Showing posts with label ACL. Show all posts

Thursday, November 8, 2007

JBoss XACML v2.0.1-GA news

NOTE: JBossXACML v2.0.3.CR1 is here.

The release was done a few days ago. Not much changed from the Beta that was released earlier. We are still working on a Policy Management Console that makes it easier to perform Policy Construction and Management. I do not have any concrete dates for any console at the moment. So stay tuned.

I know that many of you are eager to try out XACML with JBoss and have all types of questions about whether we will implement a PEP, PDP and PAP at JBoss. PEP and PDP are important for JBoss AS v5.x. I have added support for XACML at the web and EJB layers in JBAS 5.0.x coming out in the future. PAP will happen at leisure.

I did give a presentation on OASIS SAML2 and XACML2 at the Computer Security Institute (CSI) Annual Conference in Washington, DC this week.
Robust Web-Based Security Using OASIS SAML and XACML

Monday, October 15, 2007

Instance Based Security

I am getting some requests to produce code to handle Instance Based Security for Non Application Server related code aka Business Code. The projects that are directly affected are JBoss Rules or Drools, jBPM, JBoss Portal and JBoss Seam.

The idea is to provide CRUD-level access control for data-driven applications.

In the past, OSAccess from Open Symphony has tried to address this space. Acegi Security for Spring has some support for Instance Based ACL.

"Authorization concepts and solutions for J2EE applications" is a nice technical article that talks about Role Based Access Control and Instance Based Access Control.

An ACL implementation will be simple and performant in comparison to an XACML-based implementation, which does have a learning curve attached.
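
A small sketch of what CRUD-level, instance-based checking looks like next to a role check. This is an added example, not code from this post or from any JBoss project; `InstanceAcl`, `Permission`, the `ProcessInstance` type name and the ids are all hypothetical.

```java
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Added illustration, not JBoss code: every class and method name here is hypothetical.
public class InstanceAclDemo {
    enum Permission { CREATE, READ, UPDATE, DELETE }

    /** Per-instance ACL: (type, id) -> principal -> granted CRUD permissions. */
    static class InstanceAcl {
        private final Map<String, Map<String, Set<Permission>>> entries = new HashMap<>();

        private static String key(String type, String id) {
            // Keep the separator out of the type so distinct instances never share a key.
            if (type.indexOf(':') >= 0) throw new IllegalArgumentException("bad type: " + type);
            return type + ":" + id;
        }

        synchronized void grant(String who, String type, String id, Permission first, Permission... rest) {
            entries.computeIfAbsent(key(type, id), k -> new HashMap<>())
                   .computeIfAbsent(who, p -> EnumSet.noneOf(Permission.class))
                   .addAll(EnumSet.of(first, rest));
        }

        synchronized void revoke(String who, String type, String id, Permission p) {
            Map<String, Set<Permission>> acl = entries.get(key(type, id));
            if (acl != null && acl.containsKey(who)) acl.get(who).remove(p);
        }

        /** Default deny: an unknown instance or principal gets no access. */
        synchronized boolean isAllowed(String who, String type, String id, Permission p) {
            Map<String, Set<Permission>> acl = entries.get(key(type, id));
            Set<Permission> granted = (acl == null) ? null : acl.get(who);
            return granted != null && granted.contains(p);
        }
    }

    public static void main(String[] args) {
        InstanceAcl acl = new InstanceAcl();
        // Constructed sample data: two users who would share one role, each granted rights on a different instance.
        acl.grant("alice", "ProcessInstance", "1001", Permission.READ, Permission.UPDATE);
        acl.grant("bob", "ProcessInstance", "1002", Permission.READ);
        System.out.println("alice UPDATE 1001: " + acl.isAllowed("alice", "ProcessInstance", "1001", Permission.UPDATE));
        System.out.println("alice READ   1002: " + acl.isAllowed("alice", "ProcessInstance", "1002", Permission.READ));
        System.out.println("bob   UPDATE 1002: " + acl.isAllowed("bob", "ProcessInstance", "1002", Permission.UPDATE));
        acl.revoke("alice", "ProcessInstance", "1001", Permission.UPDATE);
        System.out.println("alice UPDATE 1001 after revoke: " + acl.isAllowed("alice", "ProcessInstance", "1001", Permission.UPDATE));
    }
}
```

A role check alone would treat alice and bob identically on both instances; the per-instance lookup is what separates them, and a missing entry always resolves to deny.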