PicketBox XACML (JBossXACML)

PicketBox XACML (Formerly JBossXACML)

 

Source Code

https://github.com/picketbox/security-xacml

 

Current Version

 

2.0.9.Final   (Released 17 June 2013)

Please check the downloads page; there may be newer versions there.

 

Features

  1. OASIS XACML v2.0 library

  2. JAXB v2.0 based object model

  3. ExistDB integration for storing/retrieving XACML policies and attributes

 

 

Download

 

http://www.jboss.org/picketbox/downloads.html

 

Documentation

http://www.jboss.org/jbosssecurity/docs/jbossxacml/

UPDATE: This link is broken due to the project migration. We will update it shortly.

 

Until then, please use: http://community.jboss.org/wiki/PicketBoxXACMLSimpleWalkThrough

 

 

Container Integration

 

JBoss XACML is integrated into JBoss Application Server v5.0:

http://anil-identity.blogspot.com/2008/12/as5-fine-grained-authorization-using.html

 

The XACML engine has also been integrated into JBoss Enterprise Application Platform (EAP) since v5.0. It should also be available as part of the JBoss SOA Platform v5 and beyond.

 

XACML Profiles

 

SAML v2.0 Profile of XACML v2.0

 

SAML-XACML Integration

 

RBAC Profile of XACML v2.0

RBAC Locator

 

 

XACML ExistDB Integration

Since PicketBox XACML v2.0.5.CR2, it is possible to store and retrieve XACML policies and attributes from ExistDB, an open-source XML database.

Please read about the XACML ExistDB integration here.

 

Diagram

The following diagram shows the high-level XACML interaction.

(Figure: XACML.png, the high-level XACML interaction diagram)

The Policy Enforcement Point (PEP) acts as an interceptor. In the component or container where an access decision is to be made, the PEP creates an XACML request from the parameters of the call and then asks the Policy Decision Point (PDP) for an access decision. The PDP evaluates one or more policies to reach that decision.

 

Locators (Attributes/Policy/Caching)

  1. Policy Locator using LDAP
  2. Attribute Locator using Database
  3. Attribute Locator using LDAP
  4. Attribute Locator using File System
  5. Cache Locator (improves performance)
  6. RBAC Locator (XACML RBAC Profile)

We have one XACML engine that is used by both the PicketBox and PicketLink distributions. So when you see references to either, we are referring to the same XACML engine.

 

Performance

Please take a look at Cache Locator in the locators section above.

 

Locking Issues

The PDP.evaluate() method is thread safe by default (it uses a reentrant lock). When you need it to be lock free, set the system property picketbox.xacml.pdp.lockstrategy to "lockfree" (since 2.0.9.Final). If you set it to "readwrite", the locking uses a read/write lock instead.
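A minimal PEP of the kind described in the Diagram section, combined with the lock-strategy property above, added here as an illustration and not code from this page or from the PicketBox project. It assumes the PicketBox API names shown (JBossPDP, RequestResponseContextFactory, RequestContext, ResponseContext, XACMLConstants), that RequestContext.readRequest accepts an InputStream of XACML 2.0 context XML, that the lock strategy property is read when the PDP is constructed, and a PicketBox policy configuration supplied by the caller as an InputStream.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

import org.jboss.security.xacml.core.JBossPDP;
import org.jboss.security.xacml.factories.RequestResponseContextFactory;
import org.jboss.security.xacml.interfaces.PolicyDecisionPoint;
import org.jboss.security.xacml.interfaces.RequestContext;
import org.jboss.security.xacml.interfaces.ResponseContext;
import org.jboss.security.xacml.interfaces.XACMLConstants;

/** Minimal PEP: builds a XACML 2.0 request from the call parameters and asks the PDP. */
public class SimplePep {
    private static final String XS_STRING = "http://www.w3.org/2001/XMLSchema#string";
    private final PolicyDecisionPoint pdp;

    public SimplePep(InputStream policyConfig) {
        // Assumption: the lock strategy is read when the PDP is built, so set it first.
        System.setProperty("picketbox.xacml.pdp.lockstrategy", "readwrite");
        this.pdp = new JBossPDP(policyConfig); // PicketBox policy configuration XML
    }

    /** True only for an explicit Permit; Deny, NotApplicable and Indeterminate all fail closed. */
    public boolean isAllowed(String subjectId, String resourceId, String actionId) throws Exception {
        String xml = "<Request xmlns=\"urn:oasis:names:tc:xacml:2.0:context:schema:os\">"
            + section("Subject", "urn:oasis:names:tc:xacml:1.0:subject:subject-id", subjectId)
            + section("Resource", "urn:oasis:names:tc:xacml:1.0:resource:resource-id", resourceId)
            + section("Action", "urn:oasis:names:tc:xacml:1.0:action:action-id", actionId)
            + "<Environment/></Request>";
        RequestContext request = RequestResponseContextFactory.createRequestCtx();
        request.readRequest(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        ResponseContext response = pdp.evaluate(request);
        return response.getDecision() == XACMLConstants.DECISION_PERMIT;
    }

    // One request section holding a single string attribute.
    private static String section(String element, String attributeId, String value) {
        return "<" + element + "><Attribute AttributeId=\"" + attributeId + "\" DataType=\"" + XS_STRING + "\">"
            + "<AttributeValue>" + escape(value) + "</AttributeValue></Attribute></" + element + ">";
    }

    // Caller-supplied values are escaped so a crafted subject or resource name cannot alter the request document.
    private static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;").replace("\"", "&quot;");
    }
}
```

Because the PDP returns a decision rather than a boolean, the PEP must decide what to do with NotApplicable and Indeterminate; treating only Permit as success keeps a missing or broken policy from granting access.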

Troubleshooting / Usage

  1. Enable debug logs for troubleshooting
  2. Simple Usage

 

PDP Service

If you are looking to host PDP as a service, please look at the following articles:

  1. WSDL based SOAP PDP Service
  2. Servlet that accepts SOAP/SAML/XACML Payload

Commercial Support

The XACML engine is part of the JBoss Enterprise Application Platform (EAP) and is commercially supported by Red Hat Inc.

 

Advanced Users

 

If you are looking for the source code, then please look for the version in the tags at

http://anonsvn.jboss.org/repos/jbossas/projects/security/security-xacml/tags/

There are test cases that we use under http://anonsvn.jboss.org/repos/jbossas/projects/security/security-xacml/tags/2.0.6.Final/jboss-xacml/src/test/

The java folder contains the various test cases and the resources folder houses the policy config files and policies.

 

 

References

 

Announcement

 

FAQ