0 Replies Latest reply on Nov 29, 2011 9:39 PM by Dan Gradl

    XACML Enforcement

    Dan Gradl Newbie

      This is a post in a serious of discussions I am starting to get some discussion going on XACML.  I led the implementation of XACML on a large scale using the original SunXACML libraries as the PDP and I am sharing some of my insights as a way to elicit some requirements on the further development of XACML.   The original post and index to these discussions is http://community.jboss.org/thread/175091?tstart=0.


      This thread will discuss policy enforcement.  The core JBoss XACML (PicketBox) portion provides PDP, context handling, and a bit of PIP functionality.  Any PEP capability is elsewhere.


      Anil, you mentioned in another thread that PEPs are in higher level projects.  When you get a chance can you let me know where to look for those?   


      Enforcement can be very specific to the resource being protected and to the security environment, but I think there could be some useful pieces that could be provided out of the box.   The first thing is simply an API to simplify making a XACML request.   The majority of enforcement types will only need to deal with a small number of core attributes.. e.g. subject-id, resource-id, action-id.    Additional attributes could be made available more simply as key/value pairs rather than requiring the PEP implementer to construct a complex XACML Request object. 


      The second thing that can be provided is a library of PEPs that can handle common resources, in this case container resources or development framework resources.  For example, you might be able to provide a generalized PEP for an EJB, a servlet, a portlet, etc.   You might have resources in Seam (I'm not very familiar with Seam, so forgive me) but maybe some REST resource or JSF resources (perhaps you want to protect a data field).


      Last thing might be to provide common obligation handling capabilities... maybe must log or something like this.   Plus, the XACML spec states that if a PEP cannot fulfil an obligation it should deny access....if every PEP is written differently, its hard to consistently ensure this is met.


      In all, its hard to provide a set of PEPs that will work for all resources you are protecting, and there's not a ton you can provide here.. but just a couple thoughts/ideas.