Home arrow Security arrow Page 5 - Trust, Access Control, and Rights for Web Services, Part 2

The XACML Data Model - Security

Web services themselves provide a powerful new approach to PKI that prevents each Web service requestor and provider from having to build their own PKI: accessing a trusted PKI as a service. XKMS aims to do just that. This is part 2 of chapter 9 from Securing Web Services with WS-Security, by Rosenberg and Remy (ISBN 0672326515, SAMS, 2004).

  1. Trust, Access Control, and Rights for Web Services, Part 2
  2. The XKMS Services
  3. X-KRSS
  4. eXtensible Access Control Markup Language (XACML) Specification
  5. The XACML Data Model
  6. XACML Policy Example
  7. eXtensible Rights Markup Language (XrML) Management Specification
  8. XrML Use Case Example
  9. Summary
By: Sams Publishing
Rating: starstarstarstarstar / 6
October 12, 2004

print this article



At the root of XACML is a concern with access policies—what XACML refers to as a Policy or a PolicySet. When XACML refers to "policy," it specifically means authorization policy. Each XACML policy document contains exactly one Policy or PolicySet root XML tag. A Policy represents a single access-control policy, expressed through a set of Rules. A Policy is intended to form the basis of an authorization decision. A PolicySet contains a set of Policy or other PolicySet elements and a specified procedure for combining the results of their evaluation. This is the standard means for combining separate policies into a single combined policy. A Rule contains a Boolean expression that can be evaluated in isolation as the basic unit of management; it can be reused in multiple policies.

A few more critical terms used in XACML need to be understood as well. A Target defines a set of resources, subjects, and actions to which a Rule is intended to apply. It is the set of decision requests that a Rule, Policy, or PolicySet is intended to evaluate. An Obligation is an operation specified in a Policy or PolicySet that should be performed in conjunction with the enforcement of an authorization decision. A Condition is an expression that evaluates to True or False or Indeterminate. The Effect is the intended consequence of a satisfied Rule—either Permit or Deny.

Figure 9.9 shows these XACML concepts.

Trust, Access Control, and Rights for Web Services

Figure 9.9  Core XACML constructs and their interrelationships.

XACML Operation

XACML defines a very granular set of "layers" to:

  1. Create policy.

  2. Collect the data required for policy evaluation.

  3. Evaluate policy.

  4. Enforce policy.

This much granularity enables interoperability for a wide variety of access control approaches. It is an architecture that maximizes flexibility.

Because a generic Policy or PolicySet may contain multiple policies or Rules, each of which may evaluate to different access control decisions, XACML needs some way of reconciling the decisions each makes. In XACML, this is done through a collection of Combining Algorithms. Each algorithm represents a different way of combining multiple decisions into a single decision to build up increasingly complex policies. XACML utilizes Policy Combining Algorithms (used by PolicySet) and Rule Combining Algorithms (used by Policy). The set of Combining Algorithms takes the form of deny-overrides, permit-overrides, first-applicable, and only-one-applicable. These are just a few examples, but an arbitrary set can be created from basic primitives.

XACML Not Really Ready for Prime Time Yet - XACML is intended primarily to be generated by tools. Its verbose syntax makes it hard to read and tedious to edit for other than very simple policies.

These tools, however, aren't available yet. Nonetheless, a few brave groups have provided a template and sample code for using XACML with Java.

Not many applications will actually require the kind of dynamic discovery provided by XACML. XACML experts suggest that developers think of XACML in relation to wire-formats such as WS-Security just as they do WSDL in relation to SOAP.

The home we expect XACML to find is as the tool to create SAML Policy Decision Points (PDP). PDPs will most likely communicate to back-end policy stores using the XACML access control/policy language.

SamsThis chapter is from Securing Web Services Security with WS-Security, by Jothy Rosenberg and David Remy (Sams, 2004, ISBN: 0672326515). Check it out at your favorite bookstore today.

Buy this book now.

>>> More Security Articles          >>> More By Sams Publishing

blog comments powered by Disqus
escort Bursa Bursa escort Antalya eskort


- Secure Your Business for Data Privacy Day
- Google Testing Security Fob Password Alterna...
- Security News Highlights Concerns
- Going to Extremes for Data Security
- Skipfish Website Vulnerability Scanner
- Critical Microsoft Visual Studio Security Pa...
- US Faces Tech Security Expert Deficit
- LAN Reconnaissance
- An Epilogue to Cryptography
- A Sequel to Cryptography
- An Introduction to Cryptography
- Security Overview
- Network Security Assessment
- Firewalls
- What’s behind the curtain? Part II

Developer Shed Affiliates


Dev Shed Tutorial Topics: