PicketBox XACML (JBossXACML)

    PicketBox XACML (Formerly JBossXACML)


    Source Code



    Current Version


    2.0.9.Final   (Released 17 June 2013)

    Please check in downloads. There may be newer versions there.





    1. Oasis XACML v2.0 library

    2. JAXB v2.0 based object model

    3. ExistDB Integration for storing/retrieving XACML Policies and Attributes









    UPDATE:  This link is broken due to project migration.  Will update it shortly for you.


    Until then, please use: http://community.jboss.org/wiki/PicketBoxXACMLSimpleWalkThrough



    Container Integration


    JBoss XACML is integrated in JBoss Application Server v5.0



    The XACML Engine has also been integrated into JBoss Enterprise Application Platform (EAP) since v5.0.  It should also be available as part of the JBoss SOA Platform v5 and beyond.


    XACML Profiles


    SAML v2.0 Profile of XACML v2.0


    SAML-XACML Integration


    RBAC Profile of XACML v2.0

    RBAC Locator



    XACML ExistDB Integration

    Since PicketBox XACML v2.0.5.CR2, it is possible to store and retrieve XACML policies and attributes from ExistDB, an OSS XML Database.

    Please read about the XACML ExistDB integration here.



The following diagram shows the high-level XACML interaction.


The Policy Enforcement Point (PEP) acts as an interceptor. In the component or container where an access decision is to be made, the PEP builds an XACML request from the parameters of the call and asks the Policy Decision Point (PDP) for an access decision. The PDP evaluates one or more policies to reach that decision.
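As an added example (not code from the project or from this page), a minimal PEP of the kind described above, written against the PicketBox XACML API; the issuer string, the configuration stream and the attribute values are assumptions:

```java
import java.io.IOException;
import java.io.InputStream;
import org.jboss.security.xacml.core.JBossPDP;
import org.jboss.security.xacml.core.model.context.ActionType;
import org.jboss.security.xacml.core.model.context.EnvironmentType;
import org.jboss.security.xacml.core.model.context.RequestType;
import org.jboss.security.xacml.core.model.context.ResourceType;
import org.jboss.security.xacml.core.model.context.SubjectType;
import org.jboss.security.xacml.factories.RequestAttributeFactory;
import org.jboss.security.xacml.factories.RequestResponseContextFactory;
import org.jboss.security.xacml.interfaces.PolicyDecisionPoint;
import org.jboss.security.xacml.interfaces.RequestContext;
import org.jboss.security.xacml.interfaces.ResponseContext;
import org.jboss.security.xacml.interfaces.XACMLConstants;

/** Minimal PEP: builds an XACML request from a call's parameters and asks the PDP for a decision. */
public class SimplePep {
    // Standard XACML 2.0 attribute identifiers (the role attribute comes from the RBAC profile).
    private static final String SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id";
    private static final String ROLE_ID = "urn:oasis:names:tc:xacml:2.0:subject:role";
    private static final String RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id";
    private static final String ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id";
    // Hypothetical issuer string; the deployment's policies are assumed to match on it.
    private static final String ISSUER = "example.org";
    private final PolicyDecisionPoint pdp;

    /** pdpConfig is the PDP configuration XML stream naming the policies/locators (assumed). */
    public SimplePep(InputStream pdpConfig) {
        this.pdp = new JBossPDP(pdpConfig);
    }

    /** True only on an explicit Permit: Deny, NotApplicable and Indeterminate all fail closed. */
    public boolean isPermitted(String user, String role, String resource, String action) throws IOException {
        SubjectType subject = new SubjectType();
        subject.getAttribute().add(RequestAttributeFactory.createStringAttributeType(SUBJECT_ID, ISSUER, user));
        subject.getAttribute().add(RequestAttributeFactory.createStringAttributeType(ROLE_ID, ISSUER, role));
        ResourceType res = new ResourceType();
        res.getAttribute().add(RequestAttributeFactory.createStringAttributeType(RESOURCE_ID, ISSUER, resource));
        ActionType act = new ActionType();
        act.getAttribute().add(RequestAttributeFactory.createStringAttributeType(ACTION_ID, ISSUER, action));
        RequestType request = new RequestType();
        request.getSubject().add(subject);
        request.getResource().add(res);
        request.setAction(act);
        request.setEnvironment(new EnvironmentType()); // XACML 2.0 requests carry an Environment element
        RequestContext ctx = RequestResponseContextFactory.createRequestCtx();
        ctx.setRequest(request);
        ResponseContext response = pdp.evaluate(ctx); // thread safe by default (reentrant lock)
        return response.getDecision() == XACMLConstants.DECISION_PERMIT;
    }
}
```

The caller enforces the result by refusing the call whenever isPermitted() returns false, so an unreachable or misconfigured PDP never grants access by accident.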


    Locators (Attributes/Policy/Caching)

    1. Policy Locator using LDAP
    2. Attribute Locator using Database
    3. Attribute Locator using LDAP
    4. Attribute Locator using File System
    5. Cache Locator  (Improves Performance)
    6. RBAC Locator (XACML RBAC Profile)

    We have one XACML engine that is used by both the PicketBox and PicketLink distributions. So when you see references to either, we are referring to the same XACML engine.



    Please take a look at Cache Locator in the locators section above.


    Locking Issues

The PDP.evaluate() method is thread safe by default (it uses a ReentrantLock). If you need it to be lock free, set the system property picketbox.xacml.pdp.lockstrategy to "lockfree" (since 2.0.9.Final). If you set it to "readwrite", the locking uses a ReadWrite lock.

    Troubleshooting / Usage

    1. Enable debug logs for troubleshooting
    2. Simple Usage


    PDP Service

    If you are looking to host PDP as a service, please look at the following articles:

    1. WSDL based SOAP PDP Service
    2. Servlet that accepts SOAP/SAML/XACML Payload

    Commercial Support

The XACML Engine is part of the JBoss Enterprise Application Platform (EAP) and is commercially supported by Red Hat Inc.


    Advanced Users


    If you are looking for the source code, then please look for the version in the tags at



    There are test cases that we use under http://anonsvn.jboss.org/repos/jbossas/projects/security/security-xacml/tags/2.0.6.Final/jboss-xacml/src/test/



The java folder contains the various test cases, and the resources folder houses the policy config files and policies.