Question

Currently, the XACML specification defines a protocol for request/response but leaves it up to interpretation as to how it can be integrated into an enterprise application. I believe that the value of XACML won't be realized unless there is the creation of a new open source project that attempts to develop/standardize around a set of common APIs.

For those who are familiar with XACML, I would love to understand their first reactions to creation of such a project, whether they would be willing to contribute and what they believe an XACML API would look like?


Solution

Maybe I don't understand the question, but doesn't the SAML profile for XACML do what you want? It defines SOAP formats for authzDecisionQuery and response records, which should be all you need for the WSDL.

I built one of these around Sun's interpreter for DOD/DISA (it's on forge.mil), and a much faster version (not released yet) around a fully compiled implementation that directly transforms XACML into Java code. The main goal was readability, not speed, but it's about ten times as fast.

IMO XACML works but is absolutely terrible as a language for people to look at. I'm more interested in finding a problem-specific language for expressing XACML's semantics so that people can understand them. Java beats XACML for this hands down, but Java's pretty clumsy as a domain-specific language. Perhaps Groovy?

PS: As our first shot at this we tried Attempto Controlled English (ACE). We quickly dropped that idea when we found ACE has nothing viable for expressing deeply nested conditionals (no parentheses or braces). And I'm not sure English was the right idea for this anyway, in spite of strong NSA interest in English-based policy languages.

OTHER TIPS

Doesn't Sun's XACML Implementation give you a solid API?

http://sunxacml.sourceforge.net/

(The development is back on track and the site should be updated soon. Have a look at the sunxacml-devl mailing list.)

sunxacml is not actively maintained. The last update on the page/implementation is from 2006.

An actively maintained open source XACML implementation is the HERAS-AF XACML Core.

SAML profile for XACML and WS-XACML specifications are attempts to standardize the communication between XACML PEP and PDP. WSO2 Identity Server is an open source project and will be adding this support by early next year.

Thanks...

WS-XACML is long dead unfortunately. SAML profile of XACML is today the only standardized approach but that's more about the communication than the ease of use of APIs.

At Axiomatics we did develop a simple SDK but it remains fairly vendor-specific.

I know that there is a strong initiative called OpenAZ pushed forward by Oracle and Nextlabs. They are aiming at defining simpler APIs for PEPs. That is probably what you would want to look at.

Links:
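The accepted answer and the Axiomatics answer above both point at the SAML profile of XACML as the only standardized PEP-to-PDP wire format, without showing what the exchange looks like or what a PEP-side API over it has to get right. The following is an added example, not code from the original post, from sunxacml, OpenAZ or any vendor SDK. It builds an XACML 2.0 Request wrapped in a SAML XACMLAuthzDecisionQuery, reads the attributes back the way a PDP would, and extracts the Decision from a response whether the PDP returns a bare xacml-context:Response or the SAML-wrapped form. The deny-biased `pep_permits` check is the security-relevant part: a PEP must grant access only on an explicit Permit in every Result, and must treat Deny, Indeterminate, NotApplicable, a malformed reply or no Result at all as deny. The issuer name `urn:example:pep`, the query ID, the sample resource `urn:example:doc:42` and the two response documents are constructed for the example and are assumptions, not anything a real PDP sent.

```python
"""XACML 2.0 request/response over the SAML profile, as seen from a PEP (added example)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespace URIs from XACML 2.0, SAML 2.0 and the SAML 2.0 profile of XACML 2.0.
NS = {
    "xacml-context": "urn:oasis:names:tc:xacml:2.0:context:schema:os",
    "xacml-samlp": "urn:oasis:xacml:2.0:saml:protocol:schema:os",
    "xacml-saml": "urn:oasis:xacml:2.0:saml:assertion:schema:os",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"


def tag(prefix, local):
    """Clark-notation tag name for ElementTree."""
    return "{%s}%s" % (NS[prefix], local)


def _add_attribute(parent, attr_id, value):
    attr = ET.SubElement(parent, tag("xacml-context", "Attribute"),
                         AttributeId=attr_id, DataType=XS_STRING)
    ET.SubElement(attr, tag("xacml-context", "AttributeValue")).text = value


def build_authz_decision_query(subject, resource, action, query_id="_q1"):
    """PEP side: wrap an XACML 2.0 <Request> in a SAML XACMLAuthzDecisionQuery.
    query_id should be a fresh random ID in practice; it is a parameter here."""
    issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    query = ET.Element(tag("xacml-samlp", "XACMLAuthzDecisionQuery"),
                       ID=query_id, Version="2.0", IssueInstant=issue_instant,
                       InputContextOnly="false", ReturnContext="false")
    ET.SubElement(query, tag("saml", "Issuer")).text = "urn:example:pep"  # hypothetical PEP name
    request = ET.SubElement(query, tag("xacml-context", "Request"))
    _add_attribute(ET.SubElement(request, tag("xacml-context", "Subject")), SUBJECT_ID, subject)
    _add_attribute(ET.SubElement(request, tag("xacml-context", "Resource")), RESOURCE_ID, resource)
    _add_attribute(ET.SubElement(request, tag("xacml-context", "Action")), ACTION_ID, action)
    ET.SubElement(request, tag("xacml-context", "Environment"))  # required in XACML 2.0, may be empty
    return ET.tostring(query, encoding="unicode")


def request_attributes(query_xml):
    """PDP side: flatten every Attribute in the embedded Request to {AttributeId: value}."""
    root = ET.fromstring(query_xml)
    out = {}
    for attr in root.iter(tag("xacml-context", "Attribute")):
        value = attr.find(tag("xacml-context", "AttributeValue"))
        out[attr.get("AttributeId")] = value.text if value is not None else None
    return out


def decisions_of(response_xml):
    """Return [(Decision, StatusCode value)] for every Result in the reply. Works on a bare
    xacml-context:Response and on samlp:Response/saml:Assertion/XACMLAuthzDecisionStatement.
    Unparseable input yields an empty list rather than an exception."""
    try:
        root = ET.fromstring(response_xml)
    except ET.ParseError:
        return []
    results = []
    for result in root.iter(tag("xacml-context", "Result")):
        decision = result.findtext(tag("xacml-context", "Decision"))
        code = result.find(tag("xacml-context", "Status") + "/" + tag("xacml-context", "StatusCode"))
        results.append((decision, code.get("Value") if code is not None else None))
    return results


def pep_permits(response_xml):
    """Deny-biased enforcement: access only if there is at least one Result and every
    Result is an explicit Permit. Deny, Indeterminate, NotApplicable, a missing Result
    or garbage from the PDP all fall through to deny."""
    decisions = decisions_of(response_xml)
    return bool(decisions) and all(d == "Permit" for d, _ in decisions)


# Constructed sample replies (not captured from a real PDP).
SAMPLE_PERMIT = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:xacml-saml="urn:oasis:xacml:2.0:saml:assertion:schema:os"
 xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
 ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" InResponseTo="_q1">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>urn:example:pdp</saml:Issuer>
  <xacml-saml:XACMLAuthzDecisionStatement><xacml-context:Response>
   <xacml-context:Result ResourceId="urn:example:doc:42">
    <xacml-context:Decision>Permit</xacml-context:Decision>
    <xacml-context:Status><xacml-context:StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></xacml-context:Status>
   </xacml-context:Result>
  </xacml-context:Response></xacml-saml:XACMLAuthzDecisionStatement>
 </saml:Assertion>
</samlp:Response>"""

SAMPLE_INDETERMINATE = """<Response xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os">
 <Result><Decision>Indeterminate</Decision>
  <Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:processing-error"/></Status>
 </Result></Response>"""

if __name__ == "__main__":
    print(build_authz_decision_query("alice", "urn:example:doc:42", "read"))
    print(pep_permits(SAMPLE_PERMIT), pep_permits(SAMPLE_INDETERMINATE))
```

Two things a PEP API has to decide are visible here: the response may carry several Result elements (one per resource in a multi-resource request), so a single `.find()` of the first Decision is not enough; and the SAML profile's Response is normally signed, so in a real deployment the Assertion signature and InResponseTo must be verified before `pep_permits` is consulted, which this example deliberately leaves out.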

James, I would seriously look at OpenAZ. There is a call every other week on Thursdays which you are welcome to attend.

Licensed under: CC-BY-SA with attribution