
Use JAXB and Ant to generate Java POJOs for XACML 1.1, XACML 2.0, and XACML 3.0 policies

In a previous blog post, I mentioned that I was working on a conversion script for a client to migrate XACML 1.1 policies to XACML 3.0. There are several ways this could be achieved. Here are the ways I have thought of:

1. Use XSLT to convert from the XACML 1.1 schema to the XACML 3.0 schema. This is possibly the purist's way of approaching it. However, XSLT support has not always been great, and it requires a lot of XML, XPath, and XSLT know-how.
2. Use the Java DOM model to parse XACML 1.1 XML and create XACML 3.0 XML.
3. Use JAXB to generate POJOs (plain old Java objects) that represent XACML 1.1 and XACML 3.0.

I chose the latter […]
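As an added illustration (not the script from the post), here is an Ant build file that drives the XJC task from the JAXB reference implementation once per XACML schema. The file names under schemas/, the lib/ directory holding jaxb-xjc.jar and its dependencies, and the com.example.* package names are assumptions; the point is that each schema goes into its own package, because XACML 1.0 and 1.1 share the same namespace (and therefore the same default package), and all three versions reuse element names such as Policy and Rule.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example: generate JAXB POJOs for three XACML schema versions.
     Paths, jar locations and package names are assumptions for this illustration. -->
<project name="xacml-pojos" default="generate" basedir=".">

  <property name="schema.dir" value="schemas"/>
  <property name="gen.dir"    value="build/generated-src"/>
  <property name="jaxb.lib"   value="lib"/>

  <!-- jaxb-xjc.jar and its dependencies are assumed to sit in lib/ -->
  <path id="jaxb.classpath">
    <fileset dir="${jaxb.lib}" includes="*.jar"/>
  </path>

  <!-- XJC Ant task shipped with the JAXB reference implementation -->
  <taskdef name="xjc" classname="com.sun.tools.xjc.XJCTask" classpathref="jaxb.classpath"/>

  <target name="clean">
    <delete dir="${gen.dir}"/>
  </target>

  <target name="generate" depends="clean">
    <mkdir dir="${gen.dir}"/>

    <!-- One xjc run per XACML version. The explicit package attribute matters:
         XACML 1.0 and 1.1 use the same namespace, so xjc's default package
         derived from the namespace would put both versions in the same place. -->
    <xjc schema="${schema.dir}/xacml-1.1-policy.xsd"
         package="com.example.xacml11"
         destdir="${gen.dir}"/>

    <xjc schema="${schema.dir}/xacml-2.0-policy.xsd"
         package="com.example.xacml20"
         destdir="${gen.dir}"/>

    <xjc schema="${schema.dir}/xacml-3.0-core.xsd"
         package="com.example.xacml30"
         destdir="${gen.dir}"/>
  </target>

  <!-- Compiles the generated sources so a broken schema fails the build, not the converter -->
  <target name="compile" depends="generate">
    <mkdir dir="build/classes"/>
    <javac srcdir="${gen.dir}" destdir="build/classes" includeantruntime="false" classpathref="jaxb.classpath"/>
  </target>

</project>
```

One caveat worth keeping in mind: the XACML 1.x policy schema imports the context schema through a schemaLocation, and xjc will follow such imports wherever they point. Keep local copies of every imported schema next to the main one (or point the task at an XML catalog with its catalog attribute) so that code generation never reaches out to the network for a schema you did not review.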


What is a XACML Obligation?

Definition

The XACML standard defines the concept of obligations: elements that can be returned along with a XACML decision (either Permit or Deny) in order to enrich that decision. Obligations are triggered on either Permit or Deny. The Policy Enforcement Point (PEP) must implement and enforce obligations. If it fails to do so, it must deny access to the requested resource (in the case of a Permit). The XACML 3.0 standard defines an obligation as follows:

An operation specified in a rule, policy or policy set that should be performed by the PEP in conjunction with the enforcement of an authorization decision

Where can I use an Obligation?

Obligations can be defined in PolicySet, Policy, and Rule elements. This […]
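To make the two placements concrete, here is a constructed XACML 3.0 policy (an added example, not from the post) with one obligation attached to a Rule and one attached to the enclosing Policy. Every urn:example:* identifier, the role and action values, and the audit scenario are assumptions made for this illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed XACML 3.0 example: obligations at Rule level and at Policy level.
     All urn:example:* identifiers and the scenario are assumptions for this illustration. -->
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="urn:example:policy:medical-records"
        Version="1.0"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Description>Doctors may view medical records; each view is logged, each refusal is reported.</Description>
  <!-- Empty Target: the policy applies to every request, the rules do the narrowing -->
  <Target/>

  <Rule RuleId="urn:example:rule:doctor-can-view" Effect="Permit">
    <Target>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">doctor</AttributeValue>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                                 AttributeId="urn:example:attribute:role"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"
                                 MustBePresent="false"/>
          </Match>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">view</AttributeValue>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                                 AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"
                                 MustBePresent="false"/>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
    <!-- Rule-level obligation (possible since XACML 3.0): returned only when this rule's Permit wins.
         The assigned values are resolved at evaluation time from the request. -->
    <ObligationExpressions>
      <ObligationExpression ObligationId="urn:example:obligation:audit-log" FulfillOn="Permit">
        <AttributeAssignmentExpression AttributeId="urn:example:obligation:audit-log:user">
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                               AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                               DataType="http://www.w3.org/2001/XMLSchema#string"
                               MustBePresent="true"/>
        </AttributeAssignmentExpression>
        <AttributeAssignmentExpression AttributeId="urn:example:obligation:audit-log:record">
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                               AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                               DataType="http://www.w3.org/2001/XMLSchema#string"
                               MustBePresent="true"/>
        </AttributeAssignmentExpression>
      </ObligationExpression>
    </ObligationExpressions>
  </Rule>

  <!-- Catch-all Deny; with first-applicable it is only reached when the rule above does not match -->
  <Rule RuleId="urn:example:rule:deny-everything-else" Effect="Deny"/>

  <!-- Policy-level obligation: returned whenever this policy's decision is Deny, whichever rule produced it -->
  <ObligationExpressions>
    <ObligationExpression ObligationId="urn:example:obligation:notify-security" FulfillOn="Deny">
      <AttributeAssignmentExpression AttributeId="urn:example:obligation:notify-security:reason">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">access to a medical record was refused</AttributeValue>
      </AttributeAssignmentExpression>
    </ObligationExpression>
  </ObligationExpressions>
</Policy>
```

Two points a practitioner should take from this. FulfillOn decides which decision carries the obligation, so the audit obligation never travels with a Deny and the notification never with a Permit. And because the PEP must deny when it cannot discharge an obligation attached to a Permit, an obligation such as the audit log above is a hard requirement on the PEP implementation, not a hint: a PEP that does not understand urn:example:obligation:audit-log has to refuse the request. Rule-level obligations are a XACML 3.0 feature; in 1.x and 2.0 they could only be attached to Policy and PolicySet, which is one of the things a 1.1 to 3.0 converter does not need to worry about in the 1.1 direction.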


XACML 1.1 Class Diagram

I’ve recently been working on an interesting little project: converting XACML 1.1 policies and policy sets to XACML 3.0 policies in order to help migrate a customer from a legacy environment to Axiomatics. In order to proceed with the conversion, I decided to use stock tools available off the shelf and to write as little custom code as possible. Since I write in Java, I chose to go for JAXB, especially since support for JAXB has become better and better over the years. XJC itself is part of the JDK (up to Java 10; JDK 11 removed it together with the rest of JAXB, so newer JDKs need the JAXB reference implementation on the classpath) and it makes generating Java classes from XML schemas a breeze. I’ll talk some more about that in a separate post. In the meantime though, I wanted to share with you an old picture, the […]


What is a XACML condition?

It’s that time of the week when the creative juices go south and the urge to relax hits all-time records. And I know you are all craving some XACML goodness before you head out for the weekend. After all, just a spoonful of XACML makes the… Uh, who am I kidding? Let’s get on with this new episode of TGIF XACML. Today, let’s focus on the XACML condition.

Definition

A condition is an element of the XACML policy language. Unlike targets, it can only occur in rules. The condition is used to further define the scope of XACML rules. The scope defines when the rule will trigger. Both the target and the condition therefore help define the scope of […]


What is a XACML combining algorithm?

Today’s Friday, and the weather is definitely telling us winter is right around the corner. Morning temperatures have been heading south and are flirting with the freezing point. The skies are still clear and a bright blue. Before the weekend comes knocking, it’s that time of the week when I share a bit of XACML know-how to chew on over the next couple of days. In the training sessions we regularly give at Axiomatics, attendees sometimes struggle with the notion of authorization conflict resolution. At times, you might write policies that overlap or contradict one another. This is where combining algorithms come into play.

Combining Algorithm Example

Imagine the following use case: What happens if Alice, the purchasing manager from Vermont, is […]