I am trying to write a code that will enable user access of content from a website based on security roles. Thus some users can see all the content, and some can only see urls with certain extensions.
Most of my code works, but I have trouble with the access for the 3 subcategories.
<Rule Effect="Permit" RuleId="accesses">
<Description>Permission for lower clearance</Description>
<Target>
<Resources>
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">home.html
</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="policy-admin#website.com"
MustBePresent="true" />
</ResourceMatch>
</Resource>
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">localweather.html
</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="policy-admin#website.com"
MustBePresent="true" />
</ResourceMatch>
</Resource>
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">about.html
</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="policy-admin#website.com"
MustBePresent="true" />
</ResourceMatch>
</Resource>
</Resources>
</Target>
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<SubjectAttributeDesignator AttributeId="AccessLevel"
DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="policy-admin#website.com"
MustBePresent="true" />
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Clear</AttributeValue>
</Apply>
</Apply>
</ Condition >
</Rule>
I have these 3 resources, and when I run the program, I get an "indeterminate" response. Can I only have 1 resource per rule? Is something else throwing an exception?
You can have tree resources for in target. According to the your rule, they would act as "OR". Please check with your XACML request, may be you are sending request that is not matching with policy (policy has MustBePresent="true it means, if attribute is not there, PDP would create a indeterminate error). Please change them to "false" and see.
It was actually a condition problem. The resources were all leaf-level files. I didn't have the right set of user attribute values for my policy. I compared it against my LDAP schema and got it working.
Related
I've searched for this, but can't seem to come up with the right search terms to find - seems it would be a common question.
WIMP, IIS version is 8
I want to come up with a rewrite rule:
Incoming URL: http://example.com/1a2b3cdef
Rewritten to: http://example.com?p=1a2b3cdef
Note, the start of this url will always be "http://example.com/" (not the real domain name), that will never change.
From there my default document of index.php will retrieve the GET variable p.
Any help is greatly appreciated.
This is the configuration that can be applied in web.config.
<defaultDocument>
<files>
<add value="index.php" />
</files>
</defaultDocument>
<rewrite>
<rules>
<rule name="rewrite" enabled="true">
<match url="^[_0-9a-z]+" />
<action type="Rewrite" url="?p={R:0}" />
</rule>
</rules>
</rewrite>
** Edited for clarification **
I've inherited a bunch of xml documents (configuration files) that resemble the following structure (element names changes and structured simplified for the sake of brevity.
<containers>
<container id="c1">
<ports>
<port id="p2"/>
</ports>
<rules>
<!--
Within a container, a rule must refer to a port
declared within the same container.
A rule cannot refer to a port that does not
exist in the enclosing container.
-->
<rule id="r1" portId="p1"/><!-- p1 is not in c1, but in c2, bad -->
<rule id="r2" portId="p2"/><!-- this is good -->
<rule id="r3" portId="p3"/><!-- p3 is nowhere, bad -->
</rules>
</container>
<container id="c2">
<ports>
<port id="p1"/>
<port id="p2"/>
</ports>
<rules>
<rule id="r1" portId="p1"/>
</rules>
</container>
</containers>
A container can have points and rules (point and rule ids can be duplicated among containers; they just need to be unique within a container.)
The requirement is that if a rule references a point id, that point id must be defined within the enclosing container.
I need to search for rules within containers that, by mistake reference non-existing points.
I have xpath expressions that can find a rule that points to a non-existing point (unfortunately for the entire xml document.)
//*/rule/#portId[not( . = //*/port/#id)]
The rule applies to the entire document, it is not contained within containers.
That is, this xpath expression would detect that the rule r3 in container c1 refers to a port p3 that does not exist anywhere in the document.
However, this same xpath expression would not detect that rule r1 in container c1 refers to a port p2 that is not in container c1. Why? Because this xpath expression will match it with port p2 in container c2.
My xpath expression would not detect this.
Granted, I could do this with several xpath expressions and glue code between them (say, by applying the xpath expression to each container) but I was hoping if it is possible to use one single xpath expression starting from the root element instead.
Any advice?
Another option using the ancestor:: axis...
//rule[not(#portId = ancestor::container//port/#id)]
Try this one.
//rule[#portId[not(. = ./parent::rule/parent::rules/parent::container/*/port/#id)]]
This seems to work for me. Tested on:
<containers>
<container id="c1">
<ports>
<port id="p2"/>
<port id="p4"/>
</ports>
<rules>
<!--
Within a container, a rule must refer to a port
declared within the same container.
A rule cannot refer to a port that does not
exist in the enclosing container.
-->
<rule id="r1" portId="p1"/><!-- p1 is not in c1, but in c2, bad -->
<rule id="r2" portId="p2"/><!-- this is good -->
<rule id="r3" portId="p3"/><!-- p3 is nowhere, bad -->
</rules>
</container>
<container id="c2">
<ports>
<port id="p1"/>
<port id="p2"/>
</ports>
<rules>
<rule id="r1" portId="p1"/>
<rule id="r2" portId="p4"/>
</rules>
</container>
</containers>
using this online processor.
Got the following output
Element='<rule id="r1" portId="p1"/>'
Element='<rule id="r3" portId="p3"/>'
Element='<rule id="r2" portId="p4"/>'
I want to express a fine-grained access control use case with XACML 3.0 for an XML document but I don't know whether I can use a full XPath expression like
for $a in fn:distinct-values(sales/clientid)return (fn:sum(sales[clientid = $a]/value)
This my XML:
<?xml version="1.0"?>
<database>
<sales>
<salesid>1</salesid>
<clientid>1</clientid>
<value>1000</value>
</sales>
<sales>
<salesid>2</salesid>
<clientid>1</clientid>
<value>10000</value>
</sales>
<sales>
<salesid>3</salesid>
<clientid>2</clientid>
<value>500</value>
</sales>
<client>
<clientid>1</clientid>
<nom>a</nom>
</client>
<client>
<clientid>2</clientid>
<nom>b</nom>
</client>
</database>
How can I limit the access to the clients who have a sales value less than 10,000?
As I understand your requirement, you need to apply XACML policy based on the xml schema as described above. The sample xml needed to be in XACML request else if you are planning to read from xml as repository you may need to write a custom PIP.
You can achieve the XPath based policy design for the same, provided that the xml input for the client details is available in XACML request inside element as below sample:
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<Content>
<client id="xxxx">
<sales id="yyyy">
<value>1234</value>
</sales>
</client>
</Content>
</Attributes>
Then you can create the policy based for your use case as below sample:
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:xacml="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="sample-xpath-policy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
<Description>Sample XPath policy</Description>
<PolicyDefaults>
<XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</XPathVersion>
</PolicyDefaults>
<Rule Effect="Permit" RuleId="Rule-1">
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:integer-less-than">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">10000</AttributeValue><AttributeSelector MustBePresent="false" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" Path="/client/sales/value/text()" DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Match>
</AllOf>
</AnyOf>
</Target>
</Rule>
<Rule RuleId="rule2" Effect="Deny">
<Description>Deny rule</Description>
</Rule>
</Policy>
I've a simple site with a web.config file for rewriting URL's
for instance, navigating to www.domain.com/story will show the page at www.domain.com/story.php
I've added a child folder with a copy of the site with a Chinese translation to www.domain.com/zh
I can access the story page at www.domain.com/zh/story.php but not www.domain.com/zh/story
How do I need to configure my web.config file? I've tried copying the web.config file to the /zh folder but this doesn't work, I've also tried copying and changing my match URL from ^story to ^zh/story but this also doesn't have the desired effect. Can someone suggest what is going on please?
Here is my existing web.config in the web root:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="Rewrite to story.php">
<match url="^story" />
<action type="Rewrite" url="story.php" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
Haven't had a chance to try myself, but try something like this:
<rule name="Rewrite to story.php">
<match url="^zh/story" />
<action type="Rewrite" url="zh/story.php" />
</rule>
Suppose I have a Web.config like such:
<configuration>
<elmah>
...
</elmah>
</configuration>
Is it possible to remove the <elmah> node with config transforms? So far I've tried something like:
<configuration>
<elmah xdt:Transfrom="RemoveAll"/>
</configuration>
Which doesn't work (according to Preview Transform). Althought this type of thing does seem to work on other nodes. Does anyone know how this can be removed?
Thanks
You need to have a xdt:Locator to get the match.
Try using the following:
Debug:
<configuration>
<elmah name="debug" />
</configuration>
Release:
<configuration>
<elmah name="debug" xdt:Locator="Match(name)" xdt:Transform="RemoveAll" />
</configuration>
Or without the need for name matching:
<configuration>
<elmah name="debug" xdt:Locator="XPath(//elmah)" xdt:Transform="RemoveAll" />
</configuration>
or
<configuration>
<elmah name="debug" xdt:Locator="XPath(configuration/elmah)" xdt:Transform="RemoveAll" />
</configuration>
As a note:
Currently the Web.config transforms are only applied during the Web Publish Pipleline (WPP) that is on Publish, not during debug, to enable them during debug check the following link: http://sedodream.com/2010/10/21/ASPNETWebProjectsWebdebugconfigWebreleaseconfig.aspx .
Hope it helps.
You have a typo in your xdt syntax – it should be xdt:Transform, not xdt:Transfrom.