

Tuesday, August 31, 2010

PicketBox XACML from JBoss released

It took some extra time (other priorities took precedence). In the end, it all worked out fine.

PicketBox, an LGPL-licensed free open source project, has released its XACML component. Please download it from PicketBox downloads.

Main Wiki Page

PicketBox XACML Dashboard Wiki Page

Main Features Added (compared to v2.0.4)

PicketBox JIRA

JBoss Integration

PicketBox XACML is integrated into JBoss Application Server v5.0 and beyond.  Additionally, it is available as part of the JBoss Enterprise Application Platform (EAP) v5.0 and beyond and JBoss SOA Platform v5.0 and beyond.

Release Notes

** Bug
  • [SECURITY-452] - Don't use Xalan classes directly. Use Java API instead
  • [SECURITY-461] - AttributeFinder:findAttribute method can throw an NPE if any of the attribute finder modules return null
  • [SECURITY-462] - JBossRequestContext should throw IllegalArgumentException for null inputstream
  • [SECURITY-507] - JBossXACML: anyURI mismatch
  • [SECURITY-518] - JBossPDP should be serializable

** Feature Request
  • [SECURITY-454] - Database Attribute Locator
  • [SECURITY-463] - AttributeValue.getValue abstract method
  • [SECURITY-455] - LDAP based attribute locator
  • [SECURITY-456] - File based Attribute Locator
  • [SECURITY-492] - JBossPolicySetLocator should gracefully handle policies
  • [SECURITY-516] - Create a LDAP policy provider for JBoss XACML
  • [SECURITY-521] - Decision Cache for constant XACML Requests
  • [SECURITY-522] - XACML add hashcode and equals to RequestCtx, Attribute
  • [SECURITY-525] - XACML Attribute Locator should support comma separated list of attributeSupportedIds

Monday, August 30, 2010

XACML Design Considerations and Pointers

One of the challenges with XACML has been the deep knowledge of the XACML vocabulary required to read or write policies. A pile of raw XACML policies can send shivers down anybody's spine. While the language is extremely powerful, the lack of good editors has been its bane.

While it is difficult to design a general-purpose XACML editor that does not require extensive XACML knowledge from the user, it should definitely be possible to create context-based editors for XACML rules. Suppose you are creating XACML policies for your web application; you can then have an editor that is specific to the web application domain. This domain-based editor approach removes the need for XACML knowledge on the user's side: the policies are designed in the domain's own semantics, and the editor produces the XACML.

If you have some free time to kill and want to understand XACML better, I certainly recommend taking a peek at the Fedora XACML document (I did not write it, nor was I associated with the project).

Design Consideration

One of the favorite topics broached by XACML designers is the concept of date/time as part of the environment attributes.

You should be able to create XACML policies with rules such as:
  • Deny requests to web applications between 5pm and 8am CDT.
One point you need to note here is that if you are setting up automated tests to validate your policies, the time at which the PDP runs your tests can affect the outcome of the test: when the request carries no current-time, the context handler fills it in from the wall clock, so the same test passes in the morning and fails in the evening.

You should embed the current time (with its time zone) as part of your XACML request during tests, so that they simulate a request occurring at a particular time rather than at whatever time the test happens to run. :)

You should definitely take a look at the XML date and time functions, including time zone handling, as listed here.
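As an added example (not PicketBox code and not from the original post), here is the "deny between 5pm and 8am CDT" rule above evaluated against XACML 2.0 requests whose Environment pins current-time. The policy condition, the request documents and the toy PDP are all constructed for this example; the PDP implements only the standard time-in-range function (inclusive bounds, wrap-around past midnight, zone defaulting) rather than a full policy engine. The wall-clock fallback that makes untimed test requests flaky is kept deliberately so the two behaviours can be compared.

```python
"""Added example (not PicketBox code): evaluate a 'deny between 17:00 and 08:00 CDT'
rule against XACML 2.0 requests whose Environment pins current-time, so the test
outcome does not depend on when the test suite runs.

Assumptions: the policy condition and request documents are constructed here; the
evaluator is a toy PDP that implements only the XACML 2.0 time-in-range function."""
import xml.etree.ElementTree as ET
from datetime import date, datetime, time, timezone

POLICY_NS = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
CONTEXT_NS = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
CURRENT_TIME_ID = "urn:oasis:names:tc:xacml:1.0:environment:current-time"
TIME_TYPE = "http://www.w3.org/2001/XMLSchema#time"
TIME_IN_RANGE = "urn:oasis:names:tc:xacml:2.0:function:time-in-range"

# Constructed rule condition: Deny when current-time is in [17:00, 08:00] CDT (UTC-5).
# time-in-range always reads its third argument as later than the second, so a
# window whose end looks 'earlier' wraps around midnight, as this one does.
DENY_CONDITION = f"""
<Condition xmlns="{POLICY_NS}">
  <Apply FunctionId="{TIME_IN_RANGE}">
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
      <EnvironmentAttributeDesignator AttributeId="{CURRENT_TIME_ID}" DataType="{TIME_TYPE}"/>
    </Apply>
    <AttributeValue DataType="{TIME_TYPE}">17:00:00-05:00</AttributeValue>
    <AttributeValue DataType="{TIME_TYPE}">08:00:00-05:00</AttributeValue>
  </Apply>
</Condition>"""


def build_request(current_time=None):
    """Build a minimal XACML 2.0 request. Pass an xs:time string (with zone) to pin
    current-time for a deterministic test; omit it to see the wall-clock fallback."""
    env = (f'<Environment><Attribute AttributeId="{CURRENT_TIME_ID}" DataType="{TIME_TYPE}">'
           f"<AttributeValue>{current_time}</AttributeValue></Attribute></Environment>"
           if current_time is not None else "<Environment/>")
    return (f'<Request xmlns="{CONTEXT_NS}"><Subject/>'
            '<Resource><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" '
            'DataType="http://www.w3.org/2001/XMLSchema#anyURI">'
            "<AttributeValue>http://webapp.example/</AttributeValue></Attribute></Resource>"
            f"<Action/>{env}</Request>")


def _seconds_utc(t, fallback_tz):
    """Seconds since midnight UTC for an xs:time; a zone-less value uses fallback_tz."""
    aware = datetime.combine(date(2000, 1, 1), t).replace(tzinfo=t.tzinfo or fallback_tz)
    u = aware.astimezone(timezone.utc)
    return u.hour * 3600 + u.minute * 60 + u.second


def time_in_range(t, lo, hi, default_tz=timezone.utc):
    """XACML 2.0 time-in-range: inclusive; hi is treated as later than lo (may wrap
    midnight); a zone-less t uses the context handler's default zone, and zone-less
    bounds use t's zone."""
    tz = t.tzinfo or default_tz
    a, b, c = _seconds_utc(t, default_tz), _seconds_utc(lo, tz), _seconds_utc(hi, tz)
    return b <= a <= c if b <= c else (a >= b or a <= c)


def rule_bounds(condition_xml=DENY_CONDITION):
    """Pull the two time literals out of the time-in-range Apply in the condition."""
    ns = {"p": POLICY_NS}
    root = ET.fromstring(condition_xml.strip())
    for node in root.iter(f"{{{POLICY_NS}}}Apply"):
        if node.get("FunctionId") == TIME_IN_RANGE:
            lo, hi = [time.fromisoformat(v.text.strip())
                      for v in node.findall("p:AttributeValue", ns)]
            return lo, hi
    raise ValueError("no time-in-range condition found")


def evaluate(request_xml, now=None):
    """Toy PDP: 'Deny' if the rule's time window matches, else 'Permit'.
    If the request carries no current-time, a real context handler fills it in from
    the wall clock; 'now' (a datetime or ISO 8601 string) stands in for that clock
    and is exactly the source of the flaky-test problem described in the post."""
    ns = {"c": CONTEXT_NS}
    root = ET.fromstring(request_xml)
    current = None
    for attr in root.findall("c:Environment/c:Attribute", ns):
        if attr.get("AttributeId") == CURRENT_TIME_ID:
            current = time.fromisoformat(attr.find("c:AttributeValue", ns).text.strip())
    if current is None:
        if isinstance(now, str):
            now = datetime.fromisoformat(now)
        current = (now or datetime.now(timezone.utc)).timetz()
    lo, hi = rule_bounds()
    return "Deny" if time_in_range(current, lo, hi) else "Permit"


if __name__ == "__main__":
    print(evaluate(build_request("18:00:00-05:00")))  # Deny
    print(evaluate(build_request("10:00:00-05:00")))  # Permit
    print(evaluate(build_request()))  # depends on the wall clock: avoid this in tests
```

Note that the pinned request is evaluated against the same instant regardless of the zone it is written in (18:00-05:00 and 23:00+00:00 give the same decision), which is why the time zone belongs in the request literal rather than in whatever the test host's clock happens to be set to.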