Can anyone point me to information on how a XACML interceptor could be defined for WCF Data Services?
Interceptors for WCF Data Services are essentially lambda expressions of type `Expression<Func<T, bool>>` for each entity you have in your data source (more about interceptors). This limits you to quite simple and almost static authorization rules. On the other hand, XACML is a very flexible and dynamic authorization solution. I cannot think of a possible generic way of integration. At the same time, non-generic integrations are quite simple:
```csharp
using System;
using System.Data.Services;      // QueryInterceptorAttribute
using System.Linq;
using System.Linq.Expressions;

[QueryInterceptor("Customers")]
public Expression<Func<Customer, bool>> FilterCustomers()
{
    // First of all you need to get all request attributes.
    // Information could come from the session, from cookies or
    // from the request; in this example I will only use subjectId.
    // In XACML the subjectId could be the user name.
    var subjectId = GetSubjectId();

    // After you have all the data, build the XACML request.
    // This code is specific to our XACML implementation.
    var xacmlRequest = new XacmlDecisionRequestContext()
        .AddRequest(r => r
            .AddResource(a => a.Add(XacmlConstants.ResourceAttributes.ResourceId, new Uri("Customer", UriKind.RelativeOrAbsolute)))
            .AddSubject(a => a.Add(XacmlConstants.SubjectAttributes.SubjectId, subjectId))
        );

    // Evaluate the request against the PDP.
    var result = PolicyDecisionPoint.Evaluate(xacmlRequest);

    // Based on the XACML decision result you can construct the expression.
    // This example is a simple true or false, but based on XACML Advice
    // or XACML Attributes you can build a much more sophisticated expression.
    // The lambda must declare the entity parameter to be a valid
    // Expression<Func<Customer, bool>>; a parameterless "() => true" does not compile.
    if (result.Decisions.Single().Decision == XacmlDecision.Permit)
    {
        return customer => true;
    }
    return customer => false;
}
```
This example assumes that you intercept access to the Customer entity. And it works only for queries. You should place this method in your DataService class.
The example is based on the Axiomatics PEP SDK for .NET (I am working on this product), but the idea will apply to any XACML implementation.

Mike Chaliy
- Interceptors at this level don't offer Attribute Based Access Control (ABAC). This means you can restrict access to a particular collection but not to entities within that collection. – Peter Kelley May 02 '13 at 06:07
- You are correct, there is no extension point in WCF that provides a single place to check if access is permitted for a single entry. There is a good reason for this: it would just be slow (select n+1 problem). So in the end you should have an `Expression<Func<T, bool>>` that actually represents the XACML policy. For such scenarios we propose intercepting [on a lower level](http://www.axiomatics.com/component/rsevents/event/17-webinar-xacml-meets-sql.html). In short, it changes the SQL query to include conditions. Theoretically the same idea is applicable to `Expression<Func<T, bool>>`. – Mike Chaliy May 06 '13 at 15:01
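The answer and the comment thread converge on one point: the interceptor should return an `Expression<Func<T, bool>>` that represents the policy, so that row-level (ABAC) restrictions run inside the query rather than as one PDP call per entity. The following is an added example, not code from the answer or from the Axiomatics SDK. It assumes a hypothetical `PdpResult` carrying the decision plus attribute conditions the policy wants applied to rows (what a real PDP would return as obligations or advice), a `Customer` entity with a `Region` property, and a `PolicyFilter.Build<T>` helper; all of these are constructed for illustration. The helper fails closed: a Deny, or a condition naming a property the entity does not have, yields a constant-false predicate.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Linq.Expressions;

// Hypothetical stand-ins for what a PDP returns (assumption for this example;
// a real SDK has its own result types).
public enum Decision { Permit, Deny }

public sealed class RowCondition
{
    public string PropertyName { get; set; }   // entity property the policy constrains
    public object RequiredValue { get; set; }  // value the row must carry to be visible
}

public sealed class PdpResult
{
    public Decision Decision { get; set; }
    public List<RowCondition> Conditions { get; } = new List<RowCondition>();
}

// Constructed entity for the demo.
public sealed class Customer
{
    public int Id { get; set; }
    public string Region { get; set; }
}

public static class PolicyFilter
{
    // Translate the PDP result into a predicate over the entity type so the
    // filter is applied by the query provider (a single WHERE clause), not by
    // a per-row authorization call.
    public static Expression<Func<T, bool>> Build<T>(PdpResult result)
    {
        var entity = Expression.Parameter(typeof(T), "e");
        var denyAll = Expression.Lambda<Func<T, bool>>(Expression.Constant(false), entity);

        // Deny (or anything that is not an explicit Permit) filters everything out.
        if (result.Decision != Decision.Permit)
            return denyAll;

        Expression body = Expression.Constant(true);
        foreach (var c in result.Conditions)
        {
            var prop = typeof(T).GetProperty(c.PropertyName);
            // Fail closed: a condition we cannot express must not be silently dropped.
            if (prop == null)
                return denyAll;

            var left = Expression.Property(entity, prop);
            var right = Expression.Constant(c.RequiredValue, prop.PropertyType);
            body = Expression.AndAlso(body, Expression.Equal(left, right));
        }
        return Expression.Lambda<Func<T, bool>>(body, entity);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample data and a constructed PDP answer: Permit, but
        // only rows in the subject's region.
        var customers = new List<Customer>
        {
            new Customer { Id = 1, Region = "EMEA" },
            new Customer { Id = 2, Region = "APAC" },
            new Customer { Id = 3, Region = "EMEA" },
        };
        var result = new PdpResult { Decision = Decision.Permit };
        result.Conditions.Add(new RowCondition { PropertyName = "Region", RequiredValue = "EMEA" });

        var filter = PolicyFilter.Build<Customer>(result);
        Console.WriteLine(filter);

        foreach (var c in customers.AsQueryable().Where(filter))
            Console.WriteLine($"Visible: {c.Id} {c.Region}");
    }
}
```

Inside a `[QueryInterceptor("Customers")]` method the last line would simply be `return PolicyFilter.Build<Customer>(result);`, after mapping the real PDP's decision and obligations onto `PdpResult`. Because the returned expression is composed from `Expression.Property`/`Expression.Equal` nodes rather than a compiled delegate, an Entity Framework provider can translate it into SQL, which is the "lower level" interception the comment above refers to.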