10/25/2007: "Protected by SecPAL"
I have spent the last month or so doing all sorts of programming. I have been creating a certificate issuer and repository for the Carmen project in the hope that we will use it, and I have been writing glue code so that the Carmen Portal can make use of my access control engine (nicknamed the junk). In addition, as you may have guessed, I have been spending my free time doing more programming on SecPAL, which I consider my baby, although the concept, the C# development, and everything else belong to MS.
On the plus side, I identified several potential evaluators for the SecPAL API, which may or may not please my colleagues at Microsoft. I have identified a bioinformatics project here at Newcastle called CISBAN which deals with large biology-related datasets that are handled by various (hundreds, as I understand it) users. The security requirements as they were expressed to me by my liaison on CISBAN relate closely to SecPAL's grammar, so I am excited about this potential collaboration.
I have also identified another project at City University London in collaboration with my colleague Christos Kloukinas. I got some positive feedback from him; I have spoken to him about SecPAL on several occasions in the past.
Apart from academic partners, British Telecom, with whom I closely collaborate on other projects, have offered themselves as potential collaborators on the API. Their experience and skills in the area of web services security will enable them to provide invaluable feedback for the API and SecPAL in general.
I am looking forward to discussing these projects with MS and deciding on future steps. The code has been debugged and debugged again, although the Datalog engine, and in particular the transformation from the SecPAL grammar to the Datalog objects, took more time than I had initially estimated. The end is near now and I look forward to having it evaluated. Here is an example of how easy it is to write SecPAL using the current API, just to whet your appetite:
package org.secpal.test;

import org.secpal.Authorization.*;
import xsl.XsltProc;

import java.util.ArrayList;
import java.util.List;

public class CanActAsScenario
{
    // Principals are identified by the key they hold ("K-STS" is the key of the
    // security token service, "K-User2" the key of the requesting user).
    private KeyHolderPrincipal stsPrincipal = new KeyHolderPrincipal("K-STS");
    private KeyHolderPrincipal userPrincipal2 = new KeyHolderPrincipal("K-User2");

    // The generic type parameters on the lists were lost when this post was
    // rendered as HTML; they are reconstructed here from how the lists are used.
    public List<Policy> getPolicies()
    {
        List<Policy> policies = new ArrayList<Policy>();
        List<Claim> claims = new ArrayList<Claim>();

        // LocalAuthority says K-STS can say p possesses a(t1, t2, f, ts)
        //   if t1 < t2, t2 - t1 <= 366 days, a is an RFC 822 name matching .*@fabrikam\.com
        claims.add(
            new Claim(
                new CanSayFact(
                    this.stsPrincipal,
                    new PossessFact(
                        new PrincipalVariable("p"),
                        new AttributeVariable("a"),
                        new FactQualifier(
                            new DateTimeVariable("t1"),
                            new DateTimeVariable("t2"),
                            new LocationVariable("f"),
                            new DurationVariable("ts")))),
                new Constraint[] {
                    new DurationConstraint("t1", "t2", 366, 0, 0, 0),
                    new TemporalConstraint("t1", "t2"),
                    new AttributeMatchConstraint(
                        "a",
                        AttributeType.RFC_822_NAME,
                        new String[] {".*@fabrikam\\.com"}) }));

        // LocalAuthority says p can read file:///public/
        //   if p possesses a, a is an RFC 822 name matching .*@fabrikam\.com
        claims.add(
            new Claim(
                new ActionFact(
                    new PrincipalVariable("p"),
                    VerbType.READ,
                    new Resource(
                        "digitalContent",
                        "file:///public/")),
                new Fact[] { new PossessFact(
                    new PrincipalVariable("p"),
                    new AttributeVariable("a")) },
                new Constraint[] { new AttributeMatchConstraint(
                    "a",
                    AttributeType.RFC_822_NAME,
                    new String[] {".*@fabrikam\\.com"}) }));

        // LocalAuthority says K-STS can say x can act as y
        claims.add(
            new Claim(
                new CanSayFact(
                    this.stsPrincipal,
                    new CanActAsFact(
                        new PrincipalVariable("x"),
                        new PrincipalVariable("y")))));

        // All three claims are issued by the local authority as one policy.
        policies.add(
            new Policy(
                new PrincipalIssuer(new LocalAuthorityPrincipal()),
                claims));
        return policies;
    }

    public AuthorizationQuery getQuery()
    {
        // LocalAuthority says K-User2 can read file:///public/data.txt ?
        Expression expression =
            new AssertionExpression(
                new LocalAuthorityPrincipal(),
                new ActionFact(
                    this.userPrincipal2,
                    VerbType.READ,
                    new Resource(
                        ResourceType.DIGITAL_CONTENT,
                        "file:///public/data.txt")));
        return new AuthorizationQuery(expression);
    }

    // Serialises every policy to its XML form.
    public String GetXml()
    {
        String output = "";
        try {
            for (Policy pol : this.getPolicies()) {
                output += pol.encode();
            }
        } catch (Exception e) {
            output += e.getMessage();
        }
        return output;
    }

    // Runs the XML through the SecPAL-to-Datalog XSLT transform.
    public String GetDataLog()
    {
        String output = "";
        XsltProc myProc = new XsltProc();
        output = myProc.Xslt(this.GetXml(), "C:\\SecPalToDataLog.xsl", output);
        return output;
    }

    public static void main(String[] args)
    {
        // Tokens issued by K-STS (none in this run); the element type name is assumed.
        ArrayList<Token> lt = new ArrayList<Token>();
        ArrayList<Policy> lp;
        CanActAsScenario c = new CanActAsScenario();
        lp = (ArrayList<Policy>) c.getPolicies();
        AuthorizationQuery aq = c.getQuery();
        DatalogBridge d = new DatalogBridge();
        PrincipalIdentifier p = c.stsPrincipal;
        try {
            d.makeDecision(p, lt, lp, aq);
        }
        catch (Exception e) { e.printStackTrace(); }
    }
}
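To show what the Datalog side of the above actually decides, here is an added example (not the SecPAL Java API, not the XSLT transform, and not the author's code) that encodes the same three claims and the same query in a small forward-chaining evaluator. It applies the policy clauses together with SecPAL's two generic inference rules, can-say delegation and can-act-as substitution, over a set of constructed K-STS tokens. Two details are assumptions: the two-argument PossessFact in the second claim is taken to match a possess fact with any qualifier, and a policy Resource URI is taken to cover every URI beneath it, so file:///public/ covers file:///public/data.txt.

```python
"""Added example: the CanActAsScenario policy evaluated with a tiny Datalog-style
forward-chaining engine written for this post. It is not the SecPAL Java API and
not the SecPAL-to-Datalog XSLT; the tokens below are constructed sample data."""
import re
from datetime import date, timedelta

LOCAL = "LocalAuthority"   # issuer of the policy (PrincipalIssuer(new LocalAuthorityPrincipal()))
STS = "K-STS"              # the KeyHolderPrincipal that LocalAuthority delegates to
FABRIKAM = re.compile(r".*@fabrikam\.com")   # AttributeMatchConstraint on the RFC 822 name
PUBLIC = "file:///public/"                   # Resource named in the second claim

# An assertion is the pair (issuer, fact). Facts are tuples so they can live in a set:
#   ("possess",  principal, attribute, t1, t2, location, duration)   PossessFact + FactQualifier
#   ("canactas", x, y)                                                CanActAsFact
#   ("read",     principal, resource)                                 ActionFact with VerbType.READ


def possess_constraints_hold(fact):
    """TemporalConstraint(t1, t2), DurationConstraint(t1, t2, 366 days) and the
    RFC 822 AttributeMatchConstraint attached to the first claim's can-say."""
    _, _principal, attr, t1, t2, _location, _duration = fact
    return (t1 < t2 and t2 - t1 <= timedelta(days=366)
            and FABRIKAM.fullmatch(attr) is not None)


def derive(assertions):
    """Least fixpoint of the three claims plus SecPAL's generic rules:
       can-say:    A says f      if A says B can say f  and  B says f
       can-act-as: A says f(x)   if A says x can act as y  and  A says f(y)"""
    said = set(assertions)
    while True:
        new = set()
        for issuer, fact in said:
            kind = fact[0]
            # Claim 1 + can-say: LocalAuthority says K-STS can say p possesses a(t1,t2,f,ts) if ...
            if issuer == STS and kind == "possess" and possess_constraints_hold(fact):
                new.add((LOCAL, fact))
            # Claim 3 + can-say: LocalAuthority says K-STS can say x can act as y
            if issuer == STS and kind == "canactas":
                new.add((LOCAL, fact))
            # Claim 2: LocalAuthority says p can read file:///public/ if p possesses a, a matches
            # (assumption: the claim's unqualified PossessFact matches any qualifier)
            if issuer == LOCAL and kind == "possess" and FABRIKAM.fullmatch(fact[2]):
                new.add((LOCAL, ("read", fact[1], PUBLIC)))
            # can-act-as: substitute x for y in every fact LocalAuthority says about y
            if issuer == LOCAL and kind == "canactas":
                x, y = fact[1], fact[2]
                for issuer2, other in said:
                    if issuer2 == LOCAL and other[1] == y:
                        new.add((LOCAL, (other[0], x) + other[2:]))
        if new <= said:          # nothing new derived: fixpoint reached
            return said
        said |= new


def authorized(assertions, principal, resource):
    """The AuthorizationQuery: LocalAuthority says principal can read resource.
    Assumption: a Resource URI in the policy covers everything beneath it."""
    return any(issuer == LOCAL and fact[0] == "read" and fact[1] == principal
               and resource.startswith(fact[2])
               for issuer, fact in derive(assertions))


# Constructed tokens standing in for what K-STS (and one rogue issuer) would hand out.
T1, T2 = date(2007, 10, 1), date(2008, 1, 1)
TOKENS = {
    (STS, ("possess", "K-User1", "alice@fabrikam.com", T1, T2, "Newcastle", "PT8H")),
    (STS, ("canactas", "K-User2", "K-User1")),   # the scenario's can-act-as step
    (STS, ("possess", "K-User3", "mallory@contoso.com", T1, T2, "Newcastle", "PT8H")),
    # validity window longer than 366 days: DurationConstraint rejects it
    (STS, ("possess", "K-User4", "bob@fabrikam.com", T1, date(2009, 6, 1), "Newcastle", "PT8H")),
    # right attribute, but LocalAuthority never delegated to this issuer
    ("K-Rogue", ("possess", "K-User5", "carol@fabrikam.com", T1, T2, "Newcastle", "PT8H")),
}

if __name__ == "__main__":
    for who in ("K-User1", "K-User2", "K-User3", "K-User4", "K-User5"):
        print(who, authorized(TOKENS, who, "file:///public/data.txt"))
```

K-User2 never possesses a fabrikam.com attribute directly; it is granted read access only because K-STS asserted that K-User2 can act as K-User1 and the can-act-as rule carries K-User1's derived facts over to K-User2. The rejected cases show where each constraint bites: the wrong domain, a validity window over 366 days, and a token from an issuer the local authority never delegated to.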