Question
I am a novice with XACML policies. Can you tell me how to implement XACML policies? I have tried different APIs, but for my project I need to implement a XACML evaluation engine. So, can you help me by providing the implementation details? Which language would be most suitable for implementing the evaluation engine?
Thanks in advance.
Answer 1:
I guess implementing a XACML evaluation engine is not an easy task. You need to go through the XACML specification at https://www.oasis-open.org/committees/xacml/ and do the implementation based on it. It would be better if you can find an already implemented XACML-based authorization engine.
"Balana" is one of the XACML implementations (with partial XACML 3.0 support), and it is a Java-based open source project.
Therefore you can use it freely, and you can find the source code at https://svn.wso2.org/repos/wso2/trunk/commons/balana/.
Also, if you really want to implement a new XACML engine, you can go through the Balana source code to get some idea of the implementation, or reuse its source code. More details on Balana and XACML can be found on this blog at http://xacmlinfo.com/. I guess Java would be an easy language to deal with, as you need to work with a lot of XML.
Answer 2:
You want to look at XACML implementations that exist today.
The following are all open source implementations available today:
- Sun XACML: provides a partial XACML 2.0 implementation
- Heras AF: provides a conformant XACML 2.0 implementation (http://www.herasaf.org/heras-af-xacml.html)
- Balana: as previously mentioned, provides a partial XACML 3.0 implementation
- AuthzForce: fully XACML 3.0 compliant (all mandatory features) (https://github.com/authzforce/core)
The following are vendor implementations:
- Axiomatics Policy Server: full XACML 2.0 and XACML 3.0 implementation - also attested for conformance (this is where the XACML 3.0 editor works). Attestation of implementation: https://lists.oasis-open.org/archives/xacml/201010/msg00002.html
- IBM DataPower: contains a XACML 2.0 engine
- Quest: through their acquisition of Bitkoo, they also have XACML support.
- Oracle
All of the open source implementations cited above are Java. Axiomatics and Bitkoo also provide a C# engine.
If you wanted to build your own, you'd want to generate the XACML objects from the XACML schema using JAXB. That wouldn't give you the evaluation logic, though.
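Added example (not part of the answers above, and not code from any of the projects listed): Answer 2 notes that schema-generated objects do not give you the evaluation logic, so this Python sketch shows the core of that logic for a single policy, namely target matching plus a reduced deny-overrides combiner. It assumes only `string-equal` matches, no `<Condition>` elements or obligations, every policy treated as deny-overrides, a simplified Indeterminate rule (any evaluation error outranks Permit), and a trusted policy source; `rule`, `policy`, `decide`, `evaluate` and the `urn:example:role` attribute are hypothetical names.

```python
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}
EQ = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
XS = "http://www.w3.org/2001/XMLSchema#string"
ACTION = ("urn:oasis:names:tc:xacml:3.0:attribute-category:action",
          "urn:oasis:names:tc:xacml:1.0:action:action-id")
ROLE = ("urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
        "urn:example:role")  # constructed attribute id

def rule(rule_id, effect, attr, value, fn=EQ):
    """Build one constructed sample <Rule> whose target holds a single <Match>."""
    return (f'<Rule RuleId="{rule_id}" Effect="{effect}"><Target><AnyOf><AllOf>'
            f'<Match MatchId="{fn}"><AttributeValue DataType="{XS}">{value}</AttributeValue>'
            f'<AttributeDesignator Category="{attr[0]}" AttributeId="{attr[1]}" '
            f'DataType="{XS}" MustBePresent="false"/></Match></AllOf></AnyOf></Target></Rule>')

def policy(*rules):  # constructed sample <Policy>; its Target is empty, so it always applies
    return (f'<Policy xmlns="{NS["x"]}" PolicyId="sample" Version="1.0" RuleCombiningAlgId='
            f'"urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">'
            f'<Target/>{"".join(rules)}</Policy>')

def match(m, request):
    """One <Match>: the literal must equal some value in the request's attribute bag."""
    if m.get("MatchId") != EQ:
        raise ValueError("unsupported MatchId")  # surfaced as Indeterminate by decide()
    literal = m.find("x:AttributeValue", NS).text
    d = m.find("x:AttributeDesignator", NS)
    return literal in request.get((d.get("Category"), d.get("AttributeId")), [])

def target_matches(element, request):
    """Target = AND of AnyOf, AnyOf = OR of AllOf, AllOf = AND of Match; empty matches all."""
    return all(any(all(match(m, request) for m in allof.findall("x:Match", NS))
                   for allof in anyof.findall("x:AllOf", NS))
               for anyof in element.findall("x:Target/x:AnyOf", NS))

def decide(element, effect, request):  # effect if the target matches, else why not
    try:
        return effect if target_matches(element, request) else "NotApplicable"
    except ValueError:
        return "Indeterminate"

def evaluate(policy_xml, request):
    root = ET.fromstring(policy_xml)  # assumes policies come from a trusted store
    gate = decide(root, None, request)
    if gate is not None:  # policy target did not match, or could not be evaluated
        return gate
    results = [decide(r, r.get("Effect"), request) for r in root.findall("x:Rule", NS)]
    # Reduced deny-overrides: Deny wins, then errors, then Permit.
    return next((d for d in ("Deny", "Indeterminate", "Permit") if d in results), "NotApplicable")
```

A request here is a dict mapping `(category, attribute id)` to a list of string values, for example `{ACTION: ["read"], ROLE: ["staff"]}`.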
Answer 3:
Not sure what you mean by 'Evaluation'. Do you have access requests that need to be evaluated in order to determine whether or not access is granted?
For that purpose, I was able to run WSO2 Identity Server quickly, to compose XACML 3.0 policies and have it check the access control requests.
The server: http://wso2.com/products/identity-server/
The blog that helped me out: http://xacmlinfo.com/2012/06/13/pdp-pep-communication-wso2is/
Answer 4:
In terms of policy editing, there is a handy tool that you can use: ALFA (https://www.axiomatics.com/blog/how-can-i-use-policy-references-in-alfa/). This is an Eclipse plugin that enables you to convert the policy into XACML format.
Source: https://stackoverflow.com/questions/14590543/xacml-implementation