0 Replies Latest reply on Jul 7, 2006 2:20 PM by Anil Saldanha

    XACML Integration in JBoss 5.0

    Anil Saldanha Master

      Now that the following JIRA issues have been resolved, I want to update the community about XACML Integration with the web and ejb layers.


      I have the first cut of xacml 2.0 integrated with the web and the ejb layers in jboss 5.0 (Branch: HEAD). There is scope for integration with other layers (on demand).

      Utilized the Open Source Sun XACML project as the integration foundation (Policy Decision Point). Given this, we basically needed a mechanism to generate the XACML requests, because the parsing of the xacml policy files were taken care of by the foundation(SunXACML).

      We have a XACMLPolicyModule that can be plugged into the authorization framework and this can take an injected delegate map based on the layers (Resource.WEB and Resource.EJB or whatever). The delegates for the layer are the Policy Enforcement Points (PEP) that take in the information that is provided via the contextual map of the Resource interfacehttp://fisheye.jboss.com/viewrep/JBoss/jbosssx/src/main/org/jboss/security/authorization/Resource.java
      and build the xacml request.

      At the current level of integration, an xacml policy file is located by the presence of "jboss-xacml-policy.xml" in the WEB-INF/META-INF of your web/ejb deployment.

      As always there is scope for improvement and based on advanced user needs, we will work on the xacml layer.

      In the future, I would like to refactor the layer to provide pluggable PDP.

      From a user's perspective, all you will need to do is include the xacml policy file in your web/ejb deployment.

      Links to xacml policy files used in the testsuite:

      Currently, for the web layer, the integration is provided by a JBoss realm that does the ExtendedRealm interface to a JASPI layer.
      The ejb layer integration is done via an interceptor SecurityAuthorizationInterceptor that can be used as a replacement to JaccAuthorizationInterceptor from the old jacc configuration.

      There will be a wiki entry detailing the configuration for this integration. So spare your questions until then.