0 Replies Latest reply: Nov 21, 2011 9:34 AM by Dan Gradl RSS

XACML Best Practices

Dan Gradl Newbie

This is a post in a serious of discussions I was starting to get some discussion going on XACML.  I led the implementation of XACML on a large scale using the original SunXACML libraries as the PDP and I am sharing some of my insights as a way to elicit some requirements on the further development of XACML.   The original post and index to these discussions is http://community.jboss.org/thread/175091?tstart=0

 

This topic is meant to be a catchall for items not in the other major categories listed there. 

 

I am starting with just one of those misc. items this morning, primarily because I ran across this as I was attempting to use JBoss XACML in a way I had used SunXACML.   

 

I found it very useful to leverage PolicyIdReference in PolicySets.  Rather than embed all the policies within the PolicySet, using references to policies, kept things cleaner and more understandable, and it enabled reuse.   In the RBAC Profile example here: http://community.jboss.org/wiki/XACMLRBACLocator, the policies are directly in the PPS.  I preferred instead to create a set of policies externally and refer to them as references in the PPS.  This enabled me to use them in different roles in different combinations.  More specifically policies were written to target specific resource/action combinations (only), and then assigned them to PolicySets that targetted specific subjects (namely a role).  As far as I can see the JBoss XACML Locators and FinderModules do not handle references.  Everything is treated as a first level policy and it's common to see this warning "INFO: More than one top-level applicable policy for the request".    The XACML spec says "the mechanism for resolving a policy reference to the corresponding policy is outside the scope of this specification", so it's up to implementation detail.  However, the way I believe it should work is that those policies referenced should be considered a second-level policy.  As such, they should not be target evaluated in the initial passthrough, only if a top-level PolicySet matches the target and refers to these policies, then the target should be evaluated.  In the SunXACML module there is a StaticRefPolicyFinderModule, and it works just that way.  It will "find" policies only by reference id and not by evaluation, and can be pointed at a different set of policies.    So I would place all of my RPS/PPS files in one directory and all of my policies in a separate directory and they would be evaluted if an RPS/PPS matched first and had reference to it.    That component is still there but can't be used directly by the JBoss Locators because of some differences.  But I would suggest that there definitely needs to be support for PolicyIdReference capabilities, but would like to solicit feedback on the approach I described.