Tags: authorization, xacml, abac, alfa, xacml2

URL accessible at specific hours only XACML


I have a knotty problem (at least for me) to solve

In a nutshell:

  1. A web server exposing a single URL (static page)
  2. the URL should only be accessible between 9 am and 5 pm (everyday)
  3. the whole thing should be implemented through XACML

Questions

  • What actually do I need in order to accomplish my objective?
  • Is there any Oracle implementation of XACML which I should install? Is it by any chance free?
  • Could other XACML implementations be suitable? I'm referring to WSO2 Balana
  • Which tools should I use?
  • How should I start?

Thanks a lot


Solution

  • You'll need:

    • a PEP (policy enforcement point) to intercept the request to the server. In your case you are controlling access to a web server. If you're using a Java web server e.g. Tomcat, you can implement a Servlet Filter PEP.
    • a PDP (policy decision point) to receive the request from the PEP and return a decision (either Permit or Deny). Oracle used to have a PDP solution called Oracle Entitlements Server (OES), but it was discontinued. Nowadays you have several options:
      • Balana, an open-source XACML engine
      • AuthZForce, the latest and possibly most complete open-source XACML 3.0 PDP
      • Axiomatics, a commercial solution that provides you with turnkey PDP, PEP, and policy authoring (aka PAP)
    • a PAP (policy administration / authoring point): you need to write your policy. I typically use ALFA (Abbreviated Language for Authorization), which is an easy-to-read shorthand notation for XACML.

    In your case, the policy would look like the following:

    // ALFA policy; current_time is the standard XACML environment attribute
    // urn:oasis:names:tc:xacml:1.0:environment:current-time (datatype xs:time)
    policy allowOfficeHours {
        // first-applicable: the first rule that is not NotApplicable decides
        apply firstApplicable
        rule allowOfficeHours {
            // comparisons are strict: 09:00:00 and 17:00:00 themselves are outside the window
            target clause current_time > "09:00:00":time and current_time < "17:00:00":time
            permit
        }
        // no deny rule: outside office hours the policy is NotApplicable, not Deny,
        // so the PEP must treat anything other than Permit as a denial
    }

    Plan of action

    1. Start by downloading the PDP of your choice. If you need a free one, go to AuthZForce. You can ask and tag questions about it here. Their main architect / dev is active here.
    2. Then download the ALFA plugin for Eclipse to start writing some policies.
    3. Finally, use AuthZForce's PEP SDK to write your own PEP. Look at Java servlet filters as an easy means to write a PEP. Check out this post and that one for tips.
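To make the PEP/PDP exchange and the policy's decision semantics concrete, here is an added example that is not part of the original answer and not code from AuthZForce, Balana or the ALFA plugin. It builds the XACML 3.0 request a servlet-filter PEP would send (carrying the standard environment attribute `current-time`), evaluates the office-hours policy above with a toy first-applicable PDP, and shows why the PEP must be deny-biased: outside the window the policy returns NotApplicable rather than Deny, and a missing clock attribute yields Indeterminate. All function names (`build_request`, `decide`, `pep_allows`) are this example's own; the URNs are the standard OASIS XACML identifiers.

```python
# Added example (not from the original answer): toy XACML 3.0 PEP/PDP exchange for the
# office-hours policy. Real deployments delegate evaluation to a PDP such as AuthZForce
# or Balana; this code only makes the decision semantics visible.
from datetime import time
from typing import List, Optional
import xml.etree.ElementTree as ET

# Standard XACML 3.0 identifiers defined by the OASIS specification
XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
ENV_CATEGORY = "urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
CURRENT_TIME_ID = "urn:oasis:names:tc:xacml:1.0:environment:current-time"
TIME_TYPE = "http://www.w3.org/2001/XMLSchema#time"

OPEN = time.fromisoformat("09:00:00")   # "09:00:00":time in the ALFA policy
CLOSE = time.fromisoformat("17:00:00")  # "17:00:00":time in the ALFA policy


def q(tag: str) -> str:
    """Qualify an element name with the XACML 3.0 namespace."""
    return f"{{{XACML_NS}}}{tag}"


def build_request(current_time: Optional[str]) -> str:
    """PEP side: serialise a XACML 3.0 <Request>. A servlet-filter PEP would build one
    per HTTP request and post it to the PDP; the clock value is passed in here so the
    example is deterministic. Pass None to simulate a PEP that omits the attribute."""
    ET.register_namespace("", XACML_NS)
    req = ET.Element(q("Request"), {"CombinedDecision": "false", "ReturnPolicyIdList": "false"})
    if current_time is not None:
        attrs = ET.SubElement(req, q("Attributes"), {"Category": ENV_CATEGORY})
        attr = ET.SubElement(attrs, q("Attribute"),
                             {"AttributeId": CURRENT_TIME_ID, "IncludeInResult": "false"})
        ET.SubElement(attr, q("AttributeValue"), {"DataType": TIME_TYPE}).text = current_time
    return ET.tostring(req, encoding="unicode")


def find_current_time(request_xml: str) -> List[time]:
    """PDP side: the AttributeDesignator for current-time in the environment category.
    Returns the bag of matching values (possibly empty)."""
    root = ET.fromstring(request_xml)
    bag = []
    for attrs in root.findall(q("Attributes")):
        if attrs.get("Category") != ENV_CATEGORY:
            continue
        for attr in attrs.findall(q("Attribute")):
            if attr.get("AttributeId") != CURRENT_TIME_ID:
                continue
            for value in attr.findall(q("AttributeValue")):
                if value.get("DataType") == TIME_TYPE:
                    bag.append(time.fromisoformat(value.text))  # naive times, no zone suffix
    return bag


def rule_allow_office_hours(bag: List[time]) -> str:
    """The single rule: target 'current_time > 09:00 and current_time < 17:00', effect Permit.
    Modelled after XACML target evaluation with MustBePresent=true: an empty bag is
    Indeterminate, a non-matching target makes the rule NotApplicable, a match yields
    the rule's effect."""
    if not bag:
        return "Indeterminate"
    if any(OPEN < t < CLOSE for t in bag):  # strict comparisons, as written in the policy
        return "Permit"
    return "NotApplicable"


def decide(request_xml: str) -> str:
    """Policy allowOfficeHours under the first-applicable combining algorithm: the first
    rule whose result is not NotApplicable decides; with no rule applicable the
    policy itself is NotApplicable."""
    bag = find_current_time(request_xml)
    for rule in (rule_allow_office_hours,):
        result = rule(bag)
        if result != "NotApplicable":
            return result
    return "NotApplicable"


def pep_allows(decision: str) -> bool:
    """PEP side: a deny-biased PEP serves the page only on an explicit Permit.
    Deny, NotApplicable and Indeterminate all block the request."""
    return decision == "Permit"


if __name__ == "__main__":
    for clock in ("08:59:59", "09:00:00", "12:30:00", "17:00:00", None):
        d = decide(build_request(clock))
        print(f"current-time={clock!s:>9}  decision={d:<14}  served={pep_allows(d)}")
```

Two things the run makes visible that the policy text alone does not: the window is open-ended on both sides (exactly 09:00:00 and 17:00:00 are refused because the ALFA comparisons are strict), and every non-Permit outcome, including NotApplicable and Indeterminate, must be treated as a denial by the servlet filter. The example uses naive `xs:time` values; in a real deployment make sure the PEP and PDP agree on the time zone the clock attribute is expressed in.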