Comments on: Finally: an open XACML API!

By: links for 2009-08-05 • Bare Identity

links for 2009-08-05 • Bare Identity — Thu, 06 Aug 2009 00:02:55 +0000

[...] Finally: an open XACML API! | Felix Gaehtgens "Microsoft has made it truly “dead easy” for developers to make their applications ready for externalised authentication and claims – with just a few lines of “plumbing code”. Externalising authorisation must be made just as simple. The XACML API is a great start to provide a foundation that can be used to connect simpler APIs and existing access control frameworks to XACML." (tags: kuppingercole felixgaehtgens xacml abac) [...]

By: Felix Gaehtgens

Felix Gaehtgens — Wed, 05 Aug 2009 09:26:28 +0000

Good point there, thanks Bjorn!

The JBoss XACML API is another good example of a XACML API that can be used from inside application servers. It support XACML v2.0 (at this point), and is specifically geared towards Java application servers. There are actually quite a few APIs out there – almost every XACML access/entitlement engine has its own set of APIs.

I continue to believe that we actually need a whole API stack: from a very low-level API that is very close to the XACML policy language up to a high-level API that makes it really easy for developers to externalise their authorisation decisions. I think the OASIS API is a very nice fit for the low-level API because it is very close to the actual XACML semantics. The JBOSS API is somewhere in the middle, allowing developers to use XACML directly by implementing also some convenience functions. I'm still looking for a high-level API, potentially with some tooling for common IDEs that make it virtually trivial for developers to separate authorisation out.

By: Bjørn Ola Smievoll

Bjørn Ola Smievoll — Tue, 04 Aug 2009 23:08:10 +0000

It's truly great that more impls exists, but shouldn't the JBoss XACML API also be considered as free and open source software? http://www.jboss.org/jbosssecurity/download/index...