source: TI12-security/trunk/ndg_xacml/ndg/xacml/test/ndg1.xml @ 7112

Subversion URL: http://proj.badc.rl.ac.uk/svn/ndg/TI12-security/trunk/ndg_xacml/ndg/xacml/test/ndg1.xml@7112
Revision 7112, 5.1 KB checked in by pjkersha, 10 years ago (diff)

Incomplete - task 2: XACML-Security Integration

  • added more description text to the ndg1 policy file
  • Property svn:keywords set to Id
<?xml version="1.0" encoding="UTF-8"?>
<Policy PolicyId="urn:ndg:security:1.0:authz:test:policy"
    xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:cd:04"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:cd:04 http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-cd-04.xsd"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
    <Description>
        NDG XACML example for unit tests: allow access for resource URIs
        matching given regular expressions.  The subject must have at least one
        of a set of named attributes allocated
    </Description>

    <!--
        Decision model of this policy:

        * The first Rule has no Target, so it applies to every request that
          reaches the policy and yields Deny.
        * The remaining Rules yield Permit, and RuleCombiningAlgId is
          permit-overrides, so a single applicable Permit rule wins over the
          Deny.  A request is therefore permitted only when it matches a
          Permit rule's Target AND satisfies that rule's Condition; any other
          request matching the policy Target is denied.

        xsi:schemaLocation is a hint for validators only.  A consumer that
        validates this document should resolve the schema from a local copy
        rather than fetching the URL carried in the document itself.

        NOTE(review): the XACML 2.0 policy schema orders AttributeValue before
        the attribute designator inside a ResourceMatch element; the match
        elements below list the designator first.  The ndg_xacml reader
        presumably locates children by element name so this still parses, but
        the file may not validate against the referenced XSD as written.
        Confirm before relying on schema validation of this fixture.
    -->

    <!--
        The Policy Target defines which requests the whole policy applies to.
        Requests whose resource-id does not match it are Not Applicable and
        never reach the Rules below.
    -->
    <Target>
        <Resources>
            <Resource>
                <!--
                    Regexp match on the standard resource-id attribute: any
                    anyURI value starting with http://localhost/ is in scope.
                -->
                <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
                    <ResourceAttributeDesignator
                        AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                        DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/.*$</AttributeValue>
                </ResourceMatch>
            </Resource>
        </Resources>
    </Target>

    <!--
        Deny everything by default.  This Rule has no Target and no Condition,
        so it is applicable to every request that passed the policy Target.
    -->
    <Rule RuleId="urn:ndg:security1.0:authz:test:DenyAllRule" Effect="Deny"/>
    <!--
        The following Rules punch holes through the deny-everything Rule above
        because the rule combining algorithm is set to permit-overrides (see
        RuleCombiningAlgId on the Policy element).
    -->
    <Rule RuleId="urn:ndgsecurity:secured-uri-rule" Effect="Permit">
        <!--
            The Rule Target defines which requests this particular Rule applies
            to.  The regexp below accepts any URI beginning with
            http://localhost/test_securedURI, including longer paths and query
            strings appended to it.  The function is applied to the resource-id
            value as supplied in the request, so any URI normalisation has to
            happen before the request reaches the PDP.
        -->
        <Target>
            <Resources>
                <Resource>
                    <!-- Pattern match the request URI -->
                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
                        <ResourceAttributeDesignator
                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/test_securedURI.*$</AttributeValue>
                    </ResourceMatch>
                </Resource>
            </Resources>
        </Target>

        <!--
            The Condition narrows the constraints laid down in the Target to
            something more specific.

            string-at-least-one-member-of(bagA, bagB) is true when at least one
            value in bagA also occurs in bagB.  bagA is every value of the
            subject attribute urn:ndg:security:authz:1.0:attr present in the
            request; bagB is the literal bag {staff, admin, postdoc}.  The user
            must therefore hold at least one of those three attribute values
            for this Rule to Permit.  A subject with none of them (or without
            the attribute at all) simply fails the Condition and falls back to
            the Deny Rule.
        -->
        <Condition>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                <SubjectAttributeDesignator 
                    AttributeId="urn:ndg:security:authz:1.0:attr" 
                    DataType="http://www.w3.org/2001/XMLSchema#string"/>
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">staff</AttributeValue>
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">postdoc</AttributeValue>
                </Apply>
            </Apply>
        </Condition>
    </Rule>
    <!--
        Permit rule for the access-denied test case.  Note that its
        ResourceAttributeDesignator reads urn:siteA:security:authz:1.0:attr:resourceURI,
        not the standard resource-id attribute used by the policy Target and
        the Rule above.  A request that carries only the standard resource-id
        cannot satisfy this Target, so it falls through to the Deny Rule even
        before the Condition (which requires the subject attribute value
        forbidden or keepout) is considered.  This looks deliberate for a
        deny-path test; confirm against the test that exercises this RuleId
        before changing the AttributeId to match the other Rules.
    -->
    <Rule RuleId="accessDeniedToSecuredURIRule" Effect="Permit">
        <Target>
            <Resources>
                <Resource>
                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
                        <ResourceAttributeDesignator
                            AttributeId="urn:siteA:security:authz:1.0:attr:resourceURI"
                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/test_accessDeniedToSecuredURI$</AttributeValue>
                    </ResourceMatch>
                </Resource>
            </Resources>
        </Target>
        <!--
            Same shape as the Condition above: the subject must hold at least
            one of the attribute values forbidden or keepout.
        -->
        <Condition>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                <SubjectAttributeDesignator 
                    AttributeId="urn:ndg:security:authz:1.0:attr" 
                    DataType="http://www.w3.org/2001/XMLSchema#string"/>
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">forbidden</AttributeValue>
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">keepout</AttributeValue>
                </Apply>
            </Apply>
        </Condition>
    </Rule>
</Policy>