...
- Need to map XACML attributes to the repository, given a context node.
- JCR query or XPath?
- How to determine XACML data type?
- Can we write a extensible "attribute finder" based on relative JCR XPath?
- Should we implement a local or remote PDP?
- Should we use the PicketBox JBoss XACML Engine?
- PicketLink and PicketBox projects use the same XACML PDP. PicketLink is a larger umbrella project of security services.
- APIs to look at:
- org.jboss.security.xacml.sunxacml.finder.PolicyFinderModule is used to find a policy (or policy set) that matches the request evaluation context. Also used to lookup a policy that is referenced within a policy set by ID.
- org.jboss.security.xacml.sunxacml.finder.AttributeFinderModule is used to find attribute values when evaluating a policy.
- Constructing a policy set for the JBOSS engine:
- see JCR 2.0 16.3 and JBossLDAPPolicyLocator as an example.
| Internal PDP (within ModeShape JVM) | External PDP (remote XACML service) |
|---|---|
Minimal administrative overhead through dependency injection, etc.. | Flexible, can be any XACML implementation |
| ModeShape cache will keep frequently used ACL metadata in memory. Removes the need for any additional cache. | Decent performance may require custom metadata caches. |
| No network overhead making connections or marshaling data. | Network latency, etc.. |
| Decision and policy cache invalidation may be based on events. | Cache invalidation requires wiring JCR or Fedora JMS specifics into the chosen XACML service. Cache invalidation would be asynchronous. |
Adds complexity to the core code base runtime webapp – moving closer to a monolithic, coupled application. |