Menu
I'm considering migrating my client application from using a XACML 2.0 authorization service to using a newer XACML 3.0 service.
What changes or issues will I run into in migrating my client app from making XACML 2.0 requests to making XACML 3.0 requests?
753
Extensible Access Control Markup Language is an attribute-based access control policy language or XML-based language, designed to express security policies and access requests to information. XACML can be used for web services, digital rights management, and enterprise security applications.
Extensible Access Control Markup Language (XACML) is a system for using Extensible Markup Language (XML) conventions to address security and access protocols for the Web or for particular applications. Since 2003, this form of XML has enabled businesses and organizations to control aspects of digital security.
The XACML PEP is responsible for intercepting all access requests, collecting the appropriate information (such as who is making the request, which resource is being accessed, and what action is to be taken), and sending a request for a decision to the XACML PDP.
XACML supports Attribute-Based Access Control (ABAC) and evaluation can be done with the additional data retrieved from Policy Information Point (PIP) which is defined by the XACML reference architecture.
The biggest difference between XACML 2.0 and XACML 3.0 for your client app is that the structure of the attributes in the authz request have changed significantly in XACML 3.0.
In XACML 2.0, attributes were organized into subject, resource, environment, or action categories using XML element tags:
<?xml version="1.0" encoding="UTF-8"?>
<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os access_control-xacml-2.0-context-schema-os.xsd">
<Subject>
<Attribute
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>Julius Hibbert</AttributeValue>
</Attribute>
</Subject>
<Resource>
<Attribute
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#anyURI">
<AttributeValue>http://medico.com/record/patient/BartSimpson</AttributeValue>
</Attribute>
</Resource>
<Action>
<Attribute
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>read</AttributeValue>
</Attribute>
</Action>
<Environment/>
</Request>
In XACML 3.0, these categories are indicated using XML attributes instead of XML element tags:
<?xml version="1.0" encoding="utf-8"?>
<Request xsi:schemaLocation="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17 http://docs.oasis-open.org/xacml/3.0/xacml-core-v3-schema-wd-17.xsd" ReturnPolicyIdList="false" CombinedDecision="false" xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Julius Hibbert</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://medico.com/record/patient/BartSimpson</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" />
</Request>
The <Subject> element in XACML 2.0 becomes <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"> in XACML 3.0, for example. Ditto for the resource, environment, and action categories.
This structural change simplifies the processing model for handling requests and makes it easy to extend the model with custom application-specific or domain-specific categories without running afoul of schema validation.
There are new data types and functions defined in XACML 3.0 for use in policy definitions. The AnyURI data type is now distinct from the string datatype. Several of the 2.0 combining algorithms have been deprecated in favor of new 3.0 equivalents that define more precisely how indeterminate states propagate up through the policy decision tree. The old combining algorithms are still included as "legacy" artifacts.
XACML 2.0 requests and policies can be mechanically converted to XACML 3.0 format with no loss of information. Converting a 3.0 response back to 2.0 format is doable if you stick to simple permit/deny responses.
62
Please check the OASIS XACML TC wiki for an official list of differences:
"Differences between XACML 2.0 and XACML 3.0"
In a nutshell...
The key difference between XACML 2.0 and XACML 3.0 is in new features such as
This information is summarized on the XACML TC wiki page at OASIS. The TC is backed by such leading organization as Oracle, IBM, and Axiomatics. The editor of the XACML 3.0 specification is Axiomatics's CTO, Erik Rissanen.
Also, Kuppinger Cole delivered a webinar on the topic: "Policy Based Access Control with XACML 3.0".
Lastly, I summarized the new features on "Enhancements and new features in #XACML 3.0".
26
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
