OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml-users message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [xacml-users] Schema to Java binding


The following comes straight from the attestion email sent by Ludwig Seitz (http://markmail.org/message/5lr7vvl54b2rzjvf) with regards to Axiomatics's attestation of XACML 3.0 implementation:
Axiomatics AB has successfully implemented the SAML 2.0 Profile of XACML, Version 2.0 in accordance with the conformance clauses specified therein and OASIS policy.

In particular, with regards to PEP - PDP communication, Axiomatics provides a SAML-based PDP interface which can be used to send a XACML request inside a SAML assertion over SOAP.† This is described in the profile (http://docs.oasis-open.org/xacml/3.0/xacml-profile-saml2.0-v2-spec-cs-01-en.pdf) in chapter 4.

This interface has been used to integrate with other products such as XML gateway vendor products.

Kind regards,

On Tue, Jul 5, 2011 at 5:02 PM, Nick Duan <nduan@verizon.net> wrote:

Thanks Fatih for the info.† †It didnít seem that permis is using SAML profile for XACML at this point.

Maybe I should turn my question to the vendors on this mailing list (e.g. oracle, axiomatic, etc).† Do you use SAML profile for XACML in your products?



From: Fatih Turkmen [mailto:fturkmen@gmail.com]
Sent: Tuesday, July 05, 2011 5:21 AM
To: Nick Duan
Cc: xacml-users@lists.oasis-open.org

Subject: Re: [xacml-users] Schema to Java binding

Hi Nick,

I myself haven't done it but Permis (http://sec.cs.kent.ac.uk/permis/) should have done it at a certain point.

I hope this helps.

Fatih Turkmen

On Sat, Jul 2, 2011 at 12:14 AM, Nick Duan <nduan@verizon.net> wrote:

Thanks for all your responses.† Actually† I am not trying to creating Java bindings for implementing the PDP, but to create a web service to communicate with the PEP.† The PDP part in our project is handled by sunís xacml engine.† Thatís why I had to deal with not just XACML, but also SAML and especially SAML profile for XACML.

Another particular problem I came across is the <xacml-saml:XACMLAuthzDecisionStatementType> in the SAML for XAMCL profile version 2.0.† It is defined as an extension of the saml:StatementAbstractType, i.e.:

<complexType name="XACMLAuthzDecisionStatementType">

††††††† <complexContent>

††††††††††† <extension base="saml:StatementAbstractType">

††††††††††††††† <sequence>

††††††††††††††††††† <element ref="xacml-context:Response"/>

††††††††††††††††††† <element ref="xacml-context:Request"† minOccurs="0"/>

††††††††††††††† </sequence>

††††††††††† </extension>

††††††† </complexContent>

††† </complexType>

But if you look at how saml:StatementAbstractType is defined in saml assertion schema, you will find it is just a place holder, i.e.

††† <element name="Statement" type="saml:StatementAbstractType"/>

††† <complexType name="StatementAbstractType" abstract="true"/>

I guess this is for potential substitutions for a concrete saml:Statement.† But there is no such a XACMLAuthzDecisionStatement element defined in xacml-saml.†† My binding compiler just through errors at this point.† †Shouldnít there by a concrete XACMLAuthzDecisionStatement element defined in xacml-saml to make the schema complete?

Has anyone successfully used SAML profile for XACML 2.0 in their web services implementation?† If yes, please help!



From: Oleg Gryb [mailto:oleg_gryb@yahoo.com]
Sent: Friday, July 01, 2011 3:04 PM
To: Nick Duan; xacml-users@lists.oasis-open.org
Subject: Re: [xacml-users] Schema to Java binding

Yes, it's a problem and I had to struggle with it in both Java (xml beans) and in Ruby. The code looked ugly in Java and in Ruby I've ended up with manual parsing and no binding at all. The other problem that you might face: memory consumption when you serialize XML with millions of nodes to Java classes. I believe some popular PDP implementations don't even do schema validation, which is dangerous in my view. XSD is unnecessary complicated in XACML and could/should be simplified. On the other hand, the engine that don't do schema validation should be considered as non-compliant with the spec.


From: Nick Duan <nduan@verizon.net>
To: xacml-users@lists.oasis-open.org
Sent: Fri, July 1, 2011 9:11:24 AM
Subject: [xacml-users] Schema to Java binding

Has anyone had any problems with XACML to Java data binding?† The complexity of the schema and the combination of them (with SAML, XML digital signature, XML encryption) really make the data binding very complicated.† For instance, the schema is using substitutionGroup quite extensively, and it was a nightmare to bind an element with an substitutionGroup to Java, especially when those types are defined in abstract.† The JAXB spec states that the element with substitutionGroup in the schema have to be mapped explicitly (e.g. via custom binding).† Another problem is that the xacml-context:AttributeValueType is define with xsd:any.†† This is just a wildcard that no binding framework can deal by default and has to be defined via some custom binding.† If everyone is creating his/her own custom binding, there wonít be any assurance of interoperability.

Iíd like to learn from the schema authors on any suggestions of how to deal with the binding issues.† Is this the intension that more concrete elements/types be defined in some derived schemas within some profile standards?†

Any comments/suggestions are highly appreciated.



David Brossard, M.Eng, SCEA, CSTP
Solutions Architect
+46(0)760 25 85 75
Axiomatics AB
Skeppsbron 40
S-111 30 Stockholm, Sweden

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]