OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml-comment message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [xacml-comment] Rant continues...

Hi Sagar,

I will add few information relevant to WSO2, as I have worked with it and was part of development team.

Pushpalanka Jayawardhana
B.Sc.Eng. (Hons)
Facebook LinkedIn Twitter SlideShare Blogger

On Mon, Dec 25, 2017 at 1:09 PM, Sagar Limaye <sagarl3232@hotmail.com> wrote:

Hi, I just want to apologize for my harsh criticism of the standard. Maybe it’s not so bad. I do think the documentation for implementations can be improved, it is VERY boring to read

There are dead links on the list of implementations: http://www.herasaf.org





There are other implementations (and testing tools) which support only XACML 2.0 developed and abandoned years ago. All these need to go in a separate list so newcomers can easily understand the differences (and maybe not bother with them).


AuthzForce does not work on Eclipse EE Neon. I don’t know (and don’t care) why, but when I imported the JAR file AND set the path to the javadoc, I’m still getting compiler errors when I do BasePdpEngine.getInstance or evaluate(). Also “DecisionRequestBuilder” cannot be resolved to a type. The “documentation” tells you:


To get started using a PDP to evaluate XACML requests, instantiate a new PDP instance with one of the methods: org.ow2.authzforce.core.pdp.impl.BasePdpEngine#getInstance(...).


The best part is, getInstance is not even a method of BasePdpEngine, It’s actually a method of PdpEngineConfiguration, so this statement is completely wrong. It goes on to bore you further by saying:


As a result of getInstance(...), you get an instance of BasePdpEngine with which you can evaluate a XACML Request directly by calling the evaluate(Request...) methods; or you can evaluate a decision request (more precisely an equivalent of a Individual Decision Request as defined by the XACML Multiple Decision Profile) in AuthzForce's more efficient native model by calling evaluate(ImmutablePdpDecisionRequest) or (multiple decision requests with evaluate(List<ImmutablePdpDecisionRequest>)). In order to build a ImmutablePdpDecisionRequest, you may use the request builder returned by BasePdpEngine#newRequestBuilder(...).  Please look at Javadoc for more information.

What parameters does newRequestBuilder need? How does one set those up? These are mysteries that the Javadoc can solve, but like I said, Eclipse cannot recognize it (“This element has no attached Javadoc and the Javadoc could not be found in the attached source”) and the documentation doesn’t tell you how to use the Javadoc (which is a JAR file when it should really be a set of html files). What is needed is a SIMPLE step by step tutorial, and also how-to samples, and FAQs.


In Ws02, I kept getting the error: “Invalid request  : Request must contain at least one AttributesType,” even when my request specifies the DataType attribute for all my attributes element. The XML editor in Ws02 adds newline after access- in urn:oasis:names:tc:xacml:1.0:subject-category:access-


when a request is copy-pasted into it. For some requests, this error can be fixed by removing the whitespace.

​I assume you have been using XML editor here. Agree that editing facilities can be improved more to hide the complexity of XACML itself.
Anyway you can give a try on the existing UI editor as at [1] and see if you can get through the error. The error suggests some syntax error in request, which you will get over if tried from UI editor alone.​


I was frustrated with the documentation of AuthzForce and Balana and Ws02 because even after following everything step by step, I am running into issues. I couldn’t use WS02 because IIRC it does not have a programmer API for the evaluation of policies, and for my work I need that API so I can carry out automated testing of many policies.

​Just FYI, policy evaluation is exposed as a SOAP service and there is a REST API available as well.​
​Agree that documentation can be improved in these aspects. 
The SOAP service can be found at [2]. You can consume this with a Java client similar to what is explained at [3] (yes, it's bit old. But the approach is still same).
This [4] will take you through the REST API consumption.


I hope I never have to use XACML again. Sorry. I don’t think it is awful and I hope the API docs improves over time. (David, I never said “hope to die.” I said “I hope it dies,” meaning the standard)




[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]