Designing an XACML API

Posted on 2024-07-19 05:23:11

Currently, the XACML specification defines a protocol for request / response but leaves it up to interpretation as to how it can be integrated into an enterprise application. I believe that the value of XACML won't be realized unless there is the creation of a new open source project that attempts to develop/standardize around a set of common APIs.

For those who are familiar with XACML, I would love to understand their first reactions to creation of such a project, whether they would be willing to contribute and what they believe an XACML API would look like?


Comments (5)

拍不死你 2024-07-26 05:23:11

Maybe I don't understand the question, but doesn't the SAML profile for XACML do what you want? It defines SOAP formats for authzDecisionQuery and response records, which should be all you need for the WSDL.

I built one of these around Sun's interpreter for DOD/DISA (it's on forge.mil), and a much faster version (not released yet) around a fully compiled implementation that directly transforms XACML into Java code. The main goal was readability, not speed, but it's about ten times as fast.

IMO XACML works but is absolutely terrible as a language for people to look at. I'm more interested in finding a problem-specific language for expressing XACML's semantics so that people can understand them. Java beats XACML for this hands down, but Java's pretty clumsy as a domain-specific language. Perhaps Groovy?

PS: As our first shot at this we tried Attempto Controlled English (ACE). We quickly dropped that idea when we found ACE has nothing viable for expressing deeply nested conditionals (no parentheses or braces). And I'm not sure English was the right idea for this anyway, in spite of strong NSA interest in English-based policy languages.

亣腦蒛氧 2024-07-26 05:23:11

Doesn't Sun's XACML Implementation give you a solid API?

http://sunxacml.sourceforge.net/

(The development is back on track and the site should be updated soon. Have a look at the sunxacml-devl mailing list.)

蘑菇王子 2024-07-26 05:23:11

sunxacml is not actively maintained.
The last update on the page/implementation is from year 2006.

An actively maintained open source XACML implementation is the HERAS-AF XACML Core.

北方的韩爷 2024-07-26 05:23:11

The SAML profile for XACML and WS-XACML specifications are attempts to standardize the communication between XACML PEP and PDP. WSO2 Identity Server is an open source project and will be adding this support by early next year.

Thanks...

时光无声 2024-07-26 05:23:11

WS-XACML is long dead unfortunately. SAML profile of XACML is today the only standardized approach but that's more about the communication than the ease of use of APIs.

At Axiomatics we did develop a simple SDK but it remains fairly vendor-specific.

I know that there is a strong initiative called OpenAZ pushed forward by Oracle and Nextlabs. They are aiming at defining simpler APIs for PEPs. That is probably what you would want to look at.

Links:

James, I would seriously look at OpenAZ. There is a call every other week on Thursdays which you are welcome to attend.
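
An added example, not part of any answer in this thread and not code from Sun's XACML, HERAS-AF, OpenAZ or any vendor SDK: one shape a minimal PEP-side API over the XACML request/response context could take, with a deny-biased check of the PDP's answer. It assumes the XACML 2.0 context namespace (the thread names no version) and a hypothetical `pdp` callable standing in for whatever transport carries the request.

```python
import xml.etree.ElementTree as ET

# Assumption: XACML 2.0 context schema and the standard 1.0 attribute identifiers.
CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
STRING = "http://www.w3.org/2001/XMLSchema#string"
IDS = {
    "Subject": "urn:oasis:names:tc:xacml:1.0:subject:subject-id",
    "Resource": "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
    "Action": "urn:oasis:names:tc:xacml:1.0:action:action-id",
}


def build_request(subject, resource, action):
    """Serialize a request context with one string attribute per category."""
    req = ET.Element(f"{{{CTX}}}Request")
    for category, value in (("Subject", subject), ("Resource", resource),
                            ("Action", action)):
        cat = ET.SubElement(req, f"{{{CTX}}}{category}")
        attr = ET.SubElement(cat, f"{{{CTX}}}Attribute",
                             AttributeId=IDS[category], DataType=STRING)
        ET.SubElement(attr, f"{{{CTX}}}AttributeValue").text = value
    ET.SubElement(req, f"{{{CTX}}}Environment")  # required element, may be empty
    return ET.tostring(req, encoding="unicode")


def is_permitted(response_xml):
    """Deny-biased PEP: grant only on a single, unambiguous Permit."""
    try:
        root = ET.fromstring(response_xml)
    except ET.ParseError:
        return False  # unreadable answer is treated as a denial
    if root.tag != f"{{{CTX}}}Response":
        return False
    results = root.findall(f"{{{CTX}}}Result")
    if len(results) != 1:
        return False
    result = results[0]
    # This PEP implements no obligations, so a Permit carrying any must be refused.
    if any(child.tag.endswith("}Obligations") for child in result):
        return False
    decision = result.findtext(f"{{{CTX}}}Decision", default="").strip()
    return decision == "Permit"  # Deny, NotApplicable, Indeterminate all fail closed


def authorize(pdp, subject, resource, action):
    """pdp: hypothetical callable taking request XML and returning response XML."""
    return is_permitted(pdp(build_request(subject, resource, action)))
```

The application only ever calls `authorize`; how `pdp` reaches the decision point (in-process engine, SOAP, or anything else) stays behind that one callable.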
