XACML for Authorization

standardized, attribute based, externalized, fine-grained and dynamic authorization for enterprise applications

“Balana” The Open source XACML 3.0 implementation

WSO2 Balana is the latest open source XACML implementation based on sun-xacml. Currently, WSO2 Balana supports the XACML 3.0 specification with the Multiple Decision Profile. You can find the Balana source from here.

When you go through the source of Balana, you will find that it is very similar to the sun-xacml source; the XACML 3.0 specification has been implemented as extensions to the existing model. I guess we could go through the implementation details later…

Overall, the Balana project contains four modules.

  • Balana core – This is the actual implementation
  • Balana samples – This contains the samples
  • Balana Utils – This contains some utility methods in Balana. For now, it contains policy editor utility methods that can be used to create XACML 3.0 policies easily. (This was added in Sep 2013)
  • Balana documentation – This contains docs
  • Balana distribution – This creates the zip file that contains runnable artifacts, samples and docs.

Some of the major things that can be seen in Balana when compared to sun-xacml:

1. XACML 3.0 support
2. Multiple decision profile support
3. File based policy finder module as default one
4. Proper logging with log4j
5. Maven support for compiling with unit tests
6. Samples
7. Utility methods to create XACML 3.0 policies and so on

There may also be performance improvements with Balana, but no performance comparison between Balana and sun-xacml has been done yet.

More blog posts on Balana are in the queue… :)


Add a Comment
  1. Where can I report back bugs?
    There is one in the encoding of org.wso2.balana.xacml3.Attributes it shouldn’t check for “IncludeInResult”.

  2. I like that you declared that Balana supports both xacml 2.0 and xacml 3.0. Here I have a question: is it possible to put the choice of XACML 2 or XACML 3 in the configuration file, so that Balana code will generate the correct version of XACML policy based upon the version configured inside the configuration file?

  3. Hi Duanhua,

    Actually, Balana supports policies of all XACML versions (3, 2, 1.1, 1.0). You do not need to configure it in a file, because all policies are mapped into a common object model inside Balana and evaluation is done.

    1. Thank you for answering my question, but that is not what I mean.

      I used to use sun-xacml java code to create my own new xacml policies. For example, as long as I know the attribute values for the subject, resource and action, I can write the java code which will generate the xacml policy for me. Of course, sun-xacml code only allows me to generate xacml 2.0 policies.

      Last year, SICS (Swedish ICT) released their sun-xacml 3.0 source code. They modified the sun-xacml 2.0 code, added constructor wrappers around the existing classes, and added the version as a new parameter, so that it will allow me to generate xacml policies for both xacml 2.0 and xacml 3.0 as long as I pass in the xacmlversion as a value. The following is the example piece of code to generate an AttributeDesignator.

      AttributeDesignator attributeDesignator =
      new AttributeDesignator(category, dataType, id, mustBePresent, issuer, xacmlversion);

      Actually, I tried to use Balana code to do the same, but I feel that it won’t work, that is why I post this question. Can you tell me if I didn’t do it the correct way?

  4. Hi Duanhua,

    Sorry for the misunderstanding. Thanks for the great clarification. I (anyone?) have not tried this with Balana. But I guess it may work :) because the encode() method (that encodes into an XML String) has been implemented in all elements and we are keeping the XACML policy version as policy metadata. Therefore I guess we can get this to work. But there may be bugs or improvements to be done. I have already created a jira to track this [1]. We will surely take this for the next release of Balana. Thank you again.

    [1] https://wso2.org/jira/browse/COMMONS-93

  5. You may try Target, for example:

    Target target = new Target(targetSectionList, xacmlversion);

    If you feel I make the wrong call, please show me the correct call.


  6. Hi Duanhua,

    Yes, you are correct. But if you go through the code, in some elements this encoding method has not been implemented. So there are issues. We can fix them for the next release. Btw, is there any special reason for creating XML policies using the object model? If you can give us the exact requirement, we can probably help you on this.

  7. The one requirement is from OpenAz. The OpenAz shorthand notation is using the object model to generate policy. Another use case is the ALFA Plugin for Eclipse, introduced by Axiomatics. Actually there are many if you do a search in Google.

  8. Yes. Actually Balana has not been written aiming at the above purpose. But we can make it work. However, Balana is used by the WSO2 Identity Server product. This product has a Web based UI component to create XACML policies in an easier manner. It is also based on a simple object model. I have written some blogs on creation of XACML policies using it. Please refer to this [1]. But it is for the 3.2.3 release. However, you can try out the latest release UI also. You can check the code from SVN to see how they have mapped the object model to create the XML policies.

    [1] http://xacmlinfo.com/2012/05/02/xacml-policy-editor-in-wso2-identity-server/

  9. You mentioned the new release is version 3.2.3, but I still see that Subversion is 1.0.0. My question: is Balana a real open source? Or only partially open source? For example, 1.0.0 release will be open source but 3.2.3 will not be open source. Can you clarify?

    Another question, is xacml-policy-editor in wso2-identity-server open source as well?

  10. Sorry, I guess you have got my comment wrong. Balana is only a XACML (2.0/3.0) implementation library (like sunxacml) and it is totally open source with the Apache 2 license. Balana has been used by WSO2 Identity Server as its library for XACML implementation (before Balana, WSO2 used sunxacml) to act as its entitlement engine. WSO2 Identity Server is also a fully open source project [1] with the Apache 2 license. What I meant is, Balana has been written as only an evaluation engine (basically a Java library for the XACML specification). If you are looking for advanced capabilities such as policy creation, management (PAP capabilities) and a production PDP (caching, high availability, clustering and so on), it is better to look for an open source product like WSO2 Identity Server. Balana is a new project. It has only a 1.0.0 version. But WSO2 Identity Server is an old project and its new version is 4.0.0. I have written this blog post [2] for the WSO2 Identity Server 3.2.3 version. WSO2 Identity Server 4.0.0 is using the Balana 1.0.0 version. Before, WSO2 Identity Server (versions older than 3.2.3) used sunxacml as its XACML library.

    [1] http://wso2.com/products/identity-server/
    [2] http://xacmlinfo.com/2012/05/02/xacml-policy-editor-in-wso2-identity-server/

  11. Hi Duanhua,

    Also, if you are interested in contributing to Balana, you can create jiras and do improvements and bug fixes. Still there are only a few contributors (except people from WSO2), as this project was started a few months back. Actually there are very few active open source projects for XACML (especially XACML 3.0). Therefore it would be great to have an active project in this space, then people can use this as a free library for their own projects. We are really hoping to move this project to be an Apache project. But there is some process for that and it would take some time. Please visit the Balana issue tracker from here [1] (I guess you need to create an account and log in)

    [1] https://wso2.org/jira/browse/COMMONS/component/10871

  12. What about if I feel the design is wrong? For example: I don’t think the Target class should appear in 2 different packages, such as xacml2 package and xacml2 package. I think it should stay in its original sunxacml package. Just modify it so that it can deal with both xacml version 2 and xacml version 3. Do you think this is a bug fix or a design change? Can I go ahead and do it?

    1. Sorry for the late reply….. It is a design change. Both Target classes in the xacml2 and xacml3 packages implement the abstract class “AbstractTarget” and we have the “TargetFactory” that would create the correct object.

  13. Hi Yusuf,

    Balana is not supporting that…. It supports the core specification, multiple decision and hierarchical resource profiles… However, we are hoping to add it soon…

  14. Hi All,
    While the process is writing the data to the file (XACML), the process is killed. And the file is corrupt.
    And the whole authorization system goes for a toss. Do we have a solution for this issue?

    We faced this problem some time back and we had to open each file, debug and fix.
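
A common way to avoid the half-written policy file described in the last comment is to check the policy for well-formedness, write it to a temporary file, and rename it over the target only once it is complete. This is an added Java example, not Balana code and not part of the original thread; the class name, the staging directory and the sample policy are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.ByteBuffer;
import java.nio.channels.FileChannel;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;

// Added example: hypothetical helper class, not part of Balana.
public class AtomicPolicyWriter {
    // Reject truncated or malformed XML before it gets near the policy directory.
    static void checkWellFormed(byte[] xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
    }

    // stagingDir (assumption): same filesystem as target, outside the directory the PDP scans.
    static void writePolicy(Path stagingDir, Path target, String policyXml) throws Exception {
        byte[] bytes = policyXml.getBytes(StandardCharsets.UTF_8);
        checkWellFormed(bytes);
        Path tmp = Files.createTempFile(stagingDir, "policy-", ".tmp");
        try {
            try (FileChannel ch = FileChannel.open(tmp, StandardOpenOption.WRITE)) {
                ByteBuffer buf = ByteBuffer.wrap(bytes);
                while (buf.hasRemaining()) ch.write(buf);
                ch.force(true); // data must be on disk before the rename makes it visible
            }
            // With POSIX rename() semantics a reader sees the old file or the new one, never a partial write.
            Files.move(tmp, target, StandardCopyOption.ATOMIC_MOVE);
        } finally {
            Files.deleteIfExists(tmp); // no-op after a successful move
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample policy, for illustration only.
        String policy = "<Policy xmlns=\"urn:oasis:names:tc:xacml:3.0:core:schema:wd-17\" PolicyId=\"sample\" Version=\"1.0\""
            + " RuleCombiningAlgId=\"urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides\">"
            + "<Target/><Rule RuleId=\"deny-all\" Effect=\"Deny\"/></Policy>";
        Path root = Files.createTempDirectory("pdp");
        Path staging = Files.createDirectory(root.resolve("staging"));
        Path policies = Files.createDirectory(root.resolve("policies"));
        writePolicy(staging, policies.resolve("sample.xml"), policy);
        try { // simulated truncation: rejected by the parser, so the existing file stays intact
            writePolicy(staging, policies.resolve("sample.xml"), policy.substring(0, 80));
        } catch (org.xml.sax.SAXException e) {
            System.out.println("rejected truncated policy; existing file untouched");
        }
    }
}
```

If the writer is killed at any point before the move, only the staging file is affected, so the PDP keeps evaluating against the last complete policy.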


XACML for Authorization © 2015 Frontier Theme