
NullPointerException by loading policy

Chris_W
2008-11-20
2013-06-04
  • Chris_W

    Chris_W - 2008-11-20

    Hi,

    I'm trying to develop a web service environment and secure it with the RBAC profile of XACML. I'm using Sun's implementation (the 1.2 version). I'm getting an error when loading one of my policies and I have no idea why. I include the error and the policy here in my post.

    Hopefully someone can help me.

    I got the following error:
    Error reading policy from file permissionDoctor.xml
    java.lang.NullPointerException
            at com.sun.xacml.Rule.getInstance(Unknown Source)
            at com.sun.xacml.Policy.<init>(Unknown Source)
            at com.sun.xacml.Policy.getInstance(Unknown Source)
            at com.sun.xacml.PolicySet.<init>(Unknown Source)
            at com.sun.xacml.PolicySet.getInstance(Unknown Source)
            at com.sun.xacml.finder.impl.FilePolicyModule.loadPolicy(Unknown Source)
            at com.sun.xacml.finder.impl.FilePolicyModule.init(Unknown Source)
            at com.sun.xacml.finder.PolicyFinder.init(Unknown Source)
            at com.sun.xacml.PDP.<init>(Unknown Source)

    the policies:
    policypermission:

    <PolicySet xmlns="urn:oasis:names:tc:xacml:1.0:policy"
        PolicySetId="PPS:doctor:role"
        PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
        <Target>
            <Subjects> <AnySubject/> </Subjects>
            <Resources> <AnyResource/> </Resources>
            <Actions> <AnyAction/> </Actions>
        </Target>
        <Policy PolicyId="Permissions:specifically:for:the:doctor:role"
            RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
            <Target>
                <Subjects> <AnySubject/> </Subjects>
                <Resources> <AnyResource/> </Resources>
                <Actions> <AnyAction/> </Actions>
            </Target>
           
            <Rule RuleID="Permission:to:getHello" Effect="Permit">
                <Target>
                    <Subjects> <AnySubject/> </Subjects>
                    <Resources>
                        <Resource>
                            <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
                                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost:17598/DemoServer/HelloWorldService</AttributeValue>
                                <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                                    DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
                            </ResourceMatch>
                        </Resource>
                    </Resources>
                    <Actions>
                        <Action>
                            <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">getHello1</AttributeValue>
                                <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                    DataType="http://www.w3.org/2001/XMLSchema#string"/>
                            </ActionMatch>
                        </Action>
                    </Actions>                               
                </Target>
            </Rule>
        </Policy>
    </PolicySet>

    role policy:
    <PolicySet xmlns="urn:oasis:names:tc:xacml:1.0:policy"
        PolicySetId="RPS:doctor:role"
        PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
        <Target>
            <Subjects>
                <Subject>
                    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">doctor</AttributeValue>
                        <SubjectAttributeDesignator
                            AttributeId="urn:somapp:attributes:role"
                            DataType="http://www.w3.org/2001/XMLSchema#string"/>
                    </SubjectMatch>
                </Subject>
            </Subjects>
            <Resources> <AnyResource/> </Resources>
            <Actions> <AnyAction/> </Actions>
        </Target>
        <PolicySetIdReference>PPS:doctor:role</PolicySetIdReference>
    </PolicySet>

     
    • Seth Proctor

      Seth Proctor - 2008-11-22

      I suggest schema-checking your policy. Usually when you see a NPE trying to load a policy, it means that some required element is missing. In general, the SunXACML code assumes a valid policy, working on the theory that an enterprise policy will have been generated by a tool or at least schema-validated first. If you check against the XACML schema, you'll probably find the problem, but if not, please reply here and folks can look more closely.

      FYI, if you're still having trouble, it would be helpful to re-run using the debug version so that we can see line numbers. From looking at the stack trace, my guess is that the problem is with your Rule. You've got "RuleID" instead of "RuleId" (the "d" should be lower-case).

      seth

       
    • Chris_W

      Chris_W - 2008-11-24

      Thanks a lot.

      It was indeed "RuleID" that causes the error.

      Is there also a known place to find an already implemented PolicyFinderModule which can handle IdReference? I can't imagine no one else has already implemented this and I don't like double work ;) I can't find one except for the StringPolicyModule. Otherwise I'll try to implement one myself starting from the SamplePolicyFinderModule.

      To try to test the rest of my code already, I have chosen to combine the PPS and RPS into 1 policy as suggested in some posts on this forum. The result is that I'm getting the following message:
      "No applicable policies were found for the request"
      It's probably again something small I overlooked. I think it's maybe because I didn't include a condition tag in my policy like there is in the example from Sun Introduction... But if I look at the RBAC profile, I can't find one either, so I think it's something else. I will include my request and policy, hopefully someone can find the problem.

      ____________________
      Request:

      <Request>
        <Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
                 <Attribute AttributeId="urn:somapp:attributes:role"
                           DataType="http://www.w3.org/2001/XMLSchema#string">
                       <AttributeValue>doctor</AttributeValue>
                 </Attribute>
        </Subject>
        <Resource>
                  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"  
                                    DataType="http://www.w3.org/2001/XMLSchema#anyURI">
                         <AttributeValue>http://localhost:17598/DemoServer/HelloWorldService</AttributeValue>
                  </Attribute>
        </Resource>
        <Action>
                  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                   DataType="http://www.w3.org/2001/XMLSchema#string">
                        <AttributeValue>getHello1</AttributeValue>
                   </Attribute>
        </Action>
      </Request>
      ___________________
      Policy:

      <?xml version="1.0" encoding="UTF-8"?>
      <PolicySet xmlns="urn:oasis:names:tc:xacml:1.0:policy"
          PolicySetId="PPS:doctor:role"
          PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
          <Target>
                  <Subjects> <AnyResource/> </Subjects>
                  <Resources> <AnyResource/> </Resources>
                  <Actions> <AnyAction/> </Actions>
          </Target>
          <Policy PolicyId="Permissions:specifically:for:the:doctor:role"
              RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
              <Target>
                  <Subjects>
                  <Subject>
                      <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                          <AttributeValue
                                   DataType="http://www.w3.org/2001/XMLSchema#string">doctor</AttributeValue>
                          <SubjectAttributeDesignator
                              AttributeId="urn:somapp:attributes:role"
                              DataType="http://www.w3.org/2001/XMLSchema#string"/>
                      </SubjectMatch>
                  </Subject>
              </Subjects>
                  <Resources> <AnyResource/> </Resources>
                  <Actions> <AnyAction/> </Actions>
              </Target>
             
              <Rule RuleId="Permission:to:getHello" Effect="Permit">
                  <Target>
                      <Subjects> <AnySubject/> </Subjects>
                      <Resources>
                          <Resource>
                              <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
                                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">
                                           http://localhost:17598/DemoServer/HelloWorldService
                                   </AttributeValue>
                                  <ResourceAttributeDesignator
                                         AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                                         DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
                              </ResourceMatch>
                          </Resource>
                      </Resources>
                      <Actions>
                          <Action>
                              <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                                  <AttributeValue
                                            DataType="http://www.w3.org/2001/XMLSchema#string">
                                                     getHello1
                                   </AttributeValue>
                                  <ActionAttributeDesignator
                                       AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                      DataType="http://www.w3.org/2001/XMLSchema#string"/>
                              </ActionMatch>
                          </Action>
                      </Actions>                               
                  </Target>
              </Rule>
          </Policy>
      </PolicySet>

       
      • Seth Proctor

        Seth Proctor - 2008-11-28

        With the 2.0 code there are a couple of sample PFMs that handle references. There's also an example in the test code for supporting some of the conformance tests that use references. This issue has come up a lot on the mailing list, but while I've asked I don't think that I've seen any examples posted.

        seth

         
    • Chris_W

      Chris_W - 2008-11-25

      problem solved:

      <Subjects> <AnyResource/> </Subjects>

      Kind of stupid as I thought ;)
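
The two mistakes found in this thread (`RuleID` instead of `RuleId`, and `<AnyResource/>` inside `<Subjects>`) are both schema violations that a check before loading would report. The following is an added example, not part of the original posts or of SunXACML: a small Java lint whose class name `XacmlPolicyLint` and lookup tables are hypothetical, covering only the required attributes and Target children of the XACML 1.0 policy schema, not full XSD validation.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

// Hypothetical helper, not part of SunXACML.
public class XacmlPolicyLint {
    // Required attributes per element in the XACML 1.0 policy schema.
    static final Map<String, List<String>> REQUIRED = Map.of(
        "PolicySet", List.of("PolicySetId", "PolicyCombiningAlgId"),
        "Policy", List.of("PolicyId", "RuleCombiningAlgId"),
        "Rule", List.of("RuleId", "Effect"));
    // Allowed children of the three Target sections in XACML 1.0.
    static final Map<String, List<String>> ALLOWED = Map.of(
        "Subjects", List.of("Subject", "AnySubject"),
        "Resources", List.of("Resource", "AnyResource"),
        "Actions", List.of("Action", "AnyAction"));

    static List<String> lint(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Policies are security-critical input: refuse DOCTYPEs, so no external entities.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        List<String> findings = new ArrayList<>();
        NodeList all = doc.getElementsByTagNameNS("*", "*");
        for (int i = 0; i < all.getLength(); i++) {
            Element e = (Element) all.item(i);
            String name = e.getLocalName();
            // Attribute names are case-sensitive, so RuleID does not satisfy RuleId.
            for (String attr : REQUIRED.getOrDefault(name, List.of()))
                if (!e.hasAttribute(attr))
                    findings.add("<" + name + "> is missing required attribute " + attr);
            List<String> ok = ALLOWED.get(name);
            if (ok == null) continue;
            for (Node c = e.getFirstChild(); c != null; c = c.getNextSibling())
                if (c instanceof Element && !ok.contains(c.getLocalName()))
                    findings.add("<" + c.getLocalName() + "> is not allowed inside <" + name + ">");
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample that reproduces both mistakes from this thread.
        String policy = "<Policy xmlns='urn:oasis:names:tc:xacml:1.0:policy' PolicyId='p'"
            + " RuleCombiningAlgId='urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides'>"
            + "<Target><Subjects><AnyResource/></Subjects><Resources><AnyResource/></Resources>"
            + "<Actions><AnyAction/></Actions></Target>"
            + "<Rule RuleID='r' Effect='Permit'/></Policy>";
        lint(policy).forEach(System.out::println);
    }
}
```

Running such a check on every policy file before it reaches the PDP turns a bare NullPointerException or a silent NotApplicable into a named finding.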

       
    • Chris_W

      Chris_W - 2008-12-14

      Thanks a lot for the advice.

      I read a lot of posts of the mailing list in the archive in advance and indeed didn't find a solution. That's why I asked again for one.

      My program is running at the moment by combining the RPS and PPS in 1 PolicySet. But as you know that is not practical to extend.

      So I tried your 2 suggestions, looking at the 2.0 code and looking at the conformance tests.

      First I looked at the CVS and the 2.0 code and found the StaticPolicyFinderModule and the StaticRefPolicyFinderModule (and of course the supporting classes PolicyCollection and PolicyReader). I adjusted the classes to run it at XACML 1.1. I tried to run it in 2 different ways.

      First I just made a policyList with the RPS included as well as the PPS. I didn't expect it would work because the PPS could be loaded directly without using the reference. With some extra System.out.println, I found that both RPS and PPS were loaded and combined into 1 new policy, with the result that the decision is NotApplicable.

      [class]:[method]:[policySetId]
      StaticPolicyFinderModule: findPolicy: urn:com:sun:xacml:support:finder:dynamic-policy-set
      StaticRefPolicyFinderModule: findPolicy: PPS:doctor:role
      StaticRefPolicyFinderModule: findPolicy: PPS:doctor:role

      What I don't fully understand is why StaticRefPolicyFinderModule has been called twice? If I delete the support to wrap different policies in one new one, I got the 'to many toplevel policies'-error, which is expected.

      Secondly, I loaded the RPS in the StaticPolicyFinderModule and the PPS in the StaticRefPolicyFinderModule. This time I expected that everything would work, but I got the same decision (NotApplicable). Again StaticRefPolicyFinderModule has been called twice.

      StaticPolicyFinderModule: findPolicy: RPS:doctor:role
      StaticRefPolicyFinderModule: findPolicy: PPS:doctor:role
      StaticRefPolicyFinderModule: findPolicy: PPS:doctor:role

      What went wrong in this case?

      Secondly I used the TestPolicyFinderModule from the conformance tests. I used the following code and put it in the SamplePDP to configure the PolicyFinder:

              TestPolicyFinderModule testPolicyModule = new TestPolicyFinderModule();
              testPolicyModule.setPolicies(policiesfiles1);
              HashMap hm = new HashMap();
              hm.put("PPS:doctor:role", policiesfiles2);
              testPolicyModule.setPolicySetRefs(hm, prefix);

              // next, setup the PolicyFinder that this PDP will use
              PolicyFinder policyFinder = new PolicyFinder();
              Set policyModules = new HashSet();
              policyModules.add(testPolicyModule);
              policyFinder.setModules(policyModules);

      policiesfiles1 is the filePath+fileName to the RPS, policiesfiles2 is the fileName from the PPS and prefix is the filePath to PPS.

      I got the following message:
      "PolicyReference with id PPS:doctor:role was queried but was not configured with a PolicyFinder"

      And as a result the decision is "Indeterminate". I can't configure why the PolicyReference would not be configured correctly because I can't see a difference when using StaticRefPolicyFinderModule in my first experiment.

      I know this is a lot of text and hopefully someone will take the time to read it and answer my questions. I will also include my RPS and PPS.

      Many thanks in advance!

      _________________________________
      RPS:
      <PolicySet xmlns="urn:oasis:names:tc:xacml:1.0:policy"
          PolicySetId="RPS:doctor:role"
          PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
          <Target>
              <Subjects>
                  <Subject>
                      <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">doctor</AttributeValue>
                          <SubjectAttributeDesignator
                              AttributeId="urn:somapp:attributes:role"
                              DataType="http://www.w3.org/2001/XMLSchema#string"/>
                      </SubjectMatch>
                  </Subject>
              </Subjects>
              <Resources> <AnyResource/> </Resources>
              <Actions> <AnyAction/> </Actions>
          </Target>
          <PolicySetIdReference>PPS:doctor:role</PolicySetIdReference>
      </PolicySet>
      _________________________
      PPS:
      <PolicySet xmlns="urn:oasis:names:tc:xacml:1.0:policy"
          PolicySetId="PPS:doctor:role"
          PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
          <Target>
              <Subjects> <AnySubject/> </Subjects>
              <Resources> <AnyResource/> </Resources>
              <Actions> <AnyAction/> </Actions>
          </Target>
          <Policy PolicyId="Permissions:specifically:for:the:doctor:role"
              RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
              <Target>
                  <Subjects> <AnySubject/> </Subjects>
                  <Resources> <AnyResource/> </Resources>
                  <Actions> <AnyAction/> </Actions>
              </Target>
             
              <Rule RuleId="Permission:to:voorschrift" Effect="Permit">
                  <Target>
                      <Subjects> <AnySubject/> </Subjects>
                      <Resources>
                          <Resource>
                              <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
                                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost:17598/DemoServer/VoorschriftService</AttributeValue>
                                  <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                                      DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
                              </ResourceMatch>
                          </Resource>
                      </Resources>
                      <Actions>
                          <AnyAction/>
                      </Actions>                               
                  </Target>
              </Rule>
          </Policy>
      </PolicySet>

       
