Adding Access Control Criteria to Muradora

The Architecture

To add access control criteria to Muradora, complete the following steps:

  1. Create an AttributeFinder
  2. Configure the MelcoePDP with your new AttributeFinder
  3. Configure the Muradora application with the new Attributes

Creating an AttributeFinder

The MelcoePDP uses the SunXACML PDP Engine, and as such, has to follow the SunXACML method for the creation of AttributeFinders.

To create an AttributeFinder, write a class that extends the AttributeFinderModule class from the SunXACML package and override the methods you need.

You can examine the melcoe.xacml.pdp.finder.attribute.FedoraRISearchAttributeFinder class to get an understanding of how an AttributeFinder could work. There is additional information you might find useful regarding the MelcoePDP as well. You might also like to examine the SunXACML class: com.sun.xacml.finder.AttributeFinderModule.
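A minimal AttributeFinder, as an added example (not code from Muradora or the MelcoePDP), written against the SunXACML 1.x AttributeFinderModule signatures. The attribute id, the in-memory map and the sample resource id are hypothetical; the package and class name reuse the your.attribute.Finder placeholder from the configuration step.

```java
package your.attribute; // placeholder name, matching the config-pdp.xml example
import java.net.URI;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

import com.sun.xacml.EvaluationCtx;
import com.sun.xacml.attr.AttributeDesignator;
import com.sun.xacml.attr.BagAttribute;
import com.sun.xacml.attr.StringAttribute;
import com.sun.xacml.cond.EvaluationResult;
import com.sun.xacml.finder.AttributeFinderModule;

public class Finder extends AttributeFinderModule {
    // Hypothetical attribute id; use the id your policies will reference.
    private static final String DEPT_ID = "urn:example:attribute:department";
    // Constructed sample data standing in for a real lookup (database, LDAP, ...).
    private final Map<String, String> deptByResource = new HashMap<String, String>();

    public Finder() { // assumption: the PDP instantiates the module with no arguments
        deptByResource.put("demo:1", "library");
    }

    public boolean isDesignatorSupported() { return true; }
    // Advertise only resource attributes...
    public Set getSupportedDesignatorTypes() {
        return Collections.singleton(Integer.valueOf(AttributeDesignator.RESOURCE_TARGET));
    }

    // ...and only the single attribute id this module owns.
    public Set getSupportedIds() {
        return Collections.singleton(URI.create(DEPT_ID));
    }

    public EvaluationResult findAttribute(URI attributeType, URI attributeId, URI issuer,
            URI subjectCategory, EvaluationCtx context, int designatorType) {
        EvaluationResult empty = new EvaluationResult(BagAttribute.createEmptyBag(attributeType));
        if (designatorType != AttributeDesignator.RESOURCE_TARGET
                || !DEPT_ID.equals(attributeId.toString())
                || !StringAttribute.identifier.equals(attributeType.toString())) {
            return empty; // not ours: contribute nothing rather than guess
        }
        String dept = deptByResource.get(context.getResourceId().encode());
        if (dept == null) return empty; // unknown resource: no value
        return new EvaluationResult(new BagAttribute(attributeType,
                Collections.singletonList(new StringAttribute(dept))));
    }
}
```

Returning an empty bag for any request the module does not recognise means a failed lookup never yields a value that could satisfy a policy condition.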

Configure the MelcoePDP with your new AttributeFinder

Once you've created your AttributeFinder, you need to register it with the SunXACML PDP Engine. If you do not register it, it will not be used as a source of attributes when the PDP engine evaluates your requests against your policies.

To register the AttributeFinder, locate the file called config-pdp.xml, which should be in $MELCOEPDP_HOME/conf and should look similar to this:

<?xml version="1.0" encoding="UTF-8"?>
<config defaultPDP="melcoePDP" defaultAttributeFactory="attr" defaultCombiningAlgFactory="comb" defaultFunctionFactory="func">
	<pdp name="melcoePDP">
		<policyFinderModule class="melcoe.xacml.pdp.finder.policy.GenericPolicyFinderModule"/>
		<attributeFinderModule class="com.sun.xacml.finder.impl.CurrentEnvModule" />
		<attributeFinderModule class="com.sun.xacml.finder.impl.SelectorModule" />
		<attributeFinderModule class="melcoe.xacml.pdp.finder.attribute.FedoraRIAttributeFinder" />
	</pdp>
	<attributeFactory name="attr" useStandardDatatypes="true" />
	<combiningAlgFactory name="comb" useStandardAlgorithms="true" />
	<functionFactory name="func" useStandardFunctions="true" />
</config>

Register your AttributeFinder by adding an <attributeFinderModule> element under the <pdp> element, like so:

<?xml version="1.0" encoding="UTF-8"?>
<config defaultPDP="melcoePDP" defaultAttributeFactory="attr" defaultCombiningAlgFactory="comb" defaultFunctionFactory="func">
	<pdp name="melcoePDP">
		<policyFinderModule class="melcoe.xacml.pdp.finder.policy.GenericPolicyFinderModule"/>
		<attributeFinderModule class="com.sun.xacml.finder.impl.CurrentEnvModule" />
		<attributeFinderModule class="com.sun.xacml.finder.impl.SelectorModule" />
		<attributeFinderModule class="melcoe.xacml.pdp.finder.attribute.FedoraRIAttributeFinder" />
		<attributeFinderModule class="your.attribute.Finder" />
	</pdp>
	<attributeFactory name="attr" useStandardDatatypes="true" />
	<combiningAlgFactory name="comb" useStandardAlgorithms="true" />
	<functionFactory name="func" useStandardFunctions="true" />
</config>

Once this is complete, your AttributeFinder is registered with the PDP and will be used in the evaluation of requests against policies.

Configure the Muradora application with the new Attributes

Once you have created and registered your AttributeFinder, you need to tell Muradora about the attributes it provides. This will allow you to use the attributes you have registered when creating XACML policies through the Muradora GUI.