JBoss Community

Re: Get something started with XACML - Requirements Discussion

created by Dan Gradl in PicketBox Development

So upstream, PicketBox XACML can be used to protect my web resources or my EJBs, right? But still, the end user is the one who hooks it in and writes policies and configures it and all of that, right? Unless the policies are prewritten and provided by those upstream projects, there is at least one pain point to using this project, I would say. If all this was used for was to protect various container resources, wouldn't you still need to address some of the concerns I am referring to?

 

i.e.

Performance is still important

Policy writing is still painful (wouldn't a PAP be useful?)

Might someone still want to be able to report and audit on the access granted to those resources?

Isn't there still a set of resources to manage? (EJBs, Servlets, etc.)

 

 

I don't suppose XACML is a mandatory part of the JBoss AS, but it is there in case you need to provide fine-grained access control to resources. Still, these things would make it easier to leverage for that purpose.

 

Yeah, I can also see these capabilities enabling a standalone XACML platform that could be used outside of JBoss, and a few things I mentioned may only make sense in that arena.

 

Before we spawn a project though, I guess we should see if anyone is interested in these things.  


