How can I get XACML Console prints in Java

Question

I'm working on xacml as an incredibly new person and working on some policy creation. Of course I'm running into issues, normally I'd start by throwing some print.ln statements into Java to start figuring out where the code is getting to (or isn't) but I don't see anything in the OASIS documentation of XACML for print outs or debugs.

So, I'm wondering if there are ways to do it or if there's something I can throw in to sort of figure out the where or why of how something is working in a Policy / Rule evaluation.

The specific issue is that I'm getting a permit from a policy rule, it seems to evaluate a "P" the same as a "PI" then return a permit for it.

    <Condition>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
            <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal" />
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">PI</AttributeValue>
            <AttributeDesignator
                AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
        </Apply>
    </Condition>

I think it might be the function:any-of and the string-equal function causing it to evaluate a true condition here, but I'm not sure. I'm working with another guy on this and he seems insistent that's not the problem, but I don't have the whole code to work out.

But still if there's a way to do a print out that would be great, especially since I want to know where my evaluation is getting to when running different algorithms like first applicable.

Answer 1

What you are after has nothing to do with the OASIS XACML spec and everything to do with the engine you use. You have to tell Balana to print the statements / a trace. The Axiomatics Policy Server gives you that possibility: you can simulate an evaluation and get a trace back which shows you what happened, what result you are getting, and why.

Your snippet says that it will return true if there is at least one value for urn:oasis:names:tc:xacml:1.0:subject:subject-id (because of the flag MustBePresent set to true) and one of these values must be equal to PI.

For instance, if you have the following policy (which is the same as yours but wrapped inside a Rule and a Policy:

ALFA Notation (wikipedia)

namespace example{

    import Attributes.*

    policy simpleCondition{
        apply firstApplicable
        rule simpleCondition{
            condition "PI"==subjectId
            permit
        }

    }
}

XACML 3.0 Notation

<?xml version="1.0" encoding="UTF-8"?>
 <!--This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com). 
 Any modification to this file will be lost upon recompilation of the source ALFA file-->
<xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicyId="http://axiomatics.com/alfa/identifier/example.simpleCondition"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
    Version="1.0">
    <xacml3:Description />
    <xacml3:PolicyDefaults>
        <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
    </xacml3:PolicyDefaults>
    <xacml3:Target />
    <xacml3:Rule 
            Effect="Permit"
            RuleId="http://axiomatics.com/alfa/identifier/example.simpleCondition.simpleCondition">
        <xacml3:Description />
        <xacml3:Target />
        <xacml3:Condition>
            <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
                <xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
                <xacml3:AttributeValue
                    DataType="http://www.w3.org/2001/XMLSchema#string">PI</xacml3:AttributeValue>
                <xacml3:AttributeDesignator 
                    AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                    DataType="http://www.w3.org/2001/XMLSchema#string"
                    Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                    MustBePresent="false"
                />
            </xacml3:Apply>
        </xacml3:Condition>
    </xacml3:Rule>
</xacml3:Policy>

Testing the Policy with the Axiomatics Policy Administration Point (PAP)

Build a XACML request to test your use case.

Empty XACML Request

<xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false" xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" >
   </xacml-ctx:Attributes>
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" >
   </xacml-ctx:Attributes>
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" >
   </xacml-ctx:Attributes>
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" >
   </xacml-ctx:Attributes>
   <xacml-ctx:Attributes Category="http://axiomatics.com/xacml/attribute-category/none" >
   </xacml-ctx:Attributes>
</xacml-ctx:Request>

Because of the MustBePresent flag, this request leads to Indeterminate.

XACML Request with the wrong subject ID

<xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false" xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
   <xacml-ctx:Attributes Category="http://axiomatics.com/xacml/attribute-category/none" >
   </xacml-ctx:Attributes>
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" >
   </xacml-ctx:Attributes>
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" >
   </xacml-ctx:Attributes>
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" >
   </xacml-ctx:Attributes>
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" >
      <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="true">
         <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Not PI</xacml-ctx:AttributeValue>
      </xacml-ctx:Attribute>
   </xacml-ctx:Attributes>
</xacml-ctx:Request>

This request leads to NotApplicable.

XACML Request with the right subject ID, PI

<xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false" xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
   <xacml-ctx:Attributes Category="http://axiomatics.com/xacml/attribute-category/none" >
   </xacml-ctx:Attributes>
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" >
   </xacml-ctx:Attributes>
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" >
   </xacml-ctx:Attributes>
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" >
   </xacml-ctx:Attributes>
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" >
      <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="true">
         <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">PI</xacml-ctx:AttributeValue>
      </xacml-ctx:Attribute>
   </xacml-ctx:Attributes>
</xacml-ctx:Request>

This request leads to Permit.

This is what the evaluation trace looks like in the Axiomatics Policy Administration Point: