Com.sun.xacml download
Should an implementation be exposed, then multiple systems become vulnerable.

On language-independent languages (Score: 3, Interesting)
That XML is a lingua franca is frequently asserted but can't be proved. The reason is that XML has no, or more strictly, very limited, semantics.
All you are saying when you assert that XML applications can be written in any language is that the semantics of XACML or whatever can be mapped to various programming languages.

Re: On language-independent languages (Score: 2)
XML is a data storage format, well-suited to data that has hierarchy and structure. Of course it doesn't necessarily know what to do from there -- because that's domain-specific knowledge.
But no general API treats that, and that's why the analogy presented seems a little bit off to me.

"Of course it doesn't necessarily know what to do from there -- because that's domain specific knowledge." Only if you consider such general things as variables and operators to be domain-specific.
"One standard access control policy language can replace dozens of application-specific languages." One language to rule them all.

Come on guys (Score: 2)
Sun is providing Java programmers for easily accessing and mutating this new ACL standard. This has value since there are so many fucking Java programmers you morons.
Unfortunately not everyone "gets it" (Score: 5, Insightful)
The requirement of having robust access control beyond a simple "enter your name and password" is not very common outside the corp. So those who've not had to deal in that code would not fully understand how big of a deal this markup language CAN be, assuming it's adopted, robust, etc, etc. This is definitely one of those areas where "everybody rolls their own", or worse, they dumb down their access control to fit things like directory services and their ilk, that were never intended to do what this is trying to.
Re: Unfortunately not everyone "gets it" (Score: 5, Insightful)
For instance, to get mine I had to get inside the firewall with a VPN client, access a controlled page with a DES access card, then provide my NT credentials to get access to my webmail, which led me through a link to a PeopleSoft application with its own access controls so that I could sign up for SSO.
Providing a single set of credentials and having all of the services recognize me would have made life much easier.

I don't get this (Score: 2, Insightful)
What exactly is the need for this 'new' language?
I get the impression that really this system just defines some interfaces and uses XML to allow various aspects of the implementation to communicate. Not exactly rocket science and certainly not worthy of a new language IMHO. What exactly does it do that XML and some well-defined schemas can't? Is this some sort of bastard child from the slightly less than successful Liberty project?

Interesting bit on OSLs (Score: 2)
Q: What Open Source license are you using? We are using a modified BSD license.
This is a true Open Source license with no "viral" effects. Almost sounds like they are either (a) trolling for licensing wars or (b) trying to allay managerial fears about loss of code control. Well, obviously if the Sun legal bigguns determined the GPL is viral then it probably is, no? You don't really think something goes on the web with 'Sun' plastered all over it without some sort of clearance from a lot of smart people, eh?
Weird, isn't it? Tell me, what motivates these pointless observations? Dear AC: If you grow some balls and log in, I'll enlighten you. Otherwise, please kindly FOAD.
Yes, I do it to burn karma when I'm bored. Hope your case of moronitis gets better.

XML stone soup (Score: 5, Interesting)
As we all know, XML is not a programming language - it was never intended to be computationally complete - yet there seems to be a never-ending stream of attempts that effectively try to turn it into one. It is a fundamental mistake to try to shoehorn semantics which will generally include logic - such as an access control decision - into a language which has no support for them.
While XACML "is not intended to form the basis of an authorization decision by itself" it must of necessity include the means to combine and modify rules - hence requiring logical operators which of course have no standard representation in XML.
The general result is one unholy mess. We, the poor bloody coding infantry, have to face learning a dozen or more ways of representing the same fundamental concept in a multitude of languages, each supposedly specialized for a narrowly-defined task, but in reality incorporating almost-but-not-quite-all the features of a general purpose language.
XML's ugly syntax becomes the least of our problems - that can always be hidden by visual tools or 'generators', but no tool is likely to be able to reunite fundamental concepts fragmented into so many different representations.
Standards such as these do not represent progress; they represent a growing mass of redundancy that one day will have to be refactored into more coherent form. Anyone who studied LISP, or some other language capable of representing the popular data and programming paradigms (logic, procedural, declarative)
The fact that the practice of XML continues to ignore such basic prior art is an extraordinary indictment of the state of our industry today. I welcome any explanation from the individuals or organizations concerned as to what obliged them to make yet another idiosyncratic elaboration of the generally incoherent and unusable body of XML specifications.
Re: XML stone soup (Score: 2)
I'm sure you're one of those people who insists on doing their configuration through a language-specific construct, such as using eval in Perl. XACML, as well as a few other XML "languages", is useful in that the policy is portable and everyone can benefit from better tools to work with the language. XML provides a middle ground for these languages. Sure, it doesn't have operators or behave like a programming language

Re: XML stone soup (Score: 3)
Not sure I follow you - what kind of construct would not be language-specific? Unfortunately they mean very little. No doubt. And probably a means of reading CSV files too. If you are implying by this that the ability to read XML structures is a significant contribution to the generation or interpretation of such languages as XACML then I think we'd have to disagree.
By itself, does nothing to constrain or interpret the latter. To take a simple example from a guy called Philip Wadler, who has this on a T-shirt: 1. Start with a mathematical function, say 2x 2.
Re: XML stone soup (Score: 1)
I meant not specific to the programming language(s) with which the construct is being consumed. They actually mean quite a bit to some of us. If you've ever found yourself in the middle of a situation in which integration between a few complex systems is involved, all from different vendors, you would find reasons to overlook XML's warts.
XML (or should I say: the software that has sprung up to support it) does offer you a more accessible programming model, which leads to more productivity, quicker project cycles, etc. When performance and verbosity are big issues, such as is the case when using smart cards and limited resource devices, XML can be transformed easily to other formats, such as ASN. Yes, XCBF could have just done it all in CSV, but instead they chose something that has good schema definition languages, good processing tools, excellent coverage by the technical press, and dare I say -- unprecedented market acceptance.
XACML is about asserting policies. No one is trying to do mathematical calculations in it. I generally agree with you here; I've opted away from XML in cases where I had to describe methods more so than properties. There is one exception, however. I find it more convenient that the.

Well, you are simply shifting the problem from the programming language to the other, "language-independent" language.
In reality, there's no reason to privilege one language over another arbitrarily, and certainly not to mandate the use of multiple, highly redundant languages. Passing over the obvious question regarding the decisions never to address XML's admitted warts but always to effectively compound them, you refer again to the XML programming model and its supposed advantages.
Once again, I have to point out that the relevant language, the one actually expressing the information we are interested in, is not defined or constrained by the XML specification but by higher-level specifications such as XACML.
Any appeal to productivity, efficiency etc. Naturally this doesn't stop every new language "vocabulary" being described as "standard XML", but such descriptions are wholly misleading.

You appear not to have read the specification. It looks as though someone has invested considerable effort in deciding how 2x should be expressed in this "Access Control Markup Language".
Make sure you format the paper in TeX or groff or something else that doesn't use spurious ''. You are free to stay with the old school way if you like. The critical mass is with XML, and it will get better.

XML is not a programming language. It's a file format. I may be being exceptionally thick, but I just don't get your example; you seem to be saying that just because turning Scheme code into an arbitrary XML layout makes it take more space, XML is useless.
I'd argue that's completely irrelevant. XML is for representing data. I should use a counter example, I guess. How about you have a trading system which passes details of trades to some backend accounts system. It uses good old CSV, so you get a file like this: RHT, , 4.

Sure, I don't have a big problem with XML being used to express data. I agree that would be bad; I'm not convinced that's what's happening here. I've only skim-read the spec, but it basically looks to me like just a collection of schemas.
One describes what a request looks like, one describes what a response looks like, and one describes the format of what is basically a config file. The code which Sun have released takes a request, looks at the config, and creates a response. But is written in Java, not XML? If you decided not to use XML, but instead CSV for all your requests, responses and config, the Java code would stay the same, it would just need different file parsers.
I really fail to see what the problem is here. The last thing you want is to express authentication configuration in programmatic code!
I mean, you can't write a. Take a look at the appendix; you'll find pages on data types, expressions, operators etc. While I wouldn't call myself a big fan of XML, you're simply wrong in your example. XML is a data representation language. In most languages, data and expressions are more or less the same. That's bad.

You appear to be under the same impression as AC above, that this is a debate about conciseness.
It's actually about coherence. You are welcome to express your logic in XML syntax, just don't invent a different syntax, grammar and feature set for each "application".

Everyone is using XML to do away with specialized grammars for every problem domain. The human element is always the weakest and the slowest. If you can simplify things for the implementor by using a spec that is well known and in which it is relatively easy to reason, then you have eliminated a great problem. I would love it if everyone would exercise a little brain muscle and just learn lambda calculus, but that probably won't happen any time soon.
So we'll just have to make do with the lowest common denominator, which is XML, which is self-documenting if written properly - so that's ONE nice feature.

The spec's pages describe this grammar - the mere fact that they say things like "The MatchId attribute SHALL specify a function that compares two arguments, returning a result type of boolean."
Now if this spec was part of a coherent and properly factored set of XML standards the job of the implementor would be vastly easier, since implementations of things like expression evaluators would be common and could be shared - easier to learn, write and maintain. Rather than pretending to people that it's "relatively easy" to implement specs.

Here's a great example of a use for an XML-based language. I don't say it's better, I don't say it's anything new, it just helps in many ways making everything more standard.
Company A wants to exchange data (i.e. order forms) with Company B; Amazon and CDNow, for lack of a better example. Now, if they used a proprietary format, it's all good: they make the specs together, then each implements it.
Then, Company C wants to be included in the exchange too. They send the specs of the file format and Company C implements it.
And so on. It could introduce many bugs since they don't have the same implementation details; if A and B want to add a field, but not C, C will still have to change its implementation, unless the format allows additional fields without breaking compatibility with previous versions of the file format. However, if they used a standard format, whether or not it's XML-based, they would only have to take a reference implementation to parse the data, and thus will probably have many fewer differences, bugs and security issues.
XML is just a nice way to make a standard; it always parses the same way, and doesn't care when you add new fields; you must really change the whole language to break compatibility with previous versions.
XML is just that, a nice standard way of doing a standard language for information exchange. You can create proprietary formats, but it will take more time, and each company is likely to have to build the implementations themselves. With an XML-based language, it's very easy to do a reference implementation since XML always parses the same way and is very flexible. Hope that helps.

"XML is not a programming language - it was never intended to be computationally complete" Now repeat after me: XML is basically just a syntax.
It was never intended to be computationally complete in the same way as marking up things with balanced parentheses is not computationally complete. Yet you can map your favorite programming language into an XML representation, and vice versa.
The fact that someone tries to come up with a standard that would be widely accepted shows our industry as a maturing one.
Sorry, but Lisp doesn't cut it for the IT masses in general. It missed its chance back then. It's a generic language, with strong background in programming, and it doesn't have such an emphasis on validation of semantically-loaded subsets as XML applications had from the very beginning.
"It was never intended to be computationally complete" Your views on LISP per se are not particularly relevant; the point is that there are generic programming concepts in multiple XML specs. I did - I am actually listed as one contributor to it. It is nothing more than a thin XML layer on top. You can mark up LISP if you want - it means nothing except you can use a lot of handy parsers to read it in.
However, there is probably a consensus that the best starting point is Scheme, the LISP-like teaching language. This starts from the basic principle that programs-are-data, meaning that Scheme can happily substitute for both Java and XML. More interestingly, there are some usable Scheme implementations around now, so it's a good time to play with it if you have some time.
Pointers are on the Schemers [schemers.

Fair comment. I'm kind of hopeful about the current Scheme implementations becoming useful, particularly for implementing the kind of mini-languages as discussed here, but Allegro CL etc.
Okay, an attempt to explain (Score: 4, Interesting)

Each operand within one of the predicates is compared with each operand of the other predicate(s); each operand comprises one or more XACML Apply elements, which may invoke various types of functions. If all operand combinations fail, the intersection fails and the predicates are not redundant. For combinations that evaluate to True for some subset of the attribute values supplied with a request, TABLE 1 demonstrates which of the two or more combined operands should be retained.
The first column from the left-hand side represents one of the operands being combined; the second column represents the second operand. The third column identifies any provision or condition that applies to the combination; the fourth column, where populated, indicates that the two operands are redundant and that all occurrences of the operands in the terms should be replaced by the indicated operand or value.
The preceding intersection algorithm may also be used, as far as possible, for computing intersections between different terms to help find redundancy between their corresponding Rules, as described above. In other cases in which a policy may have inconsistent rules, it must be considered that inconsistency is not always an error. In particular, a Policy may embrace inconsistent Rules and employ a Combining Algorithm to settle inconsistencies as they arise.
However, even though a Combining Algorithm is in effect, it may still be desirable to highlight the inconsistency for a programmer, system administrator or other analyst. To answer Question 4 for CASE 1, the intersection algorithm described above is executed to find intersections, to the extent possible, between all Rule pairings of the two Policies.
If two Rules do not intersect, they may be removed from consideration for this Question. Question 5 may be applied when a Policy needs to be restructured, perhaps to make it more efficient.
For example, an organization may have originally grouped its XACML policies based on the resource to which the policies applied. There would be a set of policies for each resource identifier or set of identifiers, and the top-level Target elements would be configured to select the set of policies to be used based on the input resource identifier. Later, however, the organization may have realized that it would be more efficient to group the policies according to the subject(s) to which they apply.
The same conditions apply for gaining access, but now the organization wants to factor those conditions based on subject rather than on resource. This can be done by constructing the DNF expression for the entire policy. Then, those terms that are True for each possible subject identifier are selected. The test for subject identifier becomes the Target element for a new Policy, and the remaining predicates in each such term become Rules under that Policy.
Then all the Policies are combined under a new PolicySet. The result is no change in who is allowed to access which resource under which conditions, but the evaluation may be more efficient because the conditions pertaining to a given subject vary more than the conditions pertaining to a given resource. In another embodiment of the invention, a refactoring process can be generalized as follows to focus on any number of Attributes referenced in a given Policy to be refactored.
Each Rule receives a Condition element with an empty OR function. Evaluate every predicate—in every DNF term derived from the original Policy—that references the combination of Attributes.
In some embodiments of the invention, analysis described in this section may be applied to a single Policy in which: (a) the Policy employs a Deny-overrides Combining Algorithm, and (b) at least one Rule has an Effect of Deny. These conditions allow the following observations and simplifications. One skilled in the art of XACML programming or analysis will recognize functions that may fail due to a problem with an Attribute.
If a function's Attribute is missing, each predicate that would fail or encounter an error because of the missing Attribute is marked. For the purpose of searching for redundancy by computing an intersection or examining equivalency e. To assist in the analysis of a Policy that includes one or more Rules with Effects of Deny, the DNF terms derived for all Rules of the Policy are combined into a single chain as follows.
The order in which Rules' DNF terms are imported into this united expression may not matter except for efficiency. For example, if it is desired to know which Rule of the Policy will first evaluate to a particular value (Deny or Permit), the order of terms within the united expression may match the order in which the Rules are encountered when parsing the Policy.
In summary, the DNF terms for all Rules within the Policy or PolicySet currently being analyzed are combined into a single united expression. For a given set of Attributes and values of those Attributes, all terms in a DNF expression that correspond to Rules that have the Effect of Deny are evaluated.
Unless subsequent evaluation of the other terms of the DNF expression results in an error, access based on the given set of Attribute values is denied. However, terms of all such DNF expressions are labeled and evaluated. Any such terms that can be completely evaluated based on the Attribute values are removed from the DNF expression.
Unless subsequent evaluation of the resulting shortened DNF expression results in an error, access for the given set of Attribute values is denied. The environment in which a present embodiment of the invention is executed may incorporate a general-purpose computer or a special purpose device such as a hand-held computer. Details of such devices e.
The computer-readable storage medium includes, but is not limited to, volatile memory, non-volatile memory, magnetic and optical storage devices such as disk drives, magnetic tape, CDs (compact discs), DVDs (digital versatile discs or digital video discs), or other media capable of storing computer-readable media now known or later developed.
Furthermore, the methods and processes described below can be included in hardware modules. For example, the hardware modules may include, but are not limited to, application-specific integrated circuit (ASIC) chips, field programmable gate arrays (FPGAs), and other programmable-logic devices now known or later developed. When the hardware modules are activated, the hardware modules perform the methods and processes included within the hardware modules. The foregoing descriptions of embodiments of the invention have been presented for purposes of illustration and description only.
They are not intended to be exhaustive or to limit the invention to the forms disclosed. Accordingly, many modifications and variations will be apparent to practitioners skilled in the art. The scope of the invention is defined by the appended claims, not the preceding disclosure.

To facilitate such analysis and refactoring, every Rule in the collection of policies being analyzed is reduced to an equivalent expression in DNF (Disjunctive Normal Form). Some terms, predicates and other elements may be eliminated.

Anderson, Anne H. (Concord, MA, US); Sun Microsystems, Inc.

What is claimed is:

1. A method of analyzing XACML (eXtensible Access Control Markup Language) logic comprising one or more XACML policies, the method comprising: storing the code in an electronic memory; tagging one or more elements of the code; for each rule in the code, constructing in disjunctive normal form an expression of a path through the code to the rule; determining whether any rules in the code have an effect of deny; and for every XACML policy in the code, determining which type of combining algorithm the policy includes.

2. The method of claim 1, wherein said determining which type of combining algorithm the policy includes comprises: determining whether every XACML policy in the code includes a combining algorithm of the deny-overrides type.

3. The method of claim 1, further comprising: determining whether the code comprises a policyset element.

4. The method of claim 1, further comprising: identifying values for one or more attributes referenced in the code; and determining which actions, if any, are permitted by the code in association with the identified attribute values.

5. The method of claim 4, wherein said determining which actions are permitted comprises: for each disjunctive normal form expression of a rule, determining whether a condition of the rule is satisfied by the identified attribute values.

6. The method of claim 1, further comprising: identifying values for one or more attributes referenced in the code; and determining whether any rules in the code are redundant.

7. The method of claim 6, wherein said determining whether any rules are redundant comprises: for each pair of terms within each disjunctive normal form expression: comparing the terms for logical equivalence; and for each pair of disjunctive normal form expressions: comparing the expressions for logical equivalence; wherein two terms in a disjunctive normal form expression are equivalent if they return the same result for the identified attribute values; and wherein two disjunctive normal form expressions are equivalent if they return the same result for the identified attribute values.

8. The method of claim 1, further comprising: identifying values for one or more attributes referenced in the code; and attempting to determine whether any pair of the rules in the code are inconsistent.

9. The method of claim 8, wherein said determining whether any pair of the rules in the code are inconsistent comprises: for every rule that evaluates to deny for the identified attribute values, determining whether a different rule evaluates to permit for the identified attribute values.

10. The method of claim 8, wherein said determining whether any pair of the rules in the code are inconsistent comprises: for every rule that evaluates to permit for the identified attribute values, determining whether a different rule evaluates to deny for the identified attribute values.
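As an added worked example (Python; neither the patent's method as filed nor Sun's com.sun.xacml code) covering the DNF analysis described above and the claims that follow it: each Rule is reduced to DNF terms, a request is decided with the Deny terms examined first, redundant terms and Deny/Permit conflicts are reported, and terms are regrouped by one attribute as in the subject-based refactoring. Predicates are restricted to equality tests, a missing attribute yields Indeterminate, and the policy is constructed for illustration.

```python
# Constructed example policy (not the patent's or Sun's code): a predicate is
# (attribute, value) meaning "attribute equals value".  A Rule's Target is an
# AND of predicates; an optional Condition is an OR of ANDs, i.e. already DNF.
PERMIT, DENY = "Permit", "Deny"
POLICY = [
    {"id": "managers-read", "effect": PERMIT, "target": [("resource", "report")],
     "condition": [[("role", "manager")], [("role", "manager"), ("action", "read")]]},
    {"id": "no-guests", "effect": DENY, "target": [("role", "guest")]},
    {"id": "uncleared-block", "effect": DENY,
     "target": [("resource", "report"), ("role", "manager"), ("clearance", "none")]},
]

def to_dnf(rule):
    """Rule -> list of terms (the OR); a term is a frozenset of predicates (the AND)
    from Target plus one Condition alternative.  A term binding an attribute to two
    different values can never hold and is dropped (the elimination step above)."""
    target = frozenset(rule["target"])
    terms = []
    for alt in rule.get("condition") or [()]:
        term = target | frozenset(alt)
        names = [a for a, _ in term]
        if len(names) == len(set(names)):
            terms.append(term)
    return terms

def term_result(term, attrs):
    """True/False, or None (Indeterminate) when a needed attribute is missing."""
    missing = False
    for attr, value in term:
        if attr not in attrs:
            missing = True
        elif attrs[attr] != value:
            return False          # a failed predicate decides, missing or not
    return None if missing else True

def rule_result(rule, attrs):
    results = [term_result(t, attrs) for t in to_dnf(rule)]
    if True in results:
        return rule["effect"]
    return "Indeterminate" if None in results else "NotApplicable"

def deny_overrides(rules, attrs):
    """Deny terms are examined first: a satisfied Deny decides the outcome, and a
    Deny term that hit a missing attribute makes the whole result Indeterminate."""
    deny = [rule_result(r, attrs) for r in rules if r["effect"] == DENY]
    if DENY in deny:
        return DENY
    if "Indeterminate" in deny:
        return "Indeterminate"
    permit = [rule_result(r, attrs) for r in rules if r["effect"] == PERMIT]
    if PERMIT in permit:
        return PERMIT
    return "Indeterminate" if "Indeterminate" in permit else "NotApplicable"

def redundant_terms(rules):
    """(rule id, term) pairs implied by a smaller term with the same Effect: the
    subset term holds whenever the superset does, so the superset adds nothing."""
    entries = [(r["id"], r["effect"], t) for r in rules for t in to_dnf(r)]
    return [(rid, term) for rid, eff, term in entries
            if any(e == eff and other < term for _, e, other in entries)]

def conflicts(rules, attrs):
    """Deny/Permit rule pairs that both fire for the same attribute values."""
    denies = [r["id"] for r in rules if rule_result(r, attrs) == DENY]
    permits = [r["id"] for r in rules if rule_result(r, attrs) == PERMIT]
    return [(d, p) for d in denies for p in permits]

def refactor_by(rules, attr):
    """Regroup every DNF term by the value it requires for `attr`: that test becomes
    a new Policy's Target and the remaining predicates become its Rules."""
    grouped = {}
    for r in rules:
        for term in to_dnf(r):
            key = dict(term).get(attr, "*")    # "*": term does not test attr
            rest = frozenset(p for p in term if p[0] != attr)
            grouped.setdefault(key, []).append((r["id"], r["effect"], rest))
    return grouped
```

The conflict report is only meaningful before deny-overrides resolves it, which is exactly the point the description makes about surfacing inconsistencies to an analyst even when a Combining Algorithm would settle them silently.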
Abstract
XACML has become the de facto standard for specifying access control policies for various applications, especially web services.