
Authorization, it’s not just about who you are – feedback from JavaZone 2013

I was fortunate enough to be one of the speakers at JavaZone 2013 in Oslo, a stone’s throw from the Axiomatics headquarters in Stockholm. One of the organizers, Ole-Alex, had asked me to give an overview of XACML to a crowd of Java developers and architects.
I decided to focus on the consolidation and flexibility aspects of XACML. For a developer, the natural reflex when it comes to implementing authorization is to “do it yourself” or, at best, to use a framework, e.g. Spring Security or JAAS. While these frameworks are great and the right step towards externalized authorization, they fall short of implementing truly dynamic authorization.
The first part of the presentation therefore covers the current state of the art before introducing Attribute-based access control (ABAC) and then diving into XACML, the eXtensible Access Control Markup Language.
The latter part of the presentation focused on hands-on examples of policy enforcement points for Java: servlet filters, JAX-WS handlers, and annotation-based enforcement courtesy of my colleague Andreas Sjoholm. We also looked into authoring policies using the ALFA plugin for Eclipse – a free tool to author XACML policies that uses an abstraction language called ALFA.
The slides are available on SlideShare as usual and are also embedded hereafter:
The video of the presentation will be made available shortly on JavaZone’s Vimeo album.
The presentation was well received and sparked some interesting questions around performance (yes, it’s possible to embed a PDP inside an application), attribute retrieval (yes, you can cache attribute retrieval), and database access control. Axiomatics, whom I work for, does provide an extension to XACML that converts authorization policies into SQL statements.
Lastly, as mentioned before, this piece of work wouldn’t be possible without the XACML Technical Committee. So if you want to give back, feel free to join the conversation at OASIS.

EDIT September 16th
The video has now been put up online here.


TGIF XACML – What’s a XACML target?

Today’s Friday, the weather has been amazingly nice these past few weeks in Stockholm which is all the more surprising since September is on the slope down to darker, wetter, and colder days. The weekend ahead looks promising. I’ll be heading out to fellow colleague, Andreas’ summer house out in the archipelago.

The view from the Axiomatics offices towards Skeppsholmen and AF Chapman

But before I walk out the door, I thought I’d share a bit of XACML know-how to chew on over the next couple of days. In the training sessions we regularly give at Axiomatics, attendees often ask what a target is.

XACML Target


A target is an element of the XACML policy language. It can occur in policy sets, policies, and rules. The target is used to define their scope. The scope defines when the policy (set) / rule will trigger. For instance, for a rule to trigger and yield a Permit decision for managers in Greece, the target would have to contain two attribute matches:

  • role==manager, and
  • userLocation==Greece

There can be any number of matches. A match is always between an attribute (role, department, location, classification…) and a value. Matches can then be combined using logical operators (AND, OR).

Where can I use the target?

Targets can be used in:

  • Policy Set elements
  • Policy elements
  • Rule elements


The following uses the ALFA syntax. You can download the plugin for free from the Axiomatics website. Check out YouTube for a video example.

 // A user in Greece can read a document in the Greece region
 // (attribute declarations for actionId, resourceType, userLocation and documentRegion omitted)
 policy readDocument {
 	target clause actionId=="read" and resourceType=="document"
 	apply firstApplicable
 	rule allowReadIfCorrectRegion {
 		target clause userLocation=="Greece" and documentRegion=="Greece"
 		permit
 	}
 }

The above example yields a Permit if and only if the user trying to read the document is located in Greece and the document’s region is Greece. If either the policy target (read action on a document) or the rule target does not match, the result is NotApplicable rather than Deny.
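To make the scoping behaviour of targets concrete, here is a small added evaluator (illustration code, not Axiomatics’ PDP) that models the readDocument policy above: a target is a set of attribute matches joined with and/or, an element whose target fails is NotApplicable, and firstApplicable returns the first rule that produces a decision. Requests are flattened to an attribute-id-to-value dictionary, which is a simplification of the category-grouped XACML request.

```python
from typing import Callable, Dict, List

# A request is flattened to attribute id -> value (constructed sample data; a real
# XACML request groups attributes into subject/resource/action/environment categories).
Request = Dict[str, str]
Target = Callable[[Request], bool]

def match(attr: str, value: str) -> Target:
    """One attribute match, e.g. userLocation=="Greece"."""
    return lambda req: req.get(attr) == value

def all_of(*clauses: Target) -> Target:
    """Matches joined with 'and' (the form used in the post's targets)."""
    return lambda req: all(c(req) for c in clauses)

def any_of(*clauses: Target) -> Target:
    """Matches joined with 'or'."""
    return lambda req: any(c(req) for c in clauses)

class Rule:
    def __init__(self, rule_id: str, target: Target, effect: str):
        self.rule_id, self.target, self.effect = rule_id, target, effect

    def evaluate(self, req: Request) -> str:
        # A rule whose target does not match is out of scope: NotApplicable, not Deny.
        return self.effect if self.target(req) else "NotApplicable"

class Policy:
    def __init__(self, policy_id: str, target: Target, rules: List[Rule]):
        self.policy_id, self.target, self.rules = policy_id, target, rules

    def evaluate(self, req: Request) -> str:
        if not self.target(req):
            return "NotApplicable"  # policy target failed: its rules are never consulted
        for rule in self.rules:     # firstApplicable: first rule with a decision wins
            decision = rule.evaluate(req)
            if decision != "NotApplicable":
                return decision
        return "NotApplicable"

# The readDocument policy from the post, expressed with the helpers above.
READ_DOCUMENT = Policy(
    "readDocument",
    all_of(match("actionId", "read"), match("resourceType", "document")),
    [Rule("allowReadIfCorrectRegion",
          all_of(match("userLocation", "Greece"), match("documentRegion", "Greece")),
          "Permit")],
)
```

Note what happens for a user in Sweden: the rule target simply does not match, so the policy answers NotApplicable, not Deny; a PEP must therefore treat anything other than Permit as a denial, or the policy needs an explicit deny rule.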


I hope this simple example helps to understand the XACML policy language. Stay tuned for more TGIF XACML tidbits.

Previously in TGIF XACML…

Previous tidbits can be found here:


Ready to roll at the Cloud Identity Summit 2013, Napa #CISNapa

It’s already day 2 of the Cloud Identity Summit. Day 1 focused on workshops and so will day 2 along with bootcamps and interops including workshops on Microsoft Identity & the Cloud. Standards will be hailed like never before: OAuth 2.0, OpenID Connect, and SCIM will be represented in a standards-focused workshop while SAML, the star of the conference, will be highlighted in a hands-on demo of PingFederate by John Da Silva.
In the afternoon, I will have the privilege of completing the standards quintet as I take on my developer hat to talk about XACML, and the latest efforts around REST and JSON APIs / encoding for XACML 3.0. I will be uploading my slides later for those of you who want to check them out.
Happy CIS 2013!


How to send a XACML request using Perl

In a previous post, I mentioned how I used cURL to send a XACML request to an Axiomatics XACML Policy Decision Point (PDP). My goal, however, wasn’t to use cURL but rather to whip up a sample in Perl.
Perl is perhaps my third love in terms of programming languages. As a kid, I learned programming with Pascal. Later, as a teen, I went across to web programming and PHP. In my first uni. student placement I was tasked with writing Perl code which opened up a whole new world of scripting.
These days, most of what I do revolves around XACML, the eXtensible Access Control Markup Language. XACML defines an architecture to apply fine-grained, externalized authorization to any type of application. Typically, the customers I deal with at Axiomatics want to apply XACML to Java or C#. This entails writing policy enforcement points (PEP) in Java or .NET. Occasionally though, we do get requests for Perl. And so, on a flight back from a customer visit, I googled around for the latest in Perl and hacked a very simple example together.
To get running, I used

It was actually very quick and easy to test out the Perl PEP. This is what it looks like:

#!/usr/bin/perl -w

use strict;

use LWP::UserAgent;
use HTTP::Request::Common;

my $userAgent = LWP::UserAgent->new(agent => 'perl post');
# HTTP Basic credentials for the PDP endpoint: host:port, realm, user name, password
$userAgent->credentials("localhost:8280","Axiomatics PDP",'pdp-user','password');

# The AccessQuery3 namespace URI was missing from the original post; take it from your PDP's WSDL.
my $ircNamespace = 'NAMESPACE-URI-ELIDED-IN-ORIGINAL';

# SOAP 1.1 envelope wrapping the XACML request (text/xml content type)
my $soapStartElement = "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"no\"?>
<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">
<soap:Body>
<irc:AccessQuery3 xmlns:irc=\"$ircNamespace\">";
my $soapCloseElement = "</irc:AccessQuery3>
</soap:Body>
</soap:Envelope>";

# XACML 3.0 request: empty resource, action and environment categories; the subject is alice
my $xacmlRequest = "<xacml-ctx:Request ReturnPolicyIdList=\"true\" CombinedDecision=\"false\" xmlns:xacml-ctx=\"urn:oasis:names:tc:xacml:3.0:core:schema:wd-17\">
   <xacml-ctx:Attributes Category=\"urn:oasis:names:tc:xacml:3.0:attribute-category:resource\" />
   <xacml-ctx:Attributes Category=\"urn:oasis:names:tc:xacml:3.0:attribute-category:action\" />
   <xacml-ctx:Attributes Category=\"urn:oasis:names:tc:xacml:3.0:attribute-category:environment\" />
   <xacml-ctx:Attributes Category=\"urn:oasis:names:tc:xacml:1.0:subject-category:access-subject\" >
      <xacml-ctx:Attribute AttributeId=\"urn:oasis:names:tc:xacml:1.0:subject:subject-id\" IncludeInResult=\"true\">
         <xacml-ctx:AttributeValue DataType=\"http://www.w3.org/2001/XMLSchema#string\">alice</xacml-ctx:AttributeValue>
      </xacml-ctx:Attribute>
   </xacml-ctx:Attributes>
</xacml-ctx:Request>";

# POST the assembled SOAP message to the PDP
my $response = $userAgent->request(POST 'http://localhost:8280/asm-pdp/pdp',
Content_Type => 'text/xml',
Content => ($soapStartElement.$xacmlRequest.$soapCloseElement));

print $response->error_as_HTML unless $response->is_success;

# Dump the full HTTP response, including the XACML decision returned by the PDP
print $response->as_string;