Category: XACML Discussions

XACML PAP PDP Separation

In my previous post, I went through the XACML PDP (Policy Decision Point) architecture using WSO2 Identity Server. In this blog post, I am hoping to go through how the PDP and PAP have been separated from each other. In some implementations (especially with older Identity Server versions), there is no separation with PAP (Policy Administrator […]

XACML engine architecture (PDP)

In this blog post, we are going to visit some of the architecture design of a XACML engine. When it comes to XACML and the open source world, WSO2 Identity Server is one of the major players. The latest release of WSO2 Identity Server supports XACML 3.0 based on the Balana XACML implementation. As source code, distribution and documents are […]

What is new with XACML 3.0

These days, I am working on an open source XACML 3.0 implementation called “Balana”. You can find the project from here. Balana is an improvement of sun-xacml. However, I am not going to talk about Balana today… but just want to share some knowledge of XACML 3.0. When I go through the XACML 3.0 core specification, the following are […]

PDP PEP Communication – how WSO2 Identity Server defines

The XACML specification clearly defines the externalized architecture by separating the PDP and PEP components. The PDP makes authorization decisions, and the PEP can talk to the PDP and get those decisions. Therefore, it is better to have a standard way of doing PEP and PDP communication, because in a deployment any application (PEP) could communicate with any PDP irrespective […]

Understanding PIP (Policy Information Point)

According to the XACML reference architecture, the PIP is the system entity that acts as a source of attribute values. Basically, if there are missing attributes in the XACML request sent by the PEP, the PIP would find them for the PDP to evaluate the policy. To understand this better, let's go through a sample XACML policy […]

XACML reference architecture

The reference architecture proposes a standard for deployment of the necessary software modules within an infrastructure. The Policy Decision Point (PDP) evaluates policies against access requests provided by Policy Enforcement Points (PEP). To provide the decisions, the PDP may also need to query a Policy Information Point (PIP) to gather descriptive attributes about the user or any other missing […]

Why we need XACML?

Most organizations are still using legacy systems with built-in authorization logic. Sometimes, one organization contains a large number of information systems and applications, each of which uses its own way of authorizing. Today, authorization has become more complex, because users within the organization as well as outside the […]

What is XACML?

XACML (eXtensible Access Control Markup Language) is an XML-based language for access control that has been standardized by the Technical Committee of the OASIS consortium. XACML is very popular as a fine-grained authorization method among the community, but there are a lot of aspects of XACML other than just being a fine-grained authorization mechanism. Although XACML was introduced as […]