10:42 p.m.
Dan Gradl [https://community.jboss.org/people/dgradl] created the discussion
"Re: Get something started with XACML - Requirements Discussion"
To view the discussion, visit: https://community.jboss.org/message/646809#646809
--------------------------------------------------------------
Having given this some time to sit out there, it seems that my thoughts haven't
generated any discussion at all. I guess there isn't a ton of interest in the XACML
piece of this.. or do you think it is being used more than it seems, Anil? I think it
is understandable though.. a PDP alone just isn't too exciting, it's really one
part of an overall access control solution and writing policy files isn't a whole lot
of fun either. I feel like a more complete XACML solution, would have a great deal more
use. I'm just not sure if there is even any interest level for this in PicketBox or
even in the JBoss community... based on the lack of feedback so far I guess.
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/646809#646809]
Start a new discussion in PicketBox Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
8:51 a.m.
Anil Saldhana [https://community.jboss.org/people/anil.saldhana] created the discussion
"Re: Get something started with XACML - Requirements Discussion"
To view the discussion, visit: https://community.jboss.org/message/647185#647185
--------------------------------------------------------------
Hi Dan, I am sorry I have not been able to answer your posts. Been busy with JBoss AS7.
Let me answer you in a bit.
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/647185#647185]
Start a new discussion in PicketBox Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
12:14 p.m.
Anil Saldhana [https://community.jboss.org/people/anil.saldhana] created the discussion
"Re: Get something started with XACML - Requirements Discussion"
To view the discussion, visit: https://community.jboss.org/message/647443#647443
--------------------------------------------------------------
Dan, in reality XACML is still years behind the adoption curve. The industry is still
getting to terms with authentication. :( I am hoping that there will be emphasis on
access control in a couple of years.
There is adoption of xacml among university research and other security focused entities.
The need of the hour is domain based editors that can be used to craft the xacml
policies. Rather than crafting xacml policies by hand, GUI should be employed depending
on domains to craft the policies.
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/647443#647443]
Start a new discussion in PicketBox Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
9:21 p.m.
Dan Gradl [https://community.jboss.org/people/dgradl] created the discussion
"Re: Get something started with XACML - Requirements Discussion"
To view the discussion, visit: https://community.jboss.org/message/647501#647501
--------------------------------------------------------------
I obviously agree on the need for a GUI policy administration point. There's too
much work involved to implement xacml based access control without it. I also think that
people won't see value in XACML when all that is there is a decision engine. There
are commercial XACML implementations out there... they don't neccessarily even promote
the XACML name, but they are full solutions and they are obviously seeing use in various
places such as in the finance industry. Like I may have mentioned to you before, I
implemented XACML at a large bank and we looked at the products because there was no open
source alternative, and building and maintaining something like that ourself didn't
make sense. I'd definitely be interested to work towards creating a more complete
open source XACML solution. It would seem, however, that given the low interest it would
end up being me running solo on it. At least until it had enough features to be more
interesting to others.
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/647501#647501]
Start a new discussion in PicketBox Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
1:08 p.m.
Kiran Anantha [https://community.jboss.org/people/raylite3] created the discussion
"Re: Get something started with XACML - Requirements Discussion"
To view the discussion, visit: https://community.jboss.org/message/736031#736031
--------------------------------------------------------------
Hi, Dan, Anil,
Stumbled on to this topic late in the thread but it definitely sounds very interesting and
useful. I am new to XACML and so it will be very helpful to have some links to how to
configure a web/ejb container (as Anil mentions) to use XACML. A pointer to an example
will be great.
Thanks,
Kiran.
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/736031#736031]
Start a new discussion in PicketBox Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
4:14 p.m.
Christian QD93S7 [https://community.jboss.org/people/ceebee] created the discussion
"Re: Get something started with XACML - Requirements Discussion"
To view the discussion, visit: https://community.jboss.org/message/752902#752902
--------------------------------------------------------------
Hi,
what I see is that there are COTS solutions, that are conceptually not much further on the
"adoption curve"... We need a good pap implementation that is tailorable to the
domain experts, to their vocabulary. The role of the "policy modeller" is not
very well described up to now. It is not an IT admin, it is more the Service Manager. So
we build a kind of eclipse rcp app that consumes a dsl to generate XACML and distributes
it on a set of preconfigured pdps...
May be requirements analysis helps us to understand, why the standard is still not widely
used.
->cb
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/752902#752902]
Start a new discussion in PicketBox Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
8:53 a.m.
Dan Gradl [https://community.jboss.org/people/dgradl] created the discussion
"Re: Get something started with XACML - Requirements Discussion"
To view the discussion, visit: https://community.jboss.org/message/753039#753039
--------------------------------------------------------------
In the XACML impl I worked on it the thought had been that the policy modeller would be
part of the info security team, even in a PAP this takes some specialized skill. However
without a PAP it fell to developers to craft the XML policies. There was also a need to
delegate control over some of the details to a variety of different people (business
users, customer power users). They wouldn't write policies per say but have control
over some of the "constraints" defined by the policies and the UI would be
simplified greatly to where it needed little to no training/additional skill.
I like your thinking on the DSL.. that idea had been bouncing around in my head as well.
Although, I was thinking it could directly drive the PDP... I see the value in XACML being
the data and logical model and not so much in the fact that it uses XML. That is to say I
don't see any particular value in generating XML other than the fact that the current
PDP drives off of it. Many of the COTS drive off a database representation of the
entities. Also, I think a DSL may be a good interim step in creating a usable PAP, but
that ultimately it needs a UI on top of it for easiest learning curve.
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/753039#753039]
Start a new discussion in PicketBox Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
9:41 a.m.
Christian QD93S7 [https://community.jboss.org/people/ceebee] created the discussion
"Re: Get something started with XACML - Requirements Discussion"
To view the discussion, visit: https://community.jboss.org/message/753046#753046
--------------------------------------------------------------
the policy modeller as part of the info security team- interesting point. I thought the
possible advantage of XACML -besides from interop- is the ability to change and adapt
existing access rules while the system is running, i.e. is already developed. So if we
restrict the ability to change the rules to specialized people, it tends to get adjusted
one time or twice in the lifecycle of the software. It is not much different from
hardcoding the rules in the software. If we really want to use the advantage, we need to
enable the business guys to understand what happens.
But I haven't seen such a system working. So as you describe it - this organization
has some procedure to work with "meta-rules" and then they give the order to
change to the security team. The question is, how often occur changes ?
But even if you have specialized people- the policysets get big and complex and so the GUI
should really be able to structure them according to different perspectives (like eclipse
perspectives) There might be an application perspective, an organization perspective, a
dictionary. It is a special kind of rule management system. There have been various
attempts to write good editors, see http://www.tfgordon.de/publications
http://www.tfgordon.de/publications. But it is worth a try.
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/753046#753046]
Start a new discussion in PicketBox Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
4568
days inactive
4777
days old
jboss-dev-forums@lists.jboss.org
7 comments
4 participants
participants (4)
-
Anil Saldhana -
Christian QD93S7
-
Dan Gradl
-
Kiran Anantha