amitbit05 edited this page Feb 25, 2021 · 10 revisions

AuthzForce supports all the XACML functions defined in the XACML 3.0 Core specification, plus dnsName-value-equal from the XACML DLP/NAC Profile. The XACML 3.0 Core standard also allows extra functions that it does not define, and AuthzForce can support them, provided you implement one as a Function extension or obtain one from a third party in that form. The AuthzForce project also provides a separate Function extension example for documentation and testing purposes. If you wish to make such a Function extension for use in your policies, read on.

Making a Function extension

The steps to make your own Function extension go as follows:

  1. Create a Maven project with jar packaging type and the following Maven dependency:

    <dependency>
      <groupId>org.ow2.authzforce</groupId>
      <artifactId>authzforce-ce-core-pdp-api</artifactId>
      <version>17.0.0</version>
      <scope>provided</scope>
    </dependency>
    

    Make sure the version matches the PDP API version that the authzforce-ce-core-pdp-engine version you deploy depends on; a mismatch only shows up at runtime, when the extension is loaded. Keep the provided scope so that your JAR does not bundle a second copy of the API classes next to the engine's.

  2. A Function extension class must implement the interface org.ow2.authzforce.core.pdp.api.func.Function and have a public no-argument constructor (or no explicit constructor at all, so that the default one applies). Instead of implementing this Function interface directly, extend one of the following Function sub-classes whenever possible, depending on your needs:

    • org.ow2.authzforce.core.pdp.api.func.ComparisonFunction: to be extended for implementing the comparison functions type-greater-than, type-greater-than-or-equal, type-less-than and type-less-than-or-equal. Examples from the XACML 3.0 Core standard: see §A.3.6 and §A.3.8.
    • org.ow2.authzforce.core.pdp.api.func.EqualTypeMatchFunction: to be extended for implementing match functions with two parameters of the same type. Examples from the XACML 3.0 Core standard: the equality functions in §A.3.1, x500name-match, string-starts-with. You may use the AuthzForce TestDNSNameValueEqualFunction class (used in AuthzForce unit tests) as an example; it provides a test implementation of the function dnsName-value-equal defined in the XACML Data Loss Prevention / Network Access Control (DLP/NAC) Profile Version 1.0.
    • org.ow2.authzforce.core.pdp.api.func.NonEqualTypeMatchFunction: to be extended for implementing match functions with two parameters of different types. Examples from the XACML 3.0 Core standard: rfc822Name-match, anyURI-starts-with, dnsName-regexp-match.
    • org.ow2.authzforce.core.pdp.api.func.HigherOrderBagFunction: to be extended for implementing higher-order bag functions. Examples from the XACML 3.0 Core standard: the functions in §A.3.12.
    • org.ow2.authzforce.core.pdp.api.func.SingleParameterTypedFirstOrderFunction: to be extended for implementing first-order functions whose parameters are all of the same type, when the previous cases do not apply. Examples from the XACML 3.0 Core standard: the logical functions and, or and not in §A.3.5.
    • org.ow2.authzforce.core.pdp.api.func.MultiParameterTypedFirstOrderFunction: to be extended for implementing first-order functions with at least two different parameter types, when the previous cases do not apply. Examples from the XACML 3.0 Core standard: the logical function n-of and the *-substring functions.
    • org.ow2.authzforce.core.pdp.api.func.BaseFunction: to be extended for implementing functions when none of the previous cases apply.
  3. When your implementation class is ready, create a text file named org.ow2.authzforce.core.pdp.api.PdpExtension in the folder src/main/resources/META-INF/services (you have to create the folder first) and put the fully qualified name of your implementation class on the first line of this file, as in the example from the AuthzForce source code. This is the standard JDK service-provider (ServiceLoader) mechanism, which is why the class needs the public no-argument constructor mentioned above.

  4. Run the Maven package phase (mvn package) to produce a JAR from the Maven project.

Now you have a Function extension ready for use by AuthzForce, as explained in the next section.

Integrating a Function extension into AuthzForce

This section assumes you have a Function extension in the form of a JAR, typically produced by the process described in the previous section. Make sure it is available on the classpath before using it at runtime. You may use the AuthzForce PDP Core Tests JAR if you only wish to test the examples in this documentation. This JAR is available on Maven Central: groupId= org.ow2.authzforce, artifactId= authzforce-ce-core-pdp-testutils, version= 16.0.0.

Enabling a Function extension

To enable the new function for use in your policies at runtime, add a function element, with the function ID as its value, inside the pdp element of the PDP configuration file (XML). Registering the class in the PdpExtension service file only makes it discoverable; a function that is not listed in the PDP configuration is not available to policies, so an unknown function ID in a policy should be the first thing to check when a freshly built extension does not seem to work.
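The following is an added example written for this page, not code from the AuthzForce project, covering both the "Making a Function extension" steps above and the enabling step. It implements a match function on EqualTypeMatchFunction, the sub-class the page recommends for two same-typed parameters, and checks whether a host name lies under a parent DNS domain on label boundaries, a check that is easy to get wrong with a plain suffix comparison. The package name, class name and function URN are hypothetical. It also assumes, based on the TestDNSNameValueEqualFunction example the page refers to, that EqualTypeMatchFunction has a constructor taking (function ID, Datatype, Matcher), that Matcher is a nested interface with a single match(a, b) method, and that StringValue.getUnderlyingValue() returns the java.lang.String; verify these against the authzforce-ce-core-pdp-api version you build against.

```java
// Added example (not AuthzForce project code): a Function extension following the steps above.
// Assumptions (check against your authzforce-ce-core-pdp-api version):
//  - EqualTypeMatchFunction<T> has a constructor (String id, Datatype<T> paramType, Matcher<T> matcher)
//    and a nested Matcher<T> interface with a single method boolean match(T a, T b);
//  - StringValue.getUnderlyingValue() returns the underlying java.lang.String;
//  - the package, class name and function URN below are hypothetical.
package com.example.authzforce.ext;

import java.util.Locale;

import org.ow2.authzforce.core.pdp.api.func.EqualTypeMatchFunction;
import org.ow2.authzforce.core.pdp.api.value.StandardDatatypes;
import org.ow2.authzforce.core.pdp.api.value.StringValue;

/**
 * string-is-parent-domain-of(domain, host): true if host equals domain or is a subdomain of it,
 * compared on DNS label boundaries. The argument order follows the XACML *-match convention
 * (pattern first), so the function can be used as a MatchId in a Target: the literal domain is
 * the first argument and each value from the AttributeDesignator is the second.
 */
public final class StringIsParentDomainOfFunction extends EqualTypeMatchFunction<StringValue>
{
    /** Function ID: this exact string is used in policies (FunctionId / MatchId) and in the PDP configuration. */
    public static final String ID = "urn:example:xacml:function:string-is-parent-domain-of";

    /**
     * Pure matching logic, kept static and package-visible so it can be unit-tested without a PDP.
     * A plain endsWith() is a classic access-control bug: "evilexample.com".endsWith("example.com") is
     * true. We therefore require either equality or a '.' immediately before the matching suffix.
     */
    static boolean isParentDomainOf(final String domain, final String host)
    {
        // DNS names are case-insensitive, and a trailing dot (root label) must not break the match.
        final String d = stripTrailingDot(domain).toLowerCase(Locale.ROOT);
        final String h = stripTrailingDot(host).toLowerCase(Locale.ROOT);
        if (d.isEmpty() || h.isEmpty())
        {
            return false;
        }
        if (h.equals(d))
        {
            return true;
        }
        return h.length() > d.length() && h.endsWith(d) && h.charAt(h.length() - d.length() - 1) == '.';
    }

    private static String stripTrailingDot(final String s)
    {
        return s.endsWith(".") ? s.substring(0, s.length() - 1) : s;
    }

    /** Adapter from the AuthzForce value type to the plain-string logic above. */
    private static final Matcher<StringValue> MATCHER =
            (domain, host) -> isParentDomainOf(domain.getUnderlyingValue(), host.getUnderlyingValue());

    /** Public no-argument constructor: required because the class is loaded through the PdpExtension service file. */
    public StringIsParentDomainOfFunction()
    {
        super(ID, StandardDatatypes.STRING, MATCHER);
    }

    /*
     * Step 3 (service file) - src/main/resources/META-INF/services/org.ow2.authzforce.core.pdp.api.PdpExtension
     * contains exactly one line:
     *     com.example.authzforce.ext.StringIsParentDomainOfFunction
     *
     * Enabling - inside the <pdp> element of the PDP configuration file, add:
     *     <function>urn:example:xacml:function:string-is-parent-domain-of</function>
     * The service file only makes the class discoverable; without the <function> element the PDP
     * does not know the function ID when it parses policies.
     *
     * Policy usage (Target) - literal first, designator second:
     *     <Match MatchId="urn:example:xacml:function:string-is-parent-domain-of">
     *       <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">example.com</AttributeValue>
     *       <AttributeDesignator ... DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
     *     </Match>
     */
}
```

The matching logic is deliberately separated from the AuthzForce adapter so that the boundary cases (case folding, trailing dot, the "evilexample.com" suffix trap, empty strings) can be covered by ordinary JUnit tests on isParentDomainOf before the extension is ever loaded into a PDP.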