Article

XACML: A New Standard Protects Content in Enterprise Data Exchange

 
 

June 24, 2003

With the ratification of XACML by the OASIS (Organization for the Advancement of Structured Information Standards) standards consortium, the world of e-business has taken a step forward. XACML (eXtensible Access Control Markup Language), the newest standard in encoded data exchange, makes possible a simple, flexible way to express and enforce access control policies in a variety of environments, using a single language. A new, open-source implementation of the standard -- Sun Microsystems Laboratories' Java technology-based XACML 1.0 -- is now downloadable and attracting the cooperation of the developer community.

The XACML language effectively protects content from unauthorized use in enterprise data exchanges. Here are three reasons why XACML may soon emerge as the single standard:

  • XACML is designed around, and written in, XML, which enjoys a wide and expanding base in global enterprise environments.
  • OASIS, which drives the development, convergence, and adoption of e-business standards, has ratified XACML.
  • XACML places a set of powerful features at the disposal of developers. It allows a firm to create and deploy authorization policies to match its mix of assets and business use-cases, then plug in additional policies as the business and its standards evolve.

Getting Started with XACML

To find out first-hand what XACML is all about, go to: http://sunxacml.sourceforge.net/

From there, link to the OASIS technical committee URL to learn more about the XACML standard itself. Then download the code and the XACML Implementation Programmer's Guide, which explains what the implementation is and how to use its APIs to write authorization policies. The site links to open source licensing information, an overview of the process, and a task list.

"We are encouraging other people to join the team," says Seth Proctor, who leads the implementation team.

E-business Gets a Syntax It Can Trust

The issue of trust poses an intriguing problem for today's supply chains and federated networks: How does automated enterprise software "know" whether to trust requests for protected information, merchandise, or credit?

"It's about working safely across boundaries of trust," says Seth Proctor, a researcher at Sun Microsystems Laboratories in the Internet Security Research Group. In June 2002, Seth and his colleagues dedicated themselves to a special project: creating a syntax of trust powerful enough to protect the most sensitive government documents, yet generic enough to interoperate across changing commercial environments.

Proctor, along with co-developers Steve Hanna, Yassir Elley, Anne Anderson, and intern Marco Barreno, set to work on XACML, then an emerging standard being developed by an OASIS technical committee. Less than a year later, on February 18, 2003, the XACML standard received the highest possible ratification by OASIS after passing an industry-wide peer review and meeting rigorous compliance benchmarks. The standard was hailed by OASIS XACML technical committee co-chair Carlisle Adams of Entrust, who called XACML "a key component in an authorization infrastructure that can span Web services, Java 2 Standard Edition (J2SE), and other e-business environments."

That same day, Seth and his colleagues open sourced their implementation of XACML to the developer community. Sun's XACML 1.0 implementation allows business and government organizations to use the new standard to create, deploy, and enforce policies that control access to trusted assets, and to information about those assets.

Proctor is quick to point out that XACML is only one of several irons his group has in the fire. "The group came together about five years ago to look at Internet-scale security problems," says Proctor. "We spend equal time working on concrete projects like our XACML implementation, working on evolving standards, and consulting on protocol design and system architecture." The group's XACML 1.0 release, he explains, "was a huge milestone for us."

Milestone in Secure Access

The impact of XACML 1.0 can be gauged by its relationship to the immense and still-growing base of XML in enterprise environments. XML has very quickly become the lingua franca of enterprise data exchange. Its success owes much to XML's inherent strength as a simple way to integrate data. It offers an extensible syntax for sharing documents by using tags and attributes to characterize content, thus enabling powerful search and storage capabilities.

XML's power and simplicity are often cited in research surveys as the leading reasons that corporations have adopted XML. But the drive to integrate and automate business-to-business and intranet-based enterprise systems behind XML has often stalled behind two roadblocks: proprietary XML implementations and security issues. The ratification of the open XACML standard provides a way to get past these roadblocks.

Calling All Policies

Sun's XACML 1.0 implementation is a set of Java classes that read, write, and process the XACML language, thus allowing developers to exploit the rich attribute management techniques that have made XML so popular. The classes, which represent the structure of XACML (both the policies and the request/response format), let developers construct objects that represent Policies or Rules or Requests, or any other piece of the XACML standard using their XML form. Likewise, developers can encode request/response data; the XACML group is working on adding encoding for all the classes. In effect, a developer doesn't have to do any of the work to build applications that use XACML structures. The processing part refers both to the syntactic and semantic rules of XACML. "We can process input to make sure that it's valid XACML, and we can evaluate policies against requests," says Proctor.

Developers use XACML APIs to process two related languages: a policy language that defines access control, and a request/response language in which queries and decisions are conveyed.

A deployed XACML access control system works something like this: A person (or a machine) seeks access to sensitive data. Access to the data is controlled by a Policy Enforcement Point (PEP). The PEP creates a request (using the XACML request/response language) and sends it to a Policy Decision Point (PDP). The PDP examines the request, fetches and interprets any and all policies that are relevant to it, and returns a response for the PEP to enforce. Access is granted or denied based on the XACML rules written into those policies.

XACML comes with a formidable set of data types and functions. "XACML defines several standard data types and functions," explains Proctor. "The data types are things like strings, integers, dates, and sets. The functions are operations over these types, like addition, equality checking, intersection, comparisons, and a host of other features. These give any policy writer a baseline for creating interoperable policies. While most policy writers won't need more than what's already defined, the specification allows you to define new functions and data types as needed. In our implementation, this involves defining a new class against an existing API and adding that class to a factory. It's pretty easy."

Combining

XACML is unusual in that it supports rules that govern how to handle policies whose rules compete or overlap. This technique is known as combining. XACML comes with many standard combining algorithms, and developers can define their own as needed.

The combining system works as follows: A Combining Algorithm defines how to resolve a single result out of multiple results. "Suppose you have five policies, each of which returns an access decision," explains Proctor. "To determine whether access is granted, you need to consider each of the five results and come up with a single result. Developers might do this by denying if any one of the five results was deny, or by denying only if all the results were to deny."

There are standard algorithms that cover some of the common cases, but with XACML developers can define new algorithms and easily plug them into the implementation. Combining becomes particularly important with hierarchical policies or policies from different locations.

Setting Up a PDP and Evaluating a Request

The example uses three XML files:

request.xml: an example XACML request that specifies a resource and an action.
policy.xml: an example XACML policy, taken from the programmer's guide, that applies to the example request and grants access from 9am to 5pm.
response.xml: the response that the example program outputs when run with the example request and policy.

The following example, which shows how to use the common APIs, could serve as a simple test program to help developers get started with XACML. A simple main() function sets up a PDP and tries to evaluate a request. The request, policy, and expected response are included below. The arguments you pass to this program are the name of a file containing a Request, followed by the names of any number of files containing policies (for instance, use the Request and then the Policy provided below).

import com.sun.xacml.*;
import com.sun.xacml.ctx.*;
import com.sun.xacml.finder.*;
import com.sun.xacml.finder.impl.*;
import java.io.FileInputStream;
import java.util.*;

public class SimplePDP {

    public static void main(String [] args) throws Exception {
        // load the policies
        FilePolicyModule policyModule = new FilePolicyModule();
        for (int i = 1; i < args.length; i++)
            policyModule.addPolicy(args[i]);

        // setup the policy finder
        PolicyFinder policyFinder = new PolicyFinder();
        Set policyModules = new HashSet();
        policyModules.add(policyModule);
        policyFinder.setModules(policyModules);

        // module to provide the current date & time
        CurrentEnvModule envModule = new CurrentEnvModule();

        // setup the attribute finder
        AttributeFinder attrFinder = new AttributeFinder();
        List attrModules = new ArrayList();
        attrModules.add(envModule);
        attrFinder.setModules(attrModules);

        // create the PDP
        PDP pdp = new PDP(new PDPConfig(attrFinder, policyFinder, null));

        // now work on the request
        RequestCtx request =
            RequestCtx.getInstance(new FileInputStream(args[0]));
        ResponseCtx response = pdp.evaluate(request);

        // for this example we'll just print out the result
        response.encode(System.out);
    }

}


  <?xml version="1.0" encoding="UTF-8" ?>
  <Request>
    <Resource>
      <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                 DataType="http://www.w3.org/2001/XMLSchema#string">
        <AttributeValue>SampleServer</AttributeValue>
      </Attribute>
    </Resource>
    <Action>
      <Attribute AttributeId="ServerAction"
                 DataType="http://www.w3.org/2001/XMLSchema#string">
        <AttributeValue>login</AttributeValue>
      </Attribute>
    </Action>
  </Request>


  <Policy PolicyId="SamplePolicy"
          RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
    <!-- This Policy only applies to requests on the SampleServer -->
    <Target>
      <Subjects>
        <AnySubject />
      </Subjects>
      <Resources>
        <Resource>
          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SampleServer</AttributeValue>
            <ResourceAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
                                         AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" />
          </ResourceMatch>
        </Resource>
      </Resources>
      <Actions>
        <AnyAction />
      </Actions>
    </Target>
    <!-- Rule to see if we should allow the Subject to login -->
    <Rule RuleId="LoginRule" Effect="Permit">
      <!-- Only use this Rule if the action is login -->
      <Target>
        <Subjects>
          <AnySubject />
        </Subjects>
        <Resources>
          <AnyResource />
        </Resources>
        <Actions>
          <Action>
            <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">login</AttributeValue>
              <ActionAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
                                         AttributeId="ServerAction" />
            </ActionMatch>
          </Action>
        </Actions>
      </Target>
      <!-- Only allow logins from 9am to 5pm -->
      <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-greater-than-or-equal">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
            <EnvironmentAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#time"
                                            AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time" />
          </Apply>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">09:00:00</AttributeValue>
        </Apply>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-less-than-or-equal">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
            <EnvironmentAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#time"
                                            AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time" />
          </Apply>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">17:00:00</AttributeValue>
        </Apply>
      </Condition>
    </Rule>
    <!-- We could include other Rules for different actions here -->
    <!-- A final, "fall-through" Rule that always Denies -->
    <Rule RuleId="FinalRule" Effect="Deny" />
  </Policy>


  <Response>
    <Result>
      <Decision>Permit</Decision>
      <Status>
        <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok" />
      </Status>
    </Result>
  </Response>
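The policy above and the combining discussion earlier can be traced by hand with a small Python model of the evaluation. This is an added illustration, not code from the article or from the Sun XACML implementation: requests are modelled as flat attribute dicts, each Rule as a function returning its XACML decision, and the invented names (request_at, login_rule, final_rule, SAMPLE_POLICY, first_applicable, deny_overrides, evaluate) follow the XACML 1.0 semantics rather than any real API.

```python
import datetime as dt

PERMIT, DENY, NA, INDET = "Permit", "Deny", "NotApplicable", "Indeterminate"

def request_at(resource, action, hour=None, minute=0):
    """Flat attribute dict standing in for request.xml; hour=None omits current-time."""
    req = {"resource-id": resource, "action": action}
    if hour is not None:
        req["current-time"] = dt.time(hour, minute)
    return req

def login_rule(req):
    """LoginRule (Effect=Permit): Target = action 'login'; Condition = 09:00 <= now <= 17:00."""
    if req.get("action") != "login":
        return NA                            # rule Target does not match
    now = req.get("current-time")
    if now is None:
        return INDET                         # time-one-and-only over a missing attribute errors
    return PERMIT if dt.time(9) <= now <= dt.time(17) else NA   # false Condition -> NotApplicable

def final_rule(req):
    return DENY                              # FinalRule (Effect=Deny): no Target/Condition, always fires

# Rules carry their declared Effect so a combining algorithm can treat an
# Indeterminate result as a "potential" Permit or Deny, as XACML 1.0 specifies.
SAMPLE_POLICY = [(PERMIT, login_rule), (DENY, final_rule)]

def first_applicable(policy, req):
    """The page's RuleCombiningAlgId: the first rule not NotApplicable decides."""
    for _effect, rule in policy:
        result = rule(req)
        if result != NA:
            return result
    return NA

def deny_overrides(policy, req):
    """Any Deny wins; an Indeterminate Deny-rule counts as Deny; then Permit; then error."""
    potential_deny = any_permit = any_error = False
    for effect, rule in policy:
        result = rule(req)
        if result == DENY:
            return DENY
        if result == PERMIT:
            any_permit = True
        elif result == INDET:
            any_error = True
            potential_deny = potential_deny or effect == DENY
    if potential_deny:
        return DENY
    return PERMIT if any_permit else (INDET if any_error else NA)

def evaluate(policy, req, combine=first_applicable):
    """PDP entry point: the policy Target limits it to resource 'SampleServer'."""
    if req.get("resource-id") != "SampleServer":
        return NA                            # policy Target does not match
    return combine(policy, req)
```

Running evaluate(SAMPLE_POLICY, request_at("SampleServer", "login", 10, 30)) yields Permit, as in response.xml; switching the same policy to deny_overrides yields Deny for every matching request, because the fall-through FinalRule only works as intended under first-applicable.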

Globalized Enterprise Structures

The ability of XACML-based access control systems to resolve policies that refer to other policies makes XACML especially well-suited to globalized enterprise structures. For example, one firm's supply chain may have a country policy for domestic transactions. The country policy can refer -- and defer -- to an international policy when data types embedded in a request indicate an international transaction. This sort of extensibility matches the increasingly federated distribution of corporate assets in today's far-flung marketplace. XACML looks to replace the patchwork of proprietary access control languages that run against the spirit and syntax of XML-based data exchange. "XACML is a generic access-control system, and as such can be used with pretty much any system," explains Proctor. Not only is Sun's implementation written in the Java language, "which means that it can run on almost any platform," says Proctor, "it has a flexible plug-in system so you can write custom extensions as the XACML specification allows. The XACML implementation supports the entire OASIS standard and passes all of the conformance tests, which means that it should work with future implementations without any trouble."

Plans are underway to integrate the Sun XACML implementation with several other emerging security standards. Among them: SAML (Security Assertion Markup Language), an OASIS standard that provides a secure mechanism to convey requests and responses, and XMLDSIG, the W3C XML Signature standard.

Best of all, Proctor says, "It's truly open sourced," under a BSD License. "For the present, I suspect that most people will just want to grab the code and play around with the language, but we're already getting mail from people who want to join in the project."

Street Credibility

Will its XML provenance and OASIS ratification create a snowball effect and drive rapid adoption of XACML? "OASIS ratification means a number of things, but most importantly it means that a large number of companies and individuals think the standard is ready for use," says Proctor. He notes the one-hand-helps-the-other effect that often accompanies ratification of a new standard. On the one hand, "XACML 1.0 is a frozen standard that people can start using to build interoperable policy systems," says Proctor. On the other hand, "people are more likely to want to incorporate XACML into their work because it's an official OASIS standard."

As for the Internet Security Research Group, Proctor and his colleagues are moving ahead to incorporate management tools, performance enhancements, and incremental API and feature improvements. "I'm hoping that a lot of future work will come from the open source developer community, but my group will certainly continue to be active in this project," says Proctor. In fact, a new version of the XACML implementation is already in the pipeline. In the meantime Proctor concludes, "there's a good deal of work underway in different standards bodies to define how XACML interacts with other standards (protocols, databases, authentication systems, and so on), and as these efforts become more mature, we'll be working to add support into our code."

See Also

Getting Started with XACML
(http://sunxacml.sourceforge.net/)

XACML Press Release
(http://www.sun.com/smi/Press/sunflash/2003-02/sunflash.20030218.1.html)

The Future of Web Services Security: A Conversation with Eve Maler
(http://java.sun.com/features/2003/03/webservices-qa.html)

Java Technology and XML
(http://java.sun.com/xml/)

OASIS
(http://www.oasis-open.org/home/index.php)

XMLDSIG
(http://www.w3.org/Signature)
