This is a post in a serious of discussions I am starting to get some discussion going on XACML. I led the implementation of XACML on a large scale using the original SunXACML libraries as the PDP and I am sharing some of my insights as a way to elicit some requirements on the further development of XACML. The original post and index to these discussions is http://community.jboss.org/thread/175091?tstart=0.
This thread will discuss policy enforcement. The core JBoss XACML (PicketBox) portion provides PDP, context handling, and a bit of PIP functionality. Any PEP capability is elsewhere.
Anil, you mentioned in another thread that PEPs are in higher level projects. When you get a chance can you let me know where to look for those?
Enforcement can be very specific to the resource being protected and to the security environment, but I think there could be some useful pieces that could be provided out of the box. The first thing is simply an API to simplify making a XACML request. The majority of enforcement types will only need to deal with a small number of core attributes.. e.g. subject-id, resource-id, action-id. Additional attributes could be made available more simply as key/value pairs rather than requiring the PEP implementer to construct a complex XACML Request object.
The second thing that can be provided is a library of PEPs that can handle common resources, in this case container resources or development framework resources. For example, you might be able to provide a generalized PEP for an EJB, a servlet, a portlet, etc. You might have resources in Seam (I'm not very familiar with Seam, so forgive me) but maybe some REST resource or JSF resources (perhaps you want to protect a data field).
Last thing might be to provide common obligation handling capabilities... maybe must log or something like this. Plus, the XACML spec states that if a PEP cannot fulfil an obligation it should deny access....if every PEP is written differently, its hard to consistently ensure this is met.
In all, its hard to provide a set of PEPs that will work for all resources you are protecting, and there's not a ton you can provide here.. but just a couple thoughts/ideas.
|Retrieving data ...|