xacml-users message

Subject: Re: [xacml-users] XACML JSON Profile


You're very welcome Nick - hope it helps!

Regarding the Node.js implementation, that is a good question.

At present it runs server-side with minimal Node.js support modules. The additional modules were:
1) to enable the collection of service times with the necessary precision, and
2) to provide a means to read from and write to the Redis database used as the policy repository.

The logic in our PDP component is just plain old JavaScript with no external dependencies, which could easily run in the browser. Policies, requests and responses are all in JSON format - modern browsers are very comfortable with this media type. Therefore, *in principle*, while rendering a page, it should be possible to intercept requests for content from within the browser. This applies to the PEP and PDP functions at least, but there are other aspects that need more thought.

As regards downloading the prototype, I suggest you should talk to Leigh (cc'ed in this mail) who is the expert on its implementation.... Leigh put some of the resources (example JSON-based policies, etc.) on github here:
https://github.com/lgriffin/JSONPL/tree/master/Resources

JSONPL = JSON Policy Language.... As you can see, its concepts are based on XACML, though the link is not a formal one at present.

The PDP itself is not in the github repository yet. Leigh was working on some enhancements and has not uploaded a version; he is keen to take it further.

Kind regards,
Bernard
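As an added illustration of the idea discussed in this thread (JSON-encoded, XACML-like policies evaluated by a plain-JavaScript PDP), here is a minimal PDP over a hypothetical JSON policy encoding with Target, Rule, Effect and deny-overrides semantics. It is not the JSONPL prototype or any code from the thread's authors; the policy, attribute names and flat request shape are constructed for the example.

```javascript
// Added example: a minimal JavaScript PDP over a hypothetical JSON policy
// encoding with XACML-like semantics. Not the thread's JSONPL prototype.

// Constructed sample policy: doctors may read records of their own
// department; any delete of a record is denied (deny-overrides).
const policy = {
  id: "records-policy",
  combining: "deny-overrides",
  target: { "resource.type": ["record"] },
  rules: [
    { id: "deny-delete", effect: "Deny",
      target: { "action.id": ["delete"] } },
    { id: "doctor-read", effect: "Permit",
      target: { "subject.role": ["doctor"], "action.id": ["read"] },
      condition: { equal: ["subject.department", "resource.department"] } }
  ]
};

// A target matches when every listed attribute holds one of the allowed
// values; a missing request attribute does not match (fail closed).
function matchTarget(target, req) {
  return Object.entries(target || {})
    .every(([attr, allowed]) => allowed.includes(req[attr]));
}

// One operator is modelled: equality of two request attributes.
// Unknown operators or missing attributes evaluate to false.
function evalCondition(cond, req) {
  if (!cond) return true;
  if (Array.isArray(cond.equal)) {
    const [a, b] = cond.equal;
    return req[a] !== undefined && req[a] === req[b];
  }
  return false;
}

// XACML rule semantics: target miss or false condition -> NotApplicable.
function evaluateRule(rule, req) {
  if (!matchTarget(rule.target, req)) return "NotApplicable";
  return evalCondition(rule.condition, req) ? rule.effect : "NotApplicable";
}

// deny-overrides: any Deny wins, then any Permit, else NotApplicable.
function evaluate(pol, req) {
  if (!matchTarget(pol.target, req)) return "NotApplicable";
  const results = pol.rules.map(r => evaluateRule(r, req));
  if (results.includes("Deny")) return "Deny";
  if (results.includes("Permit")) return "Permit";
  return "NotApplicable";
}
```

The request is a flat object keyed by `category.attribute`, so the whole policy and request round-trip through `JSON.parse`/`JSON.stringify` without any XML handling, which is the "friction-free" point made later in the thread.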

On 03/22/2013 06:20 AM, Nick Duan wrote:

Thanks a lot Bernard for the info. This is really encouraging to see someone actually has done this!

So if you have implemented with Node.js, which is based on Chrome’s V8, does it mean that your PDP runs only in a browser environment? So is this a PDP primarily for controlling your browser access to different GUI components? This could be a very cool feature because my JavaScript function could then control which div to turn on or off…

Is your prototype somewhere downloadable?

Thanks!

Nick

From: Bernard Butler [mailto:bbutler@tssg.org]
Sent: Friday, March 22, 2013 9:05 AM
To: Nick Duan
Cc: 'David Brossard'; xacml-users@lists.oasis-open.org; Leigh Griffin
Subject: Re: [xacml-users] XACML JSON Profile

Hi Nick (and David!),

My colleagues and I have already looked at the use of JSON as a format for representing access control policies. At the time, the JSON profile of XACML was not available to us, so we developed something similar:

1) we took some existing XACML policies (with associated requests) and translated them to JSON equivalents (keeping the decision semantics, but omitting advanced features like obligations)
2) we developed a prototype PDP using JavaScript and deployed it to Node.js to work with these JSON-encoded policies and requests.

In relation to checking against a JSON schema, the prototype PDP does not attempt this. If there was a problem with the "schema", we just tweaked the translated JSON until it was accepted by the PDP. In practice, we found that checking the schema *syntax* was less helpful than checking that the policy semantics were correct. That is, supports for authoring policies are valuable but should be considered in their totality.

Our prototype PDP/encoding is just that - it falls far short of what is needed for a production deployment. However, we identified the following advantages:
a) dramatic performance improvements compared to the reference SunXACML implementation
b) policies had much less "bloat" and became easier to read, even by non-experts. Of course, ALFA has similar advantages over XACML.
c) JavaScript handles JSON natively (and so is "friction-free"): the PDP has much less code than an equivalent Java+XML implementation
d) the use of Node.js (to host the PDP) and Redis (to store policies for easy retrieval) is motivated by developments elsewhere on highly scalable web services.

For the prototype, we wanted to ensure that there was sufficient spare processing capacity, given limited computing resources, that acceptable performance could be obtained even when requests arrived in large bursts. With sub-millisecond average response times on moderate hardware, the prototype succeeded in that regard!

We published a paper with our findings at IEEE POLICY 2012. The paper is available here
http://ieeexplore.ieee.org/xpl/articleDetails.jsp?reload=true&arnumber=6267997

Failing that, a preprint is available here:
http://repository.wit.ie/1739/

Comments welcome,
Bernard Butler
Waterford Institute of Technology.

On 03/18/2013 04:29 PM, Nick Duan wrote:

Thanks David! Thanks for the info on ALFA.

My use case is very straightforward. I am trying to create a policy server that is easy to scale and distribute. If policies can be jsonized, I would be able to utilize many NoSQL databases. Combined with your PEP/PDP JSON profile, I could use JSON-api for all my XACML processing needs, with potential performance improvement.

I understand the validation challenge of JSON docs. How about using JSON schema (http://json-schema.org/)? Not sure it’s a standard yet or not…

ND

From: David Brossard [mailto:david.brossard@axiomatics.com]
Sent: Monday, March 18, 2013 11:49 AM
To: Nick Duan
Cc: xacml-users@lists.oasis-open.org
Subject: Re: [xacml-users] XACML JSON Profile


Hi Nick,

At the last RSA in February, some of us did discuss representing XACML policies in JSON. However, it does require a bit more work. JSON lacks a proper schema, which would make it hard to validate XACML policies in JSON. Also, it's hard to see the value of encoding XACML policies in JSON.

Lastly, the point of using JSON is to make developers' lives easier. And developers don't usually write policies by hand. They would use UIs or dev tooling such as the ALFA plugin for Eclipse (see my video on YouTube http://www.youtube.com/watch?v=OVY009YZMoQ and this article by Martin Kuppinger: http://blogs.kuppingercole.com/kuppinger/2012/08/14/simplifying-xacml-the-axiomatics-alfa-plugin-for-eclipse-ide/).

My goal with the JSON profile was really to let developers in any language (Java, C#, Python...) that may or may not have support for XML easily produce a request and a response and send it off to a PDP using REST or any other protocol - but the point is the developer shouldn't care what the transport protocol is or what the policy format is.

What's your use case? Why would you like to see policies in JSON?

Cheers,

David.

On Mon, Mar 18, 2013 at 3:39 PM, Nick Duan <nduan@verizon.net> wrote:

The current XACML JSON profile was only for the authorization query request and response. Is there any effort by the XACML TC to jsonize the policy request and response as well? To do this, the entire policy document would have to be jsonized. Has anyone done this before? Any thoughts and suggestions on what complexity may be involved in doing this?

Thanks!

ND


--
David Brossard, M.Eng, SCEA, CSTP
Product Manager
+46(0)760 25 85 75
Axiomatics AB
Skeppsbron 40
S-111 30 Stockholm, Sweden
http://www.linkedin.com/companies/536082
http://www.axiomatics.com
http://twitter.com/axiomatics