+

Exposing Axiomatics PDP as a REST Authorization Service

Axiomatics Policy Server 5.x PDP API

The Axiomatics Policy Server exposes its Java Policy Decision Point as a JAX-WS conformant SOAP web service. In addition, the server also provides a managed PDP object which developers can use to expose the PDP as a new service. To grab the managed PDP, do the following:

AcsPdpModule<?> pdp = (AcsPdpModule<?>) AcsModuleCallback.getObject();

To then evaluate an authorization request, all a developer needs to do is build (or receive) a request, pass it to the PDP object using its evaluate() method and handle or return the response. 

// RequestCtx xacmlRequest = ...
ResponseCtx xacmlResponse = pdp.evaluate(xacmlRequest);

In this post, we want to take the Axiomatics PDP and wrap it according to the REST profile of XACML. To do so, we will implement the javax.servlet.Servlet API. 

Java Servlet to expose REST interface

Understand the requirements of the REST profile of XACML

The REST profile of XACML defines the interface of the REST PDP in section 2.2.2. It states that HTTP POST must be used and that the XACML request as XML or JSON is valid input. The HTTP Mime type must be set accordingly to either oftext/xmlorapplication/xacml+json.

Build a simple Servlet class

Let’s start off with a simple Servlet class. To create one, you can use your favorite IDE e.g. Eclipse and let it generate the method stubs. The ones we care about areinit()andservice():

package com.axiomatics.pdp.json;

import java.io.IOException;

import javax.servlet.Servlet;
import javax.servlet.ServletConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

public class EmptyServlet implements Servlet {

	@Override
	public void destroy() {
		// TODO Auto-generated method stub

	}

	@Override
	public ServletConfig getServletConfig() {
		// TODO Auto-generated method stub
		return null;
	}

	@Override
	public String getServletInfo() {
		// TODO Auto-generated method stub
		return null;
	}

	@Override
	public void init(ServletConfig arg0) throws ServletException {
		// TODO Auto-generated method stub
	}

	@Override
	public void service(ServletRequest arg0, ServletResponse arg1)
			throws ServletException, IOException {
		// TODO Auto-generated method stub
	}

}

Expose the PDP via the Servlet class

We will take the code to grab the managed PDP object and insert it inside theinit(ServletConfig arg0)method of the Servlet we are writing:

private static AcsPdpModule<?> pdp;
   @Override
   public void init(ServletConfig arg0) throws ServletException {
      logger.debug("Retrieve managed PDP object");
      pdp = (AcsPdpModule<?>) AcsModuleCallback.getObject();		
}

Note that for this code to work, the new servlet must be exposed inside the PDP’s web application.

We now need to write the service(ServletRequest arg0, ServletResponse arg1) method to define how to process incoming HTTP requests and how to produce HTTP responses.

@Override
public void service(ServletRequest request, ServletResponse response)
		throws ServletException, IOException {
	try{
		HttpServletRequest hReq = (HttpServletRequest) request;
		if (	hReq.getMethod().equalsIgnoreCase("POST") &&
			hReq.getContentType().equals("text/xml")){

In the lines above, we check that the incoming request uses the POST method and that the contents are declared as text/xml. If it is the case, then we can start processing the payload of the request. To do so, we will use the DOM API part of the JRE.

// 1. create XACML request from input			
logger.debug("1. create XACML request from input");
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setNamespaceAware(true);
DocumentBuilder documentBuilder = factory.newDocumentBuilder();
Document doc = documentBuilder.parse(hReq.getInputStream());

If the input was successfully parsed as XML, we can proceed to the next step: convert the XML into a XACML object. We can do that using the Axiomatics XACML APIs.

RequestCtx xacmlRequest = RequestCtx.getInstance(doc.getDocumentElement());

From there on, all we need to is send the XACML request to the managed PDP via a native Java method call and return the response via the Servlet http response class to the client:

ResponseCtx xacmlResponse = pdp.evaluate(xacmlRequest);
// 3. convert response into XML response and return
logger.debug("3. Return");
xacmlResponse.encode(response.getOutputStream(), "UTF-8", new Indenter(4), new HashSet<String>());

And your servlet is almost ready. The last step is to update your web.xml to expose the newly created servlet as part of your web application.

Configure your web application

All web applications in Java come with a web.xml descriptor file which defines which servlets to expose on which URLs. In our case here, all we need to do is add the following:

<servlet>
	<servlet-name>Axiomatics JSON PDP</servlet-name>
	<servlet-class>com.axiomatics.pdp.json.JSONPDP</servlet-class>
	<load-on-startup>1</load-on-startup>
</servlet>

<servlet-mapping>
	<servlet-name>Axiomatics JSON PDP</servlet-name>
	<url-pattern>/rest/*</url-pattern>
</servlet-mapping>

As a last step, bundle your custom code inside the Axiomatics PDP’s web application archive (the .war file). If you do not create a jar for your code, just add your code to WEB-INF/classes. Alternatively, if you do build a jar, add it to WEB-INF/lib.

Benefits of the REST PDP

Exposing a PDP as a REST-like authorization service provides several benefits:

  • First of all, it’s standardized. The REST profile of XACML defines which headers need to be passed and what the format of the payload should be. Any profile-conformant service exposes the same interface and is therefore interoperable with clients that conform to the same standard
  • Secondly, REST is easier to integrate with: Java and .NET may have great support for SOAP but other languages e.g. PHP, Python, and Ruby may not. It’s simpler to create a client that POSTs data instead and conforms with a REST-like architecture.
  • Finally, it’s more efficient: if the SOAP overhead is eliminated, the overall message becomes smaller which means the transfer between client and service will be faster. Efficiency can be further augmented if JSON is used instead of XML to encode the XACML request and response.

Conclusion

To ensure the success of XACML as a foundation for fine-grained authorization, it is important to understand the developer’s needs and provide the best possible tools. In the case of XACML, three areas need to be enhanced:

  • simple policy authoring: Axiomatics provides the ALFA plugin for Eclipse for free to help developers write their policies more quickly.
  • lightweight protocol: this article explains how to expose a XACML PDP as a REST-like service. Removing the need for SOAP leads to a simpler protocol altogether.
  • simple request/response format: at Axiomatics we’re busy working on a simpler encoding of XACML. This is why we are defining a JSON-based encoding for XACML requests and responses.

This article illustrated how the Axiomatics Policy Server can be customized to support the REST profile of XACML and therefore simplify application integration.

Further Reading

  1. Using XACML to apply fine-grained access control on Java Servlets
  2. Using ALFA to write XACML authorization policies – a YouTube tutorial
  3. REST Profile of XACML v3.0 Version 1.0

Related Articles

Meeting today’s dynamic authorization and access challenges: The Axiomatics story | Dynamically Speaking
Dynamically Speaking
For more than 15 years, Axiomatics has worked with companies worldwide to define and deliver solutions to the most complex authorization and access challenge. In...
Getting started with Zero Trust using dynamic authorization | Dynamically Speaking
Dynamically Speaking
Zero Trust. It’s everywhere. It’s a methodology that’s been around for years, and we are now seeing a significant uptick in the number of enterprises...
The case for dynamic authorization in banking and finance
Attribute Based Access Control (ABAC)
More than other organizations, banks, and financial institutions face the highest levels of scrutiny when it comes to how they protect critical assets and sensitive...