Sun's XACML Implementation

June 21, 2006 UPDATE

Sorry it's been so long without updates to this page! The good news is that there's been a lot of work recently, and progress is being made towards a 2.0 release. If you haven't done so recently, check out the news postings or the discussion list for details on recent enhancements. Full support for the 2.0 policy-related features is available in the CVS tree, and the remaining features are close on the heels. Look for some new developers to join the project in the next month, and of course get in touch if you want to help out too!

Welcome to Sun's XACML Implementation!

This is an open source implementation of the OASIS XACML standard, written in the Java™ programming language. For more information about XACML, look at our FAQ, the Programmer's Guide or the XACML TC web page. Sun's XACML Implementation requires the Java 2 Platform, Standard Edition version 1.4.0 or later.

This project provides complete support for all the mandatory features of XACML as well as a number of optional features. Specifically, there is full support for parsing both policy and request/response documents, determining applicability of policies, and evaluating requests against policies. All of the standard attribute types, functions, and combining algorithms are supported, and there are APIs for adding new functionality as needed. There are also APIs for writing new retrieval mechanisms used for finding things like policies and attributes.

This project was developed in Sun Microsystems Laboratories, part of Sun Microsystems, Inc., and is part of an ongoing project on Internet Authorization in the Internet Security Research Group. Going forward, we have a host of features we'd like to add to this project, including better configurability, support for some of the up-and-coming standards that connect XACML to things like SAML or LDAP, and strong tools support. If you'd like to get involved, please mail the project administrator.

Introduction to XACML

XACML (eXtensible Access Control Markup Language) is an XML-based language for access control that has been standardized in OASIS. XACML describes both an access control policy language and a request/response language. The policy language is used to express access control policies (who can do what when). The request/response language expresses queries about whether a particular access should be allowed (requests) and describes answers to those queries (responses).

In a typical XACML usage scenario, a subject (e.g. a human user or a workstation) wants to take some action on a particular resource. The subject submits its query to the entity protecting the resource (e.g. a filesystem or a web server). This entity is called a Policy Enforcement Point (PEP). The PEP forms a request (using the XACML request language) based on the attributes of the subject, action, resource, and other relevant information. The PEP then sends this request to a Policy Decision Point (PDP), which examines the request, retrieves policies (written in the XACML policy language) that are applicable to this request, and determines whether access should be granted according to the XACML rules for evaluating policies. That answer (expressed in the XACML response language) is returned to the PEP, which can then allow or deny access to the requester.
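The PEP/PDP exchange just described, as an added example (not code from the sunxacml project): a small program that wires up a PDP through the library's com.sun.xacml API, acts as a PEP by building requests from subject, resource and action attributes, and fails closed on anything other than Permit. It assumes the sunxacml 1.2 jar on the classpath; the policy, the user name and the resource URI are constructed for the demonstration.

```java
import com.sun.xacml.PDP;
import com.sun.xacml.PDPConfig;
import com.sun.xacml.ctx.RequestCtx;
import com.sun.xacml.ctx.Result;
import com.sun.xacml.finder.AttributeFinder;
import com.sun.xacml.finder.PolicyFinder;
import com.sun.xacml.finder.impl.CurrentEnvModule;
import com.sun.xacml.finder.impl.FilePolicyModule;
import java.io.ByteArrayInputStream;
import java.nio.file.*;
import java.util.Collections;
public class PepPdpDemo {
    // Constructed XACML 1.0 policy (first-applicable): action-id "read" is permitted on any resource, everything else falls through to Deny.
    static final String POLICY = "<Policy xmlns='urn:oasis:names:tc:xacml:1.0:policy' PolicyId='demo'"
      + " RuleCombiningAlgId='urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable'>"
      + "<Target><Subjects><AnySubject/></Subjects><Resources><AnyResource/></Resources><Actions><AnyAction/></Actions></Target>"
      + "<Rule RuleId='permit-read' Effect='Permit'><Target><Subjects><AnySubject/></Subjects><Resources><AnyResource/></Resources>"
      + "<Actions><Action><ActionMatch MatchId='urn:oasis:names:tc:xacml:1.0:function:string-equal'>"
      + "<AttributeValue DataType='http://www.w3.org/2001/XMLSchema#string'>read</AttributeValue>"
      + "<ActionAttributeDesignator AttributeId='urn:oasis:names:tc:xacml:1.0:action:action-id' DataType='http://www.w3.org/2001/XMLSchema#string'/>"
      + "</ActionMatch></Action></Actions></Target></Rule><Rule RuleId='deny-rest' Effect='Deny'/></Policy>";
    // PDP side: load the policy through the library's FilePolicyModule and wire the policy and attribute finders.
    static PDP buildPdp(Path policyFile) {
        FilePolicyModule policies = new FilePolicyModule();
        policies.addPolicy(policyFile.toString());
        PolicyFinder policyFinder = new PolicyFinder();
        policyFinder.setModules(Collections.singleton(policies));
        AttributeFinder attrFinder = new AttributeFinder();   // CurrentEnvModule supplies current-time etc. if a policy asks
        attrFinder.setModules(Collections.singletonList(new CurrentEnvModule()));
        return new PDP(new PDPConfig(attrFinder, policyFinder, null));
    }
    // PEP side: build the request, ask the PDP, and fail closed: Deny, NotApplicable and Indeterminate are all refusals.
    static boolean allowed(PDP pdp, String subject, String resource, String action) throws Exception {
        String req = "<Request><Subject><Attribute AttributeId='urn:oasis:names:tc:xacml:1.0:subject:subject-id'"
          + " DataType='urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name'><AttributeValue>" + subject + "</AttributeValue></Attribute></Subject>"
          + "<Resource><Attribute AttributeId='urn:oasis:names:tc:xacml:1.0:resource:resource-id' DataType='http://www.w3.org/2001/XMLSchema#anyURI'>"
          + "<AttributeValue>" + resource + "</AttributeValue></Attribute></Resource>"
          + "<Action><Attribute AttributeId='urn:oasis:names:tc:xacml:1.0:action:action-id' DataType='http://www.w3.org/2001/XMLSchema#string'>"
          + "<AttributeValue>" + action + "</AttributeValue></Attribute></Action></Request>";
        RequestCtx request = RequestCtx.getInstance(new ByteArrayInputStream(req.getBytes("UTF-8")));
        Result result = (Result) pdp.evaluate(request).getResults().iterator().next();   // one Result per requested resource
        return result.getDecision() == Result.DECISION_PERMIT;
    }
    public static void main(String[] args) throws Exception {
        Path policyFile = Files.write(Files.createTempFile("demo-policy", ".xml"), POLICY.getBytes("UTF-8"));
        PDP pdp = buildPdp(policyFile);
        System.out.println("read:  " + allowed(pdp, "alice@example.com", "http://server.example.com/docs/", "read"));
        System.out.println("write: " + allowed(pdp, "alice@example.com", "http://server.example.com/docs/", "write"));
    }
}
```

The attribute values are concatenated straight into the request XML to keep the example short; a production PEP should build the document through a DOM or an escaping layer so that attacker-controlled attribute values cannot alter the request structure.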

XACML has many benefits over other access control policy languages:

  • One standard access control policy language can replace dozens of application-specific languages.
  • Administrators save time and money because they don't need to rewrite their policies in many different languages.
  • Developers save time and money because they don't have to invent new policy languages and write code to support them. They can reuse existing code.
  • Good tools for writing and managing XACML policies will be developed, since they can be used with many applications.
  • XACML is flexible enough to accommodate most access control policy needs and extensible so that new requirements can be supported.
  • One XACML policy can cover many resources. This helps avoid inconsistent policies on different resources.
  • XACML allows one policy to refer to another. This is important for large organizations. For instance, a site-specific policy may refer to a company-wide policy and a country-specific policy.

In Flux...

This web site is undergoing a long-needed update. Now that the 1.2 release is available, expect to see more details showing up here soon, including pointers to some projects where XACML is being used today!

Get Involved!

There is lots of cool stuff to work on in this project. If you'd like to get involved, send mail to the project lead and take a look at the Developer Info pages for information about how to get involved. There are already a bunch of simple and complex projects to work on, so check it out.

Copyright 2003-2004 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms.

Sun, Sun Microsystems, the Sun Logo, and Java are trademarks or registered trademarks of Sun Microsystems, Inc. in the US and other countries.

Last Updated On: July 16, 2004