
XACML implementation

I am a novice with XACML policies. Can you tell me how to implement XACML policies? I have tried different APIs, but for my project I need to implement an XACML evaluation engine. So, can you help me by providing the implementation details? Which language would be best suited for implementing the evaluation engine?

Thanks in advance.

user2022887 asked Jan 29 '13 19:01


3 Answers

I guess implementing an XACML evaluation engine is not an easy task. You need to go through the XACML specification at https://www.oasis-open.org/committees/xacml/ and do the implementation based on it. It would be better if you can find an already implemented XACML-based authorization engine.

"Balana" is one such XACML implementation (with partial XACML 3.0 support), and it is a Java-based open source project.

Therefore you can use it freely, and you can find the source code at https://svn.wso2.org/repos/wso2/trunk/commons/balana/.

Also, if you really want to implement a new XACML engine, you can go through the Balana source code to get some idea of the implementation, or reuse its source code. More details on Balana and XACML can be found on this blog at http://xacmlinfo.com/. I guess Java would be an easy language to deal with, as you need to work with a lot of XML.

Asela answered Nov 19 '22 08:11


You want to look at XACML implementations that exist today.

The following are all open source implementations available today:

  • Sun XACML: provides partial XACML 2.0 implementation
  • Heras AF: provides a conformant XACML 2.0 implementation (http://www.herasaf.org/heras-af-xacml.html)
  • Balana: as previously mentioned, provides partial XACML 3.0 implementation
  • AuthzForce: fully XACML 3.0 compliant (all mandatory features) (https://github.com/authzforce/core)

The following are vendor implementations:

  • Axiomatics Policy Server: full XACML 2.0 and XACML 3.0 implementation, also attested for conformance (this is where the XACML 3.0 editor works). Attestation of implementation: https://lists.oasis-open.org/archives/xacml/201010/msg00002.html
  • IBM DataPower: contains a XACML 2.0 engine
  • Quest: through their acquisition of Bitkoo, they also have XACML support.
  • Oracle

All of the open source implementations cited above are Java. Axiomatics and Bitkoo also provide a C# engine.

If you wanted to go your own way, you'd want to generate the XACML objects from the XACML schema using JAXB. That wouldn't give you the evaluation logic, though.

David Brossard answered Nov 19 '22 08:11
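To make the last point of the answer above concrete, the following added example (not part of the original answers and not code from any of the projects listed) sketches in Python the evaluation logic that schema-generated objects do not provide: target matching plus a simplified deny-overrides rule combiner over a constructed XACML 3.0 policy. The policy, the attribute values and the function names are assumptions made for illustration; Conditions, obligations and Indeterminate results are left out.

```python
import xml.etree.ElementTree as ET
NS = {"x": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
DENY_OVERRIDES = "urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
ACTION = ("urn:oasis:names:tc:xacml:3.0:attribute-category:action",
          "urn:oasis:names:tc:xacml:1.0:action:action-id")
SUBJECT = ("urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
           "urn:oasis:names:tc:xacml:1.0:subject:subject-id")

def _rule(rule_id, effect, attr, value):
    """Constructed sample data: one Rule whose Target holds a single string-equal Match."""
    return (f'<Rule RuleId="{rule_id}" Effect="{effect}"><Target><AnyOf><AllOf>'
            f'<Match MatchId="{STRING_EQUAL}">'
            f'<AttributeValue DataType="{XS_STRING}">{value}</AttributeValue>'
            f'<AttributeDesignator Category="{attr[0]}" AttributeId="{attr[1]}" '
            f'DataType="{XS_STRING}" MustBePresent="false"/>'
            f'</Match></AllOf></AnyOf></Target></Rule>')

# Constructed policy: anyone may "read", but subject "guest" is always denied.
POLICY_XML = (f'<Policy xmlns="{NS["x"]}" PolicyId="sample" Version="1.0" '
              f'RuleCombiningAlgId="{DENY_OVERRIDES}"><Target/>'
              + _rule("permit-read", "Permit", ACTION, "read")
              + _rule("deny-guest", "Deny", SUBJECT, "guest") + '</Policy>')

def match_ok(match, request):
    """True if any request value for the designated attribute equals the literal."""
    if match.get("MatchId") != STRING_EQUAL:
        raise ValueError("unsupported MatchId")  # a full engine yields Indeterminate
    d = match.find("x:AttributeDesignator", NS)
    bag = request.get((d.get("Category"), d.get("AttributeId")), [])
    return match.find("x:AttributeValue", NS).text in bag

def target_matches(target, request):
    """Missing or empty Target matches; AnyOf are ANDed, AllOf ORed, Match ANDed."""
    any_ofs = [] if target is None else target.findall("x:AnyOf", NS)
    return all(any(all(match_ok(m, request) for m in all_of.findall("x:Match", NS))
                   for all_of in any_of.findall("x:AllOf", NS)) for any_of in any_ofs)

def evaluate(policy_xml, request):
    """Simplified deny-overrides: ignores Condition, Obligations and Indeterminate."""
    policy = ET.fromstring(policy_xml)
    if policy.get("RuleCombiningAlgId") != DENY_OVERRIDES:
        raise ValueError("unsupported combining algorithm")
    if not target_matches(policy.find("x:Target", NS), request):
        return "NotApplicable"
    effects = {r.get("Effect") for r in policy.findall("x:Rule", NS)
               if target_matches(r.find("x:Target", NS), request)}
    return "Deny" if "Deny" in effects else "Permit" if "Permit" in effects else "NotApplicable"
```

Here a request is a dict mapping (category, attribute id) to a list of string values, for example `{ACTION: ["read"], SUBJECT: ["alice"]}`.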


Not sure what you mean by 'Evaluation'. Do you have access requests that need to be evaluated in order to determine whether or not access is granted?

For that purpose, I was able to run WSO2 Identity Server quickly, to compose XACML 3.0 policies and have it check the access control requests.

The server: http://wso2.com/products/identity-server/

The blog that helped me out: http://xacmlinfo.com/2012/06/13/pdp-pep-communication-wso2is/

JimRoy answered Nov 19 '22 08:11