PicketBox XACML (Formerly JBossXACML)
- Source Code
- Current Version
- Features
- Documentation
- Container Integration
- XACML Profiles
- XACML ExistDB Integration
- Diagram
- Locators (Attributes/Policy/Caching)
- Is it PicketBox XACML or PicketLink XACML?
- Performance
- Locking Issues
- Troubleshooting / Usage
- PDP Service
- Commercial Support
- Advanced Users
- References
Source Code
https://github.com/picketbox/security-xacml
Current Version
2.0.9.Final (Released 17 June 2013)
Please check the downloads page; there may be newer versions there.
Features
- OASIS XACML v2.0 library
- JAXB v2.0 based object model
- ExistDB Integration for storing/retrieving XACML Policies and Attributes
Download
http://www.jboss.org/picketbox/downloads.html
Documentation
http://www.jboss.org/jbosssecurity/docs/jbossxacml/
UPDATE: This link is broken because of the project migration and will be updated shortly.
Until then, please use: http://community.jboss.org/wiki/PicketBoxXACMLSimpleWalkThrough
Container Integration
JBoss XACML is integrated into JBoss Application Server v5.0:
http://anil-identity.blogspot.com/2008/12/as5-fine-grained-authorization-using.html
The XACML Engine has also been integrated into JBoss Enterprise Application Platform (EAP) since v5.0. It should also be available as part of the JBoss SOA Platform v5 and beyond.
XACML Profiles
SAML v2.0 Profile of XACML v2.0
RBAC Profile of XACML v2.0
XACML ExistDB Integration
Since PicketBox XACML v2.0.5.CR2, it is possible to store and retrieve XACML policies and attributes from ExistDB, an OSS XML Database.
Please read about the XACML ExistDB integration here.
Diagram
The following diagram shows the high-level XACML interaction.
The Policy Enforcement Point (PEP) acts as an interceptor. In the component or container where an access decision is to be made, the PEP will create an XACML request based on various parameters of the call. It then asks the PDP for an access decision. The PDP will use one or more policies to make an access decision.
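The PEP/PDP interaction described above, as an added example that is not code from the page or the project: a minimal PEP that maps a service call (caller, resource, action) onto an XACML request and asks the PDP for a decision. The class and factory names are assumed from the JBossXACML 2.0.x API; the jbossxacml-config.xml (naming the policy files or locators) and the policies it points to are assumed to exist on the classpath.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URI;

import org.jboss.security.xacml.core.JBossPDP;
import org.jboss.security.xacml.core.model.context.ActionType;
import org.jboss.security.xacml.core.model.context.EnvironmentType;
import org.jboss.security.xacml.core.model.context.RequestType;
import org.jboss.security.xacml.core.model.context.ResourceType;
import org.jboss.security.xacml.core.model.context.SubjectType;
import org.jboss.security.xacml.factories.RequestAttributeFactory;
import org.jboss.security.xacml.factories.RequestResponseContextFactory;
import org.jboss.security.xacml.interfaces.PolicyDecisionPoint;
import org.jboss.security.xacml.interfaces.RequestContext;
import org.jboss.security.xacml.interfaces.ResponseContext;
import org.jboss.security.xacml.interfaces.XACMLConstants;

public class SimplePEP {
    private final PolicyDecisionPoint pdp;

    /** config: the jbossxacml-config.xml stream (assumed); PDP.evaluate() is thread safe, so build once and share. */
    public SimplePEP(InputStream config) {
        this.pdp = new JBossPDP(config);
    }

    /** Fail closed: only an explicit Permit grants access; Deny, NotApplicable and Indeterminate all refuse. */
    public boolean isPermitted(String userId, URI resource, String action) throws IOException {
        RequestType req = new RequestType();
        // Subject: who is calling (issuer left as null, i.e. no issuer on the attribute).
        SubjectType subject = new SubjectType();
        subject.getAttribute().add(RequestAttributeFactory.createStringAttributeType(
                XACMLConstants.ATTRIBUTEID_SUBJECT_ID, null, userId));
        req.getSubject().add(subject);
        // Resource: what is being accessed, identified by URI.
        ResourceType res = new ResourceType();
        res.getAttribute().add(RequestAttributeFactory.createAnyURIAttributeType(
                XACMLConstants.ATTRIBUTEID_RESOURCE_ID, null, resource));
        req.setResource(res);
        // Action: the operation the caller wants to perform; environment left empty.
        ActionType act = new ActionType();
        act.getAttribute().add(RequestAttributeFactory.createStringAttributeType(
                XACMLConstants.ATTRIBUTEID_ACTION_ID, null, action));
        req.setAction(act);
        req.setEnvironment(new EnvironmentType());
        // Wrap the request and ask the PDP; the PDP evaluates it against its loaded policies.
        RequestContext ctx = RequestResponseContextFactory.createRequestCtx();
        ctx.setRequest(req);
        ResponseContext response = pdp.evaluate(ctx);
        return response.getDecision() == XACMLConstants.DECISION_PERMIT;
    }
}
```

A caller would construct the PEP once with the config stream and then call isPermitted("alice", new URI("urn:example:orders:42"), "read") (constructed sample values) at each enforcement point.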
Locators (Attributes/Policy/Caching)
- Policy Locator using LDAP
- Attribute Locator using Database
- Attribute Locator using LDAP
- Attribute Locator using File System
- Cache Locator (Improves Performance)
- RBAC Locator (XACML RBAC Profile)
Is it PicketBox XACML or PicketLink XACML?
We have one XACML engine that is used by both the PicketBox and PicketLink distributions. So when you see references to either, we are referring to the same XACML engine.
Performance
Please take a look at Cache Locator in the locators section above.
Locking Issues
The PDP.evaluate() method is thread safe by default (it uses a ReentrantLock). If you need it to be lock free, set the system property
picketbox.xacml.pdp.lockstrategy to "lockfree" (since 2.0.9.Final). If you set it to "readwrite", a ReadWrite lock is used instead.
Troubleshooting / Usage
PDP Service
If you are looking to host PDP as a service, please look at the following articles:
Commercial Support
The XACML Engine is part of the JBoss Enterprise Application Platform (EAP) and is commercially supported by Red Hat Inc.
Advanced Users
If you are looking for the source code, please look for the version in the tags at
http://anonsvn.jboss.org/repos/jbossas/projects/security/security-xacml/tags/
There are test cases that we use under http://anonsvn.jboss.org/repos/jbossas/projects/security/security-xacml/tags/2.0.6.Final/jboss-xacml/src/test/
The java folder contains the various test cases, and the resources folder houses the policy config files and policies.