[jboss-dev-forums] [PicketBox Development] - XACML Enforcement
Dan Gradl
do-not-reply at jboss.com
Tue Nov 29 21:39:35 EST 2011
Dan Gradl [http://community.jboss.org/people/dgradl] created the discussion
"XACML Enforcement"
To view the discussion, visit: http://community.jboss.org/message/639028#639028
--------------------------------------------------------------
This is a post in a serious of discussions I am starting to get some discussion going on XACML. I led the implementation of XACML on a large scale using the original SunXACML libraries as the PDP and I am sharing some of my insights as a way to elicit some requirements on the further development of XACML. The original post and index to these discussions is http://community.jboss.org/thread/175091?tstart=0 http://community.jboss.org/thread/175091?tstart=0.
This thread will discuss policy enforcement. The core JBoss XACML (PicketBox) portion provides PDP, context handling, and a bit of PIP functionality. Any PEP capability is elsewhere.
Anil, you mentioned in another thread that PEPs are in higher level projects. When you get a chance can you let me know where to look for those?
Enforcement can be very specific to the resource being protected and to the security environment, but I think there could be some useful pieces that could be provided out of the box. The first thing is simply an API to simplify making a XACML request. The majority of enforcement types will only need to deal with a small number of core attributes.. e.g. subject-id, resource-id, action-id. Additional attributes could be made available more simply as key/value pairs rather than requiring the PEP implementer to construct a complex XACML Request object.
The second thing that can be provided is a library of PEPs that can handle common resources, in this case container resources or development framework resources. For example, you might be able to provide a generalized PEP for an EJB, a servlet, a portlet, etc. You might have resources in Seam (I'm not very familiar with Seam, so forgive me) but maybe some REST resource or JSF resources (perhaps you want to protect a data field).
Last thing might be to provide common obligation handling capabilities... maybe must log or something like this. Plus, the XACML spec states that if a PEP cannot fulfil an obligation it should deny access....if every PEP is written differently, its hard to consistently ensure this is met.
In all, its hard to provide a set of PEPs that will work for all resources you are protecting, and there's not a ton you can provide here.. but just a couple thoughts/ideas.
--------------------------------------------------------------
Reply to this message by going to Community
[http://community.jboss.org/message/639028#639028]
Start a new discussion in PicketBox Development at Community
[http://community.jboss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2088]
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/jboss-dev-forums/attachments/20111129/8f3aeba1/attachment.html
More information about the jboss-dev-forums
mailing list