Changeset 7287 for TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/authorisationservice/policy.xml
- Timestamp:
- 06/08/10 09:49:47 (11 years ago)
- File:
-
- 1 edited
TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/authorisationservice/policy.xml
r7257 r7287 6 6 RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides"> 7 7 <Description> 8 NDG XACML example for unit tests: allow access for resource URIs 9 matching given regular expressions. The subject must have at least one 10 of a set of named attributes allocated 8 Example for NDG Security unit tests: allow access for resource URIs 9 defined in the rules. All other URIs are blocked from access 10 11 See ndg.security.test.unit.wsgi.authz.test_authz to see the various 12 rules tested out 11 13 </Description> 12 14 … … 78 80 <Rule RuleId="urn:ndg:security:secured-uri-rule" Effect="Permit"> 79 81 <!-- 80 Rule target(s) define which requests apply to the particular rule 82 Secure a URI path and all sub-paths using a regular expression to 83 define a URI pattern 81 84 --> 82 85 <Target> … … 99 102 100 103 The user must have at least one of the roles set - in this 101 case ' urn:siteA:security:authz:1.0:attr:staff'104 case 'staff' 102 105 --> 103 106 <Condition> … … 118 121 <Resources> 119 122 <Resource> 120 <ResourceMatch MatchId="urn:oasis:names:tc:xacml: 2.0:function:anyURI-regexp-match">123 <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal"> 121 124 <ResourceAttributeDesignator 122 AttributeId="urn: siteA:security:authz:1.0:attr:resourceURI"125 AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" 123 126 DataType="http://www.w3.org/2001/XMLSchema#anyURI"/> 124 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/test_accessGrantedToSecuredURI</AttributeValue> 127 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/test_accessGrantedToSecuredURI</AttributeValue> 128 </ResourceMatch> 129 </Resource> 130 </Resources> 131 </Target> 132 <Condition> 133 <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of"> 134 <SubjectAttributeDesignator 135 AttributeId="urn:ndg:security:authz:1.0:attr" 136 
DataType="http://www.w3.org/2001/XMLSchema#string"/> 137 <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag"> 138 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">staff</AttributeValue> 139 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">administrator</AttributeValue> 140 </Apply> 141 </Apply> 142 </Condition> 143 </Rule> 144 <Rule RuleId="Access Granted to secured URI Rule modified for special admin query argument" Effect="Permit"> 145 <!-- 146 This rule is a modified version of the above to allow for a real use 147 case where adding a special query argument grants extra privileges 148 associated with an administrator 149 --> 150 <Target> 151 <Resources> 152 <Resource> 153 <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal"> 154 <ResourceAttributeDesignator 155 AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" 156 DataType="http://www.w3.org/2001/XMLSchema#anyURI"/> 157 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/test_accessGrantedToSecuredURI?admin=1</AttributeValue> 125 158 </ResourceMatch> 126 159 </Resource> … … 128 161 <Subjects> 129 162 <Subject> 130 <SubjectMatch >163 <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> 131 164 <SubjectAttributeDesignator 132 165 AttributeId="urn:ndg:security:authz:1.0:attr" 133 166 DataType="http://www.w3.org/2001/XMLSchema#string"/> 134 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string"> keepout</AttributeValue>167 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">administrator</AttributeValue> 135 168 </SubjectMatch> 136 169 </Subject>
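Review bot: The comment on the new admin-query rule (new lines 146-148) says that "adding a special query argument grants extra privileges", but in the rule as written the query string alone grants nothing: the Permit is gated by the `string-equal` SubjectMatch on the `administrator` attribute (new lines 163-167), and the `?admin=1` URI only selects which resource the rule applies to. That distinction matters for whoever maintains this policy, because deleting or loosening the Subject match would turn the query argument into a privilege grant, so I would make it explicit: `This rule is a variant of the one above. The ?admin=1 query argument does not grant anything by itself; the Subject match below still requires the 'administrator' attribute, so the argument only selects the admin view of the resource.` Note also that switching from `anyURI-regexp-match` to `anyURI-equal` (new lines 123-127 and 153-157) makes matching exact, so `?admin=1&x=y` or a reordered query string falls through to no matching rule; with `permit-overrides` that yields NotApplicable, and the Description's claim that "All other URIs are blocked" holds only if the PEP treats NotApplicable as deny, which no Deny rule visible in this hunk guarantees. The `RuleId` of the new rule is a free-text string with spaces, whereas the sibling rule uses a URN (`urn:ndg:security:secured-uri-rule`); a URN-style id such as `urn:ndg:security:secured-uri-admin-query-rule` would keep the file consistent and easier to reference from tests. Both rules continue past the end of the hunk.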