The tresor-pdp is an XACML Policy Decision Point (PDP) created in the context of the TRESOR project. It supports XACML 2.0, XACML 3.0 and GeoXACML for both versions (the GeoXACML support for XACML 3.0 is non-standard).
Balana is used as the base for decision processing. It is extended by GeoXACML components from the GeoTools community, by specific policy store implementations (among other extensions) and by a context handler that provides a RESTful API.
Option 1: Build and run with Maven

```sh
# clone the repo
git clone https://github.com/TU-Berlin-SNET/tresor-pdp.git
# change into the directory
cd tresor-pdp
# package with maven
mvn package
# run it
java -DLog4jContextSelector=org.apache.logging.log4j.core.async.AsyncLoggerContextSelector -jar modules/contexthandler/target/tresor-pdp.jar
```

It is strongly recommended to set the system property Log4jContextSelector to org.apache.logging.log4j.core.async.AsyncLoggerContextSelector, which enables asynchronous logging for all loggers and improves performance.
Option 2: Deploy with Docker

```sh
# clone the repo
git clone https://github.com/TU-Berlin-SNET/tresor-pdp.git
# change into the directory
cd tresor-pdp
# build the image from the dockerfile
docker build -t tresor-pdp .
# run it
docker run --name="tresor-pdp" -p 8080:8080 tresor-pdp
```

Configuration for the tresor-pdp can be provided in YAML or, in a very limited way, through the command line.
These arguments can be provided on start:

- `--server.port=PORT` binds the server instance to the given port
- `--spring.config.location=PATH` location of the .yml config file to load
- `--policystore.path=PATH` stores policies in the given directory path, overriding any other policy store settings

By default, the tresor-pdp uses the example configuration file application.yml in modules/contexthandler/src/main/resources/, which looks similar to this:
```yaml
#
# Usage:
#
# pdp:                  # prefix for tresor-pdp config
#   locationpips:       # (optional) configure locationpips
#     -
#       url:
#       authentication: # (optional) http-basic authentication header
#   stationpips:        # (optional) configure stationpips
#     -
#       url: <url>
#   policystore:        # (optional) configure policystore
#     type:             # file or redis
#     path:             # (optional) file path, default: pdp directory
#     host:             # (optional) redisDB host, default: localhost
#     port:             # (optional) redisDB port, default: 6379
#     timeout:          # (optional) redisDB timeout in ms, default: 2000
#     password:         # (optional) redisDB password
pdp:
  locationpips:
    -
      url: localhost
      authentication: Basic dGhpc19pczpub3R0aGVwYXNzd29yZA==
  policystore:
    type: file
```

Note that the `authentication` value is a complete HTTP Basic header, i.e. the credentials are only base64-encoded, not encrypted: anyone who can read the configuration file can recover them. The same applies to the redis `password`. Restrict the file's permissions accordingly and do not commit real credentials.
- All URLs are relative to the base URL
- UTF-8 is assumed
| Resource | Description |
|---|---|
| GET / | discover the home document |
| POST /pdp | retrieve a decision from PDP |
| GET /policy/:clientID | retrieve all policies for a client |
| GET /policy/:clientID/:serviceID | retrieve a specific policy |
| PUT /policy/:clientID/:serviceID | put a policy |
| DELETE /policy/:clientID/:serviceID | delete a policy |
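The following helpers show how a client would drive the endpoints in the table above. They are an added example and not part of the tresor-pdp project: they assume the paths listed there, the XACML 3.0 core namespace (wd-17), and the standard subject/resource/action categories; the function names (`build_request`, `policy_url`, `is_permitted`, ...) and the sample responses are constructed for this illustration and nothing here opens a network connection, so the code runs offline. The security points it demonstrates are building the request with an XML serialiser instead of string formatting, percent-encoding the `:clientID` and `:serviceID` path parameters so a crafted id cannot reach another path, and failing closed on every decision other than an explicit Permit.

```python
"""Client-side helpers for the tresor-pdp REST API.

Added example, not project code. Assumes the endpoints from the table above
and XACML 3.0 (core namespace wd-17). Nothing here talks to the network.
"""
import base64
import xml.etree.ElementTree as ET
from urllib.parse import quote

XACML3 = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
ET.register_namespace("", XACML3)  # serialise XACML elements with a default namespace

# Standard XACML categories and attribute ids for the three usual attributes.
CATEGORY = {
    "subject": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
    "resource": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
    "action": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
}
ATTRIBUTE_ID = {
    "subject": "urn:oasis:names:tc:xacml:1.0:subject:subject-id",
    "resource": "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
    "action": "urn:oasis:names:tc:xacml:1.0:action:action-id",
}
XSD_STRING = "http://www.w3.org/2001/XMLSchema#string"


def tag(local):
    """Clark-notation tag for an element in the XACML 3.0 namespace."""
    return "{%s}%s" % (XACML3, local)


def build_request(subject, resource, action):
    """Serialise a minimal XACML 3.0 <Request> for POST /pdp (application/xacml+xml).
    Values become element text, so ElementTree escapes them; string formatting
    would let a caller inject markup into the request."""
    req = ET.Element(tag("Request"), {"ReturnPolicyIdList": "false", "CombinedDecision": "false"})
    for kind, value in (("subject", subject), ("resource", resource), ("action", action)):
        attrs = ET.SubElement(req, tag("Attributes"), {"Category": CATEGORY[kind]})
        attr = ET.SubElement(attrs, tag("Attribute"), {"AttributeId": ATTRIBUTE_ID[kind], "IncludeInResult": "false"})
        ET.SubElement(attr, tag("AttributeValue"), {"DataType": XSD_STRING}).text = value
    return ET.tostring(req, encoding="unicode")


def request_values(request_xml):
    """Parse a <Request> back into {category: first attribute value} (round-trip check)."""
    root = ET.fromstring(request_xml)
    if root.tag != tag("Request"):
        raise ValueError("not an XACML 3.0 Request: %s" % root.tag)
    out = {}
    for attrs in root.findall(tag("Attributes")):
        val = attrs.find(tag("Attribute") + "/" + tag("AttributeValue"))
        out[attrs.get("Category")] = val.text if val is not None else None
    return out


def basic_auth_header(username, password):
    """Authorization header for the /policy endpoints (RFC 7617: base64 of user:pass)."""
    token = base64.b64encode(("%s:%s" % (username, password)).encode("utf-8")).decode("ascii")
    return {"Authorization": "Basic " + token}


def policy_url(base_url, client_id, service_id=None):
    """URL for /policy/:clientID[/:serviceID]. Ids are percent-encoded with no safe
    characters, so an id like "a/b" or "../x" cannot address another path segment."""
    url = base_url.rstrip("/") + "/policy/" + quote(client_id, safe="")
    if service_id is not None:
        url += "/" + quote(service_id, safe="")
    return url


VALID_DECISIONS = frozenset({"Permit", "Deny", "NotApplicable", "Indeterminate"})


def parse_decision(response_xml):
    """Return the single <Decision> of an XACML 3.0 <Response>, or raise ValueError."""
    # ElementTree does not fetch external entities; use defusedxml for fully untrusted input.
    root = ET.fromstring(response_xml)
    if root.tag != tag("Response"):
        raise ValueError("not an XACML 3.0 Response: %s" % root.tag)
    decisions = [d.text.strip() for d in root.iterfind(tag("Result") + "/" + tag("Decision")) if d.text]
    if len(decisions) != 1:
        raise ValueError("expected exactly one Result/Decision, got %d" % len(decisions))
    if decisions[0] not in VALID_DECISIONS:
        raise ValueError("unknown decision %r" % decisions[0])
    return decisions[0]


def is_permitted(response_xml):
    """Fail closed: only an explicit Permit grants access. Deny, NotApplicable,
    Indeterminate, malformed XML and unexpected documents all yield False."""
    try:
        return parse_decision(response_xml) == "Permit"
    except (ET.ParseError, ValueError):
        return False


# Constructed sample responses (the shape a PDP returns; not captured from tresor-pdp).
SAMPLE_PERMIT = (
    '<Response xmlns="%s"><Result><Decision>Permit</Decision>'
    '<Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status>'
    '</Result></Response>' % XACML3
)
SAMPLE_NOT_APPLICABLE = SAMPLE_PERMIT.replace("Permit", "NotApplicable")

if __name__ == "__main__":
    print(build_request("alice", "http://example.org/doc1", "read"))
    print(policy_url("http://localhost:8080", "client1", "service/1"))
    print(is_permitted(SAMPLE_PERMIT), is_permitted(SAMPLE_NOT_APPLICABLE), is_permitted("<broken"))
```

To use the helpers against a running instance, POST the string from `build_request` to `/pdp` with `Content-Type: application/xacml+xml`, pass the body of the reply to `is_permitted`, and send the dictionary from `basic_auth_header` as headers on the `/policy` calls; the PEP should treat any transport or parsing failure exactly like a Deny, which is what `is_permitted` does.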
```http
GET / HTTP/1.1
Accept: application/xml
```

```http
POST /pdp HTTP/1.1
Accept: application/xacml+xml
Content-Type: application/xacml+xml

:xacml-request
```

```http
POST /pdp HTTP/1.1
Accept: application/samlassertion+xml
Content-Type: application/samlassertion+xml

:xacml-saml-request
```

```http
GET /policy/:clientID/ HTTP/1.1
Accept: application/json
Authorization: Basic <base64 encoded "username:password">
```

Returns a collection in JSON format:

```json
{ "service_id" : "policy" }
```

```http
GET /policy/:clientID/:serviceID HTTP/1.1
Accept: application/xacml+xml
Authorization: Basic <base64 encoded "username:password">
```

Returns:

```http
HTTP/1.0 200 OK
Content-Type: application/xacml+xml

:xacml_Policy
```

```http
PUT /policy/:clientID/:serviceID HTTP/1.1
Content-Type: application/xacml+xml
Authorization: Basic <base64 encoded "username:password">

:xacml_policy
```

```http
DELETE /policy/:clientID/:serviceID HTTP/1.1
Authorization: Basic <base64 encoded "username:password">
```

Licensed under the Apache License 2.0.