Using open source XACML implementations for simulating a PDP, PEP and PAP - authorization

I am working on an ABAC project and am using the ALFA plug-in in Eclipse to write the policies and am enforcing the same through a Java program. Instead of that I want to make use of the open source XACML implementations available to simulate a PDP, PAP and PEP. How to solve the issue?

Open source XACML 3.0 implementations:
AuthzForce
WSO2 Balana
(EDIT based on David's comment:) AT&T XACML.
More info on the XACML wikipedia page.
(Heras-AF and SunXACML are XACML 2.0 only.)

Related

URL accessible at specific hours only XACML

I have a knotty problem (at least for me) to solve
In a nutshell:
A web server exposing a single URL (static page)
the URL should only be accessible between 9 am and 5 pm
(everyday)
the whole thing should be implemented through XACML
Questions
What actually do I need in order to accomplish my objective?
Is there any Oracle implementation of XACML which I should install? Is it by any chance free?
Could another XACML implementation be suitable? I'm referring to WSO2 Balana.
Which tools should I use?
How should I start?
Thanks a lot
You'll need:
a PEP (policy enforcement point) to intercept the request to the server. In your case you are controlling access to a web server. If you're using a Java web server e.g. Tomcat, you can implement a Servlet Filter PEP.
a PDP (policy decision point) to receive the request from the PEP and return a decision (either Permit or Deny). Oracle used to have a PDP solution called Oracle Entitlements Server (OES) but it was discontinued. Nowadays you have several options:
Balana, an open-source XACML engine
AuthZForce, the latest and possibly most complete open-source XACML 3.0 PDP
Axiomatics, a commercial solution that provides you with turnkey PDP, PEP, and policy authoring (aka PAP)
a PAP (policy administration / authoring point): you need to write your policy. I typically use alfa which is easy-to-read shorthand notation for XACML.
In your case, the policy would look like the following:
namespace officeHours {
    // the attribute has to be declared before a target can reference it
    attribute current_time {
        category = environmentCat
        id = "urn:oasis:names:tc:xacml:1.0:environment:current-time"
        type = time
    }
    policy allowOfficeHours {
        apply firstApplicable
        rule allowOfficeHours {
            target clause current_time > "09:00:00":time and current_time < "17:00:00":time
            permit
        }
    }
}
Plan of action
Start
Start with downloading the PDP of your choice. If you need free, then go to AuthZForce. You can ask and tag questions with authzforce here. Their main architect / dev is active here.
Then download the ALFA plugin for Eclipse to start writing some policies.
Finally, use AuthZForce's PEP SDK to write your own PEP. Look at Java servlet filters as an easy means to write a PEP. Check out this post and that one for tips.
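The servlet-filter PEP mentioned in the plan of action, as an added example that is not part of the original answer and not AuthZForce's own PEP SDK: the filter builds a XACML 3.0 Request carrying the resource-id and the environment current-time, POSTs it to the PDP, and lets the request through only on an explicit Permit. The init-param name "pdpUrl", the assumption that the PDP accepts a XACML 3.0 XML Request via HTTP POST (AuthZForce's REST API does; Balana ships no endpoint), and the 2-second timeouts are this example's choices; the servlet and XACML identifiers are standard. Java 9 or later is assumed for readAllBytes().

```java
// Added example (not from the original answer or from any PDP vendor): a servlet-filter PEP
// that delegates the office-hours decision to a XACML 3.0 PDP over HTTP and fails closed.
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.time.LocalTime;
import java.time.format.DateTimeFormatter;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class OfficeHoursPepFilter implements Filter {
    private static final String XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17";
    // Matches <Decision>Permit</Decision>, with or without a namespace prefix.
    private static final Pattern DECISION =
        Pattern.compile("<(?:\\w+:)?Decision>([A-Za-z]+)</(?:\\w+:)?Decision>");
    private URL pdpUrl;

    @Override
    public void init(FilterConfig config) throws ServletException {
        try {
            pdpUrl = new URL(config.getInitParameter("pdpUrl")); // hypothetical init-param name
        } catch (IOException e) {
            throw new ServletException("pdpUrl init-param is missing or malformed", e);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // The PEP supplies current-time from its own clock; never take it from the client.
        // LocalTime.toString() drops ":00" seconds, so format explicitly as a valid xs:time.
        String now = LocalTime.now().format(DateTimeFormatter.ofPattern("HH:mm:ss"));
        String decision;
        try {
            decision = askPdp(buildRequest(http.getRequestURI(), now));
        } catch (IOException e) {
            decision = "Indeterminate"; // PDP unreachable or timed out: fail closed
        }
        if ("Permit".equals(decision)) {
            chain.doFilter(req, resp);
        } else {
            // Deny, NotApplicable and Indeterminate are all refusals for the PEP.
            ((HttpServletResponse) resp).sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }

    /** Builds a XACML 3.0 Request with the resource-id and environment current-time attributes. */
    static String buildRequest(String resourceId, String currentTime) {
        return "<Request xmlns=\"" + XACML_NS + "\" CombinedDecision=\"false\" ReturnPolicyIdList=\"false\">"
             + "<Attributes Category=\"urn:oasis:names:tc:xacml:3.0:attribute-category:environment\">"
             + "<Attribute AttributeId=\"urn:oasis:names:tc:xacml:1.0:environment:current-time\" IncludeInResult=\"false\">"
             + "<AttributeValue DataType=\"http://www.w3.org/2001/XMLSchema#time\">" + currentTime + "</AttributeValue>"
             + "</Attribute></Attributes>"
             + "<Attributes Category=\"urn:oasis:names:tc:xacml:3.0:attribute-category:resource\">"
             + "<Attribute AttributeId=\"urn:oasis:names:tc:xacml:1.0:resource:resource-id\" IncludeInResult=\"false\">"
             + "<AttributeValue DataType=\"http://www.w3.org/2001/XMLSchema#string\">" + escapeXml(resourceId) + "</AttributeValue>"
             + "</Attribute></Attributes></Request>";
    }

    /** POSTs the Request to the PDP and returns the first Decision of the Response. */
    private String askPdp(String xacmlRequest) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) pdpUrl.openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setConnectTimeout(2000);
        conn.setReadTimeout(2000);
        conn.setRequestProperty("Content-Type", "application/xml");
        conn.setRequestProperty("Accept", "application/xml");
        try (OutputStream out = conn.getOutputStream()) {
            out.write(xacmlRequest.getBytes(StandardCharsets.UTF_8));
        }
        if (conn.getResponseCode() != 200) {
            return "Indeterminate";
        }
        try (InputStream in = conn.getInputStream()) {
            Matcher m = DECISION.matcher(new String(in.readAllBytes(), StandardCharsets.UTF_8));
            return m.find() ? m.group(1) : "Indeterminate";
        }
    }

    /** Escapes the request URI so a crafted path cannot break out of the XML element. */
    static String escapeXml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;").replace("\"", "&quot;");
    }

    @Override
    public void destroy() { }
}
```

Two details matter more than the wiring. First, the filter only grants on the literal string Permit: with the office-hours policy above, a request outside 09:00-17:00 makes the single permit rule not match, so the PDP returns NotApplicable rather than Deny, and a PEP that checked for "not Deny" would let it through. Second, the PEP is the one that decides what current-time is; a value taken from a request header would let any client pick its own office hours.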

How can I test my policy? What after generate Balana jar files?

I have installed Balana correctly and run mvn clean install with no error,
How can I get benefit from Jar file?
How can I test the policy that I have written in XACML?
Balana is just the engine. Once you have Balana compiled (and presumably jarred), you need to start it and pass it the XACML policies you wrote. Now, at start-up, Balana should validate that the files are valid XACML 2.0 or XACML 3.0 files.
What you want to do next is send an authorization request using a tool e.g. SoapUI or Postman to the endpoint Balana exposes (if any that is). That will help you validate the endpoint.
PS: I have limited experience with Balana. I work mostly with Axiomatics Policy Server (disclaimer: it's where I work).
PS2: if you want to stay down the path of open source, check out AuthZForce. It's much more active.
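Since Balana does not come with an HTTP endpoint to point SoapUI or Postman at, the quickest way to test a policy after mvn clean install is to drive the engine in-process. The following is an added example, not code from the original answer or from WSO2: it loads the policy files from a directory, evaluates two constructed XACML 3.0 requests (one inside the 09:00-17:00 window, one outside) and prints the Decision. It assumes the Balana jar is on the classpath, that the policy XML lives in the directory passed as the first argument, and that the PDP is built the way WSO2's Balana samples do it (Balana.getInstance(), PDPConfig, new PDP(...), PDP.evaluate(String)); the resource path /index.html and the default directory name are placeholders.

```java
// Added example (not from the original answer or from WSO2): evaluates XACML 3.0 requests
// against policies on disk using Balana as an embedded PDP, with no HTTP endpoint involved.
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.wso2.balana.Balana;
import org.wso2.balana.PDP;
import org.wso2.balana.PDPConfig;
import org.wso2.balana.finder.impl.FileBasedPolicyFinderModule;

public class BalanaPolicyCheck {
    // Constructed XACML 3.0 request; the TIME token is substituted before evaluation.
    private static final String REQUEST_TEMPLATE =
          "<Request xmlns=\"urn:oasis:names:tc:xacml:3.0:core:schema:wd-17\""
        + " CombinedDecision=\"false\" ReturnPolicyIdList=\"false\">"
        + "<Attributes Category=\"urn:oasis:names:tc:xacml:3.0:attribute-category:environment\">"
        + "<Attribute AttributeId=\"urn:oasis:names:tc:xacml:1.0:environment:current-time\""
        + " IncludeInResult=\"false\">"
        + "<AttributeValue DataType=\"http://www.w3.org/2001/XMLSchema#time\">TIME</AttributeValue>"
        + "</Attribute></Attributes>"
        + "<Attributes Category=\"urn:oasis:names:tc:xacml:3.0:attribute-category:resource\">"
        + "<Attribute AttributeId=\"urn:oasis:names:tc:xacml:1.0:resource:resource-id\""
        + " IncludeInResult=\"false\">"
        + "<AttributeValue DataType=\"http://www.w3.org/2001/XMLSchema#string\">/index.html</AttributeValue>"
        + "</Attribute></Attributes></Request>";

    // Matches <Decision>Permit</Decision>, with or without a namespace prefix.
    private static final Pattern DECISION =
        Pattern.compile("<(?:\\w+:)?Decision>([A-Za-z]+)</(?:\\w+:)?Decision>");

    /** Pulls the first Decision out of a XACML Response document. */
    static String decisionOf(String xacmlResponse) {
        Matcher m = DECISION.matcher(xacmlResponse);
        return m.find() ? m.group(1) : "Indeterminate";
    }

    public static void main(String[] args) {
        String policyDir = args.length > 0 ? args[0] : "policies"; // placeholder default path
        // Balana's file-based policy finder reads this system property when the engine starts,
        // so it has to be set before Balana.getInstance() is called.
        System.setProperty(FileBasedPolicyFinderModule.POLICY_DIR_PROPERTY, policyDir);
        Balana balana = Balana.getInstance();
        PDPConfig pdpConfig = balana.getPdpConfig();
        PDP pdp = new PDP(pdpConfig);

        // One probe inside the office-hours window and one outside it.
        for (String time : new String[] {"10:30:00", "18:30:00"}) {
            String request = REQUEST_TEMPLATE.replace("TIME", time);
            String response = pdp.evaluate(request);
            System.out.println(time + " -> " + decisionOf(response));
        }
    }
}
```

Run it with the directory holding the XACML file that the ALFA plugin generated from the office-hours policy. Expect Permit for 10:30:00; for 18:30:00 expect NotApplicable, not Deny, because the policy contains only a permit rule whose target does not match. That is worth seeing before writing the PEP: the enforcement side has to treat every decision other than Permit as a refusal.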
When WSO2 implements open standard protocols like XACML and SCIM, they do not tightly couple the implementation with WSO2 platform components. For example: Balana for XACML [2], Charon for SCIM [1]. Inside WSO2 Identity Server [3] you will find two artifacts, org.wso2.balana_1.1.5.jar and org.wso2.balana.utils_1.1.5.jar, which are relevant to the WSO2 XACML implementation. If you want to make use of the Balana artifacts please refer to [4].
[1] https://github.com/wso2/charon
[2] https://github.com/wso2/balana
[3] https://docs.wso2.com/display/IS570/
[4] https://docs.wso2.com/display/IS570/Working+with+XACML

Open source policy editor tool for XACML 3.0 policy creation

I am using XACML 3.0 for authorization in my project. Is there any open source policy editor tool so that I can create policies on the fly?
There are several open source policy editors. As far as I know:
UMU XACML editor
WSO2 Identity Server
OpenAM Server
Also non-open-source, but freely downloadable:
ALFA Plugin by Axiomatics (non-commercial use)
Free GUI based XACML Editor (XACML2.0 to XACML3.0 conversion)
If you want to integrate policy creation into your project, I guess the best approach is to use the Balana utils library. It is a library that can be used to create XACML 3.0 policies and XACML 3.0 requests using a simple object model. You can find the source code of Balana utils here. Basically, the WSO2 Identity Server policy editors use this library to build the policies.

Generating REST API Documentation from Restlet annotations

The RESTful Web service APIs are implemented using Restlet. I need to generate the API documentation for these. Rather than starting with a separate document, I am evaluating if this can be generated from the source code annotations itself.
I looked at Swagger and enunciate. Swagger seems to be based on the JAX-RS specification. Enunciate looked a little more promising as there is an FAQ that mentions how to generate for non JAX-RS implementations but there is no help.
Are there any tools (or if the community has used any) for generating API documentation from Restlet annotations?
Has anyone integrated Restlet with enunciate for generating documentation?
Restlet now supports the ability to generate the corresponding Swagger or RAML content based on your application at runtime.
Following docs could help you:
For Swagger (extension org.restlet.ext.swagger): see http://restlet.com/technical-resources/restlet-framework/guide/2.3/extensions/swagger
for RAML (extension org.restlet.ext.raml): see http://restlet.com/technical-resources/restlet-framework/guide/2.3/extensions/raml
You can then leverage tools from the tool community to generate your API documentation. You could consider Swagger UI that is a great tool to display online what an API provides and interact with it.
Hope it helps you,
Thierry

Does Restlet contain XACML?

Is XACML supported by Restlet? If so, how is it used?
XACML is not currently supported by Restlet.
There is an open issue on the matter, but it hasn't been touched in 4 years. It's currently considered a low priority enhancement.
You do not particularly need support from Restlet itself. You can use Java XACML PEP SDKs to write the enforcement point that will filter within the Restlet apps.
Have a look at WSO2 (open source) or Axiomatics (vendor). They are the main XACML 3.0 implementations and they both have Java SDKs to implement your own PEPs including support for Restlet.