Web Services Authentication Takes Leap Forward

The OASIS standards consortium Tuesday took another leap forward toward securing Web services with the ratification of Extensible Access Control Markup Language 1.0 (XACML) as an OASIS Open Standard.


XACML is a security standard that lets developers write and enforce information access policies. It governs authorization (what an already-authenticated subject may do) rather than authentication itself, which makes it a key component of authorization infrastructures and a foundational step toward federated access control environments.

The XACML specification describes both an access control policy language
(which allows developers to specify who can do what and when), and a
request/response language which expresses queries about whether a
particular access should be allowed and describes the answers to those
queries.

In a typical XACML usage scenario, a subject (e.g. human user, workstation)
wants to take some action on a particular resource. The subject submits its
query to the entity protecting the resource (e.g. file system, web server).
This entity is called a Policy Enforcement Point (PEP). The PEP forms a
request (using the XACML request language) based on the attributes of the
subject, action, resource, and other relevant information. The PEP then
sends this request to a Policy Decision Point (PDP), which examines the
request, retrieves policies (written in the XACML policy language) that are
applicable to this request, and determines whether access should be granted
according to the XACML rules for evaluating policies. That answer
(expressed in the XACML response language) is returned to the PEP, which
can then allow or deny access to the requester.
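The policy language, request/response language and PEP/PDP exchange described above, as an added worked example in Python. This is not code from the article, OASIS or Sun: the policy and the requests are constructed here, the policy and rule ids and the subject attribute `urn:example:attr:role` are hypothetical, and the toy PDP implements only Target matching with `string-equal` and the `deny-overrides` rule-combining algorithm (no Conditions, obligations or Indeterminate results).

```python
# Toy XACML 1.0 policy decision point, added as an illustration (not code from
# OASIS, Sun or the article). It parses a constructed policy, builds a request
# as a PEP would, evaluates it as a PDP would and returns the decision. Only
# Target matching with string-equal and deny-overrides are supported.
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

POLICY_NS = "urn:oasis:names:tc:xacml:1.0:policy"
CONTEXT_NS = "urn:oasis:names:tc:xacml:1.0:context"
P, C = "{%s}" % POLICY_NS, "{%s}" % CONTEXT_NS
STR = "http://www.w3.org/2001/XMLSchema#string"
EQ = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
DENY_OVERRIDES = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides"
SUBJECT_ID, RESOURCE_ID, ACTION_ID = (
    f"urn:oasis:names:tc:xacml:1.0:{c}:{c}-id" for c in ("subject", "resource", "action"))
ROLE = "urn:example:attr:role"  # hypothetical application-defined subject attribute


def _match(kind, literal, attr_id):
    """One <SubjectMatch>/<ResourceMatch>/<ActionMatch> element of the policy language."""
    return (f'<{kind}Match MatchId="{EQ}"><AttributeValue DataType="{STR}">{literal}'
            f'</AttributeValue><{kind}AttributeDesignator AttributeId="{attr_id}" '
            f'DataType="{STR}"/></{kind}Match>')


# Constructed sample policy: covers resource "patient-record"; doctors may read,
# nobody may delete. Under deny-overrides the Deny rule wins whenever both apply.
POLICY_XML = f"""<Policy xmlns="{POLICY_NS}" PolicyId="urn:example:policy:patient-record"
        RuleCombiningAlgId="{DENY_OVERRIDES}">
  <Target><Subjects><AnySubject/></Subjects>
    <Resources><Resource>{_match('Resource', 'patient-record', RESOURCE_ID)}</Resource></Resources>
    <Actions><AnyAction/></Actions></Target>
  <Rule RuleId="doctors-may-read" Effect="Permit">
    <Target><Subjects><Subject>{_match('Subject', 'doctor', ROLE)}</Subject></Subjects>
      <Resources><AnyResource/></Resources>
      <Actions><Action>{_match('Action', 'read', ACTION_ID)}</Action></Actions></Target>
  </Rule>
  <Rule RuleId="nobody-deletes" Effect="Deny">
    <Target><Subjects><AnySubject/></Subjects><Resources><AnyResource/></Resources>
      <Actions><Action>{_match('Action', 'delete', ACTION_ID)}</Action></Actions></Target>
  </Rule>
</Policy>"""


def build_request(subject_attrs, resource_id, action_id):
    """PEP side: encode subject, resource and action as an XACML 1.0 <Request>.
    Values are XML-escaped because the subject id usually comes from the requester."""
    def attr(aid, value):
        return (f'<Attribute AttributeId="{aid}" DataType="{STR}">'
                f'<AttributeValue>{escape(value)}</AttributeValue></Attribute>')
    subject = "".join(attr(a, v) for a, v in subject_attrs.items())
    return (f'<Request xmlns="{CONTEXT_NS}"><Subject>{subject}</Subject>'
            f'<Resource>{attr(RESOURCE_ID, resource_id)}</Resource>'
            f'<Action>{attr(ACTION_ID, action_id)}</Action></Request>')


def request_attributes(request_xml):
    """Flatten a <Request> into {"Subject"|"Resource"|"Action": {attribute-id: [values]}}."""
    root, out = ET.fromstring(request_xml), {}
    for cat in ("Subject", "Resource", "Action"):
        bag = out.setdefault(cat, {})
        for holder in root.iter(C + cat):
            for a in holder.findall(C + "Attribute"):
                bag.setdefault(a.get("AttributeId"), []).extend(
                    v.text for v in a.findall(C + "AttributeValue"))
    return out


def match_element(m, bag):
    """Apply MatchId to the literal and each value of the designated attribute;
    an absent attribute is simply no match here (a full PDP may say Indeterminate)."""
    if m.get("MatchId") != EQ:
        raise ValueError("unsupported MatchId " + str(m.get("MatchId")))
    literal = m.find(P + "AttributeValue").text
    designator = next(ch for ch in m if ch.tag.endswith("AttributeDesignator"))
    return literal in bag.get(designator.get("AttributeId"), [])


def target_matches(target, attrs):
    """XACML 1.0 Target: Subjects, Resources and Actions must all match; each does if
    it is Any* or some listed alternative has every *Match element matching."""
    if target is None:  # a Rule without its own Target inherits the policy's
        return True
    for cat in ("Subject", "Resource", "Action"):
        section = target.find(P + cat + "s")
        if section.find(P + "Any" + cat) is not None:
            continue
        if not any(all(match_element(m, attrs[cat]) for m in alt.findall(P + cat + "Match"))
                   for alt in section.findall(P + cat)):
            return False
    return True


def evaluate(policy_xml, request_xml):
    """PDP side: returns "Permit", "Deny" or "NotApplicable" for the request."""
    policy, attrs = ET.fromstring(policy_xml), request_attributes(request_xml)
    if not target_matches(policy.find(P + "Target"), attrs):
        return "NotApplicable"
    if policy.get("RuleCombiningAlgId") != DENY_OVERRIDES:
        raise ValueError("unsupported rule-combining algorithm")
    effects = [r.get("Effect") for r in policy.findall(P + "Rule")
               if target_matches(r.find(P + "Target"), attrs)]
    if "Deny" in effects:  # deny-overrides: a single Deny beats any Permit
        return "Deny"
    return "Permit" if "Permit" in effects else "NotApplicable"


def pep_allows(subject_attrs, resource_id, action_id, policy_xml=POLICY_XML):
    """PEP side: enforce the decision, failing closed on anything but an explicit Permit."""
    return evaluate(policy_xml, build_request(subject_attrs, resource_id, action_id)) == "Permit"
```

With this policy a doctor reading `patient-record` gets Permit, a doctor deleting it gets Deny (the Deny rule overrides the Permit rule), and a nurse reading it, or a doctor reading a resource the policy does not cover, gets NotApplicable. The last case is the practitioner's caveat: NotApplicable and Indeterminate are not Permit, and a PEP that treats "not denied" as "allowed" turns every gap in the policy set into access, so `pep_allows` grants only on an explicit Permit.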


“XACML is designed to enable the interoperability of a broad range of administration and authorization products by providing a universal language for authorization policy,” said Hal Lockhart of BEA Systems, co-chair of the OASIS XACML Technical Committee. “Its flexibility and features for supporting large scale, federated environments will literally set the standard for the next generation of authorization products.”

Sun Microsystems followed up on XACML’s approval Tuesday with the release of its implementation of the standard under an open source license.

“Sun believes that flexible and interoperable access control standards are critical for the future of network computing and for the development of secure Web services,” said Mark Bauhaus, vice president of Java Web services at Sun. “That’s why we have supported and continue to support the XACML standard.”


According to Sun, XACML has a number of advantages over other access
control policy languages, including:

  • One standard access control policy language can replace dozens of
    application-specific languages

  • Administrators save time and money because they don’t need to rewrite
    their policies in many different languages

  • Developers save time and money because they don’t have to invent new
    policy languages and write code to support them; they can reuse existing
    code

  • Good tools for writing and managing XACML policies will be developed,
    since they can be used with many applications

  • XACML is flexible enough to accommodate most access control policy
    needs and extensible so that new requirements can be supported

  • One XACML policy can cover many resources; this helps avoid
    inconsistent policies on different resources

  • XACML allows one policy to refer to another; this is important for
    large organizations, for instance, a site-specific policy may refer to a
    company-wide policy and a country-specific policy.

Developed by a team which includes Entrust, IBM, OpenNetworks, Quadrasis, Sterling Commerce, Sun Microsystems, and BEA, XACML joins the recently approved Security Assertion Markup Language (SAML) in the OASIS security portfolio. Developing specifications include WS-Security, Service Provisioning Markup Language (SPML), Digital Signature Services (DSS) and Public Key Infrastructure (PKI).
