Support for SAML 2.0 profile for XACML. (Updated: August 1st 2007)
=======================================
Tools include:
- XACML Authorization service port type definition.
- Generation of Java bindings for the schema
- Helper API for processing request/response.
- Authorization callout PDP that can talk to a XACML Authorization
service and can be plugged into the Java WS Core authorization framework.
- Sample authorization service
Source code
============
Code is in Globus CVS repository:
(1) Remote CVS access
- Set CVSROOT to :pserver:anonymous@cvs.globus.org:/home/globdev/CVS/globus-packages
- cvs co -r bug_5102_branch_1 wsrf/java wsrf/build.xml wsrf/schema wsrf/compact
(Instructions from http://www.globus.org/toolkit/docs/development/remote-cvs.html)
(2) Prerequisites
- JDK 1.4.x
- Ant 1.6.x
(3) Building code
$ export GLOBUS_LOCATION=/sandbox/globus/xacml
$ cd wsrf
$ ant all
Using GT XACML Authorization Callout
====================================
Class: org.globus.wsrf.impl.security.authorization.XACMLAuthorizationCallout
This section describes using the XACML authorization callout PDP for
authorizing access to services hosted in the GT container. The PDP
calls out to a configured XACML Authorization Service and processes
the decision and obligation.
In this example, we will assume the service being protected is
SecureCounterService and the XACML authorization service contacted is
SampleXACMLAuthzService. These are shipped as part of Java WS Core.
(1) Configuring the SecureCounter Service.
The counter service needs to be configured to use the XACML
Authorization callout for authorization decisions. The descriptor
$GLOBUS_LOCATION/etc/globus_wsrf_core_samples_counter/xacml-security-config.xml
can be used for this purpose.
It sets the following policy:
(A) createCounter and add methods require one of the three specified
authentication schemes.
(B) destroy method requires Secure Conversation
(C) All others require no authentication
(D) All secure method invocations are secured using the
"XACMLAuthorizationCallout". The callout accepts the following configuration:
- "xacmlAuthzService": Endpoint of the authorization service;
required.
- Obligation handler configuration: mapping from obligation Id to
obligation handler. The handler should implement ObligationHandler.
Two other optional parameters, not used in this descriptor:
- "inputContextOnly", true/false. If true, then external
attributes can be used in decisions. Defaults to false. Optional.
- "returnContext", true/false. If true, then request context
is part of the response. Defaults to false. Optional.
(2) Edit "SecureCounterService" deployment in file
$GLOBUS_LOCATION/etc/globus_wsrf_core_samples_counter/service-config.wsdd. Replace
the following
with
(3) Copy xacml-security-config.xml to
$GLOBUS_LOCATION/etc/globus_wsrf_core_samples_counter. This file
configures the XACMLCallout PDP to be used with the authorization service
URL set to https://localhost:9090/wsrf/services/SampleXACMLAuthzService
(4) $GLOBUS_LOCATION/etc/globus_wsrf_core_samples_authzService/jndi-config.xml
provides a list of methods to deny and the user account to return as an
obligation. By default it denies the "add" method.
(5) Shell 1: start the container for the secure counter service
export GLOBUS_LOCATION=/sandbox/globus/gtInstall
cd $GLOBUS_LOCATION
bin/grid-proxy-init
bin/globus-start-container
(6) Shell 2: Authorization service container
export GLOBUS_LOCATION=/sandbox/globus/gtInstall
cd $GLOBUS_LOCATION
bin/globus-start-container -p 9090
(7) Shell 3: Client shell
export GLOBUS_LOCATION=/sandbox/globus/gtInstall
cd $GLOBUS_LOCATION
bin/counter-create -s https://localhost:8443/wsrf/services/SecureCounterService -m msg -z none > counterEpr
bin/counter-add -e counterEpr -m msg -z none 10
(8) The configured obligation handler, LocalAccountObligationHandler,
is invoked and pushes the local user account into the peer Subject
maintained by the container. LocalAccountObligationHandler has a constant
for the obligation Id that it processes.
Writing XACML Authorization Service
===================================
(1) Schema: gtInstall/share/schema/core/security/authorization/xacml
(2) Stubs: Generated as part of the GT target. Java namespace set to
org.oasis.names.*
(3) Port type class:
org.globus.wsrf.security.authorization.xacml.XACMLAuthorizationPortType
(4) Sample service:
- wsrf/java/core/samples/authzService
- deploy-server.wsdd, "SampleXACMLAuthzService"
- Returns a permit for any non-anonymous access for operations
that are not in a configured denied list.
- Denied list configured in deploy-jndi-config.xml
- Local user account returned configured in deploy-jndi-config.xml
XACML Processing Library
========================
Code: wsrf/java/xacml/source
Utilities to construct and process data types from the XACML/SAML
profile. Helper classes provide the basic constructs required for
query and decision processing.
The library exists as part of the Java WS Core code and will eventually
be separated. The Java data bindings for the SAML 2.0 profile for
XACML 2.0 schema are generated using Axis WSDL2Java tool. The helper
classes use the generated Java bindings.
A distribution of just the helper library, together with the additional jars
that are required, has been provided. It contains the stubs that were generated
using the Axis tools (build/stubs).
(1) Source: xacmlUtilSrc.tar.gz
$ cd xacmlUtil/source
$ ant dist
You will need all jars from xacmlUtil/source/build/lib/common and xacmlUtil/source/lib
(2) Binary: xacmlUtilBin.tar.gz
This is a collection of the jars that you will need to use the utility.
Proposed enhancements
=====================
The code is currently alpha quality, so warrants general code improvements.
(1) Tests for utility library. Today only round trip using GT
authorization framework exists.
(2) i18n and Java docs.
(3) XACML pieces as separate code base - both processing library and
the callout. Hence package name change.
(4) Investigate use of other tools for java bean generation, today
Axis is used.
(5) Signed assertion
(6) The Resource helper handles only a specific URI and datatype. Add more
API to allow other types.
(Assumes Constants.RESOURCE_URI and STRING_XSD_URI as the resource type.)
(7) Subject helper: constructed attributes assume the issuer is
null. The same applies to retrieval.
(8) License and code format
Notes
=====
- Requirements:
http://cd-docdb.fnal.gov/cgi-bin/ShowDocument?docid=2339 (July 10th)
- Tweaked the schema somewhat so that the attribute value is xsd:any, which
allows a better generated API
- Sample service does not look at the request context or the response property
- Axis stub issue
- http://issues.apache.org/jira/browse/AXIS-1672
- Assertion structure:
  - Array of Statement
- Response:
  - Array of Status
  - Each Status has resource id, status, decision
- Decision algorithm:
  for each statement {
      get response
      if response is not indeterminate
          for each status in response
              - if resource id matches
              - and status is ok
              - and action name and namespace match
              - then:
                  - if decision is permit, return permit
                  - if decision is deny, return deny
  }
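The decision algorithm above, written out as an added Python model (not Globus code); responses and statuses are plain dicts constructed here in place of the Axis-generated bindings, the counter namespace is a placeholder, and "no matching status" is assumed to mean Deny (fail closed):

```python
# Added example (not Globus code): plain-Python model of the decision
# algorithm sketched in the Notes. Dicts stand in for the SAML/XACML bindings.
PERMIT, DENY, INDETERMINATE = "Permit", "Deny", "Indeterminate"
STATUS_OK = "urn:oasis:names:tc:xacml:1.0:status:ok"
STATUS_ERROR = "urn:oasis:names:tc:xacml:1.0:status:processing-error"

# Constructed identifiers for the sample below (the namespace is a placeholder).
SECURE_COUNTER = "https://localhost:8443/wsrf/services/SecureCounterService"
COUNTER_NS = "urn:example:counter"


def decide(statements, resource_id, action_name, action_ns):
    """Return Permit or Deny for (resource, action) following the notes:
    skip indeterminate responses, then take the first status whose resource
    id, status code and action name+namespace all match.
    Assumption: no matching status at all means Deny (fail closed)."""
    for statement in statements:
        response = statement["response"]
        if response["decision"] == INDETERMINATE:
            continue
        for status in response["statuses"]:
            if status["resource_id"] != resource_id:
                continue
            if status["status_code"] != STATUS_OK:
                continue  # e.g. processing-error: not a usable result
            if (status["action_name"], status["action_ns"]) != (action_name, action_ns):
                continue
            if status["decision"] == PERMIT:
                return PERMIT
            if status["decision"] == DENY:
                return DENY
    return DENY


def _status(resource, action, code, decision):
    return {"resource_id": resource, "action_name": action, "action_ns": COUNTER_NS,
            "status_code": code, "decision": decision}


# Constructed sample: the first statement is indeterminate and must be skipped;
# the second mirrors the sample authz service, which denies "add" by default.
SAMPLE_STATEMENTS = [
    {"response": {"decision": INDETERMINATE, "statuses": []}},
    {"response": {"decision": PERMIT, "statuses": [
        _status("https://localhost:8443/wsrf/services/CounterService", "add", STATUS_OK, PERMIT),
        _status(SECURE_COUNTER, "add", STATUS_OK, DENY),
        _status(SECURE_COUNTER, "createCounter", STATUS_OK, PERMIT),
        _status(SECURE_COUNTER, "destroy", STATUS_ERROR, PERMIT),  # skipped: status not ok
    ]}},
]

if __name__ == "__main__":
    for action in ("add", "createCounter", "destroy"):
        print(action, "->", decide(SAMPLE_STATEMENTS, SECURE_COUNTER, action, COUNTER_NS))
```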