XACML - Declarative Access Control
By Rohan Pinto on Oct 12, 2008
Web applications need access control. I'm not gonna justify that fact. Any web application lets you restrict access to the resources it hosts simply by editing its deployment descriptor (web.xml). This method is called declarative security or declarative access control. Well, but does this really suffice?
Well, say hello to XACML. XACML stands for eXtensible Access Control Markup Language.
It is a declarative access control policy language implemented in XML, together with a processing model that describes how to interpret the policies.
If you followed what Daniel Raskins said a long time ago about supporting XACML, well, here it is: OpenSSO now has XACML support.
Support for XACML allows our customers to share access control policies across corporate boundaries and offers more dynamic, standards-based tools for creating federated mashups. As a result, our customers can continue to expand their business reach while using open standards to enforce security decisions and minimize security risk.
The OpenSSO codebase also has a XACML client sample which you could download, compile and run in a few clicks.
OpenSSO XACML implements the SAML 2.0 Profile of XACML 2.0, supporting XACMLAuthzDecisionQuery and XACMLAuthzDecisionStatement. The PEP (Policy Enforcement Point) makes an XACML 2.0/SAML 2.0/SOAP request to the PDP (Policy Decision Point) and gets a response. The OpenSSO XACML client sample is a remote client library that an application can use to make XACML calls to the PDP.
The returned XACMLAuthzDecisionStatement carries the XACML Response with its Result, Decision and so forth. The OpenSSO XACML implementation leverages the SAML 2.0 capability of OpenSSO to manage the SAML2 metadata of the PDP and PEP and to exchange SAML messages.
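To make the "processing model" concrete, here is an added example (not OpenSSO code) of a toy PDP in Python that evaluates a XACML 2.0 Policy against a Request context and returns the Decision an OpenSSO PDP would wrap in a XACMLAuthzDecisionStatement. The sample policy, the sample request and the role attribute are constructed for illustration; only string-equal matching and the deny-overrides rule-combining algorithm are implemented.

```python
import xml.etree.ElementTree as ET

P = "{urn:oasis:names:tc:xacml:2.0:policy:schema:os}"   # XACML 2.0 Policy namespace
C = "{urn:oasis:names:tc:xacml:2.0:context:schema:os}"  # XACML 2.0 Request/Response namespace
XS = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
ROLE, RESOURCE_ID, ACTION_ID = ("urn:oasis:names:tc:xacml:2.0:subject:role",
    "urn:oasis:names:tc:xacml:1.0:resource:resource-id", "urn:oasis:names:tc:xacml:1.0:action:action-id")

def match(m, category, req):
    """One <SubjectMatch>/<ResourceMatch>/<ActionMatch>: some value of the designated request attribute must equal the literal (string-equal only)."""
    if m.get("MatchId") != STRING_EQUAL:
        raise NotImplementedError(m.get("MatchId"))
    literal = m.find(f"{P}AttributeValue").text
    aid = m.find(f"{P}{category}AttributeDesignator").get("AttributeId")
    return literal in [v.text for v in req.findall(f"{C}{category}/{C}Attribute[@AttributeId='{aid}']/{C}AttributeValue")]

def target_matches(target, req):
    """Every section present (Subjects/Resources/Actions) needs one matching element; an element matches when all its Match children do. No Target = any request."""
    if target is None:
        return True
    for section in target:                            # e.g. <Subjects>
        category = section.tag.replace(P, "")[:-1]    # Subjects -> Subject
        if not any(all(match(m, category, req) for m in el) for el in section):
            return False
    return True

def evaluate(policy_xml, request_xml):
    """Toy PDP for one <Policy>: applicable rules' Effects combined with deny-overrides."""
    policy, req = ET.fromstring(policy_xml), ET.fromstring(request_xml)
    if not policy.get("RuleCombiningAlgId", "").endswith(":deny-overrides"):
        raise ValueError("this toy PDP only implements deny-overrides")
    if not target_matches(policy.find(f"{P}Target"), req):
        return "NotApplicable"
    effects = {r.get("Effect") for r in policy.findall(f"{P}Rule") if target_matches(r.find(f"{P}Target"), req)}
    return "Deny" if "Deny" in effects else "Permit" if "Permit" in effects else "NotApplicable"

def build_request(role, resource, action):
    """Constructed sample Request context with one role, resource-id and action-id attribute."""
    attr = lambda aid, v: f'<Attribute AttributeId="{aid}" DataType="{XS}"><AttributeValue>{v}</AttributeValue></Attribute>'
    return (f'<Request xmlns="{C[1:-1]}"><Subject>{attr(ROLE, role)}</Subject><Resource>{attr(RESOURCE_ID, resource)}'
            f'</Resource><Action>{attr(ACTION_ID, action)}</Action><Environment/></Request>')

def sample_policy():
    """Constructed sample Policy: managers may read; delete is denied for everyone, and Deny wins."""
    mt = lambda tag, aid, v: f'<{tag}Match MatchId="{STRING_EQUAL}"><AttributeValue DataType="{XS}">{v}</AttributeValue><{tag}AttributeDesignator AttributeId="{aid}" DataType="{XS}"/></{tag}Match>'
    return (f'<Policy xmlns="{P[1:-1]}" PolicyId="reports" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides"><Target/>'
            f'<Rule RuleId="managers-read" Effect="Permit"><Target><Subjects><Subject>{mt("Subject", ROLE, "manager")}</Subject></Subjects>'
            f'<Actions><Action>{mt("Action", ACTION_ID, "read")}</Action></Actions></Target></Rule>'
            f'<Rule RuleId="no-delete" Effect="Deny"><Target><Actions><Action>{mt("Action", ACTION_ID, "delete")}</Action></Actions></Target></Rule></Policy>')
```

A real PDP would also evaluate Rule Conditions, other matching functions and PolicySets, and return Obligations alongside the Decision.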
Here's a simple 5 step guide to running the XACML client and testing it against OpenSSO.
- get OpenSSO.zip, extract it and find opensso-client.zip under the samples directory
- extract opensso-client.zip and go to the "sdk" subdirectory
- follow the README file to set up the samples
- follow the instructions in scripts/run-xacml-client-sample.sh to set up XACML.
I hope this post has been helpful. Cheers, and enjoy building applications that use XACML!! Interoperability rocks!!