Tags: xacml, xacml3, xacml2

Can I use an XPath-like expression in the AttributeValue of a XACML policy?


I'd like to declare some policies like this:

Someone can visit anything under the img path, but img folders are scattered everywhere, so the AttributeValue in the XACML policy may look like this: "/rootpath/**XPATH_PART**/img/*".

How do I write a policy of this kind?

I looked through the "XACML 3.0 core spec" and the "Multiple Profile"; they say:

Each Individual Decision Request SHALL be identical to the original request context with two exceptions: the “multiple:content-selector” attribute SHALL NOT be present and an added “content-selector” attribute value SHALL be an XPath expression that evaluates to a single node in the <Content> element

I think this means that in the policy file I can't use XPath in the AttributeValue to refer to multiple resources like I said in the first place, right? Because the request is resolved into individual requests, each asking for a resource with a specified attribute id.

Is there something in the specification I missed or misunderstood? Or can anyone suggest a better way to do what I want?

Now I'm wondering if using a regular expression in the resource can do that. The corresponding function is urn:oasis:names:tc:xacml:1.0:function:string-regexp-match.

P.S.: I'm trying to set up an authorization server for my company, and XACML seems a good place to start. But nobody around me knows about it. I would appreciate it if anyone could give me any suggestions about setting up the access control system.


Solution

  • I chatted with some of my colleagues at Axiomatics and the conclusion is that you do not need XPath but rather regular expressions. XACML provides a regular expression function that works on URI data types. It is called anyURIRegexpMatch and it takes in a string (the regular expression) and the XACML attribute to which to apply the regular expression. It returns either true or false.

    Your rule target would look as follows in ALFA (Axiomatics Language for Authorization):

    policy matchResources{
        apply firstApplicable
        rule allow{
            target clause anyURIRegexpMatch("^https?://(?:[a-z\\-]+\\.)+[a-z]{2,6}(?:/[^/#?]+)+\\.(?:jpg|gif|png)$", resourceId)
            permit
        }
    }
    

    See also this other example (XACML 2.0): How do I apply XACML rules to every child URI?
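The following is an added example, not code from the question, the answer or Axiomatics. It shows why the regexp-match approach answers the "/rootpath/**/img/*" question: a small glob-to-regex translator produces an anchored pattern, and a stand-in for urn:oasis:names:tc:xacml:1.0:function:string-regexp-match evaluates it against constructed resource ids. The XACML function follows fn:matches semantics and matches anywhere in the value, so the example also shows that an unanchored "/img/" would permit resources outside the intended tree, and it checks the answer's anyURIRegexpMatch pattern against a couple of sample URIs. Function names, the sample resource ids and the sample URIs are all assumptions made for this illustration.

```python
import re

# Constructed sample resource identifiers (not from the original post).
SAMPLE_RESOURCES = [
    "/rootpath/img/logo.png",          # img directly under rootpath
    "/rootpath/a/b/img/photo.jpg",     # img nested two levels down
    "/rootpath/a/imgs/photo.jpg",      # 'imgs' is not 'img'
    "/rootpath/a/img/sub/photo.jpg",   # '*' is one segment, not a subtree
    "/other/img/photo.jpg",            # outside rootpath entirely
]

# The regex from the answer's ALFA rule, written as a Python raw string
# (the ALFA string literal needed doubled backslashes).
ANSWER_URI_REGEX = r"^https?://(?:[a-z\-]+\.)+[a-z]{2,6}(?:/[^/#?]+)+\.(?:jpg|gif|png)$"


def glob_to_regex(pattern: str) -> str:
    """Translate a path glob into an anchored regular expression.

    '**/' matches zero or more whole path segments, '*' matches exactly one
    segment (anything but '/'), and every other character is taken literally.
    The result is anchored with ^ and $ so a match covers the whole resource id.
    """
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            parts.append("(?:[^/]+/)*")
            i += 3
        elif pattern[i] == "*":
            parts.append("[^/]+")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return "^" + "".join(parts) + "$"


def string_regexp_match(regex: str, value: str) -> bool:
    """Stand-in for urn:oasis:names:tc:xacml:1.0:function:string-regexp-match.

    Like XPath fn:matches, the function returns true if the regex matches
    anywhere in the value; anchoring is therefore the policy author's job.
    """
    return re.search(regex, value) is not None


def decide(regex: str, resource_id: str) -> str:
    """Single-rule, first-applicable policy: Permit on match, else NotApplicable."""
    return "Permit" if string_regexp_match(regex, resource_id) else "NotApplicable"


def decide_all(glob_pattern: str, resource_ids):
    """Evaluate the glob-derived rule over a list of resource ids."""
    regex = glob_to_regex(glob_pattern)
    return {rid: decide(regex, rid) for rid in resource_ids}


if __name__ == "__main__":
    print("anchored regex:", glob_to_regex("/rootpath/**/img/*"))
    for rid, decision in decide_all("/rootpath/**/img/*", SAMPLE_RESOURCES).items():
        print(f"{decision:14} {rid}")
    # Unanchored pattern: matches a substring, so it permits a foreign path.
    print("unanchored '/img/' on /other/img/photo.jpg:",
          decide("/img/", "/other/img/photo.jpg"))
    print("answer regex on https://example.com/images/photo.png:",
          decide(ANSWER_URI_REGEX, "https://example.com/images/photo.png"))
```

The translator is deliberately strict: "*" never crosses a "/" and the whole pattern is anchored, so the two constructed negative cases (an "imgs" sibling directory and a file one level below "img") are NotApplicable rather than accidentally permitted. If the PDP should also cover deeper subtrees under img, the glob would end in "**/*" rather than "*", and the anchored form still keeps the match from leaking outside "/rootpath".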