OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml-users message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [xacml-users] Schema to Java binding

Thanks Fatih for the info.   It didn’t seem that permis is using SAML profile for XACML at this point.


Maybe I should turn my question to the vendors on this mailing list (e.g. oracle, axiomatic, etc).  Do you use SAML profile for XACML in your products?






From: Fatih Turkmen [mailto:fturkmen@gmail.com]
Sent: Tuesday, July 05, 2011 5:21 AM
To: Nick Duan
Cc: xacml-users@lists.oasis-open.org
Subject: Re: [xacml-users] Schema to Java binding


Hi Nick,


I myself haven't done it but Permis (http://sec.cs.kent.ac.uk/permis/) should have done it at a certain point.

I hope this helps.


Fatih Turkmen


On Sat, Jul 2, 2011 at 12:14 AM, Nick Duan <nduan@verizon.net> wrote:

Thanks for all your responses.  Actually  I am not trying to creating Java bindings for implementing the PDP, but to create a web service to communicate with the PEP.  The PDP part in our project is handled by sun’s xacml engine.  That’s why I had to deal with not just XACML, but also SAML and especially SAML profile for XACML.


Another particular problem I came across is the <xacml-saml:XACMLAuthzDecisionStatementType> in the SAML for XAMCL profile version 2.0.  It is defined as an extension of the saml:StatementAbstractType, i.e.:


<complexType name="XACMLAuthzDecisionStatementType">


            <extension base="saml:StatementAbstractType">


                    <element ref="xacml-context:Response"/>

                    <element ref="xacml-context:Request"  minOccurs="0"/>






But if you look at how saml:StatementAbstractType is defined in saml assertion schema, you will find it is just a place holder, i.e.

    <element name="Statement" type="saml:StatementAbstractType"/>

    <complexType name="StatementAbstractType" abstract="true"/>


I guess this is for potential substitutions for a concrete saml:Statement.  But there is no such a XACMLAuthzDecisionStatement element defined in xacml-saml.   My binding compiler just through errors at this point.   Shouldn’t there by a concrete XACMLAuthzDecisionStatement element defined in xacml-saml to make the schema complete?


Has anyone successfully used SAML profile for XACML 2.0 in their web services implementation?  If yes, please help!






From: Oleg Gryb [mailto:oleg_gryb@yahoo.com]
Sent: Friday, July 01, 2011 3:04 PM
To: Nick Duan; xacml-users@lists.oasis-open.org
Subject: Re: [xacml-users] Schema to Java binding


Yes, it's a problem and I had to struggle with it in both Java (xml beans) and in Ruby. The code looked ugly in Java and in Ruby I've ended up with manual parsing and no binding at all. The other problem that you might face: memory consumption when you serialize XML with millions of nodes to Java classes. I believe some popular PDP implementations don't even do schema validation, which is dangerous in my view. XSD is unnecessary complicated in XACML and could/should be simplified. On the other hand, the engine that don't do schema validation should be considered as non-compliant with the spec.




From: Nick Duan <nduan@verizon.net>
To: xacml-users@lists.oasis-open.org
Sent: Fri, July 1, 2011 9:11:24 AM
Subject: [xacml-users] Schema to Java binding

Has anyone had any problems with XACML to Java data binding?  The complexity of the schema and the combination of them (with SAML, XML digital signature, XML encryption) really make the data binding very complicated.  For instance, the schema is using substitutionGroup quite extensively, and it was a nightmare to bind an element with an substitutionGroup to Java, especially when those types are defined in abstract.  The JAXB spec states that the element with substitutionGroup in the schema have to be mapped explicitly (e.g. via custom binding).  Another problem is that the xacml-context:AttributeValueType is define with xsd:any.   This is just a wildcard that no binding framework can deal by default and has to be defined via some custom binding.  If everyone is creating his/her own custom binding, there won’t be any assurance of interoperability.


I’d like to learn from the schema authors on any suggestions of how to deal with the binding issues.  Is this the intension that more concrete elements/types be defined in some derived schemas within some profile standards? 


Any comments/suggestions are highly appreciated.




[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]