
Use JAXB and Ant to generate Java POJOs for XACML 1.1, XACML 2.0, and XACML 3.0 policies

In a previous blog post, I mentioned that I was working on a conversion script for a client to migrate XACML 1.1 policies to XACML 3.0.

There are several ways this could be achieved. Here are the ways I have thought of:

  • Use XSLT to convert from the XACML 1.1 schema to the XACML 3.0 schema. This is possibly a purist’s way of approaching this. However, support for XSLT has not always been great and it requires a lot of XML, XPath, and XSLT know-how.
  • Use the Java DOM model to parse XACML 1.1 XML and create XACML 3.0 XML.
  • Use JAXB to generate POJOs (plain old Java objects) that represent XACML 1.1 and XACML 3.0. I chose this last approach. For a Java developer, this is perhaps the easiest way.

The first step of the conversion was of course to generate the POJOs that would let me manipulate the XACML policies. To do so, use the xjc utility that is now part of the Oracle JDK. Below is a sample snippet from my Ant build script. You will need to have downloaded the XACML 1.1, 2.0, and 3.0 schemas first. Note that the XACML 1.1 and 2.0 schemas only include the policy definitions, whereas the XACML 3.0 schema also includes the request / response schema.

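	<target name="generate">
		<delete dir="generated" failonerror="false" />
		<mkdir dir="generated" />
		<!-- classname must name the XJC Ant task class available on master-classpath
		     (com.sun.tools.xjc.XJCTask in the JAXB reference implementation) -->
		<taskdef name="xjc" classname="">
			<classpath refid="master-classpath" />
		</taskdef>
		<!-- One xjc run per schema: XACML 1.1, 2.0 and 3.0 -->
		<xjc schema="etc/schemas/cs-xacml-schema-policy-01.xsd" destdir="${src.gen.dir}" />
		<xjc schema="etc/schemas/access_control-xacml-2.0-policy-schema-os.xsd" destdir="${src.gen.dir}" />
		<!-- catalog points at an XML catalog file used to resolve the schema's imports -->
		<xjc schema="etc/schemas/xacml-core-v3-schema-wd-17.xsd" destdir="${src.gen.dir}" catalog=""/>
	</target>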

And there we go: I ended up with a series of Java classes that I could use to marshal / unmarshal XML into/from Java objects. From there on, it was child’s play to write the conversion script. I’ll post a couple of interesting findings on the conversion. To test the conversion, I used the XACML 1.1 conformance tests which can be found here.


XACML 1.1 Class Diagram

I’ve recently been working on an interesting little project: converting XACML 1.1 policy (sets) to XACML 3.0 policies in order to help migrate a customer from a legacy environment to Axiomatics.

In order to proceed with the conversion, I decided to use stock tools available off-the-shelf and to write as little custom code as possible. Since I write in Java, I chose to go for JAXB, especially since the support for JAXB has become better and better over the years. XJC itself is part of the JDK and it makes generating Java classes from XML schemas a breeze.

I’ll talk some more about that in a separate post. In the meantime though, I wanted to share with you an old picture, the class diagram for XACML 1.1. I extracted it from the core specification documentation which can be found here.

[Figure: XACML 1.1 Policy Language UML Class Diagram. This UML class diagram shows the elements of the XACML 1.1 policy language.]

In this class diagram, the structural elements of XACML are clearly shown:

  • PolicySet
  • Policy
  • Rule

I’ll keep you updated on the conversion progress.
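
The three structural elements above also give a cheap way to check a converted policy: every Rule that existed before the conversion should still exist afterwards with the same Effect. The following is an added example, not code from the original post or from the conversion script it describes; the class name `RuleInventory`, the sample policies and their ids are constructed for illustration, and the samples are trimmed to the attributes the check reads, so they are not schema-valid. It uses only the JDK's DOM parser, with DTDs refused, on the assumption that policy files should be treated as untrusted input.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.xml.sax.InputSource;

// Added example: rule inventory for checking a XACML 1.1 -> 3.0 conversion.
public class RuleInventory {
    // Returns one "<PolicySetId>/<PolicyId>/<RuleId>=<Effect>" entry per Rule, in document order.
    static List<String> inventory(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Refuse DOCTYPE declarations so no DTD or external entity is ever resolved.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        Element root = f.newDocumentBuilder().parse(new InputSource(new StringReader(xml))).getDocumentElement();
        List<String> out = new ArrayList<>();
        walk(root, "", out);
        return out;
    }

    // Matches on local names, so the same walk works for the 1.1, 2.0 and 3.0 namespaces.
    private static void walk(Element e, String path, List<String> out) {
        String name = e.getLocalName();
        if ("PolicySet".equals(name)) path += e.getAttribute("PolicySetId") + "/";
        else if ("Policy".equals(name)) path += e.getAttribute("PolicyId") + "/";
        else if ("Rule".equals(name)) { out.add(path + e.getAttribute("RuleId") + "=" + e.getAttribute("Effect")); return; }
        for (Node n = e.getFirstChild(); n != null; n = n.getNextSibling())
            if (n instanceof Element) walk((Element) n, path, out);
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: the "converted" policy has r2 flipped from Deny to Permit.
        String v11 = "<PolicySet xmlns='urn:oasis:names:tc:xacml:1.0:policy' PolicySetId='ps'>"
            + "<Policy PolicyId='p1'><Rule RuleId='r1' Effect='Permit'/><Rule RuleId='r2' Effect='Deny'/></Policy></PolicySet>";
        String v30 = "<PolicySet xmlns='urn:oasis:names:tc:xacml:3.0:core:schema:wd-17' PolicySetId='ps'>"
            + "<Policy PolicyId='p1'><Rule RuleId='r1' Effect='Permit'/><Rule RuleId='r2' Effect='Permit'/></Policy></PolicySet>";
        List<String> before = inventory(v11), after = inventory(v30);
        List<String> lost = new ArrayList<>(before);
        lost.removeAll(after); // entries whose id path or Effect did not survive the conversion
        System.out.println(lost.isEmpty() ? "OK: " + after : "MISMATCH, not preserved: " + lost);
    }
}
```

The check covers only rule identity and Effect; targets, conditions and combining algorithms still need the conformance tests mentioned in the earlier post.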