Dan Gradl [http://community.jboss.org/people/dgradl] created the discussion
"XACML Deployment"
To view the discussion, visit:
http://community.jboss.org/message/639689#639689
--------------------------------------------------------------
This is a post in a series of discussions I am starting to get some discussion going on
XACML. I led the implementation of XACML on a large scale using the original SunXACML
libraries as the PDP and I am sharing some of my insights as a way to elicit some
requirements on the further development of XACML. The original post and index to these
discussions is
http://community.jboss.org/thread/175091?tstart=0.

This is a thread to talk about deployment. In a simple XACML implementation you may be
able to have everything (PAP, PDP, PEP) co-located in a single JVM, but as you protect
more resources in a distributed system or across multiple systems you may need a more
distributed approach. You may want the capability to administer centrally, but spread the
work across multiple PDPs to put them closer to their PEPs or to enable them to
index/process against smaller sets of policies. You may want to separate the PDP concern
from the application (and the PEP) for maintainability, or perhaps you have a non-Java
system that needs to execute policies using PDP as a service.

There need to be protocols to support a variety of deployment models. Ways to distribute
policies from PAP to 1 or more PDPs, ways to communicate to PDPs remotely from PEPs, etc.
There is an article already about using a PDP remotely, so there may already be ways to
handle some of this distributed capability.
--------------------------------------------------------------