4 Replies Latest reply on Sep 28, 2006 3:33 PM by judge2005

    XACML and DROOLS

      I'm not sure if this is the right forum for this as it spans Drools and authorization.

      Basically I was wondering if there would be any mileage in using Drools to evaluate XACML policies. XACML policies are basically a set of rules. Drools is a rules evaluation engine, so in my naivete it seems like there might be some kind of synergy there.

      Note I'm not really concerned with the specific representation that XACML uses (i.e. the XML schema it uses), rather I'm interested in evaluating the rules it expresses (OK, I might also be interested in a somewhat more human-readable version of XACML - it could always be translated to XACML for rule interchange purposes if necessary).

      I know that you have had discussions about applying security to DROOLs, but I'm turning this around and wondering if you could use DROOLs as a PDP.

        • 1. Re: XACML and DROOLS
          rlake3

          Yes - we believe this is of considerable interest - have you had any other responses?

          • 2. Re: XACML and DROOLS
            anil.saldhana

            Using Drools (aka JBoss Rules) for doing XACML evaluation may be a possibility. But why do it when you have a full-fledged Sun OSS implementation available free of charge?

            • 3. Re: XACML and DROOLS
              mark.proctor

              Anything further to report with your investigations there? Drools provides very fast runtime queries of its working memory - ideal for acl query authorisation.

              • 4. Re: XACML and DROOLS

                As far as using SunXACML goes, well, there is just one guy working on it and it doesn't seem very active. I've no idea how performant it is, and it requires that the rules be expressed in XACML, which is hardly the tersest language around.

                Drools seems a lot more active and I could possibly write a terser vocabulary to express the same policies.

                Anyhow, I am currently using SunXACML but am still interested in exploring DROOLs for this purpose. As with anything, it's all just a question of time, or rather lack of it.