OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [xacml] json policy profile?

Hi Rich, all,

This is a recurring question. It's been asked on Stackoverflow. If you remember, there was a lab in Ireland that had worked on a JSON format. Bernard Butler wrote on this mailing list about it. See here. In the Stackoverflow question I linked to above, Cyril Dangerville mentions that they used a direct XML-to-JSON mapping to achieve XACML policies in JSON:

there are well-known conventions to convert XML to JSON (with limitations), mostly used by REST API frameworks. So if you know the XML format, the convention tells you the JSON format. For example, Apache CXF used to support two conventions: Badgerfish and the mapped convention. Badgerfish is no longer maintained in CXF therefore the mapped convention is preferred now.Â
The mapped convention is what AuthzForce Server - another ABAC/XACML implementation - uses for the RESTful PAP (Policy Administration Point) API, so that you can manage XACML policies in either XML (standard XACML) or JSON format. We used the JSON format for _javascript_-based apps (e.g. web user interface) in particular.

That being said, I do not see the value of expressing policies in pure JSON. The storage / serialization format is irrelevant. What matters is providing an easy means to write policy-based access control. That could either be via a UI (vendor/implementation-specific such as Axiomatics Policy Server) or via a lightweight syntax that is easy to read and write. This is why I think we should focus our attention on ALFA instead. It's look more like a programming language that JSON does (JSON being declarative). The ALFA Profile is here. Also, we've put a lot of efforts into samples on Wikipedia. Our customers all use ALFA and we are aware of other third parties using ALFA on their own e.g. theÂOpen Justice Broker Consortium and even WSO2.

Also, while we're at it, shouldn't we consider streamlining the policy language e.g.:
  • have conditions anywhere, not just rules
  • get rid of targets and only have conditions
  • do away with PolicySet > Policy > Rule and provide a simple Policy element whereby a Policy either contains a decision or a set of children
  • many more things...

On Thu, Oct 25, 2018 at 10:59 AM rich levinson <rich.levinson@oracle.com> wrote:
To TC:

Have we had any discussion on converting the whole XACML Policy spec
to JSON? Currently, only the request and response are documented
in json form?

Have there been any requests for this capability?

ÂÂ Thanks,
ÂÂ Rich

To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail. Follow this link to all your TCs in OASIS at:

David Brossard
VP of Customer Relations
+1Â312 774-9163
+1 502 922 6538

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]