
xacml-comment message



Subject: Re: [xacml-comment] XACML standard


Hi Sagar,

I'm glad my peers responded faster than I did. They provided a lot of great feedback to your rude and ill-conceived emails.

Here's a little advice: you have to watch your language. "Half-assed" and "hope to die" are not terms that are generally accepted in professional or academic environments. Given you are a student at university, you should learn to spend a considerable amount of time to research a topic before jumping to conclusions. It feels like you've not read through documentation thoroughly. It sounds like you do not know your way around Java either. As a matter of fact, your profile on angel.co lists PHP, C, and C++ which is impressive but is not quite Java which all of the implementations you derided are written in.

I find it rather funny that you mention WSO2 and Balana given the latter is the former's engine as Pushpalanka was kind enough to point out. Surely you should know that if you had studied the products a little bit more. Also, there is indeed a free version of WSO2 Identity Server. It just does not come with commercial support (that's where companies are expected to pay - this is a very common business model). SunXACML is a feature-complete XACML 2.0 engine and not any further developed. Perhaps you know that Oracle acquired Sun years ago. You mention AuthZForce - do you even know who is behind that implementation? Luckily for you, Cyril kindly replied to you and gave you pointers. I fully agree with his response. I would assume they know what they are doing. After all Cyril alone has 10+ years as a security IT architect. What about you? Are there bugs in any of the implementations? Probably, maybe. But then rather than complain about it, tell them. Make the product better, that's the point of having freely available distributions. Did you look at other implementations? Heras AF? UMU XACML? AT&T XACML? enygma? Both AT&T and AuthZForce are in fact brand new implementations released in the last few years. This alone should tell you that XACML is growing. AuthZForce is funded by the European Union and NIST (the National Institute of Standards and Technology) is one of the driving forces behind ABAC, NGAC, and XACML. And of course OASIS.

Also on the topic of free software vs. paid software, do you expect to get a salary one day? You do, right? Well, all software cannot be free. That is a fact of life. Many OS software go down the path of free or paid with support. It is the case of Linux distributions as well as other software (databases, you name it...).

On to the topic of documentation, there are several pages on XACML that could help you as Rich pointed out. There is a pretty thorough Wikipedia page and there is Stackoverflow where many of us are active in responding to questions about XACML.

You write: AuthzForce documentation is horrible, for example. I tried to install and use it, but my Eclipse IDE just doesn’t recognize its classes and functions.

So you are smart enough to think they are the problem and you are not. Sure, there may well be documentation issues but then work it out with them. Cyril who is on this list is extremely responsive and has been one of the driving forces of the XACML Technical Committee in the past year. If I were your supervisor or manager and you told me that "Eclipse IDE just doesn’t recognize its classes and functions." I would think you do not know how to set Eclipse up. This is Java 101 really and you shouldn't need much documentation to get it to work.

"Ws02 server doesn’t give the correct responses to the requests against the policies I used, and it’s not free." Again, there may be bugs but I know several companies that use WSO2 successfully. So you think your 5-minute testing is superior to theirs? You think WSO2's product is bad enough that it returns wrong decisions. You do realize that sounds quite pretentious? What are the odds you made a mistake? In any case, ask for help, don't bash people! You saw their response: you probably misconfigured their engine. Heck, when I started with XACML in 2007 or so, I couldn't get it to work either but I didn't go about telling people their software was horrible. I was humble enough to try and learn.

"The other implementations like Balana or SunXACML are either abandoned, or only support 2.0. " Well, as I previously wrote, this makes me wonder what type of research you did. Balana is WSO2's engine and it implements XACML 3.0. Don't take my word for it. Just google it. And you got confirmation earlier in this thread. And WSO2 is hardly the only implementation. Neither is Java the only language they are written in. Here is an open-source C++ project. And one in PHP.

"All this makes me wonder why this standard exists. I don’t want to waste my time learning it anymore." The quality of any implementation does not mean the standard is worthy or not. You could have a single implementation of a standard and that would still be a very important standard. Conversely you could have dozens of implementations of a fairly unimportant standard. You are angry at the standard because you had issues running AuthZForce and Balana. Do you realize these are two different things? And you think it's easy to implement a standard and not make mistakes? Look at all the bugs and flaws and vulnerabilities that have been reported over the years for other implementations of noteworthy standards and protocols. Do you think it makes those standards any less valuable?

Your overall tone is unworthy of anyone doing research. It shows immaturity and lack of reflection.

Please kindly have some more respect for the work that others have done. No one is perfect. That includes you. And the best way forward is to collaborate, provide constructive feedback, and help the standard become even better.

And as a rule of thumb, be careful and mindful of what you write on public forums. Do you think the following:

No I don’t want to report issues and wait for you to fix it before I can continue my work. XACML has made my life enough miserable already during this semester. I am unsubscribing from this email list. I just wanted you guys to know your standard is absolutely awful and I hope it dies soon.

is constructive?

Respectfully,

David. 



On Fri, Dec 22, 2017 at 12:36 PM, Sagar Limaye <sagarl3232@hotmail.com> wrote:

No I don’t want to report issues and wait for you to fix it before I can continue my work. XACML has made my life enough miserable already during this semester. I am unsubscribing from this email list. I just wanted you guys to know your standard is absolutely awful and I hope it dies soon.

 

Sagar


From: DANGERVILLE Cyril <cyril.dangerville@thalesgroup.com>
Sent: Friday, December 22, 2017 11:52:54 AM
To: Sagar Limaye
Cc: xacml-comment@lists.oasis-open.org

Subject: RE: [xacml-comment] XACML standard
 

Hello,

I am sorry for your misfortune. However, it seems - and I’m wondering why - you did not ask for help or did not report any specific issue through the proper channels in the first place, did you? It would have saved you a lot of time and energy. Otherwise, it looks like non-constructive comments that we cannot do much with, and it is not helpful. In the case of AuthzForce, you can request for support as told on the README of each project:

· AuthzForce Core → https://github.com/authzforce/core#support

· AuthzForce Server → https://github.com/authzforce/server#support

 

We are unable to find any request/issue from you on any authzforce support channel at this point. If you did, please provide some reference and we’ll be glad to help :) If you didn’t but you wish to, despite all, please provide specifics as mentioned in the Support section: software/version (Authzforce Core XXX? Authzforce Server YYY?), platform, etc. so that we can reproduce. This is valid especially for technical issues, like the Eclipse IDE one you mentioned. Just for the record, there are many possible causes for issues in Eclipse IDE, not necessarily related to the JARs (e.g. AuthzForce) you are trying to use, per se; such as bad IDE configuration (Java 8 support?), bad Maven configuration (connectivity to Maven Central?), bad Eclipse project configuration (is Java 8 enabled?), etc. We could help sort this out but only if you tell us about it through the proper channels I mentioned.

 

For documentation issues – AuthzForce Core or Server? -  yes, it could be improved, and you are welcome to give any feedback on that via AuthzForce mailing list, so that it helps us improve it.

 

Kind regards,

Cyril

 

From: Sagar Limaye [mailto:sagarl3232@hotmail.com]
Sent: jeudi 21 décembre 2017 17:58
To: rich levinson; xacml-comment@lists.oasis-open.org
Subject: RE: [xacml-comment] XACML standard

 

I understand the motivation, but almost all implementations of it have terrible documentation, some are not even free and the free ones don’t even work as described in the documentation. AuthzForce documentation is horrible, for example. I tried to install and use it, but my Eclipse IDE just doesn’t recognize its classes and functions. Ws02 server doesn’t give the correct responses to the requests against the policies I used, and it’s not free. The other implementations like Balana or SunXACML are either abandoned, or only support 2.0. All this makes me wonder why this standard exists. I don’t want to waste my time learning it anymore.

 

Sagar

From: rich levinson
Sent: Tuesday, December 19, 2017 7:09 PM
To: Sagar Limaye; xacml-comment@lists.oasis-open.org
Subject: Re: [xacml-comment] XACML standard

 

Hi Sagar,

I feel bad that you had difficulty w the std.

It is true that as a stand-alone document, it is pretty difficult
for a beginner to get a good understanding of the motivation
behind the standard, which is to standardize representation
of security policy for authorization and/or authentication.

I would suggest using google to search for:
    xacml tutorial

Some of these tutorials may provide the necessary context
for being able to more effectively use the spec.

  Thanks,
  Rich Levinson

On 12/19/2017 1:14 PM, Sagar Limaye wrote:

Hi,

This is the worst standard I have ever seen. There is literally no documentation available to get beginners to use it. The implementations listed on the website are all half-assed, and some are non existent. I can't believe how much time I wasted this semester trying to research into XACML, it ruined the grade for one of my classes. I hope I never have to use this useless standard ever again.

Thanks for nothing,

Sagar

 

 




--
David Brossard
VP of Customer Relations
+1 312 774-9163
+1 502 922 6538

