XACML is a powerful way to build access control systems in your application. Here we are going to talk about how to build XACML-driven authorization for an online trading application called “K-Market”. This sample is shipped with the Balana XACML implementation, which can be found here.
The scenario is as follows:
1. K-Market is an online trading company.
2. You can create a user account with K-Market, and the user profile data is stored in their own JDBC user store.
3. K-Market applies some control over online trading based on the customer’s privilege level and customer attributes such as age, email and so on.
4. So they have implemented some access control over online trading.
5. When a customer has finished with his shopping cart and has entered the credit card details, the K-Market access control system is triggered to check whether this is an authorized online purchase.
6. K-Market has the following access control scenarios in the initial phase of their access control system.
7. K-Market has separated customers into three groups, i.e. Blue, Silver and Gold, and has put limits on the items they can buy online.
Blue customers:
Cannot buy any liquor or medicine.
Maximum amount that they can purchase is $100.
Maximum number of drinks they can purchase is 10.
Silver customers:
Cannot buy any liquor.
Maximum amount that they can purchase is $500.
Maximum number of drinks they can purchase is 50.
Maximum number of medicines they can purchase is 50.
Gold customers:
Maximum amount that they can purchase is $500.
Maximum number of liquors they can purchase is 10.
You can find the sample in svn or in the snapshot Balana distribution here, and use the “run” script to try it out.
An attribute finder module is shipped with the sample. In a real deployment this would call the user store and retrieve the user attributes and role data, but this attribute finder has a few hard-coded names and their corresponding groups, as follows:
bob has blue membership
alice has silver membership
peter has gold membership
This sample uses new features of XACML 3.0, i.e. a custom category (called “http://kmarket.com/category”) and advices (they are used with rule elements, so the customer can be told why the purchase failed).
You can extend this sample further just by editing and adding new policies. Let's discuss them later.
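As an added example that is not part of the Balana sample, here is how the Blue customer rules above can be written as one XACML 3.0 policy: the cart's attributes are read from the custom category, and an advice is attached to the first Deny rule so the response says why the purchase failed. The attribute ids under http://kmarket.com/id/ and the advice ids are assumed names, not the sample's own; the drinks limit follows the same pattern as the amount rule.

```xml
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="kmarket-blue-customer-policy" Version="1.0"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
  <!-- Policy target: applies only when the attribute finder reports the subject's group as "blue".
       Attribute ids under http://kmarket.com/id/ are assumed names, not the sample's own. -->
  <Target>
    <AnyOf><AllOf>
      <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">blue</AttributeValue>
        <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
            AttributeId="http://kmarket.com/id/group" MustBePresent="true"
            DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </Match>
    </AllOf></AnyOf>
  </Target>
  <!-- Rule 1: deny if any item type in the cart (sent in the custom category) is liquor or medicine.
       The designator yields a bag, so a cart with several item types is checked in one go. -->
  <Rule RuleId="blue-deny-liquor-medicine" Effect="Deny">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
        <AttributeDesignator Category="http://kmarket.com/category"
            AttributeId="http://kmarket.com/id/itemType" MustBePresent="false"
            DataType="http://www.w3.org/2001/XMLSchema#string"/>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">liquor</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">medicine</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
    <!-- Advice travels with the Deny decision so the application can tell the customer why -->
    <AdviceExpressions>
      <AdviceExpression AdviceId="http://kmarket.com/advice/denied" AppliesTo="Deny">
        <AttributeAssignmentExpression AttributeId="http://kmarket.com/advice/message">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Blue customers cannot buy liquor or medicine</AttributeValue>
        </AttributeAssignmentExpression>
      </AdviceExpression>
    </AdviceExpressions>
  </Rule>
  <!-- Rule 2: deny when the cart total exceeds the Blue limit of $100.
       MustBePresent="true" makes a request without a total evaluate to Indeterminate, not Permit. -->
  <Rule RuleId="blue-deny-over-100-dollars" Effect="Deny">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
          <AttributeDesignator Category="http://kmarket.com/category"
              AttributeId="http://kmarket.com/id/totalAmount" MustBePresent="true"
              DataType="http://www.w3.org/2001/XMLSchema#integer"/>
        </Apply>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">100</AttributeValue>
      </Apply>
    </Condition>
  </Rule>
  <!-- Rule 3: nothing above denied the purchase, so permit it (deny-overrides keeps the denies first) -->
  <Rule RuleId="blue-permit-otherwise" Effect="Permit"/>
</Policy>
```

A request for this policy carries the subject's id in the access-subject category and the cart's item types and total in the http://kmarket.com/category category; the group attribute itself is supplied by the attribute finder rather than by the request.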