Versions Compared

Old Version 24

changes.mady.by.user Greg Jansen

Saved on

compared with

New Version 25

changes.mady.by.user Greg Jansen

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

The ResourceFinder returns a ResourceFinder result, which contains the entire set of resolved resource ID attribute values. In other words the result is not a streaming interface, but a concrete class that returns a set. It would be far preferable to have a streaming/iterator approach to support big deletes trees.

Components to Develop

PolicyFinderModule (w/PolicyLocator for JBossPDP configuration)

Fedora will need an implementation of this interface, originally part of Sun XACML. This finder module will deliver the correct policy set for the resource ID in a XACML request context according the rules for "Finding the Effective Policy Set" above. A similar kind of lookup, based on node path, happens in the access roles provider.

This is admittedly a little abstruse, but policy finder modules become part of the PDP via configured implementations of the PolicyLocator interface. An implementation must have a no argument constructor and received configuration via a setOptions() callback method. The PolicyLocator has a map where it will store its PolicyFinderModule for use by the JBossPDP. A simple example is the JBossPolicyLocator, which puts a list of pre-configured policies into a wrapper policy finder module. This wrapper policy finder module is added to the locator's internal map under the policy finder module key. To see how the PDP builds the list of policy finder modules at initialization time, see JBossPDP.boostrapPDP(), especially the createPolicyFinderModules() method. There you can see it build a list of finder modules from each configured policy locator.

The policy lookup operation involves the following steps:

  1. finding the nearest real node for a given the path, since access checks are sometimes performed on new nodes before they are added.
  2. Then you find the nearest parent with a policy property.
  3. Then you read in and return the policy XACML. (There is a PolicyReader class you can use here)
  4. It will also need to support requests for policies by node URI, i.e. resolving policies that are linked from the first policy.

ResourceFinder

ResourceAttributeFinderModule

SubjectAttributeFinderModule

EnvironmentAttributeFinderModule