
Subject: [security-services] XACML Open Source Implementation Project

Announcement: XACML Open Source Implementation Project

XACML ::= "eXtensible Access Control Markup Language"

The XACML open source impl project is housed here..


The XACML 1.0 spec set itself is available here..


From the SourceForge XACML project webpage...

Welcome to Sun's XACML Implementation!

  This is an open source implementation of the OASIS XACML standard,
  written in the Java™ programming language. For more information about
  XACML look at our FAQ, the Programmer's Guide or the XACML TC web
  page. Sun's XACML Implementation requires the Java 2 Platform,
  Standard Edition version 1.4 or later.
  This project provides complete support for all the mandatory features
  of XACML as well as a number of optional features. Specifically, there
  is full support for parsing both policy and request/response
  documents, determining applicability of policies, and evaluating
  requests against policies. All of the standard attribute types,
  functions, and combining algorithms are supported, and there are APIs
  for adding new functionality as needed. There are also APIs for
  writing new retrieval mechanisms used for finding things like policies
  and attributes.
  This project was developed in Sun Microsystems Laboratories, part of
  Sun Microsystems, Inc., and is part of an ongoing project on Internet
  Authorization in the Internet Security Research Group. Going forward,
  we have a host of features we'd like to add to this project, including
  better configurability, support for some of the up and coming
  standards to connect XACML and things like SAML or LDAP, and strong
  tools support. If you'd like to get involved please mail the project
  administrator: sethp@users.sourceforge.net

Introduction to XACML

  XACML (eXtensible Access Control Markup Language) is an XML-based
  language for access control that has been standardized in OASIS. XACML
  describes both an access control policy language and a
  request/response language. The policy language is used to express
  access control policies (who can do what when). The request/response
  language expresses queries about whether a particular access should be
  allowed (requests) and describes answers to those queries (responses).
  In a typical XACML usage scenario, a subject (e.g. human user,
  workstation) wants to take some action on a particular resource. The
  subject submits its query to the entity protecting the resource (e.g.
  filesystem, web server). This entity is called a Policy Enforcement
  Point (PEP). The PEP forms a request (using the XACML request
  language) based on the attributes of the subject, action, resource,
  and other relevant information. The PEP then sends this request to a
  Policy Decision Point (PDP), which examines the request, retrieves
  policies (written in the XACML policy language) that are applicable to
  this request, and determines whether access should be granted
  according to the XACML rules for evaluating policies. That answer
  (expressed in the XACML response language) is returned to the PEP,
  which can then allow or deny access to the requester.

XACML has many benefits over other access control policy languages: 

  * One standard access control policy language can replace dozens of
    application-specific languages
  * Administrators save time and money because they don't need to
    rewrite their policies in many different languages
  * Developers save time and money because they don't have to invent new
    policy languages and write code to support them. They can reuse
    existing code
  * Good tools for writing and managing XACML policies will be
    developed, since they can be used with many applications
  * XACML is flexible enough to accommodate most access control policy
    needs and extensible so that new requirements can be supported.
  * One XACML policy can cover many resources. This helps avoid
    inconsistent policies on different resources.
  * XACML allows one policy to refer to another. This is important for
    large organizations. For instance, a site-specific policy may refer
    to a company-wide policy and a country-specific

  This project comes from the Internet Security Research Group (ISRG)
  in Sun Microsystems Laboratories. The ISRG is Anne Anderson, Yassir
  Elley, Steve Hanna, Radia Perlman and Seth Proctor.

  We would also like to thank the following for their help, advice,
  contributions, and general sanity: Members of the OASIS XACML TC,
  Marco Barreno, Miriam Kadansky and Steve Heller.

Get Involved! 

  There is lots of cool stuff to work on in this project. If you'd
  like to get involved send mail to the project lead:
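
The PEP-to-PDP exchange described under "Introduction to XACML" above, as an added example that is not part of the original message or of Sun's implementation. It is a simplified Python model: the rule list, the exact-match targets and the function names are assumptions made for illustration, while the request namespace, the three standard id attributes and deny-overrides combining come from XACML 1.0.

```python
import xml.etree.ElementTree as ET

CTX = "urn:oasis:names:tc:xacml:1.0:context"
ID = "urn:oasis:names:tc:xacml:1.0:{0}:{0}-id"  # subject-id, resource-id, action-id

def build_request(subject, resource, action):
    """PEP side: express the access attempt in the XACML request language."""
    root = ET.Element(f"{{{CTX}}}Request")
    for cat, value in (("Subject", subject), ("Resource", resource), ("Action", action)):
        attr = ET.SubElement(ET.SubElement(root, f"{{{CTX}}}{cat}"), f"{{{CTX}}}Attribute",
                             AttributeId=ID.format(cat.lower()),
                             DataType="http://www.w3.org/2001/XMLSchema#string")
        ET.SubElement(attr, f"{{{CTX}}}AttributeValue").text = value
    return ET.tostring(root, encoding="unicode")

def parse_request(xml_text):
    """PDP side: pull the three id attributes back out of the request document."""
    root = ET.fromstring(xml_text)
    found = {}
    for cat in ("Subject", "Resource", "Action"):
        for attr in root.iterfind(f"{{{CTX}}}{cat}/{{{CTX}}}Attribute"):
            if attr.get("AttributeId") == ID.format(cat.lower()):
                found[cat.lower()] = attr.findtext(f"{{{CTX}}}AttributeValue")
    return found

# Constructed policy (hypothetical): (effect, target); an absent target key means "any".
RULES = [
    ("Permit", {"resource": "/payroll/report", "action": "read"}),
    ("Deny",   {"subject": "mallory"}),
]

def pdp_evaluate(xml_text, rules=RULES):
    """Return Permit, Deny, NotApplicable or Indeterminate (deny-overrides combining)."""
    try:
        req = parse_request(xml_text)
    except ET.ParseError:
        return "Indeterminate"              # request could not be parsed
    if set(req) != {"subject", "resource", "action"} or None in req.values():
        return "Indeterminate"              # a required attribute is missing
    effects = {eff for eff, target in rules
               if all(req[k] == v for k, v in target.items())}
    if "Deny" in effects:
        return "Deny"                       # any applicable Deny wins
    return "Permit" if effects else "NotApplicable"

def pep_enforce(subject, resource, action):
    """PEP: grant access only on an explicit Permit; every other decision is refused."""
    return pdp_evaluate(build_request(subject, resource, action)) == "Permit"
```

The PEP here treats NotApplicable and Indeterminate the same as Deny, so a request that no policy covers, or that the PDP cannot parse, never results in access.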

