[XML Security Suite]

XACLProcessor Implementation:
Installation and Usage Guide

This page describes briefly how to install and use the XACL Processor.


Installation

The installation and configuration process is described as follows:

  1. Install the required packages:

    Add xercesImpl.jar and xmlParserAPIs.jar (from Xerces2), and xalan.jar and xml-apis.jar (from Xalan2) to your classpath.

  2. Install this package

    Consult the top page of this package for details.

  3. Try the following command.

    Change the active directory to the data/xacldata directory that is just below the directory where you installed this package. For example, if you installed it in E:/xss4j, you would use the following command:

    E:/xss4j>cd data/xacldata

    Next, execute the following command (on one line):

    E:/xss4j/data/xacldata>java com.ibm.xml.policy.xacl.Processor ex1_request1.xml ex1_target.xml ex1_policy.xml ex1_status.xml

    This submits an access request, and the XACL processor writes its decision to the file decision_list.xml in the current directory. If this command works, the package was installed correctly.

Usage

The XACL processor takes as input an access request, a target XML document, an associated policy and status, and outputs a decision list and an initiator's view. Refer to the XACL specification for the details.

How to Run the Command Line Program

You can invoke the XACL processor from the command line prompt. The usage is as follows:

java -Dcom.ibm.xml.policy.xacl.rh=<role_hierarchy_definition> -Dcom.ibm.xml.policy.xacl.gh=<group_hierarchy_definition> com.ibm.xml.policy.xacl.Processor <request> <target> <policy> <status>

For more details, please refer to the instructions for Simple Example 1.
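The following wrapper script is an added example and is not part of the XSS4J package. It automates the command line above: it builds the classpath from the four jars named in the Installation section, passes the optional role and group hierarchy definitions as the system properties shown in the usage line, checks that the four input files are readable before invoking the processor, and confirms that decision_list.xml was actually produced. The install directories (XERCES_DIR, XALAN_DIR, XSS4J_DIR) and the environment variables XACL_RH and XACL_GH are assumptions of this script, not names used by the package.

```shell
#!/bin/sh
# Added example, not part of the XSS4J package: a wrapper around the documented
# command line. Directory locations are assumptions; override them through the
# environment (XERCES_DIR, XALAN_DIR, XSS4J_DIR, XACL_RH, XACL_GH).

XERCES_DIR="${XERCES_DIR:-/opt/xerces2}"   # assumed: holds xercesImpl.jar, xmlParserAPIs.jar
XALAN_DIR="${XALAN_DIR:-/opt/xalan2}"      # assumed: holds xalan.jar, xml-apis.jar
XSS4J_DIR="${XSS4J_DIR:-/opt/xss4j}"       # assumed: directory where this package is installed

# Assemble the classpath from the four jars named in the Installation section
# plus the package directory. Prints it on stdout; fails if any jar is missing.
build_classpath() {
    classpath=""
    for jar in "$XERCES_DIR/xercesImpl.jar" "$XERCES_DIR/xmlParserAPIs.jar" \
               "$XALAN_DIR/xalan.jar" "$XALAN_DIR/xml-apis.jar"; do
        if [ ! -f "$jar" ]; then
            echo "missing jar: $jar" >&2
            return 1
        fi
        classpath="${classpath:+$classpath:}$jar"
    done
    echo "$classpath:$XSS4J_DIR"
}

# Optional -D options for the role and group hierarchy definitions. The system
# property names are the ones given in the usage line; the XACL_RH / XACL_GH
# environment variables are this script's own convention.
hierarchy_props() {
    props=""
    if [ -n "$XACL_RH" ]; then
        props="-Dcom.ibm.xml.policy.xacl.rh=$XACL_RH"
    fi
    if [ -n "$XACL_GH" ]; then
        props="${props:+$props }-Dcom.ibm.xml.policy.xacl.gh=$XACL_GH"
    fi
    echo "$props"
}

# The processor takes exactly four inputs: request, target, policy, status.
# Refuse to run if any of them is missing or unreadable.
check_inputs() {
    if [ "$#" -ne 4 ]; then
        echo "usage: $0 <request> <target> <policy> <status>" >&2
        return 1
    fi
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            echo "cannot read input file: $f" >&2
            return 1
        fi
    done
    return 0
}

# Run the processor and confirm it wrote decision_list.xml into the current
# directory, as the Installation section says a successful run does.
run_processor() {
    check_inputs "$@" || return 1
    classpath=$(build_classpath) || return 1
    rm -f decision_list.xml
    # $(hierarchy_props) is deliberately unquoted: it may expand to two -D options.
    java -cp "$classpath" $(hierarchy_props) com.ibm.xml.policy.xacl.Processor "$@" || return 1
    if [ ! -f decision_list.xml ]; then
        echo "processor exited without producing decision_list.xml" >&2
        return 1
    fi
    echo "decision list written to $(pwd)/decision_list.xml"
}

# Only run when given the four input files, e.g. from the data/xacldata directory:
#   ./run_xacl.sh ex1_request1.xml ex1_target.xml ex1_policy.xml ex1_status.xml
if [ "$#" -eq 4 ]; then
    run_processor "$@"
fi
```

Running it from data/xacldata with the four ex1_*.xml files reproduces the Installation check; setting XACL_RH and XACL_GH to the hierarchy definition files adds the two -D options without having to retype the long command.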


How to Run the XACL Visual Tool

You can also invoke the XACL processor through a graphical user interface called the XACL Visual Tool. Before running it, make sure that the directory from which you start the XACL Visual Tool contains the following files:

  1. Schema (xacl.xsd)

    This schema is used to validate the related XML files.

  2. A group definition (group.xml)

    This group definition shows which user belongs to which group.

  3. A binding table (bind.xml)

    This table is used to associate a target XML file you want to access with a policy and a status.

The above files are already installed in the data/xacldata directory just below the directory where you installed this package, so these examples and samples require you to change the active directory to data/xacldata first.

The usage is as follows:

java com.ibm.xml.policy.tool.VisualTool

You should see the following screen:

The XACL Visual Tool consists of two panes: the access request pane and the target XML document pane. You specify an access request in the access request pane, or import an access request file with the File/Open Access Request menu item. You specify the target XML document with the File/Open Target XML Document menu item; it is displayed in the target XML document pane. The associated policy document can be viewed with the Tool/Policy Viewer menu item, and the associated status document with the Tool/Status Viewer menu item.

You can enter any access request in the access request pane. The target object href can be set in two ways: either write the XPath directly in the object-href entry box and click the "check" button, or click a node in the Target XML Document pane and click the "Set" button. The access decision is displayed in the Target XML Document pane.

For more details, please refer to the instructions for Simple Example 2.


Limitations

This version of the XACL processor was implemented according to the XACL specification, and you can author any policy the specification allows. However, some provisional actions described in the specification are not supported yet. The following table shows which functions, predicates, and provisional actions are and are not supported in this release. The implementation allows new functions, predicates, and provisional actions to be plugged into the processor; the details are documented in the API document.

Table 1. Supported functions, predicates, and provisional actions

                         Supported                                     Unsupported
  Functions              getUid, getRole, getValue, getAttribute,      -
                         getDate
  Predicates             compareStr, compareInt, compareDate           logged
  Provisional Actions    log, write, create, delete                    verify, encrypt, xslt



Michiharu Kudo
Satoshi Hada

Last modified: April 19, 2002