PicketBox XACML (formerly JBossXACML)


Source Code



Current Version


2.0.9.Final (released 17 June 2013)

Please check the downloads page; newer versions may be available there.


  1. Oasis XACML v2.0 library
  2. JAXB v2.0 based object model
  3. ExistDB integration for storing/retrieving XACML policies and attributes


UPDATE: This link is broken due to the project migration and will be updated shortly.

Until then, please use: http://community.jboss.org/wiki/PicketBoxXACMLSimpleWalkThrough



Container Integration


JBoss XACML is integrated into JBoss Application Server v5.0.

The XACML engine has also been integrated into JBoss Enterprise Application Platform (EAP) since v5.0. It should also be available as part of the JBoss SOA Platform v5 and beyond.


XACML Profiles


SAML v2.0 Profile of XACML v2.0


SAML-XACML Integration


RBAC Profile of XACML v2.0

RBAC Locator



XACML ExistDB Integration

Since PicketBox XACML v2.0.5.CR2, XACML policies and attributes can be stored in and retrieved from ExistDB, an open-source XML database.

Please read about the XACML ExistDB integration here.



The following diagram shows the high-level XACML interaction.

The Policy Enforcement Point (PEP) acts as an interceptor. In the component or container where an access decision is to be made, the PEP creates an XACML request from the parameters of the call and asks the PDP for an access decision. The PDP evaluates the request against one or more policies and returns the decision.
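A minimal PEP of the kind described above, written as an added example (it is not code from this page or from the PicketBox project). It assumes the org.jboss.security.xacml classes named in the imports, as used in the project's simple walkthrough, a PDP configuration stream supplied by the caller, and a constructed "jboss.org" issuer value:

```java
import java.io.InputStream;
import java.net.URI;
import org.jboss.security.xacml.core.JBossPDP;
import org.jboss.security.xacml.core.model.context.ActionType;
import org.jboss.security.xacml.core.model.context.EnvironmentType;
import org.jboss.security.xacml.core.model.context.RequestType;
import org.jboss.security.xacml.core.model.context.ResourceType;
import org.jboss.security.xacml.core.model.context.SubjectType;
import org.jboss.security.xacml.factories.RequestAttributeFactory;
import org.jboss.security.xacml.factories.RequestResponseContextFactory;
import org.jboss.security.xacml.interfaces.PolicyDecisionPoint;
import org.jboss.security.xacml.interfaces.RequestContext;
import org.jboss.security.xacml.interfaces.ResponseContext;
import org.jboss.security.xacml.interfaces.XACMLConstants;

public class SimplePEP {
    private final PolicyDecisionPoint pdp;
    /** pdpConfig: the caller's PDP configuration stream (policies and locators), assumed here. */
    public SimplePEP(InputStream pdpConfig) {
        // evaluate() lock strategy, read when the PDP is built (see Locking Issues, 2.0.9.Final+)
        System.setProperty("picketbox.xacml.pdp.lockstrategy", "readwrite");
        this.pdp = new JBossPDP(pdpConfig);
    }
    /** True only on an explicit Permit; Deny, NotApplicable, Indeterminate and errors fail closed. */
    public boolean isPermitted(String subjectId, String resourceUri, String action) {
        try {
            SubjectType subject = new SubjectType();   // "jboss.org" issuer values are constructed
            subject.getAttribute().add(RequestAttributeFactory.createStringAttributeType(
                    XACMLConstants.ATTRIBUTEID_SUBJECT_ID, "jboss.org", subjectId));
            ResourceType resource = new ResourceType();
            resource.getAttribute().add(RequestAttributeFactory.createAnyURIAttributeType(
                    XACMLConstants.ATTRIBUTEID_RESOURCE_ID, "jboss.org", URI.create(resourceUri)));
            ActionType act = new ActionType();
            act.getAttribute().add(RequestAttributeFactory.createStringAttributeType(
                    XACMLConstants.ATTRIBUTEID_ACTION_ID, "jboss.org", action));
            RequestType request = new RequestType();
            request.getSubject().add(subject);
            request.getResource().add(resource);
            request.setAction(act);
            request.setEnvironment(new EnvironmentType());
            RequestContext requestCtx = RequestResponseContextFactory.createRequestCtx();
            requestCtx.setRequest(request);
            ResponseContext response = pdp.evaluate(requestCtx);
            return response.getDecision() == XACMLConstants.DECISION_PERMIT;
        } catch (Exception e) {
            return false;   // any failure to obtain a decision is treated as deny
        }
    }
}
```

The PEP compares the decision against DECISION_PERMIT only, so a policy that is NotApplicable to the request or evaluates to Indeterminate never grants access.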


Locators (Attributes/Policy/Caching)

  1. Policy Locator using LDAP
  2. Attribute Locator using Database
  3. Attribute Locator using LDAP
  4. Attribute Locator using File System
  5. Cache Locator  (Improves Performance)
  6. RBAC Locator (XACML RBAC Profile)

We have one XACML engine that is used by both the PicketBox and PicketLink distributions. So when you see references to either, we are referring to the same XACML engine.



Please take a look at Cache Locator in the locators section above.


Locking Issues

The PDP.evaluate() method is thread-safe by default (it uses a reentrant lock). If you need it to be lock-free, set the system property picketbox.xacml.pdp.lockstrategy to "lockfree" (since 2.0.9.Final). Setting it to "readwrite" makes the PDP use a read-write lock instead.

Troubleshooting / Usage

  1. Enable debug logs for troubleshooting
  2. Simple Usage


PDP Service

If you are looking to host PDP as a service, please look at the following articles:

  1. WSDL based SOAP PDP Service
  2. Servlet that accepts SOAP/SAML/XACML Payload

Commercial Support

The XACML engine is part of the JBoss Enterprise Application Platform (EAP) and is commercially supported by Red Hat Inc.


Advanced Users


If you are looking for the source code, then please look for the version in the tags at



The test cases we use are under http://anonsvn.jboss.org/repos/jbossas/projects/security/security-xacml/tags/2.0.6.Final/jboss-xacml/src/test/

The java folder contains the various test cases, and the resources folder houses the policy configuration files and policies.