xacmlxacml
Security
Home > Books > NetKernel API and Services Reference > Accessor Listing > Security Extensions > xacml
Preface
Accessor Listing
ASpell Spell Checker
Berkeley DBXML Accessors and Utilities
Cron Scheduled Jobs
DPML
Entrypoint Management
HTTP Client Services
HTTP Transport
Image Resource Model
JMS Connectivity
JSON Library
Kernel Management and Development APIs
Layer1
LDAP / DSML Accessors and Utilities
Lucene Full Text Search
PiNKY
RDBMS Accessors and Utilities
Ruby Language Runtime
Scripting Runtimes
Security Extensions
gk
guid
md5
xacml
xsign
xverify
Session Extensions
SMTP Email Service
SOAP Service Infrastructure
Utility and System Accessors
WebDav Client
XHTML Utilities
XML Accessors
XQuery
XRL
XUnit - Unit Test Framework
Aspect Listing
Transport Listing
Transreptor Listing
Fragmentor Listing
NetKernel API
Protocol Handler

Rate this page:
Really useful
Satisfactory
Not helpful
Confusing
Incorrect
Unsure
Extra comments:

 send 

Module

urn:org:ten60:netkernel:ext:xsecurity

The xacml accessor is exported by the urn:org:ten60:netkernel:ext:xsecurity module. Import this module to gain access to the accessor.

Syntax

URI
active:xacml

ArgumentRulesDescription
operandMandatory Fragment OKthe XACML request document
operatorMandatory the XACML policy document

Example Usage

DPML

<instr>
  <type>xacml</type>
  <operand>request.xml</operand>
  <operator>policy.xml</operator>
  <target>response.xml</target>
</instr>

NetKernel Foundation API

req=context.createSubRequest("active:xacml");
req.addArgument("operand", [resource representation, aspect, or URI] );
req.addArgument("operator", [resource representation, aspect, or URI] );
result=context.issueSubRequest(req);

Purpose

Description

XACML or XML Accesses Control Markup Language is an Oasis standard which provides a generalised XML based platform for controlling access to resources. Requests are checked against a policy or policies and a response is created. The response can be Permit, Deny, NotApplicable or Indeterminate. NotApplicable is returned when the policy cannot be evaluated from the given request. Indeterminate is returned when the evaluation fails because of an error. The policy may attach obligations to the response which provide extra information on fulfilling the request.

Example

With a policy of:

<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy" PolicyId="xacmlpolicy1" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Target>
    <Subjects>
      <AnySubject />
    </Subjects>
    <Resources>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Mambo</AttributeValue>
          <ResourceAttributeDesignator AttributeId="Animal" DataType="http://www.w3.org/2001/XMLSchema#string" />
        </ResourceMatch>
      </Resource>
    </Resources>
    <Actions>
      <AnyAction />
    </Actions>
  </Target>
  <Rule Effect="Permit" RuleId="FinalRule" />
</Policy>
and a request of:
<Request xmlns="urn:oasis:names:tc:xacml:1.0:context">
  <Subject />
  <Resource>
    <Attribute AttributeId="Animal" DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>Mambo</AttributeValue>
    </Attribute>
  </Resource>
  <Action />
</Request>
gives a response of:
<Response>
  <Result>
    <Decision>Permit</Decision>
    <Status>
      <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok" />
    </Status>
  </Result>
</Response>

References

Oasis XACML Specification
Sun XACML Implementation

(C) 2003, 1060 Research Limited
© 2003-2007, 1060 Research Limited. 1060 registered trademark, NetKernel trademark of 1060 Research Limited.