XACML | AT & T XACML 3.0 Implementation | Application Framework library

First of all the supplied policy is incomplete. It is missing the closing tag and the Permit rule. In my testing I added these and it "works for me" but since we do not know exactly what you have it is possible you have other mistakes.

Your issue seems to be that you copy/pasted the attributes in the policy and are using the wrong category for subject-id. It should be:

urn:oasis:names:tc:xacml:1.0:subject-category:access-subject

instead of:

urn:oasis:names:tc:xacml:3.0:subject-category:access-subject

So yes the request is missing the required subject-id attribute since the request is using a different category for subject-id than what is defined in the policy.

When I use the below corrected policy and request I do get a Permit. Note that I am not using Balana but you should see the same results.

Policy:

Thanks to Martin Honnen that pointed out that the namespace of the XACML didn't match the namespace for the schema. Using a request with a similar namespace solved the issue. Here is an example of an X(AC)ML sample that did in fact work, both with xmllint and in the script.

The problem was therefore the xmlns

The error got resolved by running:

You should get used to finding and using tools. I doubt you will get much reponse for questions like this :) Having said that here is your modified xml that does not give error. In notepad++ you have plugin "XML Tools". If you install that, and if you try to save invalid xml it would give you error. You can also display the xml in your favourite browser and get error message. You can see the difference in xml you gave and one I put below using a diff utility, I use "winmerge (winmerge.com)"

In short the problem was:

• extra "Apply" tag

• not closed "Apply" tag

• missing double quotes for policyId attribute value

You can write policies in ALFA, then use the ALFA Compiler (1.2 or later), i.e. alfac.jar to convert to XACML before sending the policies to AuthzForce. More info in the ALFA 1.2 User Guide (provided with the Compiler), in section XACML generation using the standalone ALFA compiler.

As an alternative, the AuthzForce project xacml-json-model provides:

• A JSON schema for policies, closely equivalent to XACML, more info in the README;
• A few examples of policies in this JSON format for testing, with various levels of complexity;
• XSLT stylesheets to translate this JSON policies into XACML 3.0 automatically, with help of your favorite XSLT 3.0 library/processor, more info in the README, e.g. in a command line with SAXON XSLT library:

There are several ways that you can add custom permissions to the WSO2 Identity Server. These methods are given in this answer.

There is a XACML function as urn:oasis:names:tc:xacml:1.0:function:eval-permission-tree defined in the WSO2 Identity Server. This can be used to validate the permissions of a user. This function requires two inputs.

 1. required permission string (ex: /permission/admin/login)

 2. subject or the user whose permissions are validated

In the WSO2 Identity Server, there is a sample XACML policy on using this function. If you login to the management console of the Identity Server, the sample is with the name evaluate_permission_tree_policy at Main > Entitlement > PAP > Policy Administration

You can get the permission string by referring to the registry of the Identity Server via Main > Registry > Browse 

I assume that you want to validate the permissions of a given role from the XACML policy. As per the current implementation, the function eval-permission-tree only checks whether the given user is authorized. [1] To achieve your requirement, you can write your own XACML function extending the EvalPermissionTreeFunction class. This blog[2] describes how you can write a custom XACML function and plug it into WSO2 IS.

[1] https://github.com/wso2/carbon-identity-framework/blob/master/components/entitlement/org.wso2.carbon.identity.entitlement/src/main/java/org/wso2/carbon/identity/entitlement/extension/EvalPermissionTreeFunction.java#L77

[2] https://pamodaaw.medium.com/custom-xacml-functions-for-wso2-identity-server-5-10-0-a91bc2ec673d

The only feature XACML provides OOTB is the notion of variable definitions and variable references. However it doesn't fully do what you're looking for.

For starters, variable definitions are defined globally but can only be used inside rules. You cannot use them inside targets. Variable definitions are made up of a XACML expression i.e. anything that can be expressed in a condition (so a string, a function, and more).

Variable definitions are defined within a policy and their visibility is scoped to that policy. This limits their usefulness.

If you wanted a cross-policy variable / constant, you'd have to do that outside XACML, define your policies, and then post-process them to replace your placeholders with your values. If you work directly on XML, you could do that with XSLT for instance. Otherwise, it'll largely depend on the IDE you're using.

Source: eXtensible Access Control Markup Language (XACML) Version 3.0 Plus Errata 01

Yes, you can use an access token to authorize the request. If you navigate to /repository/conf/identity/identity.xml file, you can find a content as follows.

A possible solution would be like the following:

How can I implement the third application so that it can support non-specific, free-style permissions? Using a JWT Token that includes the user's permissions as scopes.

How can I store those permissions?

• Store your user Model on the third application, along with the permission/roles for each user.
• When the user log in, they will be redirected to your third application. On successful authentication, the third application can then generate an access_token in the form of a JWT token which includes the permissions that the user has as scopes.
• You can then have your front-end include this access_token on API requests to the client applications. The client applications can validate the access_token and check the scopes/permissions for the user to determine if the user can access certain data.

How should I transfer the permissions to the client applications? Your client applications can validate/read the scopes included in the JWT token on each API request

How can I query for some permissions? Not sure what this means, I can interpret 2 different things:

1. Take Github as an example, a Github App can specify that they need read access and email access (but not the write access), and the user can authenticate and only approve read and email access. In this case, the Authorization Server (Github) would generate a JWT that only includes scopes for read and email even though the user has other permissions available.
2. If you're talking about the client app wanting to know if the user has certain permission, then it can just look at the scopes included in the JWT. You might need to define the required scope for each endpoint in the client application.

Should I store all permissions in the third application and query for them each time when I the user asks for some resource, or should I save them locally and update them at some points?

The permissions for each user can be stored in the third application, and the client applications just trust the scopes included in the JWT. Since the access_token should be short lived (for example it expires in 1 hour), changes on the user's permission level can be handled by renewing the access_token.