
I tried the first sample from http://www.webfarmr.eu/2011/08/xacml-102-xpath-and-xacml/, section "XPath used in a single XACML request". Just in case here is the XACML policy:

<?xml version="1.0" encoding="UTF-8"?>
<xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="xpath-target-single-req" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" Version="1">
  <xacml3:Description/>
<xacml3:PolicyDefaults><xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion></xacml3:PolicyDefaults>
  <xacml3:Target>
    <xacml3:AnyOf>
      <xacml3:AllOf>
        <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Gulliver's travels</xacml3:AttributeValue>
          <xacml3:AttributeSelector Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" Path="/book/title/text()"/>
        </xacml3:Match>
        <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than">
          <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">18</xacml3:AttributeValue>
          <xacml3:AttributeDesignator AttributeId="age" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="false"/>
        </xacml3:Match>
      </xacml3:AllOf>
    </xacml3:AnyOf>
  </xacml3:Target>
  <xacml3:Rule Effect="Permit" RuleId="allow-read">
    <xacml3:Description/>
    <xacml3:Target/>
  </xacml3:Rule>
</xacml3:Policy>

When I use the "Try" option from the Policy Administration page and evaluate my XACML request, the response returns the Permit decision. Note that the policy has not been published yet.

After that I publish the policy, enable it and use the "Try" option from the Tools->XACML menu. The result is "NotApplicable".

I have no other policies, either in the Policy Administration or in the Policy View.

Do XACML policies that contain XPath expressions need some additional configuration? What is wrong with the provided scenario?

EDIT: Found this message in logs:

[2014-07-03 11:13:25,021]  INFO {org.wso2.balana.finder.AttributeFinder} -  Failed to resolve any values for /book/title/text()
Yuriy

2 Answers


Yes. This is a bug in the Identity Server. Please refer to the public jira. However, this is not because XPath is not implemented in Balana, and it is not an issue with Balana. It is related to the Identity Server, which is not properly initializing the Balana engine.

You can even find the fix that is attached to the public jira and try with that fix. You can find more details about the XPath example with Identity Server from here.

Asela
  • Thanks Asela. If anybody else is fighting with the same issue, it is better to put the provided jar file into a separate patch (e.g. patch0009). – Yuriy Nov 25 '14 at 09:25

When I wrote the example, I overlooked adding namespaces. You need to add namespaces and then it should work fine. For instance, the XACML policy becomes:

<xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="xpath-target-single-req" Version="1" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
<xacml3:PolicyDefaults><xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion></xacml3:PolicyDefaults>
     <xacml3:Target>
          <xacml3:AnyOf>
               <xacml3:AllOf>
                    <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                         <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Gulliver&apos;s travels</xacml3:AttributeValue>
                         <xacml3:AttributeSelector Path="/ns1:book/ns1:title/text()" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" xmlns:ns1="http://example.com"/>
                    </xacml3:Match>
                    <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than">
                         <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">18</xacml3:AttributeValue>
                         <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"  AttributeId="age" DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="false"/>
                    </xacml3:Match>
               </xacml3:AllOf>
          </xacml3:AnyOf>
     </xacml3:Target>
     <xacml3:Rule RuleId="allow-read" Effect="Permit">
          <xacml3:Target/>
     </xacml3:Rule>
</xacml3:Policy>

And the XACML request becomes:

<xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false" xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" >
      <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="true">
         <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Joe</xacml-ctx:AttributeValue>
      </xacml-ctx:Attribute>
      <xacml-ctx:Attribute AttributeId="age" IncludeInResult="true">
         <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">14</xacml-ctx:AttributeValue>
      </xacml-ctx:Attribute>
   </xacml-ctx:Attributes>
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" >
      <xacml-ctx:Content>
         <book xmlns="http://example.com">
            <title>Gulliver's travels</title>
            <isbn>xx-yy-zz</isbn>
            <publisher>Axiomatics</publisher>
         </book>
      </xacml-ctx:Content>
   </xacml-ctx:Attributes>
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" >
   </xacml-ctx:Attributes>
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" >
   </xacml-ctx:Attributes>
</xacml-ctx:Request>

Note that I added a namespace definition (ns1, http://example.com). It is important to fully qualify your XPath expression.

If it still doesn't work for you, it may be that Balana (WSO2 IS) doesn't fully implement attribute selectors. I tested it in the Axiomatics Policy Server and it works fine.

HTH, David.

David Brossard
  • Unfortunately this does not work even via "Policy Administration". Response Description: org.apache.xpath.domapi.XPathStylesheetDOM3Exception: Prefix must resolve to a namespace: ns1. The xmlns:ns1 definition is removed from the policy after save. In any case, thank you David for your great response and fully working (at least on another server) sample. – Yuriy Jul 03 '14 at 11:24
  • Then it looks like a bug in the WSO2 IS product. You can always request APS for download from http://www.axiomatics.com – David Brossard Jul 03 '14 at 11:25
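An added example, not code from the question or from either answer, that stands in for the Balana PDP with nothing but Python's standard library: a minimal evaluator for the child-axis XPath subset this policy uses. It shows why the unqualified /book/title/text() finds nothing in a Content document that carries a default namespace (the INFO line in the log), why the ns1-prefixed Path works once xmlns:ns1 is declared in the policy, and what happens when that declaration is stripped on save. The CONTENT and POLICY strings are constructed from the samples in the answer; string_equal_match is a hypothetical name for the Match step.

```python
import io
import xml.etree.ElementTree as ET

# Constructed sample: the <Content> document from the request above and a
# cut-down policy carrying only the AttributeSelector and its xmlns:ns1.
CONTENT = ('<book xmlns="http://example.com"><title>Gulliver\'s travels</title>'
           '<isbn>xx-yy-zz</isbn><publisher>Axiomatics</publisher></book>')
POLICY = ('<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">'
          '<AttributeSelector Path="/ns1:book/ns1:title/text()" '
          'xmlns:ns1="http://example.com"/></Policy>')


def declared_namespaces(policy_xml: str) -> dict:
    """Collect every xmlns[:prefix] declaration in the policy document, the
    scope a PDP has to consult when resolving prefixes in a selector Path."""
    return {prefix: uri for _, (prefix, uri) in
            ET.iterparse(io.BytesIO(policy_xml.encode()), events=("start-ns",))}


def _matches(elem, step: str, nsmap: dict) -> bool:
    """XPath 1.0 name test: 'ns1:title' needs ns1 declared, while a bare
    'title' matches only elements in NO namespace, never a default one."""
    prefix, _, local = step.rpartition(":")
    if not prefix:
        return elem.tag == local
    if prefix not in nsmap:  # the failure seen once xmlns:ns1 was dropped
        raise ValueError(f"Prefix must resolve to a namespace: {prefix}")
    return elem.tag == "{%s}%s" % (nsmap[prefix], local)


def select(content_xml: str, path: str, nsmap: dict) -> list:
    """Evaluate an absolute child-axis XPath, optionally ending in text(),
    against the request Content, as an AttributeSelector does (a bag)."""
    steps = path.strip("/").split("/")
    want_text = steps[-1] == "text()"
    if want_text:
        steps = steps[:-1]
    root = ET.fromstring(content_xml)
    nodes = [root] if _matches(root, steps[0], nsmap) else []
    for step in steps[1:]:
        nodes = [c for n in nodes for c in n if _matches(c, step, nsmap)]
    return [n.text for n in nodes if n.text] if want_text else nodes


def string_equal_match(bag: list, expected: str) -> bool:
    """<Match> with string-equal: true if ANY bag value equals the literal.
    An empty bag (MustBePresent="false") is false, so the Target fails and
    the PDP answers NotApplicable, exactly as reported in the question."""
    return any(v == expected for v in bag)
```

Running select with the unqualified path and an empty namespace map returns an empty bag, which is the NotApplicable case; passing declared_namespaces(POLICY) with the ns1-qualified path returns the title, and the same path without the declaration raises the "Prefix must resolve to a namespace" error from the comment above.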