
Why can't we all just get along? We can- with XACML!


Bill Dettelback's Blog | July 17, 2007  10:59 AM | Comments (1)


A few weeks ago, at the Burton Catalyst Conference, we participated in the first XACML Interop event, sponsored by OASIS.  It was an interesting experience attempting to prove that independently created vendor products could actually deliver what the standard promises.  BEA was in attendance, as were our friends at Securent, IBM, CA, Oracle, RedHat, Jericho and Symlabs.  The idea of the demo was to show that one vendor's Policy Enforcement Point (PEP) could work with another vendor's Policy Decision Point (PDP) using XACML.   The use cases were based upon a fictitious stock trading application:

1. Authorization decisions- when the trader sends a trade, things like his trading limit and available credit are checked.  The PDP takes these factors into account when returning the grant/deny for the trade.

2. Policy exchange- making a change to the policy inside the PDP, exporting it as a XACML file and re-importing it into another vendor's PDP.
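The first use case, as an added sketch that is not code from the Interop event or from any vendor's product: a PEP serializes the trade as a XACML request context, a stand-in PDP returns a response context, and the PEP enforces it. It assumes the XACML 2.0 context schema; the `urn:example:` attribute ids, the resource id, and the hard-coded rule (amount must not exceed the trading limit or the available credit) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"  # XACML 2.0 context namespace
XS = "http://www.w3.org/2001/XMLSchema#"
# Attribute ids under urn:example: are constructed for this sketch.
LIMIT, CREDIT, AMOUNT = (f"urn:example:trade:{n}" for n in ("trading-limit", "available-credit", "amount"))
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"

def _attr(parent, attr_id, value, dtype):
    a = ET.SubElement(parent, f"{{{CTX}}}Attribute", AttributeId=attr_id, DataType=XS + dtype)
    ET.SubElement(a, f"{{{CTX}}}AttributeValue").text = str(value)

def pep_build_request(trader, limit, credit, amount):
    """PEP side: serialize the trade attempt as a XACML request context."""
    req = ET.Element(f"{{{CTX}}}Request")
    subj = ET.SubElement(req, f"{{{CTX}}}Subject")
    _attr(subj, SUBJECT_ID, trader, "string")
    _attr(subj, LIMIT, limit, "integer")
    _attr(subj, CREDIT, credit, "integer")
    res = ET.SubElement(req, f"{{{CTX}}}Resource")
    _attr(res, "urn:oasis:names:tc:xacml:1.0:resource:resource-id", "urn:example:trade:order", "anyURI")
    _attr(res, AMOUNT, amount, "integer")
    act = ET.SubElement(req, f"{{{CTX}}}Action")
    _attr(act, "urn:oasis:names:tc:xacml:1.0:action:action-id", "trade", "string")
    ET.SubElement(req, f"{{{CTX}}}Environment")
    return ET.tostring(req, encoding="unicode")

def pdp_evaluate(request_xml):
    """Stand-in PDP: one hard-coded rule instead of a real XACML policy engine."""
    root = ET.fromstring(request_xml)
    vals = {a.get("AttributeId"): a.findtext(f"{{{CTX}}}AttributeValue")
            for a in root.iter(f"{{{CTX}}}Attribute")}
    try:
        ok = int(vals[AMOUNT]) <= min(int(vals[LIMIT]), int(vals[CREDIT]))
        decision = "Permit" if ok else "Deny"
    except (KeyError, ValueError, TypeError):
        decision = "Indeterminate"  # missing or malformed attribute
    resp = ET.Element(f"{{{CTX}}}Response")
    result = ET.SubElement(resp, f"{{{CTX}}}Result")
    ET.SubElement(result, f"{{{CTX}}}Decision").text = decision
    return ET.tostring(resp, encoding="unicode")

def pep_enforce(response_xml):
    """PEP side: allow only on an explicit Permit (deny-biased)."""
    decision = ET.fromstring(response_xml).findtext(f".//{{{CTX}}}Decision")
    return decision == "Permit"
```

Because the PEP and PDP share only the two XML documents, either side can be replaced by another implementation that speaks the same context schema; the PEP treats anything other than `Permit`, including `Indeterminate`, as a denial.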

I'm happy to report that ALES was able to show both use cases and in the process we got some valuable interoperability testing that is going to help a future version of the product.  I'll also take my hat off to our peers at the other companies- there was definitely a team spirit at work and none of the issues you might imagine when so many competitors all get into the same room.  The event was well attended (we counted almost 400 people who came thru the door!) and overall the interest level was very high in XACML and how it can solve the problem of fine-grained authorization.

I was curious what was driving most folks to the interop event (besides the free food), and it seemed like most of them were just interested to learn what XACML was all about.  I was expecting to hear questions about what made our XACML implementation better than the others, but no one asked.  I was also expecting to hear folks talk about how XACML is providing a level of investment insulation for their policies- but again it didn't come up.  For the most part, it seemed like less of a statement on cross-vendor interoperability and more of a statement that XACML is real and ready today to be used.  While it's sometimes hard to get into a deep discussion during these sorts of venues, there was a common lack of surprise in the interoperability itself.  I find that interesting- it doesn't seem all that long ago that a J2EE web service being used by a .Net client was a rare sight.  What does that say about the maturity of not only XML standards but also the software infrastructures behind them?

So- is XACML figuring into your Entitlements Management solution?  Do you see XACML providing investment protection, interoperability, or just another standard to track?  Let me know!


Comments


  • My concern with XACML is how it is superior to the semantic web technologies (OWL, RDF, SWRL) based access control mechanism, since semantic technologies have more expressive power and inferencing functionalities.

    Posted by: sarfraz_paki on January 21, 2008 at 7:02 AM


