XACML restriction policies - xacml

I'm very new to XACML (eXtensible Access Control Markup Language); I'm studying what TSPM (a commercial product that makes use of XACML) can do for some business needs.
So I was looking for an answer to this question:
Let's assume I have a website page with 3 links accessed by a user with a certain application profile.
Is it possible to create a policy which restricts and manages the "links" (let's say until midnight a certain profile user can see just 2 links instead of three) according to some rules?
The main problem is that I can't figure out what a resource is in a XACML assertion, I just found in some documentation this definition:
A resource is anything to which access can be controlled. Examples include XQuery modules and Java methods.
Can anyone help me better understand XACML with real examples?
Thank you all!

(I'm the technical lead for TSPM, or Tivoli Security Policy Manager for others that aren't familiar with the product).
The use case you're describing is definitely possible. You probably don't need to focus on the raw XACML though - we go to a lot of effort to provide a higher-level user interface for authoring policies.
One way to model this would be to have each link be represented by a different structure point in TSPM's UI, with appropriate policy attached to each. For example, two links could have policy that represents "permit all users at any time" and one link could have "permit when current-time is before midnight".
You would then call our runtime before rendering each link to see if the currently authenticated user should be able to view it. You could also make one call to get a list of currently viewable links if you prefer.
You could use the WebSphere Portal tag library or our Authorization API if you're running on WebSphere. If you're not, it's really easy to build a web service client for most platforms that can call our authorization service using XACML over SOAP. For more information on calling the authorization service, see our public wiki.
Edit:
I realized I didn't really address your question, which is about what a resource is in terms of XACML. As you may know, XACML breaks the request context into four sections: Subject, Resource, Action and Environment. Each of these sections contains zero or more Attributes, each with an identifier and a type. A resource in XACML is simply an attribute, or a combination of attributes, from the Resource section that together uniquely identifies whatever you're protecting.
The spec defines the identifier urn:oasis:names:tc:xacml:1.0:resource:resource-id for this purpose, and it can be of any type but is usually a string or a URI.
In your use case, each link might have a string identifier like "link-1", "link-2" and "link-3". Your policy would use these identifiers, and your application would pass these in when requesting a decision for each link.

In XACML you can write policies that take into account any attributes. Attributes are essentially labels that describe a situation. For instance role, citizenship, age, and clearance are all user attributes. Page URL, classification, and location are attributes of the resource (i.e. what the user is trying to access). You can have attributes about the action (edit, view, delete...) and even about the environment.
In your example, you mention that you want to control access to webpages and that you want to take into account the time of the day. To do that you'd write a XACML policy where you would check the URL page of the page and the time of the day.
In pseudocode, that would be:
Permit if resource-id=='/pages/MyPage.jsp' AND current-time>09:00AM AND current-time<05:00PM
In ALFA, a shorthand notation for XACML, this would be:
namespace com.stackoverflow.xacml{
    import Attributes.*
    policy accessPages{
        apply firstApplicable
        rule accessPage1{
            target clause resourceId=="/pages/MyPage.jspx"
                and currentTime>"09:00:00":time
                and currentTime<"17:00:00":time
            permit
        }
    }
}
The ALFA plugin for Eclipse - a free tool - will generate this into XACML 3.0 code:
<?xml version="1.0" encoding="UTF-8"?>
<!--This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com).
Any modification to this file will be lost upon recompilation of the source ALFA file-->
<xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicyId="http://axiomatics.com/alfa/identifier/com.stackoverflow.xacml.accessPages"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
    Version="1.0">
  <xacml3:Description />
  <xacml3:PolicyDefaults>
    <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
  </xacml3:PolicyDefaults>
  <xacml3:Target />
  <xacml3:Rule
      Effect="Permit"
      RuleId="http://axiomatics.com/alfa/identifier/com.stackoverflow.xacml.accessPages.accessPage1">
    <xacml3:Description />
    <xacml3:Target>
      <xacml3:AnyOf>
        <xacml3:AllOf>
          <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <xacml3:AttributeValue
                DataType="http://www.w3.org/2001/XMLSchema#string">/pages/MyPage.jspx</xacml3:AttributeValue>
            <xacml3:AttributeDesignator
                AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                DataType="http://www.w3.org/2001/XMLSchema#string"
                Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                MustBePresent="false"
            />
          </xacml3:Match>
          <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:time-less-than-or-equal">
            <xacml3:AttributeValue
                DataType="http://www.w3.org/2001/XMLSchema#time">09:00:00</xacml3:AttributeValue>
            <xacml3:AttributeDesignator
                AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"
                DataType="http://www.w3.org/2001/XMLSchema#time"
                Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
                MustBePresent="false"
            />
          </xacml3:Match>
          <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:time-greater-than-or-equal">
            <xacml3:AttributeValue
                DataType="http://www.w3.org/2001/XMLSchema#time">17:00:00</xacml3:AttributeValue>
            <xacml3:AttributeDesignator
                AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"
                DataType="http://www.w3.org/2001/XMLSchema#time"
                Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
                MustBePresent="false"
            />
          </xacml3:Match>
        </xacml3:AllOf>
      </xacml3:AnyOf>
    </xacml3:Target>
  </xacml3:Rule>
</xacml3:Policy>
Then all you need to do is send the right authorization question/request from your application to the XACML PDP. Essentially what you will ask is:
Can user Alice access page /pages/MyPage.jsp?
The PDP will then reply with Permit, Deny or NotApplicable.
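To make the request/decision cycle concrete, here is a minimal policy decision point written for this answer's policy. It is an added example, not code from the answer, from Axiomatics or from any XACML product: it builds a condensed copy of the generated policy above (same rule, shorter PolicyId and RuleId), represents the "can user Alice access page X at time T?" question as a request context keyed by attribute category and identifier, and implements only what that policy needs: the three match functions, AnyOf/AllOf targets, MustBePresent handling and the first-applicable combining algorithm. Note that a Match applies its function as f(AttributeValue, request attribute), which is why the generated XML lists 09:00:00 with time-less-than-or-equal, and that because the generated functions are the -or-equal variants the boundaries 09:00:00 and 17:00:00 are permitted.

```python
"""Minimal XACML 3.0 PDP for the time-window policy above (added example)."""
import datetime as dt
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"xacml3": XACML}
FN = "urn:oasis:names:tc:xacml:1.0:function:"
XSD = "http://www.w3.org/2001/XMLSchema#"
RES_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ENV_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
SUBJ_CAT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RES_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
TIME_ID = "urn:oasis:names:tc:xacml:1.0:environment:current-time"
SUBJ_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"

def _match(fn, dtype, value, attr_id, category):
    """Emit one <Match>; as in the generated XML, the AttributeValue comes first."""
    return (f'<xacml3:Match MatchId="{FN}{fn}">'
            f'<xacml3:AttributeValue DataType="{XSD}{dtype}">{value}</xacml3:AttributeValue>'
            f'<xacml3:AttributeDesignator AttributeId="{attr_id}" DataType="{XSD}{dtype}" '
            f'Category="{category}" MustBePresent="false"/></xacml3:Match>')

# Condensed copy of the generated policy above (constructed; same single rule).
POLICY_XML = (
    f'<xacml3:Policy xmlns:xacml3="{XACML}" PolicyId="accessPages" Version="1.0" '
    'RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">'
    '<xacml3:Target/><xacml3:Rule Effect="Permit" RuleId="accessPage1">'
    '<xacml3:Target><xacml3:AnyOf><xacml3:AllOf>'
    + _match("string-equal", "string", "/pages/MyPage.jspx", RES_ID, RES_CAT)
    + _match("time-less-than-or-equal", "time", "09:00:00", TIME_ID, ENV_CAT)
    + _match("time-greater-than-or-equal", "time", "17:00:00", TIME_ID, ENV_CAT)
    + '</xacml3:AllOf></xacml3:AnyOf></xacml3:Target></xacml3:Rule></xacml3:Policy>'
)

# Match functions are called as f(AttributeValue, attribute-from-request).
FUNCTIONS = {
    FN + "string-equal": lambda a, b: a == b,
    FN + "time-less-than-or-equal": lambda a, b: a <= b,
    FN + "time-greater-than-or-equal": lambda a, b: a >= b,
}

def _typed(text, dtype):
    return dt.time.fromisoformat(text) if dtype == XSD + "time" else text

def _eval_match(match, ctx):
    """True, False or 'Indeterminate' for one <Match> against the request context."""
    value = match.find("xacml3:AttributeValue", NS)
    desig = match.find("xacml3:AttributeDesignator", NS)
    dtype = value.get("DataType")
    bag = ctx.get((desig.get("Category"), desig.get("AttributeId")), [])
    if not bag:  # attribute absent: an error only if the policy insisted on it
        return "Indeterminate" if desig.get("MustBePresent") == "true" else False
    lhs = _typed(value.text, dtype)
    return any(FUNCTIONS[match.get("MatchId")](lhs, _typed(x, dtype)) for x in bag)

def _all(results):  # conjunction that propagates Indeterminate
    if False in results:
        return False
    return "Indeterminate" if "Indeterminate" in results else True

def _any(results):  # disjunction that propagates Indeterminate
    if True in results:
        return True
    return "Indeterminate" if "Indeterminate" in results else False

def _eval_target(target, ctx):
    if target is None or len(target) == 0:
        return True  # an empty <Target/> applies to every request
    return _all([_any([_all([_eval_match(m, ctx) for m in allof.findall("xacml3:Match", NS)])
                       for allof in anyof.findall("xacml3:AllOf", NS)])
                 for anyof in target.findall("xacml3:AnyOf", NS)])

def evaluate(policy_xml, ctx):
    """Return Permit, Deny, NotApplicable or Indeterminate for a request context."""
    policy = ET.fromstring(policy_xml)
    outer = _eval_target(policy.find("xacml3:Target", NS), ctx)
    if outer is not True:
        return "NotApplicable" if outer is False else "Indeterminate"
    for rule in policy.findall("xacml3:Rule", NS):  # first-applicable: first hit decides
        hit = _eval_target(rule.find("xacml3:Target", NS), ctx)
        if hit is True:
            return rule.get("Effect")
        if hit == "Indeterminate":
            return "Indeterminate"
    return "NotApplicable"

def request_context(user, page, clock):
    """'Can user X access page Y at time T?' as (category, attribute-id) -> bag of values."""
    return {(SUBJ_CAT, SUBJ_ID): [user], (RES_CAT, RES_ID): [page], (ENV_CAT, TIME_ID): [clock]}

def decide(user, page, clock):
    return evaluate(POLICY_XML, request_context(user, page, clock))

if __name__ == "__main__":
    for clock in ("08:59:59", "09:00:00", "12:30:00", "17:00:01"):
        print(clock, decide("Alice", "/pages/MyPage.jspx", clock))
    print("other page", decide("Alice", "/pages/Other.jspx", "12:30:00"))
```

The request context deliberately carries the subject even though this policy never reads it: the PEP sends everything it knows and the PDP picks the attributes the policy asks for, so adding a role or time-of-day rule later needs no change on the application side. A request with no current-time attribute yields NotApplicable here because the policy set MustBePresent="false"; flipping it to "true" turns the same request into Indeterminate, which is the usual fail-closed choice when a PEP cannot supply an attribute a rule depends on.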

Related

How to restrict publishing of RDF graphs on the Semantic Web?

I am trying to create a sample ontology with some dummy data using protege 5.5. But in the owl file it generated, it is showing something like this:
<?xml version="1.0"?>
<rdf:RDF xmlns="http://www.semanticweb.org/hs/ontologies/2019/3/untitled-ontology-3#"
xml:base="http://www.semanticweb.org/hs/ontologies/2019/3/untitled-ontology-3"
xmlns:owl="http://www.w3.org/2002/07/owl#"
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
xmlns:xml="http://www.w3.org/XML/1998/namespace"
xmlns:xsd="http://www.w3.org/2001/XMLSchema#"
xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#">
<owl:Ontology rdf:about="http://www.semanticweb.org/hs/ontologies/2019/3/untitled-ontology-3"/>
Seems like this data can be accessed publicly (http://www.semanticweb.org/hs/ontologies/2019/3/untitled-ontology-3). I don't wish to publish my data on the Semantic Web. Is there any way to privatise this data? Could not find the answer on the web.
No, just because a URI shows up in an OWL or RDF file doesn't mean the data is publicly accessible. A local file on your computer is just a local file, until you upload it to a server somewhere.
OWL and RDF use URIs mainly just as identifiers—that is, as names that allows different programs and people to work out whether they are talking about the same thing. So, if your ontology and my ontology use the same URI for some entity, we know that we are talking about the same entity. This doesn't mean your ontology or my ontology are publicly accessible, and works even if we keep both ontologies private.
By convention, the owner of a URI gets to decide what entity to use a URI for. This ensures that there are no accidental clashes. Ownership of URIs is based on domain names. For example, the owner of the domain dbpedia.org (the DBpedia project) has decided that http://dbpedia.org/resource/London is a URI that names the city of London. They also happen to publish some data about London at that URI, which is a good way of letting the world know what the URI identifies.
Protégé is actually a bad citizen of the web by encouraging people to use URIs on a domain they don't own (www.semanticweb.org).
If you don't own a domain, you can use http://example.org/ for local experiments and private use, because that domain is explicitly allowed to be used by anyone. But if you actually decide to publish your ontology/data at some point, then you should change to a real domain.

Apache NiFi: Bootstrap UserGroups and Policies with a file based provider

Is it possible to bootstrap UserGroups and Policies with a file based provider?
Currently we use org.apache.nifi.authorization.FileUserGroupProvider to bootstrap an Initial User Identity and org.apache.nifi.authorization.FileAccessPolicyProvider to bootstrap the Initial Admin Identity when setting up a NiFi instance.
I inspected the code of the FileUserGroupProvider as well as the Authorizers.xml Setup in the Administration Guide and I couldn't find anything about bootstrapping UserGroups. I guess the same goes with bootstrapping AccessPolicies using the FileAccessPolicyProvider. I know that it is possible using LDAP, but we don't use that right now.
I already found a similar question here on StackOverflow but the solution is not satisfactory, as we don't want to use the nifi-api for that task if not absolutely necessary. So what I would do is write a new file-based UserGroupProvider and AccessPolicyProvider to fulfill that task.
Is that the only possibility?
Would I use the CompositeUserGroupProvider or the CompositeConfigurableUserGroupProvider for that, so instead of re-implementing the functionality of the FileUserGroupProvider and adding my custom implementation could I use this to combine the functionality?
Meaning something like this:
<userGroupProvider>
    <identifier>composite-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.CompositeUserGroupProvider</class>
    <property name="User Group Provider 1">org.apache.nifi.authorization.FileUserGroupProvider</property>
    <property name="User Group Provider 2">MyFileUserGroupProvider</property>
</userGroupProvider>
What would the configuration look like in the authorizers.xml file?
If my assumption about how to use a CompositeProvider is correct, is there something similar for bootstrapping Policies?
If I understand correctly, you want to automate setting users, groups, and policies to fixed, predefined values.
I would recommend using the FileUserGroupProvider and the FileAccessPolicyProvider, as those both give you the ability to configure users, groups, and policies directly in NiFi itself. You should not have to create custom implementations of a UserGroupProvider or AccessPolicyProvider unless you need to customize the functionality beyond what the included file-based providers can supply.
You said you did not want to use the nifi-api, by which I assume you mean the HTTP REST API. (I am not trying to be pedantic; there is actually a library called nifi-api that is a collection of Java interfaces for NiFi developers to use in writing extensions.) The REST API is a good option I would normally recommend, as there are guarantees on backwards compatibility for NiFi 1.x going forward, but it is not the only way to achieve what you want to do.
You can create users.xml and authorizations.xml files manually (or scripted), outside of NiFi, and you just have to configure the FileUserGroupProvider and AccessUserGroupProvider to use those files (or copy them to the default location for those files in the conf directory). On startup, NiFi reads the contents of these files into memory to create users, groups, and access policies. The Initial User and Initial Admin properties are only used to automate populating these files when they are absent or empty, so if you provide your own copies of these files, they will be used.
The structure of these XML files is fairly simple to create. You can use a NiFi instance to create users, groups, and policies through the UI, and see what is written to these files. You can then create them however you like: the NiFi UI, by hand, or scripted from another source file. Once you have the files created, you can do the "bootstrapping" part by placing them in the NiFi conf dir and (re)starting it. NiFi does not regenerate or modify these files unless users, groups, and policies are modified in the UI.
The only downside with this approach is that these files are not guaranteed to have a stable schema going forward, so new fields could be added or changed over time. That said, they have been stable for the last several versions of NiFi.
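The "scripted from another source file" route the answer describes, as an added example (not the answer's code and not from the NiFi project). It generates users.xml and authorizations.xml from a small declarative description, gives every user, group and policy a deterministic identifier so that re-running the script never breaks the cross-references between the two files, refuses to emit a policy that names an unknown user or group, and includes a checker that reads both files back and reports dangling identifiers. The element layout (tenants/groups/users and authorizations/policies, with user and group references by identifier) is assumed from files a NiFi 1.x instance writes; as the answer warns, that schema is not guaranteed stable, so diff the output against files your own version generates, as the answer suggests, before relying on it. Identities, group names and resource paths below are constructed sample values.

```python
"""Generate users.xml and authorizations.xml for NiFi's file-based providers (added example)."""
import uuid
import xml.etree.ElementTree as ET

def ident(kind, name):
    """Deterministic identifier (assumption: NiFi only needs it to be unique), so
    re-generating the files keeps user/group references between them intact."""
    return str(uuid.uuid5(uuid.NAMESPACE_URL, f"nifi-{kind}:{name}"))

def build_tenants(users, groups):
    """users: list of identities (DNs); groups: {group name: [member identity, ...]}."""
    root = ET.Element("tenants")
    groups_el, users_el = ET.SubElement(root, "groups"), ET.SubElement(root, "users")
    for name, members in groups.items():
        group = ET.SubElement(groups_el, "group", identifier=ident("group", name), name=name)
        for member in members:
            if member not in users:
                raise ValueError(f"group {name!r} references unknown user {member!r}")
            ET.SubElement(group, "user", identifier=ident("user", member))
    for identity in users:
        ET.SubElement(users_el, "user", identifier=ident("user", identity), identity=identity)
    return ET.tostring(root, encoding="unicode")

def build_authorizations(policies, users, groups):
    """policies: list of (resource, action, {"users": [...], "groups": [...]}); action is R or W."""
    root = ET.Element("authorizations")
    policies_el = ET.SubElement(root, "policies")
    for resource, action, who in policies:
        if action not in ("R", "W"):
            raise ValueError(f"action must be R or W, got {action!r}")
        policy = ET.SubElement(policies_el, "policy", resource=resource, action=action,
                               identifier=ident("policy", f"{action}:{resource}"))
        for name in who.get("groups", []):
            if name not in groups:
                raise ValueError(f"policy {resource} references unknown group {name!r}")
            ET.SubElement(policy, "group", identifier=ident("group", name))
        for identity in who.get("users", []):
            if identity not in users:
                raise ValueError(f"policy {resource} references unknown user {identity!r}")
            ET.SubElement(policy, "user", identifier=ident("user", identity))
    return ET.tostring(root, encoding="unicode")

def dangling_references(tenants_xml, authorizations_xml):
    """Identifiers referenced by groups or policies that no user/group defines (empty = consistent)."""
    tenants, auth = ET.fromstring(tenants_xml), ET.fromstring(authorizations_xml)
    # Top-level users carry an identity attribute; member references inside <group> do not.
    known = {u.get("identifier") for u in tenants.iter("user") if u.get("identity")}
    known |= {g.get("identifier") for g in tenants.iter("group")}
    used = {e.get("identifier") for g in tenants.iter("group") for e in g.iter("user")}
    used |= {e.get("identifier") for p in auth.iter("policy") for e in list(p)}
    return used - known

def write_bootstrap(conf_dir, users, groups, policies):
    """Write both files into a NiFi conf directory before the first start-up."""
    for name, xml in (("users.xml", build_tenants(users, groups)),
                      ("authorizations.xml", build_authorizations(policies, users, groups))):
        ET.ElementTree(ET.fromstring(xml)).write(f"{conf_dir}/{name}",
                                                 encoding="UTF-8", xml_declaration=True)

# Constructed sample: one admin, one operators group with read-only access to the flow.
SAMPLE_USERS = ["CN=admin, OU=NiFi", "CN=alice, OU=NiFi"]
SAMPLE_GROUPS = {"operators": ["CN=alice, OU=NiFi"]}
SAMPLE_POLICIES = [
    ("/flow", "R", {"users": ["CN=admin, OU=NiFi"], "groups": ["operators"]}),
    ("/tenants", "R", {"users": ["CN=admin, OU=NiFi"]}),
    ("/tenants", "W", {"users": ["CN=admin, OU=NiFi"]}),
    ("/policies", "R", {"users": ["CN=admin, OU=NiFi"]}),
    ("/policies", "W", {"users": ["CN=admin, OU=NiFi"]}),
]

if __name__ == "__main__":
    print(build_tenants(SAMPLE_USERS, SAMPLE_GROUPS))
    print(build_authorizations(SAMPLE_POLICIES, SAMPLE_USERS, SAMPLE_GROUPS))
```

Run the checker against files exported from a running instance as well as against generated ones: a policy that names an identifier no user or group defines is silently ineffective, and catching that at generation time is cheaper than discovering it after a restart.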

Deploying Outlook Add-in by region

I can't seem to find an answer to this one in the MS docs, but I have an MS Outlook add-in, that due to some regulations, we would like to deploy across multiple web servers in different regions (US, EU, APAC, etc).
Is it possible, through the manifest.xml file, to target a specific web host based on the client's region. If not, is it possible to create multiple XML files and have the Office Store distribute them on a per region basis.
I'm trying to avoid having multiple per region add-ins available in the store and assuming the user will choose the correct one.
Yes, it is possible. You simply use Override element on your Url, as in example:
<bt:String id="insertGistLabel" DefaultValue="Insert Gist">
<bt:Override Locale="es-ES" Value="Inserte el Gist"/>
</bt:String>
So in your case it would be something like:
<bt:Urls>
    <bt:Url id="messageReadTaskPaneUrl" DefaultValue="https://[hostname]/index.html">
        <bt:Override Locale="es-ES" Value="https://[hostname]/el-indexo.html"/>
    </bt:Url>
</bt:Urls>
You can add as many locales as you want.

What is Localizing SQL Repository Definitions in ATG?

I read the documents but I don't clearly understand what is explained in this link.
Can somebody explain in detail what it is and what the author tries to explain in that little explanation?
here is the link:
http://docs.oracle.com/cd/E23095_01/Platform.93/RepositoryGuide/html/s0901localizingsqlrepositorydefinitio01.html
When a user uses the BCC it picks up the language locale from their RequestLocale. This will then, using the standard Java Resource Bundle functionality, allow you to customise the labels next to each one of the elements inside the BCC.
As an example the following definition:
<table name="XXX_MEDIA_CATEGORY" type="auxiliary" id-column-name="MEDIA_ID">
    <property name="buttonText" data-type="string" column-name="BUTTON_TEXT" display-name-resource="buttonText" category-resource="categoryBasics" default="GO BUTTON">
        <attribute name="propertySortPriority" value="8" />
        <attribute name="resourceBundle" value="atg.projects.store.StoreCatalogTemplateResources" />
    </property>
</table>
If you have a StoreCatalogTemplateResources.properties file with the following property:
buttonText=Media Category Button
It will show up in the BCC editor for the Media Category Item as Media Category Button.
The localisation of the SQLRepository items only applies to the BCC editor and does not translate any of the value properties within the repository. To do this you will need to implement some sort of translation solution yourself (ATG 9.x does not come with a data localisation strategy out-of-the-box), though there were some available to purchase from third-party vendors. ATG 10.x has now implemented a working version of localising repository data.
A resource bundle is a Java .properties file that contains locale-specific data (Resource bundles contain locale-specific objects.)
http://en.wikipedia.org/wiki/Java_resource_bundle
http://docs.oracle.com/javas/6/docs/api/java/util/ResourceBundle.html
In short, you can create a file with translation phrases that will be shown when someone uses the Control Center's Repository Editors.

RESTful api design, HATEOAS and resource discovery

One of the core ideas behind HATEOAS is that clients should be able to start from single entry point URL and discover all exposed resources and state transitions available for those. While I can perfectly see how that works with HTML and a human behind a browser clicking on links and "Submit" buttons, I'm quizzed about how this principle can be applied to problems I'm (un)lucky to deal with.
I like how RESTful design principle is presented in papers and educational articles where it all makes sense, How to GET a Cup of Coffee is a good example of such. I'll try to follow convention and come up with an example which is simple and free from tedious details. Let's look at zip codes and cities.
Problem 1
Let's say I want to design RESTful api for finding cities by zip codes. I come up with resources called 'cities' nested into zip codes, so that GET on http://api.addressbook.com/zip_codes/02125/cities returns document containing, say, two records which represent Dorchester and Boston.
My question is: how can such a URL be discovered through HATEOAS? It's probably impractical to expose an index of all ~40K zip codes under http://api.addressbook.com/zip_codes. Even if it's not a problem to have a 40K item index, remember that I've made this example up and there are collections of much greater magnitude out there.
So essentially, I would want to expose not a link but rather a link template, like this: http://api.addressbook.com/zip_codes/{:zip_code}/cities, and that goes against the principles and relies on out-of-band knowledge possessed by the client.
Problem 2
Let's say I want to expose cities index with certain filtering capabilities:
GET on http://api.addressbook.com/cities?name=X would return only cities with names matching X.
GET on http://api.addressbook.com/cities?min_population=Y would only return cities with population equal or greater than Y.
Of course these two filters can be used together: http://api.addressbook.com/cities?name=X&min_population=Y.
Here I'd like to expose not only the URL, but also these two possible query options and the fact that they can be combined. This seems to be simply impossible without the client's out-of-band knowledge of the semantics of those filters and the principles behind combining them into dynamic URLs.
So how can the principles behind HATEOAS help make such a trivial API really RESTful?
I suggest using XHTML forms:
GET /
HTTP/1.1 OK
<form method="get" action="/zip_code_search" rel="http://api.addressbook.com/rels/zip_code_search">
<p>Zip code search</p>
<input name="zip_code"/>
</form>
GET /zip_code_search?zip_code=02125
HTTP/1.1 303 See Other
Location: /zip_code/02125
What's missing in HTML is a rel attribute for form.
Check out this article:
To summarize, there are several reasons to consider XHTML as the default representation for your RESTful services. First, you can leverage the syntax and semantics for important elements like <a>, <form>, and <input> instead of inventing your own. Second, you'll end up with services that feel a lot like sites because they'll be browsable by both users and applications. The XHTML is still interpreted by a human—it's just a programmer during development instead of a user at runtime. This simplifies things throughout the development process and makes it easier for consumers to learn how your service works. And finally, you can leverage standard Web development frameworks to build your RESTful services.
Also check out OpenSearch.
To reduce the number of request consider this response:
HTTP/1.1 200 OK
Content-Location: /zip_code/02125
<html>
<head>
<link href="/zip_code/02125/cities" rel="related http://api.addressbook.com/rels/zip_code/cities"/>
</head>
...
</html>
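A client that actually drives the exchange this answer proposes, as an added example (not the answer's code). The point it demonstrates is the one the question doubts: the client is compiled with knowledge of two link relations only, never with a URL template. It reads the entry point, finds the form by rel, builds the search request from the form's own action, method and input names, follows the 303 to the zip-code representation, and then picks the cities link out of that document by rel. The HTTP side is simulated by an in-memory table whose responses are copied from the answer, so the example runs offline; the rel values and paths are the answer's.

```python
"""Hypermedia client for the XHTML form exchange above (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlencode, urljoin

SEARCH_REL = "http://api.addressbook.com/rels/zip_code_search"
CITIES_REL = "http://api.addressbook.com/rels/zip_code/cities"

ENTRY_HTML = """<form method="get" action="/zip_code_search" rel="http://api.addressbook.com/rels/zip_code_search">
<p>Zip code search</p>
<input name="zip_code"/>
</form>"""

ZIP_HTML = """<html>
<head>
<link href="/zip_code/02125/cities" rel="related http://api.addressbook.com/rels/zip_code/cities"/>
</head>
...
</html>"""

# Constructed stand-in for the server: path -> (status, headers, body).
SERVER = {
    "/": (200, {}, ENTRY_HTML),
    "/zip_code_search?zip_code=02125": (303, {"Location": "/zip_code/02125"}, ""),
    "/zip_code/02125": (200, {"Content-Location": "/zip_code/02125"}, ZIP_HTML),
}

class Hypermedia(HTMLParser):
    """Collects <form> elements (with their <input> names) and <link> elements, with rel values."""

    def __init__(self):
        super().__init__()
        self.forms, self.links, self._form = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"rel": a.get("rel", "").split(), "action": a.get("action"),
                          "method": a.get("method", "get").upper(), "inputs": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            self._form["inputs"].append(a["name"])
        elif tag == "link":  # rel is a space-separated list: 'related' and the URI both match
            self.links.append({"rel": a.get("rel", "").split(), "href": a.get("href")})

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def parse(html):
    doc = Hypermedia()
    doc.feed(html)
    return doc

def find_form(doc, rel):
    for form in doc.forms:
        if rel in form["rel"]:
            return form
    raise LookupError(f"document exposes no form with rel {rel}")

def find_link(doc, rel):
    for link in doc.links:
        if rel in link["rel"]:
            return link
    raise LookupError(f"document exposes no link with rel {rel}")

def http_get(path, hops=0):
    """Simulated GET that follows redirects; returns (final path, body)."""
    status, headers, body = SERVER[path]
    if status in (301, 302, 303, 307, 308) and hops < 5:
        return http_get(headers["Location"], hops + 1)
    return path, body

def submit(base, form, values):
    """Build the request the form describes; reject fields the form did not offer."""
    if set(values) != set(form["inputs"]):
        raise ValueError(f"form expects {form['inputs']}, got {sorted(values)}")
    if form["method"] != "GET":
        raise NotImplementedError("only GET forms are simulated here")
    return urljoin(base, form["action"]) + "?" + urlencode(values)

def cities_url_for_zip(zip_code):
    """Entry point -> search form -> 303 -> zip-code document -> cities link."""
    _, entry = http_get("/")
    form = find_form(parse(entry), SEARCH_REL)
    final_path, body = http_get(submit("/", form, {"zip_code": zip_code}))
    link = find_link(parse(body), CITIES_REL)
    return final_path, urljoin(final_path, link["href"])

if __name__ == "__main__":
    print(cities_url_for_zip("02125"))
```

If the server later renames /zip_code_search or adds a second input, this client keeps working (or fails loudly in submit) without a code change, which is the property the rel-on-form proposal buys: the only contract is the pair of relation names, and submit refuses to send parameters the form never advertised.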
This solution comes to mind, but I'm not sure that I'd actually recommend it: instead of returning a resource URL, return a WADL URL that describes the endpoint. Example:
<application xmlns="http://wadl.dev.java.net/2009/02" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <grammars/>
    <resources base="http://localhost:8080/cities">
        <resource path="/">
            <method name="GET">
                <request>
                    <param name="name" style="query" type="xs:string"/>
                    <param name="min-population" style="query" type="xs:int"/>
                </request>
                <response>
                    <representation mediaType="application/octet-stream"/>
                </response>
            </method>
        </resource>
    </resources>
</application>
That example was autogenerated by CXF from this Java code:
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Response;

// JAX-RS resource class; the WADL above is derived from these annotations.
@Path("/")
public class Cities {
    @GET
    public Response get(@QueryParam("name") String name,
                        @QueryParam("min-population") int minPopulation) {
        // TODO: build the real response
        return Response.ok().build();
    }
}
In answer to question 1, I'm assuming your single entry point is http://api.addressbook.com/zip_codes, and the intention is to enable the client to traverse the entire collection of zip codes and ultimately retrieve the cities related to them.
In which case I would make the http://api.addressbook.com/zip_codes resource return a redirect to the first page of zip codes, for example:
http://api.addressbook.com/zip_codes?start=0&end=xxxx
This would contain a "page" worth of zip code links (whatever number is suitable for the system to handle), plus a link to the next page (and previous page if there is one).
This would enable a client to crawl the entire list of zip codes if it so desired.
The urls returned in each page would look similar to this:
http://api.addressbook.com/zip_codes/02125
And then it would be a matter of deciding whether to include the city information in the representation returned by a zip code URL, or the link to it depending on the need.
Now the client has a choice whether to traverse the entire list of zip codes and then request the zipcode (and then cities) for each, or request a page of zip codes, and then request drill down to a parti
I was running into these same questions - so I worked through a practical example that solves both of these problems (and a few you haven't thought of yet). http://thereisnorightway.blogspot.com/2012/05/api-example-using-rest.html?m=1
Basically, the solution to problem 1 is that you change your representation (as Roy says, spend your time on the resource). You don't have to return all zips, just make your resource contain paging. As an example, when you request news pages from a news site it gives you today's news, and links to more, even though all the articles may live under the same URL structure, i.e. ...article/123, etc.
Problem 2 is a little awkward: there is a little-used command in HTTP called OPTIONS that I used in the example to basically reflect the URL's capability, although you could solve this in the representation too, it would just be more complicated. Basically, it gives back a custom structure that shows the capabilities of the resource (including optional parameters).
Let me know what you think!
I feel like you skipped over the bookmark URL. That is the first url, not the ones to get cities or zip codes.
So you start at ab:=http://api.addressbook.com
This first link returns a list of available links. This is how the web works. You go to www.yahoo.com and then you start clicking links not knowing where they go.
So from the original link ab: you would get back the other links and they could have REL links that explain how those resources should be accessed or what parameters can be submitted.
The first thing we did when designing our systems was to start from the bookmark page and determine all the different links that could be accessed.
I do agree with you about the 'client's out-of-band knowledge of semantics of those filters'; it's hard for me to buy that a machine can just adapt to what is there unless it had some preconceived specification like HTML. It's more likely that the client is built by a developer who knows all the possibilities and then codes the application to 'potentially' expect those links to be available. If the link is available then the program can use the logic the developer implemented prior to act on the resource. If it's not there then it just doesn't execute the link. In the end the possible paths are laid out prior to beginning to traverse the application.