[PicketBox Development] - Get something started with XACML - Requirements Discussion
by Dan Gradl
Dan Gradl [http://community.jboss.org/people/dgradl] created the discussion
"Get something started with XACML - Requirements Discussion"
To view the discussion, visit: http://community.jboss.org/message/637330#637330
--------------------------------------------------------------
Hello all,
I have recently begun participating in this project and I noticed that the discussion on XACML has been fairly quiet, so I thought I would kick off some discussions to see what the interest level is, see what requirements people have considered, see who is using it, and maybe create some interest in it from others who don't know what it is or have looked at it and found it lacking something.
I'm going to use this post as a teaser for topics I'm going to write about and to provide a summary of links to them. However, I would also like people to respond on this thread, if there is something I don't mention, or to provide other general thoughts on the subject of XACML.
In a past role I architected and implemented a fine-grained access control system on a large scale using XACML. This was built on the SunXACML library which is now at the core of JBossXACML (since the Sun community died off). The library left a lot to be desired for such an implementation, and it was our desire actually to purchase a vendor product because of those gaps. However, due to various reasons this purchase was delayed and we fell back on this library and filling gaps ourselves to provide at least a portion of the capabilities required. I am going to share some of the learning from this experience on various aspects of a complete access control solution based on XACML. I believe that for JBoss XACML to get more adoption and interest and to provide an alternative to the commercial products it needs to address some of these concerns. Don't take this as a criticism of what's here nor me just complaining (I intend to help build new features, if there is some interest).
Here's some of the key considerations in its implementation that I intend to write about and start discussions on:
1. Performance - Access control is a cross-cutting concern; it is pervasive throughout an application (or an enterprise). If you are controlling access to services it's going to be checked on every service invocation; if you are controlling access to data it will be called whenever it's accessed. As such it needs to have a low overhead and be able to scale well. One thread has been started about caching, but there is more to consider.
http://community.jboss.org/thread/175058?tstart=0 Caching
2. Enforcement - In the XACML logical architecture, JBossXACML pretty much provides just the PDP, some context handling, and hooks to PIPs. Enforcement will vary greatly depending on what resources you are protecting, but is there anything generic it could provide here?
3. Administration - Policy writing is difficult, complex, and has a great impact on item #1. There is no open source Policy Administration Point (PAP) that I am aware of, but this is essential for ease of use and adoption. This may also include the need to test a policy that was created.
4. Auditing/Reporting - Access to resources is a major security concern, so of course auditors, IT security professionals and others need to know who has access to what.
5. Deployment - Is the entire XACML stack (PEP, PDP, PIP, PAP) on one box alongside the application using it or is support for more distributed deployment topologies required?
6. Resource management - keeping an inventory of things you are protecting seems simple and sounds like administration, but there are some gotchas I'd like to share.
7. Best practices - this'll be a catchall for some random things
--------------------------------------------------------------
Reply to this message by going to Community
[http://community.jboss.org/message/637330#637330]
Start a new discussion in PicketBox Development at Community
[http://community.jboss.org/choose-container!input.jspa?contentType=1&cont...]
13 years, 1 month
[JBoss Web Services Development] - Exception in thread "main" java.lang.NoSuchMethodError: com.sun.xml.bind.api.JAXBRIContext.newInstance([Ljava/lang/Class; )Ljavax/xml/bind/JAXBContext;
by Sreejith K T
Sreejith K T [http://community.jboss.org/people/srekt] created the discussion
"Exception in thread "main" java.lang.NoSuchMethodError: com.sun.xml.bind.api.JAXBRIContext.newInstance([Ljava/lang/Class;)Ljavax/xml/bind/JAXBContext;"
To view the discussion, visit: http://community.jboss.org/message/637023#637023
--------------------------------------------------------------
Hi,
I am getting the below exception while invoking the Web Service
log4j:WARN No appenders could be found for logger (org.jboss.ws.metadata.builder.jaxws.JAXWSWebServiceMetaDataBuilder).
log4j:WARN Please initialize the log4j system properly.
Exception in thread "main" java.lang.NoSuchMethodError: com.sun.xml.bind.api.JAXBRIContext.newInstance([Ljava/lang/Class;)Ljavax/xml/bind/JAXBContext;
at org.jboss.ws.metadata.acessor.JAXBAccessor$1.create(JAXBAccessor.java:67)
at org.jboss.ws.metadata.acessor.JAXBAccessor$1.create(JAXBAccessor.java:54)
at org.jboss.ws.metadata.umdm.ParameterMetaData.eagerInitialize(ParameterMetaData.java:470)
at org.jboss.ws.metadata.umdm.OperationMetaData.eagerInitialize(OperationMetaData.java:466)
at org.jboss.ws.metadata.umdm.EndpointMetaData.eagerInitializeOperations(EndpointMetaData.java:516)
at org.jboss.ws.metadata.umdm.EndpointMetaData.initializeInternal(EndpointMetaData.java:502)
at org.jboss.ws.metadata.umdm.EndpointMetaData.eagerInitialize(EndpointMetaData.java:490)
at org.jboss.ws.metadata.builder.jaxws.JAXWSClientMetaDataBuilder.rebuildEndpointMetaData(JAXWSClientMetaDataBuilder.java:292)
at org.jboss.ws.core.jaxws.spi.ServiceDelegateImpl.getPortInternal(ServiceDelegateImpl.java:274)
at org.jboss.ws.core.jaxws.spi.ServiceDelegateImpl.getPort(ServiceDelegateImpl.java:200)
at javax.xml.ws.Service.getPort(Service.java:116)
at tutorial.hanbo.webservice.jaws.GreetingService.getGreetingPort(GreetingService.java:56)
at tutorial.hanbo.webservice.Client.main(Client.java:10)
My web service is up and running and the client code is as follows. Please help.
import javax.xml.ws.BindingProvider;
import tutorial.hanbo.webservice.jaws.Greeting;
import tutorial.hanbo.webservice.jaws.GreetingService;

GreetingService service = new GreetingService();
Greeting echo = service.getGreetingPort();
/* Set NEW Endpoint Location: override the address baked into the generated service */
String endpointURL = "http://dskt:8080/greeting/GreetingWebService?wsdl";
BindingProvider bp = (BindingProvider) echo;
bp.getRequestContext().put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, endpointURL);
System.out.println("Server said: " + echo.greetClient("Sreejith"));
--------------------------------------------------------------
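A NoSuchMethodError at this point is a linkage failure, not a coding error in the client: JAXBAccessor was compiled against a JAXBRIContext/JAXBContext pair that provides newInstance(Class[]) (a JAXB 2.x method), but the classes the JVM actually loaded do not provide it. One common cause is the same class being present in more than one jar on the classpath, with an older copy listed first and shadowing the newer one, since the application class loader searches jars in order and takes the first match. The script below is an added illustration, not code from this post or from JBossWS: it scans an ordered list of jars for classes that occur more than once and reports which jar wins. The jar names and their contents are constructed for the demo; on a real system the list would be built from the client's actual -classpath or lib directory in the same order.

```python
"""Find classes that appear in more than one jar on a Java classpath.

Added illustration, not code from the original post or from JBossWS. The
application class loader searches jars in classpath order and uses the first
copy of a class it finds, so an older jar listed earlier silently shadows a
newer one; a NoSuchMethodError on a method added in the newer release is a
typical symptom. DEMO_CLASSPATH below is constructed for the demo.
"""
import io
import zipfile
from collections import OrderedDict


def class_entries(jar_bytes):
    """Class entries (e.g. 'javax/xml/bind/JAXBContext.class') inside one jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return [n for n in zf.namelist() if n.endswith(".class")]


def find_shadowed_classes(classpath):
    """classpath: ordered list of (jar_name, jar_bytes), in JVM search order.

    Returns {class_entry: [jar_name, ...]} for every class found in more than
    one jar; the first jar in each list is the one the class loader uses.
    """
    seen = OrderedDict()
    for jar_name, jar_bytes in classpath:
        for entry in class_entries(jar_bytes):
            seen.setdefault(entry, []).append(jar_name)
    return {entry: jars for entry, jars in seen.items() if len(jars) > 1}


def winner_for(classpath, class_name):
    """Jar that supplies class_name (dotted form) under first-match-wins, or None."""
    entry = class_name.replace(".", "/") + ".class"
    for jar_name, jar_bytes in classpath:
        if entry in class_entries(jar_bytes):
            return jar_name
    return None


def make_jar(entries):
    """Build an in-memory jar with the given entry names (dummy bodies).
    Constructed for the demo; real jars come from open(path, 'rb').read()."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


# Constructed classpath: an old JAXB 1.x API jar listed ahead of the JAXB 2.x jars,
# so javax.xml.bind.JAXBContext resolves to the old copy.
DEMO_CLASSPATH = [
    ("old-jaxb-api-1.0.jar", make_jar(["javax/xml/bind/JAXBContext.class",
                                       "javax/xml/bind/Marshaller.class"])),
    ("jaxb-api-2.1.jar", make_jar(["javax/xml/bind/JAXBContext.class",
                                   "javax/xml/bind/Marshaller.class",
                                   "javax/xml/bind/JAXBElement.class"])),
    ("jaxb-impl-2.1.jar", make_jar(["com/sun/xml/bind/api/JAXBRIContext.class"])),
]

if __name__ == "__main__":
    for entry, jars in sorted(find_shadowed_classes(DEMO_CLASSPATH).items()):
        print("%s: loaded from %s, shadows %s" % (entry, jars[0], ", ".join(jars[1:])))
    print("javax.xml.bind.JAXBContext ->", winner_for(DEMO_CLASSPATH, "javax.xml.bind.JAXBContext"))
```

To apply it to the failing client, replace DEMO_CLASSPATH with (name, bytes) pairs for the jars in the order the JVM sees them; any javax/xml/bind or com/sun/xml/bind class that shows up twice points at the jar to remove or move behind the JBossWS-supplied ones.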
[PicketBox Development] - XACML Best Practices
by Dan Gradl
Dan Gradl [http://community.jboss.org/people/dgradl] created the discussion
"XACML Best Practices"
To view the discussion, visit: http://community.jboss.org/message/637524#637524
--------------------------------------------------------------
This is a post in a series of discussions I was starting to get some discussion going on XACML. I led the implementation of XACML on a large scale using the original SunXACML libraries as the PDP and I am sharing some of my insights as a way to elicit some requirements on the further development of XACML. The original post and index to these discussions is http://community.jboss.org/thread/175091?tstart=0.
This topic is meant to be a catchall for items not in the other major categories listed there.
I am starting with just one of those misc. items this morning, primarily because I ran across this as I was attempting to use JBoss XACML in a way I had used SunXACML.
I found it very useful to leverage PolicyIdReference in PolicySets. Rather than embed all the policies within the PolicySet, using references to policies kept things cleaner and more understandable, and it enabled reuse. In the RBAC Profile example here: http://community.jboss.org/docs/DOC-16676 (http://community.jboss.org/wiki/XACMLRBACLocator), the policies are directly in the PPS. I preferred instead to create a set of policies externally and refer to them as references in the PPS. This enabled me to use them in different roles in different combinations. More specifically, policies were written to target specific resource/action combinations (only), and then assigned to PolicySets that targeted specific subjects (namely a role).

As far as I can see the JBoss XACML Locators and FinderModules do not handle references. Everything is treated as a first-level policy and it's common to see this warning: "INFO: More than one top-level applicable policy for the request". The XACML spec says "the mechanism for resolving a policy reference to the corresponding policy is outside the scope of this specification", so it's up to implementation detail. However, the way I believe it should work is that those policies referenced should be considered second-level policies. As such, they should not be target-evaluated in the initial pass-through; only if a top-level PolicySet matches the target and refers to these policies should their target be evaluated.

In the SunXACML module there is a StaticRefPolicyFinderModule, and it works just that way. It will "find" policies only by reference id and not by evaluation, and can be pointed at a different set of policies. So I would place all of my RPS/PPS files in one directory and all of my policies in a separate directory, and they would be evaluated only if an RPS/PPS matched first and had a reference to them. That component is still there but can't be used directly by the JBoss Locators because of some differences.

I would suggest that there definitely needs to be support for PolicyIdReference capabilities, but I would like to solicit feedback on the approach I described.
--------------------------------------------------------------
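The two-level lookup argued for in the post above, as an added example that is not part of the original post and is not JBoss XACML/PicketBox code or SunXACML's StaticRefPolicyFinderModule: first-level PolicySets (the RPS/PPS directory) are matched by Target on every request, while second-level Policies (the separate policies directory) are indexed by PolicyId and reached only through a PolicyIdReference from a PolicySet whose Target already matched. It also shows what a single-level finder reports for the same request when the referenced Policies are Target-scanned as well, which is the "more than one top-level applicable policy" situation. Targets are reduced to string-equal matches and combining to first-applicable at both levels; the policy ids, the urn:example:role attribute and the requests are made up for the demo.

```python
"""Two-level XACML lookup: first-level PolicySets are found by Target, second-level
Policies only through PolicyIdReference. Added illustration of the approach in the
post above; not JBoss XACML/PicketBox code and not SunXACML's StaticRefPolicyFinderModule.
Targets are reduced to string-equal matches, combining is first-applicable at both
levels, Conditions/Obligations are out of scope. Ids, urn:example:role and the
requests are made up for the demo."""
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:2.0:policy:schema:os"}
XSD_STRING = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
ROLE = "urn:example:role"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"


def _target_matches(target, request):
    """XACML 2.0 Target: Subjects/Resources/Actions are each a disjunction of
    Subject/Resource/Action elements, each a conjunction of *Match elements;
    an absent section matches anything."""
    if target is None:
        return True
    for kind in ("Subject", "Resource", "Action"):
        section = target.find("x:%ss" % kind, NS)
        if section is not None and not any(
                all(m.find("x:AttributeValue", NS).text ==
                    request.get(m.find("x:%sAttributeDesignator" % kind, NS).get("AttributeId"))
                    for m in alt.findall("x:%sMatch" % kind, NS))
                for alt in section.findall("x:%s" % kind, NS)):
            return False
    return True


class TwoLevelPDP:
    def __init__(self, policy_sets, policies):
        # First level: Target-scanned on every request (the RPS/PPS directory).
        self.policy_sets = [ET.fromstring(s) for s in policy_sets]
        # Second level: indexed by PolicyId only, never Target-scanned (the policies directory).
        self.by_id = {p.get("PolicyId"): p for p in map(ET.fromstring, policies)}

    def applicable_top_level(self, request):
        return [ps.get("PolicySetId") for ps in self.policy_sets
                if _target_matches(ps.find("x:Target", NS), request)]

    def applicable_if_flat(self, request):
        """What a single-level finder reports when the referenced Policies are
        Target-scanned too: both the PPS and the Policy look top-level applicable."""
        return self.applicable_top_level(request) + [
            p.get("PolicyId") for p in self.by_id.values()
            if _target_matches(p.find("x:Target", NS), request)]

    def evaluate(self, request):
        """Returns (decision, deciding PolicyId or the unresolved reference)."""
        for ps in self.policy_sets:
            if not _target_matches(ps.find("x:Target", NS), request):
                continue
            for ref in ps.findall("x:PolicyIdReference", NS):
                policy = self.by_id.get(ref.text)
                if policy is None:  # dangling reference: do not fail open
                    return "Indeterminate", ref.text
                if _target_matches(policy.find("x:Target", NS), request):
                    return policy.find("x:Rule", NS).get("Effect"), policy.get("PolicyId")
        return "NotApplicable", None


def _match(kind, attr_id, value):
    return ('<{k}Match MatchId="{f}"><AttributeValue DataType="{t}">{v}</AttributeValue>'
            '<{k}AttributeDesignator AttributeId="{a}" DataType="{t}"/></{k}Match>'
            ).format(k=kind, f=STRING_EQUAL, t=XSD_STRING, v=value, a=attr_id)


def policy_set_xml(ps_id, role, *policy_ids):
    """A per-role PPS that names its policies by reference only."""
    return ('<PolicySet xmlns="{ns}" PolicySetId="{i}" PolicyCombiningAlgId="urn:oasis:names:tc:'
            'xacml:1.0:policy-combining-algorithm:first-applicable"><Target><Subjects><Subject>'
            '{m}</Subject></Subjects></Target>{refs}</PolicySet>').format(
        ns=NS["x"], i=ps_id, m=_match("Subject", ROLE, role),
        refs="".join("<PolicyIdReference>%s</PolicyIdReference>" % p for p in policy_ids))


def policy_xml(p_id, resource, action, effect):
    """A policy written against one resource/action pair, reusable from any PPS."""
    return ('<Policy xmlns="{ns}" PolicyId="{i}" RuleCombiningAlgId="urn:oasis:names:tc:xacml:'
            '1.0:rule-combining-algorithm:first-applicable"><Target><Resources><Resource>{r}'
            '</Resource></Resources><Actions><Action>{a}</Action></Actions></Target>'
            '<Rule RuleId="{i}:rule" Effect="{e}"/></Policy>').format(
        ns=NS["x"], i=p_id, e=effect, r=_match("Resource", RESOURCE_ID, resource),
        a=_match("Action", ACTION_ID, action))


def request(role, resource, action):
    return {ROLE: role, RESOURCE_ID: resource, ACTION_ID: action}


# Constructed store: two reusable policies and three role PPSs; the auditor PPS
# deliberately references a policy that does not exist.
POLICIES = [policy_xml("policy:invoice:read", "invoice", "read", "Permit"),
            policy_xml("policy:invoice:approve", "invoice", "approve", "Permit")]
POLICY_SETS = [policy_set_xml("PPS:clerk", "clerk", "policy:invoice:read"),
               policy_set_xml("PPS:manager", "manager", "policy:invoice:read", "policy:invoice:approve"),
               policy_set_xml("PPS:auditor", "auditor", "policy:invoice:archive")]
PDP = TwoLevelPDP(POLICY_SETS, POLICIES)
```

PDP.evaluate(request("clerk", "invoice", "read")) walks only PPS:clerk's references and returns Permit from policy:invoice:read, while PDP.applicable_if_flat on the same request lists both PPS:clerk and policy:invoice:read as applicable, which is exactly the duplicate-match a flat locator warns about. A reference that cannot be resolved yields Indeterminate rather than a silent Permit or NotApplicable, so a mis-filed policy shows up as a failure instead of an open door.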