XACML policy file example

The values in a bag are not ordered, and some of the values may be duplicates. There SHALL be no notion of a bag containing bags, or a bag containing values of differing types; i.

A named attribute includes specific criteria with which to match attributes in the context. The Category of the named attribute MUST match, by identifier equality, the Category of the corresponding context attribute. If Issuer is supplied in the named attribute, then it MUST match, using the urn:oasis:names:tc:xacml If Issuer is not supplied in the named attribute, then the matching of the context attribute to the named attribute SHALL be governed by AttributeId and DataType alone, regardless of the presence, absence, or actual value of Issuer in the corresponding context attribute.

The PDP SHALL reference the attributes as if they were in a physical request context document, but the context handler is responsible for obtaining and supplying the requested values by whatever means it deems appropriate, including by retrieving them from one or more Policy Information Points.

The context handler SHALL return the values of attributes that match the attribute designator or attribute selector and form them into a bag of values with the specified data-type. Regardless of any dynamic modifications of the request context during policy evaluation, the PDP SHALL behave as if each bag of attribute values is fully populated in the context before it is first tested, and is thereafter immutable during evaluation.

That is, every subsequent test of that attribute shall use the same bag of values that was initially tested. Standard environment attributes are listed in Section B. If a value for one of these attributes is supplied in the decision request, then the context handler SHALL use that value.

In the case of date and time attributes, the supplied value SHALL have the semantics of the "date and time that apply to the decision request". NOTE: It is not necessary for an implementation to actually follow these steps.

It is only necessary to produce results identical to those that would be produced by following these steps. XACML defines an evaluation result of "Indeterminate", which is said to be the result of an invalid expression, or an operational error occurring during the evaluation of the expression.

This element represents a Boolean expression over attributes of the request context. In addition, functions that are strictly within an extension to XACML MAY appear as a value for the MatchId attribute, and those functions MAY use data-types that are also extensions, so long as the extension function returns a Boolean result and takes two single base types as its inputs.

Use of non-indexable or complex functions may prevent efficient evaluation of decision requests. The evaluation semantics for a matching element is as follows. It is also possible to express the semantics of a target matching element in a condition. An empty target matches any request. The target match table is shown in Table 1. The AnyOf table is shown in Table 2. Policies with undefined references are invalid. Any evaluation scheme that preserves this semantic is acceptable.

A variable reference containing circular references is invalid. The final decision returned by a PDP cannot be an extended Indeterminate. Any such decision at the top level policy or policy set is returned as a plain Indeterminate in the response from the PDP. A rule has a value that can be calculated by evaluating its contents. Rule evaluation involves separate evaluation of the rule's target and condition.

The rule truth table is shown in Table 4. The value of a policy SHALL be determined only by its contents, considered in relation to the contents of the request context. A policy's value SHALL be determined by evaluation of the policy's target and, according to the specified rule-combining algorithm, rules. Policy value: specified by the rule-combining algorithm. However, non-standard combining algorithms MAY take parameters.

In such a case, the values of these parameters associated with the rules MUST be taken into account when evaluating the policy. The parameters and their types should be defined in the specification of the combining algorithm.

If the implementation supports combiner parameters and if combiner parameters are present in a policy, then the parameter values MUST be supplied to the combining algorithm implementation. The value of a policy set SHALL be determined by its contents, considered in relation to the contents of the request context. A policy set's value SHALL be determined by evaluation of the policy set's target, and, according to the specified policy-combining algorithm, policies and policy sets.

Policy set value: specified by the policy-combining algorithm. In such a case, the values of these parameters associated with the policies MUST be taken into account when evaluating the policy set. A policy set id reference or a policy id reference is evaluated by resolving the reference and evaluating the referenced policy set or policy. A policy set id reference or a policy id reference containing circular references is invalid.

It is often the case that a resource is organized as a hierarchy e. XACML provides several optional mechanisms for supporting hierarchical resources. A rule, policy, or policy set may contain one or more obligation or advice expressions. When such a rule, policy, or policy set is evaluated, the obligation or advice expression SHALL be evaluated to an obligation or advice respectively, which SHALL be passed up to the next level of evaluation (the enclosing or referencing policy, policy set, or authorization decision) only if the result of the rule, policy, or policy set being evaluated matches the value of the FulfillOn attribute of the obligation or the AppliesTo attribute of the advice.

If the FulfillOn or AppliesTo attribute does not match the result of the combining algorithm or the rule evaluation, then any indeterminate in an obligation or advice expression has no effect. As a consequence of this procedure, no obligations or advice SHALL be returned to the PEP if the rule, policies, or policy sets from which they are drawn are not evaluated, or if their evaluated result is "Indeterminate" or "NotApplicable", or if the decision resulting from evaluating the rule, policy, or policy set does not match the decision resulting from evaluating an enclosing policy set.

If the PDP's evaluation is viewed as a tree of rules, policy sets and policies, each of which returns "Permit" or "Deny", then the set of obligations and advice returned by the PDP to the PEP will include only the obligations and advice associated with those paths where the result at each level of evaluation is the same as the result being returned by the PDP. In situations where any lack of determinism is unacceptable, a deterministic combining algorithm, such as ordered-deny-overrides, should be used.
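The combining-algorithm and obligation-propagation rules in the preceding paragraphs are easiest to see in code. The following is an added example, not text or code from the specification: a toy evaluator with a deny-overrides policy over three rules, where each level keeps a child's obligations only if the child's result equals the decision the level itself returns. The rule and obligation identifiers, the `applies` flag standing in for target-plus-condition evaluation, and the omission of "Indeterminate" handling are all constructed simplifications.

```python
"""Added example (not from the XACML specification text): how a combining
algorithm yields a policy value and how obligations travel up the tree only
along paths whose result matches the decision being returned.  The names and
data model are constructed for illustration; Indeterminate is left out."""
from dataclasses import dataclass, field
from typing import List, Tuple

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass
class Obligation:
    obligation_id: str
    fulfill_on: str  # the FulfillOn attribute: "Permit" or "Deny"


@dataclass
class Rule:
    effect: str                                # Permit or Deny
    applies: bool                              # constructed stand-in for target + condition
    obligations: List[Obligation] = field(default_factory=list)

    def evaluate(self) -> Tuple[str, List[str]]:
        decision = self.effect if self.applies else NOT_APPLICABLE
        # A rule's obligation is passed up only when the rule's result
        # matches the obligation's FulfillOn value.
        return decision, [o.obligation_id for o in self.obligations
                          if o.fulfill_on == decision]


@dataclass
class Policy:
    rules: List[Rule]
    obligations: List[Obligation] = field(default_factory=list)

    def evaluate(self) -> Tuple[str, List[str]]:
        """deny-overrides: any Deny wins, else any Permit, else NotApplicable."""
        results = [r.evaluate() for r in self.rules]
        decisions = [d for d, _ in results]
        if DENY in decisions:
            decision = DENY
        elif PERMIT in decisions:
            decision = PERMIT
        else:
            decision = NOT_APPLICABLE
        fulfilled: List[str] = []
        # Keep a child's obligations only where the child's result equals the
        # decision this policy returns: the "same result at each level" rule.
        for child_decision, child_obligations in results:
            if child_decision == decision:
                fulfilled.extend(child_obligations)
        # The policy's own obligations follow the same FulfillOn matching.
        fulfilled.extend(o.obligation_id for o in self.obligations
                         if o.fulfill_on == decision)
        return decision, fulfilled


def example_policy() -> Policy:
    """Constructed sample: two applicable rules with conflicting effects plus
    one whose target does not match the request."""
    permit_rule = Rule(PERMIT, True, [Obligation("log-permitted-read", PERMIT)])
    deny_rule = Rule(DENY, True, [Obligation("notify-security-team", DENY),
                                  Obligation("never-fires", PERMIT)])
    skipped_rule = Rule(PERMIT, False, [Obligation("only-on-permit", PERMIT)])
    return Policy([permit_rule, deny_rule, skipped_rule],
                  [Obligation("audit-every-deny", DENY)])


if __name__ == "__main__":
    # Expected: ('Deny', ['notify-security-team', 'audit-every-deny'])
    print(example_policy().evaluate())
```

The permit rule's obligation is dropped even though that rule evaluated to "Permit", because the path through it does not share the final "Deny"; this is exactly the situation the text describes where a PEP must not receive obligations from non-matching branches.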

If, in this case a status code is supplied, then the value. SHALL be used, to indicate that more information is needed in order for a definitive decision to be rendered. Note, this requirement forces the PDP to eventually return an authorization decision of "Permit", "Deny", or "Indeterminate" with some other status code, in response to successively-refined requests. When such identifiers are compared for equality, the comparison MUST be done so that the identifiers are equal if they have the same length and the characters in the two identifiers are equal codepoint by codepoint.

The following is a list of the identifiers which MUST use this definition of equality. These may be extended by the creation of new URIs associated with new semantics for these attributes.

See Section 5 for definitions of these attribute types. This section identifies possible security and privacy compromise scenarios that should be considered when implementing an XACML-based system.

The section is informative only. It is left to the implementer to decide whether these compromise scenarios are practical in their environment and to select appropriate safeguards. We assume here that the adversary has access to the communication channel between the XACML actors and is able to interpret, insert, delete, and modify messages or parts of messages. Additionally, an actor may use information from a former message maliciously in subsequent transactions.

It is further assumed that rules and policies are only as reliable as the actors that create and use them. Thus it is incumbent on each actor to establish appropriate trust in the other actors upon which it relies.

Mechanisms for trust establishment are outside the scope of this specification. The messages that are transmitted between the actors in the XACML model are susceptible to attack by malicious third parties.

While some of these entities are not strictly within the scope of this specification, their compromise could lead to the compromise of access control enforced by the PEP.

It should be noted that there are other components of a distributed system that may be compromised, such as an operating system and the domain-name system (DNS), that are outside the scope of this discussion of threat models. Compromise in these components may also lead to a policy violation. XACML does not specify any inherent mechanisms to protect the confidentiality of the messages exchanged between actors.

Therefore, an adversary could observe the messages in transit. Under certain security policies, disclosure of this information is a violation. Disclosure of attributes or the types of decision requests that a subject submits may be a breach of privacy policy. A message replay attack is one in which the adversary records and replays legitimate messages between XACML actors. This attack may lead to denial of service, the use of out-of-date information or impersonation.

Note that encryption of the message does not mitigate a replay attack since the message is simply replayed and does not have to be understood by the adversary. A message insertion attack is one in which the adversary inserts messages in the sequence of messages between XACML actors.

The solution to a message insertion attack is to use mutual authentication and message sequence integrity safeguards between the actors. It should be noted that just using SSL mutual authentication is not sufficient. This only proves that the other party is the one identified by the subject of the X.

In order to be effective, it is necessary to confirm that the certificate subject is authorized to send the message. A message deletion attack is one in which the adversary deletes messages in the sequence of messages between XACML actors. Message deletion may lead to denial of service. However, a properly designed XACML system should not render an incorrect authorization decision as a result of a message deletion attack. The solution to a message deletion attack is to use message sequence integrity safeguards between the actors.

If an adversary can intercept a message and change its contents, then they may be able to alter an authorization decision. A message integrity safeguard can prevent a successful message modification attack. A result of "NotApplicable" means that the PDP could not locate a policy whose target matched the information in the decision request.

In general, it is highly recommended that a "Deny" effect policy be used, so that when a PDP would have returned "NotApplicable", a result of "Deny" is returned instead. In some security models, however, such as those found in many web servers, an authorization decision of "NotApplicable" is treated as equivalent to "Permit". There are particular security considerations that must be taken into account for this to be safe.

These are explained in the following paragraphs. If "NotApplicable" is to be treated as "Permit", it is vital that the matching algorithms used by the policy to match elements in the decision request be closely aligned with the data syntax used by the applications that will be submitting the decision request.

So an unintended failure to match may allow unintended access. Commercial HTTP responders allow a variety of syntaxes to be treated equivalently. Multiple character sets may be permitted and, in some cases, the same printed character can be represented by different binary values. Unless the matching algorithm used by the policy is sophisticated enough to catch these variations, unintended access may be permitted. It may be safe to treat "NotApplicable" as "Permit" only in a closed environment where all applications that formulate a decision request can be guaranteed to use the exact syntax expected by the policies.

In a more open environment, where decision requests may be received from applications that use any legal syntax, it is strongly recommended that "NotApplicable" NOT be treated as "Permit" unless matching rules have been very carefully designed to match all possible applicable inputs, regardless of syntax or type variations.
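To make the preceding warning concrete, here is an added example (not part of the specification) of a toy PDP whose single Deny rule matches a protected resource by plain string equality, exercised with request syntaxes an HTTP server would treat as the same path. The protected URL, the list of variants and the `canonicalize` normalisation steps are constructed for illustration; the point is that a PEP treating "NotApplicable" as "Permit" lets every unmatched variant through, while either canonicalising before matching or defaulting to "Deny" closes the gap.

```python
"""Added example (not from the specification): why "NotApplicable" as
"Permit" is unsafe when policy matching depends on raw request syntax, and
how deny-by-default or input canonicalisation removes the risk.  The resource,
the variants and the normalisation rules are constructed for illustration."""
import posixpath
from urllib.parse import unquote, urlsplit, urlunsplit

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

# Constructed policy: one Deny rule protecting a single resource by string equality.
PROTECTED_RESOURCE = "https://example.test/admin/config"

# Constructed request syntaxes that an HTTP responder would treat as the same path.
VARIANTS = [
    "https://example.test/admin/config",
    "HTTPS://EXAMPLE.TEST/admin/config",
    "https://example.test/%61dmin/config",
    "https://example.test/admin/../admin//config",
]


def canonicalize(resource: str) -> str:
    """Fold the syntactic variants: scheme/host case, percent-encoding,
    dot-segments and duplicate slashes.  Query and fragment are left alone."""
    parts = urlsplit(resource)
    path = unquote(parts.path)                        # "%61dmin" -> "admin"
    path = posixpath.normpath(path) if path else "/"  # "/a/../a//b" -> "/a/b"
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       path, parts.query, parts.fragment))


def pdp_decide(resource: str, normalise: bool) -> str:
    """Toy PDP: Deny if the resource matches the protected one, otherwise
    NotApplicable because no policy target matched the request."""
    candidate = canonicalize(resource) if normalise else resource
    return DENY if candidate == PROTECTED_RESOURCE else NOT_APPLICABLE


def pep_enforce(resource: str, normalise: bool,
                not_applicable_means_permit: bool) -> str:
    """PEP wrapper: maps NotApplicable to Permit or Deny per configuration."""
    decision = pdp_decide(resource, normalise)
    if decision == NOT_APPLICABLE:
        return PERMIT if not_applicable_means_permit else DENY
    return decision


def compare_pep_modes() -> dict:
    """Outcome of each variant under three PEP configurations."""
    return {
        v: {
            "raw+permissive": pep_enforce(v, False, True),
            "canonical+permissive": pep_enforce(v, True, True),
            "raw+deny-default": pep_enforce(v, False, False),
        }
        for v in VARIANTS
    }


if __name__ == "__main__":
    for variant, outcomes in compare_pep_modes().items():
        print(variant, outcomes)
```

Only the first variant is denied in "raw+permissive" mode; the other three are let through as "Permit". Canonicalising before the match catches all four, and defaulting "NotApplicable" to "Deny" never grants access on a failed match, which is the closed-world posture the text recommends for open environments.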

Note, however, that according to Section 7. A negative rule is one that is based on a predicate not being "True". If not used with care, negative rules can lead to policy violations, therefore some authorities recommend that they not be used. However, negative rules can be extremely efficient in certain cases, so XACML has chosen to include them.

Nevertheless, it is recommended that they be used with care and avoided if possible. A common use for negative rules is to deny access to an individual or subgroup when their membership in a larger group would otherwise permit them access. For example, we might want to write a rule that allows all vice presidents to see the unpublished financial data, except for Joe, who is only a ceremonial vice president and can be indiscreet in his communications.

However, in some environments this approach may not be feasible. It is worth noting in passing that referring to individuals in rules does not scale well. Generally, shared attributes are preferred. If not used with care, negative rules can lead to policy violations in two common cases: when attributes are suppressed and when the base group changes.

An example of suppressed attributes would be if we have a policy that access should be permitted, unless the subject is a credit risk. If it is possible that the attribute of being a credit risk may be unknown to the PDP for some reason, then unauthorized access may result.

In some environments, the subject may be able to suppress the publication of attributes by the application of privacy controls, or the server or repository that contains the information may be unavailable for accidental or intentional reasons. An example of a changing base group would be if there is a policy that everyone in the engineering department may change software source code, except for secretaries.

Suppose now that the department was to merge with another engineering department and the intent is to maintain the same policy. However, the new department also includes individuals identified as administrative assistants, who ought to be treated in the same way as secretaries.

Unless the policy is altered, they will unintentionally be permitted to change software source code. Problems of this type are easy to avoid when one individual administers all policies, but when administration is distributed, as XACML allows, this type of situation must be explicitly guarded against. A denial of service attack is one in which the adversary overloads an XACML actor with excessive computations or network traffic such that legitimate users cannot access the services provided by the actor.

The urn:oasis:names:tc:xacml It is possible that the function is invoked during the recursive invocations of the PDP such that loops are formed. Such loops may in some cases lead to large numbers of requests to be generated before the PDP can detect the loop and abort evaluation. Such loops could cause a denial of service at the PDP, either because of a malicious policy or because of a mistake in a policy. Authentication provides the means for one party in a transaction to determine the identity of the other party in the transaction.

Authentication may be in one direction, or it may be bilateral. Given the sensitive nature of access control systems, it is important for a PEP to authenticate the identity of the PDP to which it sends decision requests.

Otherwise, there is a risk that an adversary could provide false or invalid authorization decisions , leading to a policy violation. It is equally important for a PDP to authenticate the identity of the PEP and assess the level of trust to determine what, if any, sensitive data should be passed.

One should keep in mind that even simple "Permit" or "Deny" responses could be exploited if an adversary were allowed to make unlimited requests to a PDP.

Many different techniques may be used to provide authentication, such as co-located code, a private network, a VPN, or digital signatures. Authentication may also be performed as part of the communication protocol used to exchange the contexts.

In this case, authentication may be performed either at the message level or at the session level. If the contents of policies are exposed outside of the access control system, potential subjects may use this information to determine how to gain unauthorized access. To prevent this threat, the repository used for the storage of policies may itself require access control.

Confidentiality mechanisms ensure that the contents of a message can be read only by the desired recipients and not by anyone else who encounters the message while it is in transit. In some environments it is deemed good practice to treat all data within an access control system as confidential. In other environments, policies may be made freely available for distribution, inspection, and audit.

The idea behind keeping policy information secret is to make it more difficult for an adversary to know what steps might be sufficient to obtain unauthorized access. Regardless of the approach chosen, the security of the access control system should not depend on the secrecy of the policy. Communications confidentiality can be provided by a confidentiality mechanism, such as SSL. Using a point-to-point scheme like SSL may lead to other vulnerabilities when one of the end-points is compromised.

It should go without saying that if a repository is used to facilitate the communication of cleartext i. Therefore, maintaining its integrity is essential. There are two aspects to maintaining the integrity of the policy. In many cases, both aspects can be achieved by ensuring the integrity of the actors and implementing session-level mechanisms to secure the communication between actors.

The selection of the appropriate mechanisms is left to the implementers. However, when policy is distributed between organizations to be acted on at a later time, or when the policy travels with the protected resource, it would be useful to sign the policy. Digital signatures should only be used to ensure the integrity of the statements. Digital signatures should not be used as a method of selecting or evaluating policy.

That is, the PDP should not request a policy based on who signed it or whether or not it has been signed, as such a basis for selection would, itself, be a matter of policy. However, the PDP must verify that the key used to sign the policy is one controlled by the purported issuer of the policy. The means to do this are dependent on the specific signature technology chosen and are outside the scope of this document.

Since policies can be referenced by their identifiers, it is the responsibility of the PAP to ensure that these are unique. Confusion between identifiers could lead to misidentification of the applicable policy. This specification is silent on whether a PAP must generate a new identifier when a policy is modified or may use the same identifier in the modified policy. This is a matter of administrative practice. However, care must be taken in either case. If the identifier is reused, there is a danger that other policies or policy sets that reference it may be adversely affected.

Conversely, if a new identifier is used, these other policies may continue to use the prior policy, unless it is deleted. In either case the results may not be what the policy administrator intends. If a PDP is provided with policies from distinct sources which might not be fully trusted, as in the use of the administration profile [XACMLAdmin], there is a concern that someone could intentionally publish a policy with an id which collides with another policy.

This could cause policy references that point to the wrong policy, and may cause other unintended consequences in an implementation which is predicated upon having unique policy identifiers. One method is to make sure that the policy identifier begins with a string which has been assigned to the particular policy issuer or source. The remainder of the policy identifier is an issuer-specific unique part. For instance, Alice from Example Inc.

The PDP or another trusted component can then verify that the authenticated source of the policy is Alice at Example Inc, or otherwise reject the policy. Anyone else will be unable to publish policies with identifiers which collide with the policies of Alice. Discussions of authentication, integrity and confidentiality safeguards necessarily assume an underlying trust model: how can one actor come to believe that a given key is uniquely associated with a specific, identified actor so that the key can be used to encrypt data for that actor or verify signatures or other integrity structures from that actor?

Many different types of trust models exist, including strict hierarchies, distributed authorities, the Web, the bridge, and so on. It is worth considering the relationships between the various actors of the access control system in terms of the interdependencies that do and do not exist. They may collect data from it (for example, authentication data) but are responsible for verifying it themselves. This in turn implies that the PDP is supplied with the correct inputs.

The PAP is not dependent on other components. It is important to be aware that any transactions that occur with respect to access control may reveal private information about the actors. Selection and use of privacy mechanisms appropriate to a given environment are outside the scope of XACML. The decision regarding whether, how, and when to deploy such mechanisms is left to the implementers associated with the environment. There are many security considerations related to use of Unicode.

This definition of equality does not do any kind of canonicalization or escaping of characters. The identifiers defined in the XACML specification have been selected to not include any ambiguity regarding these aspects.

A set of test cases has been created to assist in this process. The site hosting the test cases contains a full description of the test cases and how to execute them. The implementation MUST include the rule- and policy-combining algorithms associated with the following identifiers that are marked "M". If values for these attributes are not present in the decision request, then their values MUST be supplied by the context handler.

So, unlike most other attributes, their semantics are not transparent to the PDP. The implementation MUST properly process those functions associated with the identifiers marked with an "M".

They are planned to be deprecated at some unspecified point in the future. The implementation MUST properly process those features associated with the identifiers marked with an "M". Data-types and functions (normative). This section specifies the data-types and functions used in XACML to create predicates for conditions and target matches. This specification combines the various standards set forth by IEEE and ANSI for string representation of numeric values, as well as the evaluation of arithmetic functions.

It describes the primitive data-types and bags. The standard functions are named and their operational semantics are described. Types such as Boolean, integer, and double MUST be converted from their XML string representations to values that can be compared with values in their domain of discourse, such as numbers.

The following primitive data-types are specified for use with XACML and have explicit data representations: XACML defines four data-types representing identifiers for subjects or resources; these are: Note that an IPv6 address or mask, in this syntax, is enclosed in literal "[" "]" brackets. If the port number is of the form "-x", where "x" is a port number, then the range is all ports numbered "x" and below.

If the port number is of the form "x-", then the range is all ports numbered "x" and above. The syntax is defined by the XPath W3C recommendation. The context node of the XPath expression is the document node of this stand-alone document. XACML specifies the following functions. Unless otherwise specified, if an argument of one of these functions were to evaluate to "Indeterminate", then the function SHALL be set to "Indeterminate".

The following functions are the equality functions for the various primitive types. Each function for a particular data-type follows a specified standard convention for that data-type.

The function SHALL return "True" if and only if the value of both of its arguments are of equal length and each string is determined to be equal. This function shall perform its evaluation according to the "op:duration-equal" function [XF] Section. An RFC name consists of a local-part followed by "@" followed by a domain-part.

The local-part is case-sensitive, while the domain-part (which is usually a DNS host name) is not case-sensitive. Perform the following operations: Normalize the domain-part of each argument to lower case. The result is the second argument subtracted from the first argument. The result is the first argument divided by the second argument.
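The two equality conventions the page describes, the codepoint-by-codepoint string comparison with no canonicalization (stated earlier for identifiers) and the rfc822Name comparison that lower-cases only the domain-part, are shown below in an added example that is not the specification's own code. Function names echo the XACML identifiers they illustrate, but the code is a constructed demonstration rather than a conforming implementation, and raising `ValueError` on a malformed name is this example's stand-in for an "Indeterminate" result.

```python
"""Added example (not from the specification): string equality as a plain
codepoint comparison with no normalisation, and rfc822Name equality where
only the domain-part is case-folded.  Constructed for illustration."""
import unicodedata


def string_equal(a: str, b: str) -> bool:
    """Equal iff same length and equal codepoint by codepoint.  No Unicode
    canonicalisation or escaping is applied, exactly as the text requires."""
    return len(a) == len(b) and all(x == y for x, y in zip(a, b))


def rfc822name_equal(a: str, b: str) -> bool:
    """local-part is compared case-sensitively, domain-part case-insensitively.
    The domain-part is normalised to lower case before comparison."""
    local_a, sep_a, domain_a = a.rpartition("@")
    local_b, sep_b, domain_b = b.rpartition("@")
    if not (sep_a and sep_b and local_a and domain_a and local_b and domain_b):
        # Stand-in for an Indeterminate result on a malformed argument.
        raise ValueError("rfc822Name must be local-part@domain-part")
    return (string_equal(local_a, local_b)
            and string_equal(domain_a.lower(), domain_b.lower()))


def demo() -> dict:
    """Constructed inputs showing where each convention says 'not equal'."""
    nfc = "caf\u00e9"                                   # U+00E9 precomposed
    nfd = unicodedata.normalize("NFD", nfc)             # "e" + U+0301, 5 codepoints
    return {
        "plain": string_equal("Alice", "Alice"),
        "case": string_equal("Alice", "alice"),
        "nfc_vs_nfd": string_equal(nfc, nfd),           # False: no canonicalisation
        "rfc822_domain_case": rfc822name_equal("Alice@Example.COM", "Alice@example.com"),
        "rfc822_local_case": rfc822name_equal("Alice@example.com", "alice@example.com"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `nfc_vs_nfd` case is the practical consequence of "no canonicalization": two strings that render identically compare unequal, so identifiers and attribute values must be produced in one agreed form before they reach the PDP.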

The result is the remainder of the first argument divided by the second argument. Case mapping shall be done as specified for the fn:lower-case function in [XF] with no tailoring for particular languages or environments. The evaluation SHALL stop with a result of "False" if any argument evaluates to "False", leaving the rest of the arguments unevaluated.

The first argument specifies the minimum number of the remaining arguments that MUST evaluate to "True" for the expression to be considered "True". If the number of arguments after the first one is less than the value of the first argument, then the expression SHALL result in "Indeterminate". The order of evaluation SHALL be: first evaluate the integer value, and then evaluate each subsequent argument.

The evaluation of arguments SHALL stop if it is determined that evaluating the remaining arguments will not satisfy the requirement. Note: When evaluating and, or, or n-of, it MAY NOT be necessary to attempt a full evaluation of each argument in order to determine whether the evaluation of the argument would result in "Indeterminate".

Analysis of the argument regarding the availability of its attributes , or other analysis regarding errors, such as "divide-by-zero", may render the argument error free. Such arguments occurring in the expression in a position after the evaluation is stated to stop need not be processed.
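The short-circuit rules for and, or and n-of spread across the preceding paragraphs are implemented below as an added example; it is not code from the specification. Arguments are passed as zero-argument callables so that the example can show which positions were never evaluated, `None` stands for "Indeterminate", and the treatment of Indeterminate arguments follows the general rule stated earlier on the page (an Indeterminate argument makes the function Indeterminate unless the short-circuit rule settles the result first). The `Probe` helper and the sample argument lists are constructed.

```python
"""Added example (not from the specification): three-valued, short-circuiting
and / or / n-of with lazy arguments.  None models "Indeterminate".  The Probe
helper records which argument positions were actually evaluated."""
from typing import Callable, List, Optional

TRUE, FALSE, INDETERMINATE = True, False, None
Arg = Callable[[], Optional[bool]]   # an argument evaluated only when called


def xacml_and(args: List[Arg]) -> Optional[bool]:
    """True with no arguments.  Stops with False at the first False argument,
    leaving the rest unevaluated; otherwise Indeterminate if any argument was."""
    saw_indeterminate = False
    for arg in args:
        value = arg()
        if value is FALSE:
            return FALSE
        if value is INDETERMINATE:
            saw_indeterminate = True
    return INDETERMINATE if saw_indeterminate else TRUE


def xacml_or(args: List[Arg]) -> Optional[bool]:
    """Dual of and: False with no arguments, stops with True at the first True."""
    saw_indeterminate = False
    for arg in args:
        value = arg()
        if value is TRUE:
            return TRUE
        if value is INDETERMINATE:
            saw_indeterminate = True
    return INDETERMINATE if saw_indeterminate else FALSE


def xacml_n_of(n: int, args: List[Arg]) -> Optional[bool]:
    """At least n of the remaining arguments must be True.  Fewer than n
    arguments gives Indeterminate.  Evaluation stops as soon as the outcome is
    settled: n Trues seen, or too few candidates left to reach n."""
    if n <= 0:
        return TRUE                      # a minimum of zero is trivially met
    if len(args) < n:
        return INDETERMINATE
    trues = indeterminates = 0
    for idx, arg in enumerate(args):
        value = arg()
        if value is TRUE:
            trues += 1
        elif value is INDETERMINATE:
            indeterminates += 1
        if trues >= n:
            return TRUE
        remaining = len(args) - idx - 1
        if trues + indeterminates + remaining < n:
            return FALSE                 # even if every unknown were True, n is unreachable
    # Everything evaluated and fewer than n True: Indeterminate only if the
    # Indeterminate arguments could have supplied the missing Trues.
    return INDETERMINATE if trues + indeterminates >= n else FALSE


class Probe:
    """Constructed helper: wraps fixed values as lazy arguments and records
    the positions that were evaluated."""

    def __init__(self, values: List[Optional[bool]]):
        self.values = values
        self.evaluated: List[int] = []

    def args(self) -> List[Arg]:
        def make(i: int) -> Arg:
            def arg() -> Optional[bool]:
                self.evaluated.append(i)
                return self.values[i]
            return arg
        return [make(i) for i in range(len(self.values))]


if __name__ == "__main__":
    probe = Probe([TRUE, INDETERMINATE, FALSE, TRUE])
    print(xacml_and(probe.args()), "evaluated positions:", probe.evaluated)
```

Note the ordering consequence visible in `xacml_and`: an Indeterminate argument followed by a False still yields False, because the text says evaluation stops with False when any argument is False; Indeterminate only surfaces when no argument settled the result.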

These functions form a minimal set for comparing two numbers, yielding a Boolean result. This function SHALL return the value by adding the second argument to the first argument according to the specification of adding durations to date and time [XS] Appendix E.

If the second argument is a positive duration, then this function SHALL return the value by adding the corresponding negative duration, as per the specification [XS] Appendix E. These functions perform comparison operations on two arguments of non-numerical types. It SHALL return "True" if and only if the first argument is lexicographically strictly greater than the second argument. It SHALL return "True" if and only if the first argument is lexicographically greater than or equal to the second argument.

Note: it is illegal to compare a time that includes a time-zone value with one that does not. In such cases, the time-in-range function should be used. It SHALL return "True" if the first argument falls in the range defined inclusively by the second and third arguments.

Regardless of its value, the third argument SHALL be interpreted as a time that is equal to, or later than by less than twenty-four hours, the second argument. If no time zone is provided for the first argument, it SHALL use the default time zone at the context handler. If no time zone is provided for the second or third arguments, then they SHALL use the time zone from the first argument. The following functions operate on strings and convert to and from other data types.
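The time-in-range rules just stated (inclusive bounds, a third argument read as at most 24 hours after the second, and the two time-zone defaults) are implemented below as an added example that is not the specification's own code. The context handler's default zone is assumed to be UTC, only fixed-offset `datetime.timezone` instances are used, and every sample time is constructed.

```python
"""Added example (not from the specification): time-in-range with the
wrap-past-midnight reading of the third argument and the time-zone
defaulting described in the text.  Assumes the context handler's default
zone is UTC; all sample times are constructed."""
from datetime import time, timedelta, timezone

DEFAULT_OFFSET = timedelta(0)   # assumption: the context handler's default zone is UTC


def _seconds_utc(t: time, fallback_offset: timedelta) -> int:
    """Seconds since midnight on the UTC clock.  A time without a zone is
    interpreted in the zone given by fallback_offset."""
    offset = t.utcoffset()
    if offset is None:
        offset = fallback_offset
    local = t.hour * 3600 + t.minute * 60 + t.second
    return int(local - offset.total_seconds()) % 86400


def time_in_range(t: time, start: time, end: time) -> bool:
    """True iff t lies inclusively between start and end, where end denotes the
    first clock value at or after start within the following 24 hours."""
    # Rule 1: a first argument without a zone uses the context handler's default.
    first_offset = t.utcoffset()
    if first_offset is None:
        first_offset = DEFAULT_OFFSET
    # Rule 2: second and third arguments without a zone use the first argument's.
    a = _seconds_utc(t, DEFAULT_OFFSET)
    s = _seconds_utc(start, first_offset)
    e = _seconds_utc(end, first_offset)
    if s <= e:
        return s <= a <= e
    return a >= s or a <= e          # the range crosses midnight


if __name__ == "__main__":
    plus_two = timezone(timedelta(hours=2))
    print(time_in_range(time(23, 0), time(22, 0), time(2, 0)))                  # True, wraps midnight
    print(time_in_range(time(9, 0, tzinfo=plus_two), time(8, 30), time(9, 30)))  # True, bounds inherit +02:00
```

The last call is the case the text singles out: the bounds carry no zone, so they are read in the first argument's +02:00 rather than in UTC; reading them in UTC would wrongly place 09:00+02:00 (07:00Z) outside the range.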
