XPath in XACML – Part 1

XPath is playing an import role in XACML when policies are evaluated for XML based data. When XML data is passed across nodes, PEP can be an interception point that calls the PDP with passing XML data. Based on the XML data, PDP can take decisions.  Let see how we can develop simple policy that can be used to evaluate a XML data.

Lets take very simple use case.

  • There is medi.com health care application where online registered user (patient, doctors and so on) can examine patient data.
  • Patient data store returns any data that is requested for given patient id regardless of the login user to application.
  • Medi.com has authorization interceptor (PEP) between their web application and patient data store.  PEP would authorizes the requested data by calling to a PDP.
  • One authorization rule is “Users can only read his own patient data”

Lets build a policy for this

XACML Policy

Policy says “User can only read his own patient data”.  As an example,  you login to the medi.com web application with patient id “bob” then you can only read patient data that is store for “bob”


<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"  PolicyId="medi-xpath-test-policy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
<Description>XPath evaluation is done with respect to content elementand check for a matching value. Here content element has been bounded with custom namespace and prefix</Description>
<PolicyDefaults>
<XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</XPathVersion>
</PolicyDefaults>
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
<AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"></AttributeDesignator>
</Match>
</AllOf>
</AnyOf>
</Target>
<Rule RuleId="rule1" Effect="Permit">
<Description>Rule to match value in content element using XPath</Description>
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
<Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"></Function>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"></AttributeDesignator>
</Apply>
<AttributeSelector MustBePresent="false" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" Path="//ak:record/ak:patient/ak:patientId/text()" DataType="http://www.w3.org/2001/XMLSchema#string"></AttributeSelector>
</Apply>
</Condition>
</Rule>
<Rule RuleId="rule2" Effect="Deny">
<Description>Deny rule</Description>
</Rule>
</Policy>

For try out this policy,  I am using WSO2 Identity Server which is open source XACML server. You can upload this policy in to the PAP of WSO2 Identity Server

xpath0

xpath1

XACML  Request

In the XACML request XML data is send to the PDP by the PEP interceptor.  XACML request contains the XML data under the content element

<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" ReturnPolicyIdList="false" CombinedDecision="false">
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" >
<Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">bob</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<Content>
<ak:record xmlns:ak="http://akpower.org">
<ak:patient>
<ak:patientId>bob</ak:patientId>
<ak:patientName>
<ak:first>Bob</ak:first>
<ak:last>Allan</ak:last>
</ak:patientName>
<ak:patientContact>
<ak:street>51 Main road</ak:street>
<ak:city>Gampaha</ak:city>
<ak:state>Western</ak:state>
<ak:zip>11730</ak:zip>
<ak:phone>94332189873</ak:phone>
<ak:email>asela@gmail.com</ak:email>
</ak:patientContact>
<ak:patientDoB>1991-05-11</ak:patientDoB>
<ak:patientGender>male</ak:patientGender>
</ak:patient>
</ak:record>
</Content>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
</Attribute>
</Attributes>
</Request>

You can try out this request with the policy that is uploaded in to WSO2 Identity Server.

xpath2

xpath3

xpath4

XACML Response

PEP can get the decision based the result of the PDP

<Response>
<Result>
<Decision>Permit</Decision>
<Status>
<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
</Status>
</Result>
</Response>

Lets build some complex scenario later…. :)

About these ads

2 thoughts on “XPath in XACML – Part 1

  1. Hi Asela, i tried to upload the policy but the server turns to me that error “Entitlement policy is not updated. Error is :Unsupported Entitlement Policy. Policy can not be parsed”
    taking account that my server is working normally and i can upload simple policy

    • Did you upload above XPath policy? If could you try again. Because I did some update with it.. (there was some end of the line issue with it.) Or if not, Could you please let us know the policy

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s