Version 39

    PicketBox XACML (Formerly JBossXACML)

    Source Code

    https://github.com/picketbox/security-xacml

    Current Version

    2.0.9.Final (Released 17 June 2013)

    Please check the downloads page; there may be newer versions there.

    Features

    1. OASIS XACML v2.0 library

    2. JAXB v2.0 based object model

    3. ExistDB integration for storing/retrieving XACML policies and attributes

    Download

    http://www.jboss.org/picketbox/downloads.html

    Documentation

    http://www.jboss.org/jbosssecurity/docs/jbossxacml/

    UPDATE: This link is broken due to project migration. We will update it shortly.

    Until then, please use: http://community.jboss.org/wiki/PicketBoxXACMLSimpleWalkThrough

    Container Integration

    JBoss XACML is integrated into JBoss Application Server v5.0:

    http://anil-identity.blogspot.com/2008/12/as5-fine-grained-authorization-using.html

    The XACML engine has also been integrated into JBoss Enterprise Application Platform (EAP) since v5.0. It should also be available as part of the JBoss SOA Platform v5 and beyond.

    XACML Profiles

    SAML v2.0 Profile of XACML v2.0

    SAML-XACML Integration

    RBAC Profile of XACML v2.0

    RBAC Locator

    XACML ExistDB Integration

    Since PicketBox XACML v2.0.5.CR2, it is possible to store and retrieve XACML policies and attributes from ExistDB, an open-source XML database.

    Please read about the XACML ExistDB integration here.

    Diagram

    The following diagram shows the high-level XACML interaction.

    [Diagram: XACML.png]

    The Policy Enforcement Point (PEP) acts as an interceptor. In the component or container where an access decision is needed, the PEP builds an XACML request from the parameters of the call and asks the Policy Decision Point (PDP) for an access decision. The PDP evaluates one or more policies to reach that decision.

    Locators (Attributes/Policy/Caching)

    1. Policy Locator using LDAP
    2. Attribute Locator using Database
    3. Attribute Locator using LDAP
    4. Attribute Locator using File System
    5. Cache Locator (improves performance)
    6. RBAC Locator (XACML RBAC Profile)

    We have one XACML engine that is used by both the PicketBox and PicketLink distributions. So when you see references to either, we are referring to the same XACML engine.

    Performance

    Please take a look at the Cache Locator in the locators section above.

    Locking Issues

    The PDP.evaluate() method is thread-safe by default (it uses a reentrant lock). If you need it to be lock-free, set the system property picketbox.xacml.pdp.lockstrategy to "lockfree" (since 2.0.9.Final). If you set it to "readwrite", a read/write lock is used instead.
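    The following is an added example, not code from this page or from the PicketBox project, showing how the lock strategy described above is selected and how a single shared PDP is then used from several threads. It assumes the jboss-xacml 2.0.x API names JBossPDP, RequestResponseContextFactory, RequestContext, ResponseContext and XACMLConstants with the usage shown, assumes the property is read when the PDP is constructed (so it is set beforehand), and uses placeholder resource names pdp-config.xml and request.xml for the PDP configuration and the XACML request document.

```java
// Added example (not from the PicketBox project or this page): select the
// PDP lock strategy through the system property picketbox.xacml.pdp.lockstrategy
// and call PDP.evaluate() concurrently from a shared PDP instance.
//
// Assumptions (not confirmed by the page): the jboss-xacml 2.0.x classes
// imported below exist with the usage shown, and the lock strategy is read when
// the PDP is constructed. "pdp-config.xml" and "request.xml" are placeholders.
import java.io.InputStream;
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

import org.jboss.security.xacml.core.JBossPDP;
import org.jboss.security.xacml.factories.RequestResponseContextFactory;
import org.jboss.security.xacml.interfaces.PolicyDecisionPoint;
import org.jboss.security.xacml.interfaces.RequestContext;
import org.jboss.security.xacml.interfaces.ResponseContext;
import org.jboss.security.xacml.interfaces.XACMLConstants;

public class PdpLockStrategyExample {

    // Property name documented on this page; values "lockfree" and "readwrite".
    static final String LOCK_PROPERTY = "picketbox.xacml.pdp.lockstrategy";

    // Builds a PDP under the requested lock strategy. A null strategy leaves the
    // property unset, which keeps the default reentrant lock.
    static PolicyDecisionPoint createPdp(String lockStrategy) throws Exception {
        if (lockStrategy == null) {
            System.clearProperty(LOCK_PROPERTY);
        } else {
            System.setProperty(LOCK_PROPERTY, lockStrategy);
        }
        // PLACEHOLDER: jboss-xacml PDP configuration on the classpath that
        // references your policy set.
        try (InputStream config = PdpLockStrategyExample.class
                .getClassLoader().getResourceAsStream("pdp-config.xml")) {
            return new JBossPDP(config);
        }
    }

    // Reads one XACML v2.0 <Request> document and returns the PDP decision code.
    static int evaluateOnce(PolicyDecisionPoint pdp, String requestResource) throws Exception {
        RequestContext request = RequestResponseContextFactory.createRequestCtx();
        try (InputStream in = PdpLockStrategyExample.class
                .getClassLoader().getResourceAsStream(requestResource)) {
            request.readRequest(in);
        }
        ResponseContext response = pdp.evaluate(request);
        return response.getDecision();
    }

    // Submits the same request from several threads against one shared PDP; the
    // PDP's lock strategy decides whether those evaluations are serialized.
    static List<Integer> evaluateConcurrently(PolicyDecisionPoint pdp,
                                              String requestResource,
                                              int threads) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(threads);
        try {
            List<Future<Integer>> futures = new ArrayList<>();
            for (int i = 0; i < threads; i++) {
                futures.add(pool.submit((Callable<Integer>) () -> evaluateOnce(pdp, requestResource)));
            }
            List<Integer> decisions = new ArrayList<>();
            for (Future<Integer> f : futures) {
                decisions.add(f.get());
            }
            return decisions;
        } finally {
            pool.shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        // Pass "lockfree" or "readwrite" as the first argument; omit it for the default.
        PolicyDecisionPoint pdp = createPdp(args.length > 0 ? args[0] : null);
        for (int decision : evaluateConcurrently(pdp, "request.xml", 8)) {
            System.out.println(decision == XACMLConstants.DECISION_PERMIT ? "Permit" : "Not permit");
        }
    }
}
```

    Run it once with no argument and once with "readwrite" or "lockfree" to compare throughput for your own policy set; because the property is process-wide, it affects every PDP created in the same JVM after it is set.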

    Troubleshooting / Usage

    1. Enable debug logs for troubleshooting
    2. Simple Usage

    PDP Service

    If you are looking to host PDP as a service, please look at the following articles:

    1. WSDL based SOAP PDP Service
    2. Servlet that accepts SOAP/SAML/XACML Payload

    Commercial Support

    The XACML engine is part of the JBoss Enterprise Application Platform (EAP) and is commercially supported by Red Hat Inc.

    Advanced Users

     

    If you are looking for the source code, please look for the version in the tags at

    http://anonsvn.jboss.org/repos/jbossas/projects/security/security-xacml/tags/

    The test cases we use are under

    http://anonsvn.jboss.org/repos/jbossas/projects/security/security-xacml/tags/2.0.6.Final/jboss-xacml/src/test/

    The java folder contains the various test cases, and the resources folder houses the policy configuration files and policies.

    References

    Announcement

    FAQ