Resource filtering with XACML Multiple Decision Profile

Resource filtering is one of the useful and powerful features that comes with XACML, and it should become more popular with XACML 3.0 thanks to the Multiple Decision Profile. With the Multiple Decision Profile, the PEP (Policy Enforcement Point) can ask the PDP (Policy Decision Point) for authorization decisions on multiple resources in a single request, and the PEP then only has to keep the resources whose result is Permit. Let's try a filtering sample with WSO2 Balana, from svn or from a snapshot Balana distribution from here…

In a web page there can be various static contents. Let's assume the web page contains various types of static images, and not all users are authorized to view all of them: there are specific permissions for each image. Therefore, before the web page is shown to the user, authorization must be checked for each image and the content the user is authorized to see must be filtered dynamically. Authorization rules can be based on user attributes or on the roles that the user has been assigned.

Let's create the following use case.

1. There is an index.jsp page that can be accessed after the user logs in to the web application.

2. There are three user groups called “publicUsers”, “internalUsers” and “adminUsers”.

3. publicUsers are the users who have registered to view the content of the web site. They are only allowed to see the view.gif and help.gif images.

4. internalUsers are the internal users of the organization. They are allowed to see what publicUsers can see, and also the copy.gif, move.gif and cancel.gif images.

5. adminUsers are the internal admin users of the organization. They can view any image.

An attribute finder module is shipped with this sample. In a real deployment this module would call a user store and retrieve the user's attributes, such as role data, but this sample attribute finder has a few hard-coded names and their corresponding roles, as follows:

bob is assigned to the publicUsers group
alice is assigned to the internalUsers group
peter is assigned to the adminUsers group
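To show the PEP side of the use case above (one request carrying all images, one Result per image, and only the Permit results kept), here is an added Python example; it is not part of the sample or of Balana, and it builds the XACML 3.0 request XML directly rather than using the Balana API. The PDP response for bob is constructed by hand to match the use case (publicUsers may see view.gif and help.gif but not copy.gif).

```python
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
SUBJECT_CAT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
STRING = "http://www.w3.org/2001/XMLSchema#string"

def _add_attribute(request, category, attr_id, value, include_in_result=False):
    """Append one <Attributes> block holding a single string attribute."""
    attrs = ET.SubElement(request, f"{{{NS}}}Attributes", Category=category)
    attr = ET.SubElement(attrs, f"{{{NS}}}Attribute", AttributeId=attr_id,
                         IncludeInResult="true" if include_in_result else "false")
    ET.SubElement(attr, f"{{{NS}}}AttributeValue", DataType=STRING).text = value

def build_multi_resource_request(user, images, action="view"):
    """One request with several resource categories: the PDP answers with one <Result> per resource."""
    ET.register_namespace("", NS)
    req = ET.Element(f"{{{NS}}}Request", CombinedDecision="false", ReturnPolicyIdList="false")
    _add_attribute(req, SUBJECT_CAT, "urn:oasis:names:tc:xacml:1.0:subject:subject-id", user)
    _add_attribute(req, ACTION_CAT, "urn:oasis:names:tc:xacml:1.0:action:action-id", action)
    for image in images:
        # IncludeInResult="true" makes the PDP echo the resource-id inside each <Result>,
        # which is how the PEP maps every decision back to the image it belongs to.
        _add_attribute(req, RESOURCE_CAT, RESOURCE_ID, image, include_in_result=True)
    return ET.tostring(req, encoding="unicode")

def permitted_resources(response_xml):
    """Keep only resources whose <Result> is Permit; Deny, NotApplicable and Indeterminate all drop the image."""
    ns = {"x": NS}
    permitted = []
    for result in ET.fromstring(response_xml).findall("x:Result", ns):
        if result.findtext("x:Decision", namespaces=ns) != "Permit":
            continue
        for attr in result.findall("x:Attributes/x:Attribute", ns):
            if attr.get("AttributeId") == RESOURCE_ID:
                permitted.append(attr.findtext("x:AttributeValue", namespaces=ns))
    return permitted

def _result(decision, image):  # constructed helper: one PDP <Result> for one image
    return (f'<Result><Decision>{decision}</Decision><Attributes Category="{RESOURCE_CAT}">'
            f'<Attribute AttributeId="{RESOURCE_ID}" IncludeInResult="true">'
            f'<AttributeValue DataType="{STRING}">{image}</AttributeValue></Attribute></Attributes></Result>')

# Constructed PDP response for bob (publicUsers) asking for three images.
SAMPLE_RESPONSE = (f'<Response xmlns="{NS}">' + _result("Permit", "view.gif")
                   + _result("Permit", "help.gif") + _result("Deny", "copy.gif") + "</Response>")
```

`build_multi_resource_request("bob", ["view.gif", "help.gif", "copy.gif"])` produces the request the PEP would send, and `permitted_resources(SAMPLE_RESPONSE)` yields the two images index.jsp should render for bob.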

You can simply extend this sample according to your requirements…