deploy doesn't work | It looks like Axis2 needs to be restarted after each deploy | The send script takes care of it
XmlObject.validate throws exceptions | validate throws exceptions for valid XML documents | See Helper.validate
XmlObject.validate "no wildcards" error | validate throws a "no wildcards" error for 'anyAttribute'/lax elements | See Helper.validate
'SNAPSHOT' is the latest XACMLight code; it is available only from the SVN [7] repository at the following URL: https://xacmllight.svn.sourceforge.net/svnroot/xacmllight/trunk
The following versions are available: 2.0, 2.1, 2.2. The latest and recommended stable version is 2.2. The table below provides locations for SVN, source and binary distributions:
Distro Type | Location | Description
---|---|---
Binaries | http://downloads.sourceforge.net/xacmllight/xacmllight-<ver>.tar.gz | Binary tarball
Sources | http://downloads.sourceforge.net/xacmllight/xacmllight-src-<ver>.tar.gz | Source tarball
Sources | https://xacmllight.svn.sourceforge.net/svnroot/xacmllight/tags/<ver> | SVN [7] repository
* Replace <ver> with a version number to get a real URL.
The main test can be performed by running the send.sh authz1.xml (or send.bat authz1.xml) script from the <xacmllight>/bin directory. It sends an authorization request for 10 resources to the PDP engine. On UNIX/Linux it also restarts the Axis2 server; on Windows the Axis2 server must be started and stopped manually.
To test the PAP/PDP engines use the following command:
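The kind of multi-resource request that authz1.xml exercises, and the per-resource Results the PDP sends back, as an added Python example (not XACMLight's own code or one of its test files): build_request emits a single ctx:Request carrying several <Resource> elements, and parse_response reads each Result's Decision together with the Status code and message that explain an Indeterminate. The sample response is constructed for the example, not captured from the service, and the subject, resource and action values are made up.

```python
import xml.etree.ElementTree as ET

CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
STATUS_OK = "urn:oasis:names:tc:xacml:1.0:status:ok"
ET.register_namespace("", CTX)  # serialise ctx elements with a default namespace

def _attr(parent, attr_id, value, data_type=XS_STRING):
    # One ctx:Attribute with a single ctx:AttributeValue under Subject/Resource/Action
    a = ET.SubElement(parent, f"{{{CTX}}}Attribute", AttributeId=attr_id, DataType=data_type)
    ET.SubElement(a, f"{{{CTX}}}AttributeValue").text = value

def build_request(subject_id, resource_ids, action_id):
    """Build one ctx:Request carrying one <Resource> per resource id, so a single
    getDecision call evaluates all of them (the multiple-resources feature)."""
    req = ET.Element(f"{{{CTX}}}Request")
    _attr(ET.SubElement(req, f"{{{CTX}}}Subject"), SUBJECT_ID, subject_id)
    for rid in resource_ids:
        _attr(ET.SubElement(req, f"{{{CTX}}}Resource"), RESOURCE_ID, rid)
    _attr(ET.SubElement(req, f"{{{CTX}}}Action"), ACTION_ID, action_id)
    ET.SubElement(req, f"{{{CTX}}}Environment")
    return ET.tostring(req, encoding="unicode")

def parse_response(response_xml):
    """Map each Result's ResourceId to (Decision, StatusCode value, StatusMessage).
    For an Indeterminate result the status code and message say what went wrong."""
    results = {}
    for res in ET.fromstring(response_xml).iter(f"{{{CTX}}}Result"):
        code = res.find(f"{{{CTX}}}Status/{{{CTX}}}StatusCode")
        results[res.get("ResourceId")] = (
            res.findtext(f"{{{CTX}}}Decision"),
            None if code is None else code.get("Value"),
            res.findtext(f"{{{CTX}}}Status/{{{CTX}}}StatusMessage"),
        )
    return results

# Constructed sample response for a three-resource request; not captured from XACMLight.
SAMPLE_RESPONSE = f"""<Response xmlns="{CTX}">
  <Result ResourceId="file:///docs/a.txt"><Decision>Permit</Decision>
    <Status><StatusCode Value="{STATUS_OK}"/></Status></Result>
  <Result ResourceId="file:///docs/b.txt"><Decision>Deny</Decision>
    <Status><StatusCode Value="{STATUS_OK}"/></Status></Result>
  <Result ResourceId="file:///docs/c.txt"><Decision>Indeterminate</Decision>
    <Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:missing-attribute"/>
    <StatusMessage>Missing subject attribute</StatusMessage></Status></Result>
</Response>"""
```

Save the string returned by build_request to a file and pass it to send.sh with the getDecision operation as described above; parse_response then reads the ctx:Response the PDP returns, and any Result that is not accompanied by the ok status code is the one to look at first.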
send.sh <path-to-file> <service-url> <wsdl-operation>
The valid <path-to-file> and <wsdl-operation> values are provided in the table below:
File | Wsdl Operation | Description | Service
---|---|---|---
authz1.xml | getDecision | Gets an authorization decision from the PDP engine | PDP
policyset.set.xml | setPolicies | Overrides the root policy set | PAP
policyset.get.xml | getPolicies | Returns the current root policy set to a client | PAP
policy.set.xml | setPolicy | Overrides a policy with a given policy ID | PAP
policy.get.xml | getPolicy | Returns a policy with a given policy ID to a client | PAP
policy.del.xml | deletePolicy | Deletes a policy with a given policy ID | PAP
policy.add.xml | addPolicy | Adds a policy with a given policy ID to a policy set with a given policy set ID | PAP
The location of XML sample files:
The URLs for PAP/PDP engines are provided below (assuming that Axis2 server runs on the local machine):
To test the PAP/PDP engines against the official XACML conformance tests [10] use the following command:
perl test.pl <XACML-conformance-test-dir> 2>test.txt
where <XACML-conformance-test-dir> is the directory containing the conformance tests, and test.txt receives the test results.
The total number of tests was 333, out of which 328 were successful and 5 were not applicable. Notes on some mandatory tests are provided below:
Test | Status | Note
---|---|---
IIA004 | Not Applicable | XACMLight doesn't allow a policy or policy set that is not compliant with the XSD [8]
IID029.1-2 | Not Applicable | XACMLight has only one root policy set or policy
IID030.1-2 | Not Applicable | XACMLight has only one root policy set or policy
IIE001 | Passed | The Policy document was changed to use the XACMLight local repository (see info_gryb_xacml_config.xml for details)
IIE002 | Passed | The Policy document was changed to use the XACMLight local repository (see info_gryb_xacml_config.xml for details)
IIE003 | Passed | The Policy document was changed to use the XACMLight local repository (see info_gryb_xacml_config.xml for details)
The total number of optional tests was 44. All of them have been completed successfully using the test.pl utility described above.