Title: eXtensible Access Control Markup Language [OASIS Standard]
Slide 1: eXtensible Access Control Markup Language (OASIS Standard)
- Kailash Bhoopalam
- Java and XML
Slide 2: Contents
- Introduction to Access Control
- Introduction to XACML
- The XACML schema
- Access Control Examples and Experiments with XACML
- The XACML framework
- Installing and using the XACML package
- Beyond Vanilla XACML
- User Extensions to XACML Implementation
- XACML in Secure Distributed Digital Libraries
Slide 3: Introduction to Access Control
(Diagram: John wants access to the protected file PatientRecord1.doc on a File Server. The request passes first through Authentication and then through Authorization (Access Control). The server holds PatientRecord1.doc and PatientRecord2.doc.)
Slide 4: Access Control, contd.
Slide 5: Introduction to XACML
(Diagram: John wants access to the protected file PatientRecord1.doc. The access request is expressed as a Request Context, evaluated against an XACML Policy, and answered with a Response Context. The three documents below use the slide's simplified element names, not the actual XACML schema element names.)

XACML Policy (simplified):
  <rule effect="permit">
    <target>
      <subject><value>John</value></subject>
      <resource><value>PatientRecord1.doc</value></resource>
      <action><value>R</value></action>
    </target>
  </rule>

Request Context (simplified):
  <request>
    <subject><value>John</value></subject>
    <resource><value>PatientRecord1.doc</value></resource>
    <action><value>R</value></action>
  </request>

Response Context (simplified):
  <response>
    <decision><value>Permit</value></decision>
  </response>
Slide 6: Introduction to XACML, contd.
How does XACML work?
Slide 7: XACML Schemas
Policy Schema:
  PolicySet (combining algorithm)
    Policy (combining algorithm)
      Rule (Effect)
        Target: Subject, Resource, Action
        Condition
  Obligation (attached to a Policy or PolicySet)
Request Schema:
  Request: Subject, Resource, Action
Response Schema:
  Response: Decision, Obligation
Slide 8: Some Experiments
Slide 9: XACML Framework (Data Flow Model)
Slide 10: XACML Framework (Policy Language Model)
Slide 11: Installing and using the XACML Implementation
- Available implementations
  - Sun Microsystems (here) (download)
  - You may also optionally copy it from kbhoopal/public_html/xacml/sunxacml.jar
  - Jiffy Software (here)
- More on Sun's XACML implementation
  - Available as a zip file
  - Unzip and build with ant (download ant)
  - Include sunxacml.jar in the classpath
Slide 12: Using the XACML Implementation (A Programmer's Guide)
- Using Sun's XACML Implementation
  - Overview of APIs
  - Building a basic PDP
  - Building a basic PEP
  - Validating Policies and Requests
  - Some Experiments
Slide 13: Beyond Vanilla Access Control
- Rule and policy combining algorithms
  - Permit-overrides: if any single rule evaluates to Permit, the PDP's result is Permit, irrespective of the other rules.
  - Deny-overrides: if any single rule evaluates to Deny, the PDP's result is Deny, irrespective of the other rules.
  - First-applicable: the PDP's result is the effect of the first rule, in document order, whose target matches the request and whose condition holds; the remaining rules are not consulted. If no rule applies, the result is NotApplicable.
  - Only-one-applicable: a policy-combining algorithm (it combines the policies in a PolicySet rather than the rules in a policy). If more than one policy applies to the request, whatever their effects, the result is Indeterminate; if exactly one applies, its result is returned.
  - Practical note: under permit-overrides a single over-broad Permit rule defeats every Deny rule, so for sensitive resources prefer deny-overrides, which fails closed.
Slide 14: Beyond Vanilla, contd.
- Conditions
  - Declarative boolean expressions attached to a rule; the rule's effect applies only if its target matches and its condition evaluates to true.
  - Can refer to environment attributes such as the current time.
  - E.g., John can access patientrecord1.doc only between 9am and 4pm.
- Obligations
  - An operation specified in a policy or policy set that the PEP should perform in conjunction with the enforcement of an authorization decision; the PDP returns it together with the decision in the response.
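The following is an added example that is not part of these slides and is not Sun's implementation: a small Python PDP that evaluates a policy written in the actual XACML 1.0 syntax against the request of slide 5 (John, PatientRecord1.doc, read; the action is spelled "read" here rather than the slide's "R") and exercises the rule-combining algorithms of slide 13 and the time-of-day condition of slide 14. The policy text, the rule identifiers, the 09:00 to 16:00 window and the request values are constructed for the example; the URNs for the policy namespace, the functions, the attribute identifiers and the combining algorithms are those defined by the XACML 1.0 specification. Only the functions the policy uses are implemented, times are compared as zero-padded ISO strings instead of the xs:time type, and the handling of Indeterminate inside the combining algorithms is simplified as noted in the comments.

```python
import operator
import xml.etree.ElementTree as ET

ID = "urn:oasis:names:tc:xacml:1.0:"
NS, FN, ALG = ID + "policy", ID + "function:", ID + "rule-combining-algorithm:"
XS = "http://www.w3.org/2001/XMLSchema#"
NSMAP = {"x": NS}  # prefix for ElementTree lookups such as find("x:Rule", NSMAP)

def match_block(kind, attr, value):  # one <SubjectMatch>/<ResourceMatch>/<ActionMatch> block
    return (f'<{kind}s><{kind}><{kind}Match MatchId="{FN}string-equal">'
            f'<AttributeValue DataType="{XS}string">{value}</AttributeValue>'
            f'<{kind}AttributeDesignator AttributeId="{ID}{attr}" DataType="{XS}string"/>'
            f'</{kind}Match></{kind}></{kind}s>')

NOW = (f'<Apply FunctionId="{FN}time-one-and-only"><EnvironmentAttributeDesignator '
       f'AttributeId="{ID}environment:current-time" DataType="{XS}time"/></Apply>')
# Constructed policy: John may read PatientRecord1.doc 09:00-16:00 (Condition on current-time); else Deny.
POLICY = f"""<Policy xmlns="{NS}" PolicyId="patient-records" RuleCombiningAlgId="{ALG}first-applicable">
  <Target><Subjects><AnySubject/></Subjects><Resources><AnyResource/></Resources>
          <Actions><AnyAction/></Actions></Target>
  <Rule RuleId="john-reads-record1-in-office-hours" Effect="Permit">
    <Target>{match_block('Subject', 'subject:subject-id', 'John')}
      {match_block('Resource', 'resource:resource-id', 'PatientRecord1.doc')}
      {match_block('Action', 'action:action-id', 'read')}</Target>
    <Condition FunctionId="{FN}and">
      <Apply FunctionId="{FN}time-greater-than-or-equal">{NOW}
        <AttributeValue DataType="{XS}time">09:00:00</AttributeValue></Apply>
      <Apply FunctionId="{FN}time-less-than-or-equal">{NOW}
        <AttributeValue DataType="{XS}time">16:00:00</AttributeValue></Apply>
    </Condition>
  </Rule>
  <Rule RuleId="deny-everything-else" Effect="Deny"/>
</Policy>"""

def one_and_only(bag):  # XACML: a bag of any size other than one is an evaluation error
    if len(bag) != 1:
        raise LookupError(f"expected exactly one value, got {len(bag)}")
    return bag[0]

# The XACML 1.0 functions the policy uses; zero-padded ISO times compare correctly as strings.
FUNCTIONS = {FN + "string-equal": operator.eq, FN + "and": lambda *args: all(args),
             FN + "time-one-and-only": one_and_only, FN + "time-greater-than-or-equal": operator.ge,
             FN + "time-less-than-or-equal": operator.le}

def evaluate_expr(elem, ctx):
    """Evaluate an AttributeValue, *AttributeDesignator, Apply or Condition element."""
    tag = elem.tag[len(NS) + 2:]
    if tag == "AttributeValue":
        return elem.text.strip()
    if tag.endswith("AttributeDesignator"):  # a designator yields a bag, possibly empty
        return ctx.get(elem.get("AttributeId"), [])
    return FUNCTIONS[elem.get("FunctionId")](*[evaluate_expr(c, ctx) for c in elem])

def target_matches(target, ctx):
    """Subjects, Resources and Actions must each hold a child whose *Match elements all hold."""
    def match_ok(m):  # a *Match element: literal AttributeValue against the designator's bag
        value, designator = list(m)
        return any(FUNCTIONS[m.get("MatchId")](evaluate_expr(value, ctx), v)
                   for v in evaluate_expr(designator, ctx))
    for section in ([] if target is None else target):  # a Rule without a Target matches
        kids = list(section)
        if any(k.tag.endswith(("AnySubject", "AnyResource", "AnyAction")) for k in kids):
            continue
        if not any(all(match_ok(m) for m in kid) for kid in kids):
            return False
    return True

def evaluate_rule(rule, ctx):
    cond = rule.find("x:Condition", NSMAP)
    try:
        if not target_matches(rule.find("x:Target", NSMAP), ctx):
            return "NotApplicable"
        return rule.get("Effect") if cond is None or evaluate_expr(cond, ctx) else "NotApplicable"
    except LookupError:  # evaluation error (e.g. current-time missing) -> Indeterminate
        return "Indeterminate"

def combine(alg, decisions):
    """Rule-combining algorithms, simplified: the spec also weighs the Effect of a rule
    that came out Indeterminate; here deny-overrides simply fails closed."""
    hits = [d for d in decisions if d != "NotApplicable"] or ["NotApplicable"]
    if alg == ALG + "first-applicable":
        return hits[0]
    if alg == ALG + "permit-overrides":
        return "Permit" if "Permit" in hits else "Indeterminate" if "Indeterminate" in hits else hits[0]
    if alg == ALG + "deny-overrides":
        return "Deny" if {"Deny", "Indeterminate"} & set(hits) else hits[0]
    raise ValueError(f"unsupported combining algorithm {alg}")

def request(subject, resource, action, now=None):
    """Request context, attribute-id -> bag (constructed; `now` is an ISO time like "10:00:00")."""
    return {ID + "subject:subject-id": [subject], ID + "resource:resource-id": [resource],
            ID + "action:action-id": [action], ID + "environment:current-time": [now] if now else []}

def decide(ctx, alg=None, policy_xml=POLICY):
    """The PDP: check the Policy Target, evaluate every Rule, combine their decisions."""
    policy = ET.fromstring(policy_xml)
    if not target_matches(policy.find("x:Target", NSMAP), ctx):
        return "NotApplicable"
    return combine(alg or policy.get("RuleCombiningAlgId"),
                   [evaluate_rule(r, ctx) for r in policy.findall("x:Rule", NSMAP)])
```

Calling decide(request("John", "PatientRecord1.doc", "read", "10:00:00")) returns Permit; at "18:00:00" the condition fails, so only the catch-all rule applies and the answer is Deny, as it is for any other subject, resource or action. Passing ALG + "deny-overrides" as the second argument makes the same 10:00 request Deny, because the catch-all Deny rule now wins over the Permit. Leaving the time out of the request makes the first rule Indeterminate: first-applicable and permit-overrides report Indeterminate, while deny-overrides fails closed to Deny. A PEP that treats anything other than Permit as a refusal is therefore safe under all three algorithms.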
Slide 15: Beyond Vanilla, contd.
- XACML Functions
  - Equality predicates
  - Arithmetic
  - Arithmetic comparison
  - String conversion
  - Numeric data-type conversion
  - Logical
  - Date and time
  - Set
  - And many more
Slide 16: User Extensions to the XACML Implementation
- Extend
  - Attributes
  - Functions
  - Combining algorithms
  - Finder modules (policy, attribute and resource finders)
Slide 17: XACML in SDDL (Secure Distributed Digital Libraries)
- Implementation of the PAP and PIP using a Policy Editor (here)
- Implementation of Sun XACML's PDP with a custom PEP, and integration with Shibboleth and Archon (here)
Slide 18: References
- XACML Specification
- Sun's XACML Implementation