Thanks a lot Bernard for the info. This is really encouraging to see someone actually has done this! So if you have implemented with Node.js, which is based on Chrome’s V8, does it mean that your PDP runs only in a browser environment? So is this a PDP primarily for controlling your browser access to different GUI component? This could be a very cool feature because my JavaScript function could then control which div to turn on or off… Is your prototype somewhere downloadable?

Thanks!

Nick

From: Bernard Butler [mailto:bbutler@tssg.org]
Sent: Friday, March 22, 2013 9:05 AM
To: Nick Duan
Cc: 'David Brossard'; xacml-users@lists.oasis-open.org; Leigh Griffin
Subject: Re: [xacml-users] XACML JSON Profile

Hi Nick (and David!),
My colleagues and I have already looked at the use of JSON as a format for representing access control policies. At the time, the JSON profile of XACML was not available to us, so we developed something similar:
1) we took some existing XACML policies (with associated requests) and translated them to JSON equivalents (keeping the decision semantics, but omitting advanced features like obligations)
2) we developed a prototype PDP using JavaScript and deployed it to Node.js to work with these JSON-encoded policies and requests.
In relation to checking against a JSON schema, the prototype PDP does not attempt this. If there was a problem with the "schema", we just tweaked the translated JSON until it was accepted by the PDP. In practice, we found that checking the schema *syntax* was less helpful than checking that the policy semantics were correct. That is, supports for authoring policies are valuable but should be considered in their totality.
Our prototype PDP/encoding is just that - it falls far short of what is needed for a production deployment. However, we identified the following advantages:
a) dramatic performance improvements compared to the reference SunXACML implementation
b) policies had much less "bloat" and became easier to read, even by non-experts. Of course, ALFA has similar advantages over XACML.
c) JavaScript handles JSON natively (and so is "friction-free"): the PDP has much less code than an equivalent Java+XML implementation
d) The use of Node.js (to host the PDP) and Redis (to store policies for easy retrieval) is motivated by developments elsewhere on highly scalable web services.
For the prototype, we wanted to ensure that there was sufficient spare processing capacity, given limited computing resources, that acceptable performance could be obtained even when requests arrived in large bursts. With sub-millisecond average response times on moderate hardware, the prototype succeeded in that regard!
We published a paper with our findings at IEEE POLICY 2012. The paper is available here http://ieeexplore.ieee.org/xpl/articleDetails.jsp?reload=true&arnumber=6267997
Failing that, a preprint is available here: http://repository.wit.ie/1739/
Comments welcome,

Bernard Butler
Waterford Institute of Technology.
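Added example, not part of the original thread and not the prototype's code: a small JavaScript evaluator for JSON-encoded policies that replays requests with known decisions, to illustrate the point above that a structurally valid translation can still change the policy's semantics. The JSON layout, the function names and the sample data are assumptions made for this sketch, and the combining algorithms are simplified (rules never yield Indeterminate).

```javascript
// Assumed JSON layout (not the prototype's): a target is a list of
// {category, id, value} matches that must all hold for the request.
function targetMatches(target, request) {
  return (target || []).every(m => {
    const attrs = request[m.category] || {};
    return m.id in attrs && [].concat(attrs[m.id]).includes(m.value);
  });
}

// Simplified rule-combining algorithms over the per-rule decisions.
const combiners = {
  'deny-overrides': ds => ds.includes('Deny') ? 'Deny'
    : ds.includes('Permit') ? 'Permit' : 'NotApplicable',
  'permit-overrides': ds => ds.includes('Permit') ? 'Permit'
    : ds.includes('Deny') ? 'Deny' : 'NotApplicable',
};

function evaluatePolicy(policy, request) {
  const combine = combiners[policy.combining];
  // Malformed policy: report Indeterminate so the PEP can fail closed.
  if (!combine || !Array.isArray(policy.rules)) return 'Indeterminate';
  if (!targetMatches(policy.target, request)) return 'NotApplicable';
  return combine(policy.rules.map(r =>
    targetMatches(r.target, request) ? r.effect : 'NotApplicable'));
}

// Replay requests with known decisions; return the names of cases that disagree.
function semanticMismatches(policy, cases) {
  return cases.filter(c => evaluatePolicy(policy, c.request) !== c.expected)
    .map(c => c.name);
}

// Constructed sample data.
const req = (role, action, type = 'record') =>
  ({ subject: { role }, action: { 'action-id': action }, resource: { type } });
const policy = {
  combining: 'deny-overrides',
  target: [{ category: 'resource', id: 'type', value: 'record' }],
  rules: [
    { effect: 'Permit', target: [{ category: 'subject', id: 'role', value: 'doctor' }] },
    { effect: 'Deny', target: [{ category: 'action', id: 'action-id', value: 'delete' }] },
  ],
};
// Same shape, so a schema check would pass, but the algorithm was mistranslated.
const mistranslated = { ...policy, combining: 'permit-overrides' };
const cases = [
  { name: 'doctor read', request: req('doctor', 'read'), expected: 'Permit' },
  { name: 'doctor delete', request: req('doctor', 'delete'), expected: 'Deny' },
  { name: 'nurse read', request: req('nurse', 'read'), expected: 'NotApplicable' },
];
console.log(semanticMismatches(policy, cases), semanticMismatches(mistranslated, cases));
```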
On 03/18/2013 04:29 PM, Nick Duan wrote:

Thanks David! Thanks for the info on ALFA. My use case is very straightforward. I am trying to create a policy server that is easy to scale and distribute. If policies can be jsonized, I would be able to utilize many NoSQL databases. Combined with your PEP/PDP JSON profile, I could use JSON-api for all my XACML processing needs, with potential performance improvement. I understand the validation challenge of JSON docs. How about using JSON schema (http://json-schema.org/)? Not sure it’s a standard yet or not…

ND

From: David Brossard [mailto:david.brossard@axiomatics.com]
Sent: Monday, March 18, 2013 11:49 AM
To: Nick Duan
Cc: xacml-users@lists.oasis-open.org
Subject: Re: [xacml-users] XACML JSON Profile

Hi Nick,

At the last RSA in February, some of us did discuss representing XACML policies in JSON. However it does require a bit more work. JSON lacks a proper schema which would make it hard to validate XACML policies in JSON. Also it's hard to see the value of encoding XACML policies in JSON. My goal with the JSON profile was really to let developers in any language (Java, C#, Python...) that may have support for XML or not easily produce a request and a response and send it off to a PDP using REST or any other protocol - but the point is the developer shouldn't care what the transport protocol is or what the policy format is.

What's your use case? Why would you like to see policies in JSON?

David.

On Mon, Mar 18, 2013 at 3:39 PM, Nick Duan <nduan@verizon.net> wrote:

The current XACML JSON profile was only for the authorization query request and response. Is there any effort by the XACML TC to jsonize the policy request and response as well? To do this, the entire policy document would have to be jsonized. Has anyone done this before? Any thought and suggestions on what the complexity may be involved in doing this?
Thanks!
ND
-- David Brossard, M.Eng, SCEA, CSTP Product Manager +46(0)760 25 85 75 Axiomatics AB Skeppsbron 40 S-111 30 Stockholm, Sweden http://www.linkedin.com/companies/536082 http://www.axiomatics.com http://twitter.com/axiomatics