XACML 102 – Pimp my XACML – Part I: with CSS

Have you recently looked at the XACML 2.0 schema? Or perhaps the newborn, XACML 3.0? Well as far as babies go, it ain’t the cutest. Sure, it’s not XACML’s fault. It’s just that XML and in particular schemas have never really been that friendly to read. But don’t worry, we can help. When it comes to cosmetic surgery, there are quite a few ways to enhance XML representation. Read on to learn how to visualize XACML with CSS. There are two ways – grossly speaking – to make XML more user-friendly: These techniques are by no means specific to XACML. You could apply them to any XML language e.g. WS-Policy, SAML, etc… Let’s have a look at a sample XACML […]

Access Control (or the lack thereof) in literature: how not to implement border control…

I have started reading Hemingway’s masterpiece “Fiesta, the sun also rises” during my commute to/from work. Apart from being an interesting insight into post-war Europe, it also gave a brilliant example of access control being overturned… Just then an old man with long, sunburned hair and beard, and clothes that looked as though they were made of gunny-sacking, came striding up to the bridge. He was carrying a long staff, and he had a kid slung on his back, tied by the four legs, the head hanging down. The carabineer waved him back with his sword. The man turned without saying anything, and started back up the white road into Spain. “What’s the matter with the old one?” I […]

XACML, transports, crypto, and management – a dev’s view

Travis Spencer (@travisspencer), with whom my colleague Gerry (@ggebel) and I have had chats over the past few months, recently published an interesting article on XACML, its shortcomings, and the possible solutions. Travis structured his ideas around 3 main points: transport / communication protocols, trust, and management. Following this, Gerry had a bit of a chat with our folks in Sweden (@axiomatics) and came up with a response which you can read on his blog. I wanted to take a few minutes to look back at the challenges from a developer’s / architect’s perspective. It’s worth remembering that XACML defines 3 particular areas: the policy language; the request / response protocol; and the architecture. A XACML request by any other protocol […]

XACML 101 – A quick intro to Attribute-based Access Control with XACML

Acronym XACML: eXtensible Access Control Markup Language. Highlights XACML: What’s ABAC? ABAC stands for attribute-based access control. It is a natural evolution from role-based access control which itself is a natural evolution from access control lists. Access Control History in a Nutshell Once upon a time, there were access control lists. Once a user authenticated, its identity was known and could be used in such lists. Think of clubs and VIP lists. If you appear on a VIP list, the bouncer (enforcer) will let you in. It doesn’t matter what your role in life is… Then someone realized that the right to do something (authorizations, entitlements…) should rather be linked to a role. Bus drivers can drive public transport buses. […]

Enhancements and new features in #XACML 3.0

I recently had a chat with the editor of XACML 3.0, Erik Rissanen – also the CTO of Axiomatics – about the latest news on XACML 3.0: the enhancements the standard has gone through and the new features we can look forward to. Multiple Decision Profile: Multiple resource request (XACML 2.0) was renamed Multiple Decision Profile (XACML 3.0) and enhanced with new variants. This profile lets a requestor (typically the Policy Enforcement Point, PEP) ask several questions in one go, to which the Policy Decision Point (PDP) returns one answer with multiple decisions. This profile is particularly useful in web-portal-based scenarios where decisions have to be reached for different parts of a portal within a given page for a given […]