Understanding eXtensible Access Control Markup Language (XACML)
With the growth of e-commerce, the Internet is flooded with information and data. Some of that data is sensitive and important, and it needs to be secured. Two things are needed to ensure information security.
The first is access control and the second is authorization. XACML, the eXtensible Access Control Markup Language, is a standard (developed by OASIS) that provides both, and both are crucial for the secure transmission and use of data over the Internet.
First, we will discuss the architecture of XACML. At the core of XACML are policies, which have sub-components of their own: rules, targets and rule-combining algorithms. A policy can have more than one rule, but it can have only one rule-combining algorithm. A rule is composed of three things: a condition, an effect and a target.
Conditions are evaluation statements, and the effect is their consequence. In XACML, the effect can take one of two values: PERMIT or DENY. A target is used to decide whether the policy (or rule) is applicable to the request. In other words, a target identifies the actions on resources, invoked by people or any other subject, that the policy or rule covers.
Now we will discuss the basic protocol behind XACML. It is a request-response protocol. According to the XACML specification, whenever a request for authorization is made, it is directed to the Policy Enforcement Point (PEP). This is the entry point: it receives the access request, converts it into an XACML request and passes it to the Policy Decision Point (PDP).
So the main task of the PEP is to convert a simple authorization request into a standard XACML request. The PDP then receives the XACML request and evaluates it against the relevant policies. These policies are provided by the Policy Access Point (PAP). There is also a Policy Information Point (PIP), which provides policy attribute values if the PDP requires them.
After gathering the necessary information from the PAP and the PIP, the PDP reaches an authorization decision, which is sent back to the PEP in response to the authorization request. The PDP's response can either permit or deny the access request; which one depends entirely on the evaluation of the relevant policies.
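The policy structure and the PEP/PDP/PIP flow described above can be sketched in a few lines. This is an added example, not code from the XACML specification or any XACML product: it is a simplified Python model rather than real XACML XML, and the subjects, attributes, rules and policy names are constructed for illustration. It shows that the same two rules give different decisions under the deny-overrides and first-applicable rule-combining algorithms.

```python
# Added illustration: a simplified model, not real XACML syntax or a library API.
from dataclasses import dataclass
from typing import Callable

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

def matches(target, attrs):
    return all(attrs.get(k) == v for k, v in target.items())

@dataclass
class Rule:
    target: dict                        # attribute values the request must carry
    condition: Callable[[dict], bool]   # evaluation statement
    effect: str                         # consequence: PERMIT or DENY

    def evaluate(self, attrs):
        hit = matches(self.target, attrs) and self.condition(attrs)
        return self.effect if hit else NOT_APPLICABLE

@dataclass
class Policy:
    target: dict
    rules: list
    combine: Callable                   # exactly one rule-combining algorithm

def deny_overrides(results):
    return next((d for d in (DENY, PERMIT) if d in results), NOT_APPLICABLE)

def first_applicable(results):
    return next((r for r in results if r != NOT_APPLICABLE), NOT_APPLICABLE)

# Constructed sample data: PIP attributes, two rules, and two policies (PAP role).
PIP = {"alice": {"role": "doctor", "on_shift": True},
       "bob": {"role": "doctor", "on_shift": False}}
RULES = [Rule({"action": "read", "role": "doctor"}, lambda a: True, PERMIT),
         Rule({"role": "doctor"}, lambda a: not a["on_shift"], DENY)]
STRICT = Policy({"resource": "medical-record"}, RULES, deny_overrides)
LOOSE = Policy({"resource": "medical-record"}, RULES, first_applicable)

def pdp(request, policy, pip=PIP):
    # Merge PIP attributes last so they win over anything the caller supplied.
    attrs = {**request, **pip.get(request["subject"], {})}
    if not matches(policy.target, attrs):
        return NOT_APPLICABLE
    return policy.combine([r.evaluate(attrs) for r in policy.rules])

def pep(subject, action, resource, policy):
    # Build the request, ask the PDP, grant access only on an explicit Permit.
    request = {"subject": subject, "action": action, "resource": resource}
    return pdp(request, policy) == PERMIT
```

With `STRICT`, the off-shift subject `bob` is denied because the Deny rule overrides the Permit rule; with `LOOSE`, the first matching rule wins and the same request is permitted. A subject the PIP does not know yields NotApplicable, which this PEP treats as a refusal.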
XACML is a general-purpose language, and different editors, such as UMU-XACML-Editor, are available for developing XACML policies. Its simplicity and popularity lie in the fact that it adopts an XML vocabulary to define rules, which are then used for authentication and access control purposes.