
xacml-dev message


Subject: Re: [xacml-dev] XACML and WS-Policy

Hi Jackson,

The XACML TC has indeed considered those potential benefits, and is in 
the process of standardizing a "Web Services Profile of XACML 
(WS-XACML)".  This profile defines two policy Assertions: 
XACMLAuthzAssertion and XACMLPrivacyAssertion.  These Assertions are of 
the type used in WS-Policy, although can also be used independently as 
metadata.  We will add the XML attributes, such as Optional and 
Ignorable, defined in WS-Policy once the W3C WS-Policy WG settles on 
what those are and what they mean.

The WS-XACML Assertions internally separate "Requirements" constraints 
from "Capabilities" constraints.  "Requirements" can include either a 
full XACML Policy or PolicySet or a list of XACML <Apply> elements, 
representing a list of AND'ed constraints.  "Capabilities" can include 
either a full XACML Request or a list of XACML <Apply> elements, 
representing a list of OR'ed constraints.  Based on the old "WSPL" 
Working Draft and on the XACML core specification, the current draft 
specification gives algorithms for efficiently "matching" two Assertions 
containing any combination of these types of Requirements and 
Constraints with the exception of a list of <Apply> elements as 
Capabilities in one Assertion and a Policy or PolicySet as Requirements 
in the other Assertion.

The current Working Draft (WD 8) is available under the "Work in 
Progress" section of the XACML TC's home page at 

I expect to issue a new Working Draft before the end of July, to include 
resolutions to several issues that are listed in the XACML Issues list 
at http://wiki.oasis-open.org/xacml/IssuesList.

If you have feedback on the current Working Draft, now would be a good 
time to submit it, in order to incorporate the feedback into the new draft.


Wynn, Jackson E. wrote:
> Hello,
> I'm trying to understand requirements for an integrated security policy
> language for web services that includes access control (XACML?), SOAP
> message security (WS-SecurityPolicy), message reliability
> (WS-ReliableMessaging), etc.
> XACML provides a generalized access control policy language. It is not
> designed specifically for web services, but it can be used in that
> context, e.g., web service URL as a resource. 
> WS-SecurityPolicy and WS-ReliableMessaging are designed specifically
> for web services, being extensions of the W3C WS-Policy specification.
> The WS-Policy specification includes generic framework elements and
> alternative methodologies for attaching policies to web services.
> Because they both extend WS-Policy, it is possible to combine elements
> from WS-SecurityPolicy and WS-ReliableMessaging into a single,
> integrated web service security policy.
> Given that XACML does not extend WS-Policy, it does not appear possible
> to embed XACML rules governing web service access control into the same
> web service security policy described above.
> Is this correct??
> If so, has the XACML TC considered the potential benefits of defining a
> XACML subset, based on WS-Policy, that can be used specifically to
> enforce web service access??
> Thanks in advance,
> Jackson Wynn
> Lead Infosec Engineer - G026
> The MITRE Corporation
> Bedford, MA 
> (781) 271-3419

Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
