Cyril Dangerville edited this page Sep 28, 2023 · 15 revisions

AuthzForce supports all the XACML data-types defined in the XACML 3.0 Core specification, plus dnsName-value from the XACML DLP/NAC Profile. The XACML 3.0 Core standard also allows extra attribute data-types not defined in the standard, and AuthzForce can support them, provided that you implement and package them as an Attribute Datatype extension, or obtain such an extension from a third party. The AuthzForce project also provides a separate Datatype extension example for documentation and testing purposes. If you wish to make your own Attribute Datatype extension in order to use a non-standard data-type in your policies, read on.

Making an Attribute Datatype extension

The steps to make your own Attribute Datatype extension for AuthzForce go as follows:

  1. Create a Maven project with jar packaging type and the following Maven dependency:

     ...
     <dependencies>
     ...
      <dependency>
       <groupId>org.ow2.authzforce</groupId>
       <artifactId>authzforce-ce-core-pdp-api</artifactId>
       <!-- Make sure the version matches the one used by the `authzforce-ce-core-pdp-engine` version you are using.-->
       <version>20.0.0</version>
       <!-- 'provided': the API is supplied by the PDP engine at runtime, so it must not be bundled in the extension JAR. -->
       <scope>provided</scope>
      </dependency>
     ...
     </dependencies>
     ...

    Make sure the version matches the one used by the `authzforce-ce-core-pdp-engine` version you are using: the extension is compiled against this API but runs with the engine's copy of it, so a version mismatch may cause the extension to fail to load or to fail at runtime (e.g. NoSuchMethodError).

  2. Create your attribute datatype factory class and your attribute value implementation class (as in the Factory design pattern). The factory class must be public and implement the interface org.ow2.authzforce.core.pdp.api.value.AttributeValueFactory<AV>, where AV is your AttributeValue Implementation Class, i.e. the concrete class representing a value of your datatype; the factory class must have a public no-argument constructor (or no explicit constructor at all), because it is instantiated by the PDP's extension loader.

    To simplify the implementation, instead of implementing the AttributeValueFactory interface directly, extend one of the following AttributeValueFactory sub-classes, whichever applies to your datatype:

    • org.ow2.authzforce.core.pdp.api.value.SimpleValue.StringContentOnlyFactory<AV>: to be extended for text-only primitive datatypes (equivalent to simple XML types). You may use the AuthzForce TestDNSNameWithPortValue class (used in AuthzForce unit tests) as an example. It provides a test implementation of the datatype dnsName-value defined in the XACML Data Loss Prevention / Network Access Control (DLP/NAC) Profile Version 1.0. In this example, the static nested class Factory is the one extending org.ow2.authzforce.core.pdp.api.value.SimpleValue.StringContentOnlyFactory<TestDNSNameWithPortValue>. Such a class has a factory method (TestDNSNameWithPortValue getInstance(String val)) that takes a string argument corresponding to the text content of the XACML AttributeValue (which must not contain any XML element or attribute). This factory method is where the input is validated: it should reject any string that is not a well-formed value of the datatype rather than accept it silently, since policies and requests are evaluated against the values it returns.
    • org.ow2.authzforce.core.pdp.api.value.SimpleValue.Factory<AV>: to be extended for primitive XACML datatypes with XML attributes (equivalent to complex XML types with simple content). An example of such a datatype is xpathExpression, which requires an XML attribute named XPathCategory. Note that the datatype xpathExpression is natively supported, but enabled only if the feature urn:ow2:authzforce:feature:pdp:core:xpath-eval is enabled in the PDP configuration.
    • org.ow2.authzforce.core.pdp.api.value.BaseAttributeValueFactory<AV>: to be extended for structured attributes (XACML 3.0 Core, §8.2) (equivalent to complex XML types with complex content). You may use the AuthzForce TestXACMLPolicyAttributeValue class (used in AuthzForce unit tests) as an example. In this example, the static nested class Factory is the one extending org.ow2.authzforce.core.pdp.api.value.BaseAttributeValueFactory<TestXACMLPolicyAttributeValue>. Such a class has a factory method TestXACMLPolicyAttributeValue getInstance(List<Serializable> content, Map<QName, String> otherAttributes, ...) that creates an instance of your AttributeValue Implementation Class, i.e. TestXACMLPolicyAttributeValue in this case, where the argument otherAttributes represents the XML attributes and the argument content the mixed content of the XACML AttributeValue as parsed by JAXB.
  3. When your implementation is ready, create a text file named org.ow2.authzforce.core.pdp.api.PdpExtension in the folder src/main/resources/META-INF/services (you have to create the folder first) and put the fully qualified name of your factory class (the PdpExtension implementation, e.g. a nested class written with the `$` binary-name separator such as MyValue$Factory) on the first line of this file, like in the example from the AuthzForce source code. This is the standard java.util.ServiceLoader provider-configuration file, which is how the PDP engine discovers extensions on the classpath.

  4. Run Maven package to produce a JAR from the Maven project.
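The discovery mechanism in step 3 is easy to get silently wrong: if the service file is missing, misnamed, or lists the nested factory class with a dot (MyValue.Factory) instead of the binary name (MyValue$Factory), the JAR builds fine but the PDP never finds the extension. The following Python script is an added example, not part of the AuthzForce project, that checks a built extension JAR for these mistakes: it parses the ServiceLoader provider-configuration file the way java.util.ServiceLoader does (one binary class name per line, `#` comments, blank lines ignored) and verifies that every listed class is actually packaged in the JAR. The class name com.example.xacml.DnsNameWithPortValue$Factory and the in-memory JARs are constructed for the demonstration.

```python
import io
import zipfile

# Provider-configuration file read by the PDP engine's ServiceLoader-based
# extension discovery (path from step 3 above).
SERVICE_FILE = "META-INF/services/org.ow2.authzforce.core.pdp.api.PdpExtension"


def parse_service_file(text: str) -> list:
    """Parse a java.util.ServiceLoader provider-configuration file:
    one class name per line, '#' starts a comment, whitespace is ignored."""
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            names.append(line)
    return names


def class_entry(binary_name: str) -> str:
    """JAR entry for a class given its *binary* name. ServiceLoader resolves
    binary names, so a nested factory must be written Outer$Factory."""
    return binary_name.replace(".", "/") + ".class"


def check_extension_jar(jar_bytes: bytes) -> dict:
    """Report which providers the JAR declares, which of them are not packaged
    in it, and whether the PDP engine could load the extension from it."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        entries = set(jar.namelist())
        if SERVICE_FILE not in entries:
            return {"declared": [], "missing": [], "ok": False}
        declared = parse_service_file(jar.read(SERVICE_FILE).decode("utf-8"))
        missing = [n for n in declared if class_entry(n) not in entries]
    return {"declared": declared, "missing": missing,
            "ok": bool(declared) and not missing}


def build_jar(service_text, class_names) -> bytes:
    """Build a constructed in-memory JAR for the demonstration (no real
    bytecode; only the entry names matter for this check)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if service_text is not None:
            jar.writestr(SERVICE_FILE, service_text)
        for name in class_names:
            jar.writestr(class_entry(name), b"\xca\xfe\xba\xbe")  # placeholder
    return buf.getvalue()


# Hypothetical extension: a static nested Factory class, as in the examples above.
FACTORY = "com.example.xacml.DnsNameWithPortValue$Factory"

# Correct: service file lists the binary name of the packaged factory class.
GOOD_JAR = build_jar("# dnsName-value with port, test extension\n" + FACTORY + "\n", [FACTORY])
# Wrong: source-style name with a dot; ServiceLoader cannot resolve it.
BAD_NAME_JAR = build_jar("com.example.xacml.DnsNameWithPortValue.Factory\n", [FACTORY])
# Wrong: service file forgotten entirely; the PDP never sees the extension.
NO_SERVICE_JAR = build_jar(None, [FACTORY])

if __name__ == "__main__":
    for label, jar in (("good", GOOD_JAR), ("dotted nested name", BAD_NAME_JAR),
                       ("no service file", NO_SERVICE_JAR)):
        print(label, check_extension_jar(jar))
```

To check a real JAR produced by Maven, pass the bytes of target/your-extension.jar to check_extension_jar; a non-empty "missing" list or a missing service file means the PDP configuration step below will fail with an unknown datatype identifier, even though the build succeeded.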

Now you have an Attribute Datatype extension ready for integration into AuthzForce Core, as explained in the next section.

Integrating an Attribute Datatype extension into AuthzForce

This section assumes you have an Attribute Datatype extension in the form of a JAR, typically produced by the process described in the previous section. Make sure it is available on the classpath before using it at runtime. If you only wish to test the examples in this documentation, you may use the AuthzForce PDP Core Tests JAR, available on Maven Central: groupId= org.ow2.authzforce, artifactId= authzforce-ce-core-pdp-testutils, version= 16.0.0 (pick the version matching the `authzforce-ce-core-pdp-engine` version you are using).

Enabling an Attribute Datatype extension in AuthzForce PDP

Add an attributeDatatype element to the pdp element of the PDP configuration file (XML), with the identifier of your datatype as its value, i.e. the datatype ID returned by your factory's getId() (for the dnsName-value example above, urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value). The PDP will refuse to start if this identifier does not match any extension found on the classpath, so an unexpected startup failure after this step usually points to a classpath or service-file problem rather than to the configuration itself.