I'm a student trying to use Sun XACML to implement role-based access control based on the profile found at the OASIS web site. Now I'm trying to run the example found in the PDF file, but when I introduce the 3 policies into the PDP I always receive a "Too many top level policy…" message.
Can anyone help me? I don't even know if it's possible to use Sun XACML to do that.
Thanks
PS: Sorry for my bad English.
Please look at the forum and mailing list archives where this has been discussed in detail. If a Finder produces more than one Policy that applies to your Request you'll see this message. The solution is either to group your applicable policies under a single root PolicySet or to create your own PolicyFinder that understands how to do this for you dynamically.
seth
Hi,
If I load 2 policy sets, where the second depends on the first, I also get the "Too many top level policy…" message.
E.g.
import java.io.*;
import java.util.*;
import com.sun.xacml.*;
import com.sun.xacml.ctx.*;
import com.sun.xacml.finder.*;
import com.sun.xacml.finder.impl.*;

public class RbacPdpTest {
    public static void main(String[] args) throws Exception {
        // Both files are loaded as top-level policies; the PDP tests each one against the request.
        FilePolicyModule filePolicyModule = new FilePolicyModule();
        filePolicyModule.addPolicy("ps1.xml");
        filePolicyModule.addPolicy("ps2.xml");
        Set<PolicyFinderModule> policyModules = new HashSet<PolicyFinderModule>();
        policyModules.add(filePolicyModule);
        PolicyFinder policyFinder = new PolicyFinder();
        policyFinder.setModules(policyModules);

        // Attribute finder: current date/time attributes plus AttributeSelector (XPath) support.
        CurrentEnvModule envAttributeModule = new CurrentEnvModule();
        SelectorModule selectorAttributeModule = new SelectorModule();
        AttributeFinder attributeFinder = new AttributeFinder();
        List<AttributeFinderModule> attributeModules = new ArrayList<AttributeFinderModule>();
        attributeModules.add(envAttributeModule);
        attributeModules.add(selectorAttributeModule);
        attributeFinder.setModules(attributeModules);

        // No ResourceFinder is needed for this request, so pass null.
        PDP pdp = new PDP(new PDPConfig(attributeFinder, policyFinder, null));
        RequestCtx request = RequestCtx.getInstance(new FileInputStream(new File("data/request.xml")));
        ResponseCtx response = pdp.evaluate(request);
    }
}
1st policy set
<PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
    PolicySetId="RPS:employee:role"
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
  <Target>
    <Subjects>
      <Subject>
        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">employee</AttributeValue>
          <SubjectAttributeDesignator
              AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
              DataType="http://www.w3.org/2001/XMLSchema#anyURI" />
        </SubjectMatch>
      </Subject>
    </Subjects>
  </Target>
  <!-- Use permissions associated with the employee role -->
  <PolicySetIdReference>PPS:employee:role</PolicySetIdReference>
</PolicySet>
2nd policy set
<PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
    PolicySetId="PPS:employee:role"
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
  <Target />
  <!-- Permissions specifically for the employee role -->
  <Policy PolicyId="Permissions:specifically:for:the:employee:role"
      RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
    <Target />
    <!-- Permission to create a purchase order -->
    <Rule RuleId="Permission:to:create:a:purchase:order" Effect="Permit">
      <Target>
        <Resources>
          <Resource>
            <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <!-- Value kept on one line: string-equal is whitespace-sensitive -->
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">purchase order</AttributeValue>
              <ResourceAttributeDesignator
                  AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                  DataType="http://www.w3.org/2001/XMLSchema#string" />
            </ResourceMatch>
          </Resource>
        </Resources>
        <Actions>
          <Action>
            <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create</AttributeValue>
              <!-- Standard action-id, the same AttributeId the HasPrivilegesOfRole rule below uses -->
              <ActionAttributeDesignator
                  AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                  DataType="http://www.w3.org/2001/XMLSchema#string" />
            </ActionMatch>
          </Action>
        </Actions>
      </Target>
    </Rule>
  </Policy>
  <!-- HasPrivilegesOfRole Policy for employee role -->
  <Policy PolicyId="Permission:to:have:employee:role:permissions"
      RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
    <Target />
    <!-- Permission to have employee role permissions -->
    <Rule RuleId="Permission:to:have:employee:permissions" Effect="Permit">
      <Condition>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">employee</AttributeValue>
            <ResourceAttributeDesignator
                AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
                DataType="http://www.w3.org/2001/XMLSchema#anyURI" />
          </Apply>
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">urn:oasis:names:tc:xacml:2.0:actions:hasPrivilegesOfRole</AttributeValue>
            <ActionAttributeDesignator
                AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                DataType="http://www.w3.org/2001/XMLSchema#anyURI" />
          </Apply>
        </Apply>
      </Condition>
    </Rule>
  </Policy>
</PolicySet>
There is a reference from the 1st PolicySet to the 2nd, done through "<PolicySetIdReference>PPS:employee:role</PolicySetIdReference>".
I would like to implement role inheritance. This example is similar to the one from the XACML specification.
Is it possible to do it in this manner? Is there another way to do it?
As I already explained in this thread, if you have multiple top-level policies that apply to a given request the system can't decide which to choose. Either make the policies mutually exclusive, group them under a single PolicySet or write your own module. Grouping under a single PolicySet is usually the easiest solution here.
seth
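The "group under a single PolicySet" fix from both of seth's replies, written out against the policies posted above. This is an added example, not code from the original posts or from the Sun XACML project: the file name root.xml and the PolicySetId RBAC:root are assumptions, and the HasPrivilegesOfRole policy is left out to keep the file short. The root has an empty Target, so it is the one top-level policy that applies to every request; the role check happens only in the Target of the nested RPS, and the PPS is nested inline inside that RPS instead of being loaded as its own file, so its empty Target can no longer make it a second applicable top-level policy.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- root.xml (assumed name): the only file handed to FilePolicyModule.addPolicy() -->
<PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
    PolicySetId="RBAC:root"
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
  <!-- Empty Target: the root applies to every request, so exactly one
       top-level policy is ever applicable and the "too many" error cannot occur. -->
  <Target />

  <!-- Role PolicySet (RPS) for employee. Its Target is the only place the
       role is checked; everything nested below is reached only through it. -->
  <PolicySet PolicySetId="RPS:employee:role"
      PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
    <Target>
      <Subjects>
        <Subject>
          <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">employee</AttributeValue>
            <SubjectAttributeDesignator
                AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
                DataType="http://www.w3.org/2001/XMLSchema#anyURI" />
          </SubjectMatch>
        </Subject>
      </Subjects>
    </Target>

    <!-- Permission PolicySet (PPS) for employee, nested inline instead of being a
         separate top-level file. Its empty Target is now harmless: it is only
         evaluated after the RPS Target above has matched. -->
    <PolicySet PolicySetId="PPS:employee:role"
        PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
      <Target />
      <Policy PolicyId="Permissions:specifically:for:the:employee:role"
          RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
        <Target />
        <!-- Permission to create a purchase order -->
        <Rule RuleId="Permission:to:create:a:purchase:order" Effect="Permit">
          <Target>
            <Resources>
              <Resource>
                <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">purchase order</AttributeValue>
                  <ResourceAttributeDesignator
                      AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                      DataType="http://www.w3.org/2001/XMLSchema#string" />
                </ResourceMatch>
              </Resource>
            </Resources>
            <Actions>
              <Action>
                <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create</AttributeValue>
                  <ActionAttributeDesignator
                      AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                      DataType="http://www.w3.org/2001/XMLSchema#string" />
                </ActionMatch>
              </Action>
            </Actions>
          </Target>
        </Rule>
      </Policy>
    </PolicySet>
  </PolicySet>
</PolicySet>
```

Load only root.xml into the FilePolicyModule. A request whose subject carries urn:oasis:names:tc:xacml:2.0:subject:role = employee, resource-id = "purchase order" and action-id = "create" then reaches the Permit rule through exactly one top-level PolicySet; a request with any other role falls off the RPS Target and gets NotApplicable. Two caveats for extending this to role inheritance: a second nested RPS (for example a manager role with its own Target) can hold manager-specific policies and pull in the employee permissions, but if it does so with a PolicySetIdReference rather than inline nesting, the reference is resolved through the PolicyFinder, so it needs a PolicyFinderModule whose isIdReferenceSupported() returns true and that has PPS:employee:role loaded for lookup by id. And never hand a PPS to the finder as a request-applicable top-level file: its empty Target applies to every request, which is precisely the two-applicable-top-level-policies condition seth describes.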
Hello, please, if you run RBAC in Sun XACML, tell me how. Thank you.