Attribute Finder Plug-ins for Authorization

DirX Access supports attribute finder plug-ins, also called Policy Information Points (PIPs), in the authorization subsystem. This chapter describes in detail how custom XACML PIPs are used and employed.

About Attribute Finders for Authorization

An XACML PIP is a system entity that acts as a source of attribute values. Such sources of attribute values are integrated with the authorization decision rendering process at the PDP via attribute finder plug-ins.

A use case for a PIP could be a policy assertion of the type “_allow download of item if current account balance plus price for this item is greater than const X_”; the attribute finder plug-in would then be the way to look up the current account balance for an authenticated subject.

Developing an Attribute Finder

This section describes the tasks necessary for developing a custom attribute finder.

Externalizing Attribute Finding from the DirX Access Server

The DirX Access Server allows externalizing attribute finding during authorization decision rendering through a plug-in interface. This method requires creation of an attribute finder that extends the AttributeFinderModule class (com.sun.xacml.finder.AttributeFinderModule). The relevant methods should be overridden. The implementing class has to be contained within an exported package of an OSGi bundle.
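The account-balance use case described earlier, sketched as an attribute finder. This is an added example, not code from DirX Access; it assumes the Sun XACML 1.x `AttributeFinderModule` method signatures, and the package, class name, attribute id and in-memory `LEDGER` are hypothetical placeholders.

```java
package com.example.pip; // hypothetical; must be a package exported by the OSGi bundle

import java.net.URI;
import java.util.*;
import com.sun.xacml.EvaluationCtx;
import com.sun.xacml.attr.*;
import com.sun.xacml.cond.EvaluationResult;
import com.sun.xacml.ctx.Status;
import com.sun.xacml.finder.AttributeFinderModule;

public class AccountBalanceFinder extends AttributeFinderModule {
    // Hypothetical attribute id that a policy's SubjectAttributeDesignator would reference.
    static final URI BALANCE_ID = URI.create("urn:example:attribute:account-balance");
    static final URI SUBJECT_ID = URI.create("urn:oasis:names:tc:xacml:1.0:subject:subject-id");
    static final URI INTEGER = URI.create(IntegerAttribute.identifier);
    static final URI STRING = URI.create(StringAttribute.identifier);
    // Constructed stand-in for the real balance store (database, directory, web service).
    static final Map<String, Long> LEDGER = Collections.singletonMap("alice", 120L);

    @Override public boolean isDesignatorSupported() { return true; }
    @Override public Set getSupportedIds() { return Collections.singleton(BALANCE_ID); }
    @Override public Set getSupportedDesignatorTypes() {
        return Collections.singleton(Integer.valueOf(AttributeDesignator.SUBJECT_TARGET));
    }

    @Override
    public EvaluationResult findAttribute(URI type, URI id, URI issuer, URI category,
                                          EvaluationCtx ctx, int designatorType) {
        if (designatorType != AttributeDesignator.SUBJECT_TARGET
                || !BALANCE_ID.equals(id) || !INTEGER.equals(type)) {
            // Not this module's attribute: an empty bag lets other finders answer.
            return new EvaluationResult(BagAttribute.createEmptyBag(type));
        }
        // Key the lookup on the subject-id already present in the request context.
        EvaluationResult subject = ctx.getSubjectAttribute(STRING, SUBJECT_ID, category);
        if (subject.indeterminate()) return subject;
        BagAttribute ids = (BagAttribute) subject.getAttributeValue();
        if (ids.size() != 1) return error("expected exactly one subject-id");
        String subjectId = ((StringAttribute) ids.iterator().next()).getValue();
        Long balance = LEDGER.get(subjectId);
        // Fail closed: report an error (Indeterminate) instead of inventing a balance.
        if (balance == null) return error("no balance on record for subject");
        return new EvaluationResult(new BagAttribute(INTEGER,
                Collections.singletonList(new IntegerAttribute(balance))));
    }

    private static EvaluationResult error(String message) {
        return new EvaluationResult(new Status(
                Collections.singletonList(Status.STATUS_PROCESSING_ERROR), message));
    }
}
```

The fully qualified class name (here `com.example.pip.AccountBalanceFinder`) is what would be entered as the attribute finder module name in the PDP configuration.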

Employing the Attribute Finder

The steps needed to employ the custom attribute finder are outlined in the section Employing External Plug-in Modules.

Using the Attribute Finder

The following tasks need to be performed to use an attribute finder. Before starting to configure the DirX Access Server, make sure to run through all the steps in the section Employing External Plug-in Modules.

Prerequisites

To successfully employ the custom attribute finder, the OSGi bundle exporting the package that contains the attribute finder implementation must be installed on the DirX Access Server. To accomplish this task, make sure you have performed all of the steps described in the section Employing External Plug-in Modules.

Configuring the Custom Attribute Finder at the DirX Access Server

  • In DirX Access Manager, go to Configuration | Authorization | Policy decision points.

  • Select a PDP identifier for which the sample attribute finder should be added.

    • In Attribute finder module names, enter the class name of the custom AttributeFinderModule implementation and then click Add.

    • Click Save.