Subject: Re: [xacml-dev] XACML and WS-Policy
Hi Jackson,

The XACML TC has indeed considered those potential benefits, and is in the process of standardizing a "Web Services Profile of XACML (WS-XACML)". This profile defines two policy Assertions: XACMLAuthzAssertion and XACMLPrivacyAssertion. These Assertions are of the type used in WS-Policy, although they can also be used independently as metadata. We will add the XML attributes, such as Optional and Ignorable, defined in WS-Policy once the W3C WS-Policy WG settles on what those are and what they mean.

The WS-XACML Assertions internally separate "Requirements" constraints from "Capabilities" constraints. "Requirements" can include either a full XACML Policy or PolicySet or a list of XACML <Apply> elements, representing a list of AND'ed constraints. "Capabilities" can include either a full XACML Request or a list of XACML <Apply> elements, representing a list of OR'ed constraints.

Based on the old "WSPL" Working Draft and on the XACML core specification, the current draft specification gives algorithms for efficiently "matching" two Assertions containing any combination of these types of Requirements and Constraints with the exception of a list of <Apply> elements as Capabilities in one Assertion and a Policy or PolicySet as Requirements in the other Assertion.

The current Working Draft (WD 8) is available under the "Work in Progress" section of the XACML TC's home page at http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml#CURRENT

I expect to issue a new Working Draft before the end of July, to include resolutions to several issues that are listed in the XACML Issues list at http://wiki.oasis-open.org/xacml/IssuesList. If you have feedback on the current Working Draft, now would be a good time to submit it, in order to incorporate the feedback into the new draft.

Regards,
Anne

Wynn, Jackson E. wrote:
> Hello,
>
> I'm trying to understand requirements for an integrated security policy
> language for web services that includes access control (XACML?), SOAP
> message security (WS-SecurityPolicy), message reliability
> (WS-ReliableMessaging), etc.
>
> XACML provides a generalized access control policy language. It is not
> designed specifically for web services, but it can be used in that
> context, e.g., web service URL as a resource.
>
> WS-SecurityPolicy and WS-ReliableMessaging are designed specifically
> for web services, being extensions of the W3C WS-Policy specification.
> The WS-Policy specification includes generic framework elements and
> alternative methodologies for attaching policies to web services.
> Because they both extend WS-Policy, it is possible to combine elements
> from WS-SecurityPolicy and WS-ReliableMessaging into a single,
> integrated web service security policy.
>
> Given that XACML does not extend WS-Policy, it does not appear possible
> to embed XACML rules governing web service access control into the same
> web service security policy described above.
>
> Is this correct??
>
> If so, has the XACML TC considered the potential benefits of defining a
> XACML subset, based on WS-Policy, that can be used specifically to
> enforce web service access??
>
>
> Thanks in advance,
>
> Jackson Wynn
> Lead Infosec Engineer - G026
> The MITRE Corporation
> Bedford, MA
>
> (781) 271-3419
>
>

--
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692