Dan Gradl [http://community.jboss.org/people/dgradl] created the discussion "XACML Enforcement" To view the discussion, visit: http://community.jboss.org/message/639028#639028 -------------------------------------------------------------- This is a post in a serious of discussions I am starting to get some discussion going on XACML.  I led the implementation of XACML on a large scale using the original SunXACML libraries as the PDP and I am sharing some of my insights as a way to elicit some requirements on the further development of XACML.   The original post and index to these discussions is http://community.jboss.org/thread/175091?tstart=0 http://community.jboss.org/thread/175091?tstart=0. This thread will discuss policy enforcement.  The core JBoss XACML (PicketBox) portion provides PDP, context handling, and a bit of PIP functionality.  Any PEP capability is elsewhere. Anil, you mentioned in another thread that PEPs are in higher level projects.  When you get a chance can you let me know where to look for those?    Enforcement can be very specific to the resource being protected and to the security environment, but I think there could be some useful pieces that could be provided out of the box.   The first thing is simply an API to simplify making a XACML request.   The majority of enforcement types will only need to deal with a small number of core attributes.. e.g. subject-id, resource-id, action-id.    Additional attributes could be made available more simply as key/value pairs rather than requiring the PEP implementer to construct a complex XACML Request object.  The second thing that can be provided is a library of PEPs that can handle common resources, in this case container resources or development framework resources.  For example, you might be able to provide a generalized PEP for an EJB, a servlet, a portlet, etc.   You might have resources in Seam (I'm not very familiar with Seam, so forgive me) but maybe some REST resource or JSF resources (perhaps you want to protect a data field). Last thing might be to provide common obligation handling capabilities... maybe must log or something like this.   Plus, the XACML spec states that if a PEP cannot fulfil an obligation it should deny access....if every PEP is written differently, its hard to consistently ensure this is met. In all, its hard to provide a set of PEPs that will work for all resources you are protecting, and there's not a ton you can provide here.. but just a couple thoughts/ideas. -------------------------------------------------------------- Reply to this message by going to Community [http://community.jboss.org/message/639028#639028] Start a new discussion in PicketBox Development at Community [http://community.jboss.org/choose-container!input.jspa?contentType=1&...]