Who uses XACML?
Has anyone written XACML Implementations other than the Sun XACML Implementation and XEngine?
Who uses them in their products?
Which vendors provide a PDP? I read something about a WebLogic XACML Provider. What other products support XACML?
This has been answered on the XACML TC list already: http://markmail.org/message/w7msffsbi6qzgfoj
XACML is used in a wide variety of industries today. Trying to summarize what's been said
There are 2 types of implementations today:
open-source implementations
They are either backed by commercial organizations, foundations, or universities.
These include:
Commercial products
There are other vendors such as Jericho Systems and Nextlabs that offer XACML. Also Securent (later bought by CISCO) had a XACML offering.
Lastly I recommend you visit the XACML TC (http://www.oasis-open.org/committees/xacml/) where you can see its contributing members. Those include Oracle, Axiomatics, Boeing, Veterans Administration, EMC who are regular contributors.
I'm a member of the team at IBM that builds a security policy management solution, including XACML for authorization policy; and I used to be the team lead for the XACML runtime component itself. The product is called Tivoli Security Policy Manager, and is definitely under active development.
WebLogic used to be built by BEA, before they were acquired by Oracle. I'm not sure if Oracle still sells it or not.
Axiomatics also has a XACML solution, as does Jericho Systems.
WSO2 Identity Server (http://wso2.org/) is an open source entitlement engine which is based on sunxacml. WSO2 Identity Server contains a nice XACML UI policy editor which can be easily used to create complex XACML policies. There is a PIP layer to plug any attribute finder module into it. Therefore you are able to find your attributes from any database, LDAP user store, web services and many more. Also there are decision caching, policy caching and PIP level attribute caching to improve the performance. You can refer to the implementation source code here [1]
[1] https://svn.wso2.org/repos/wso2/branches/carbon/3.2.0/components/identity/org.wso2.carbon.identity.entitlement/
DATEV (a German IT service provider with 5800 employees) announced in 2010 that they will use XACML. Swedish software company Axiomatics will develop a Datev version of its identity management solution.
XACML implementations (Sun, XEngine, and EnterpriseXACML) are currently interpreters, which makes it hard to debug how a decision was reached since debuggers show the interpreter's internal code, not the policy itself.
I've written a compiler for DOD/DISA that transforms XACML directly to Java code. The goal was making policies easier to understand, not speed, but it is gratifying that compiled policies run in about a tenth the space and time as Sun's interpreter.
The compiler has now been verified by using the same Oasis compliance tests that Sun's interpreter uses. Out of ~400 tests, it passes all but 8. Current problem areas are cases the standard isn't clear on; Subject Categories and PolicySet IdReferences to name two.
I'm wiring it up as a SAML-P service this weekend. Release plans aren't final yet but we'll probably release it as open source on forge.mil as soon as the SOA version stabilizes.
Note added: There's a link to an AFCEA paper about it at http://bradjcox.blogspot.com/2011/03/compiling-xacml-to-java-source.html
BiTKOO (http://bitkoo.com) has XACML 3.0 integrated into its Keystone family of authorization management products. I'm the architect of BiTKOO's XACML core technologies (PDP, PAP, PEP).
A wide variety of organizations are now using XACML based solutions for authorization management. Most are large organizations - government agencies (foreign, domestic, military, and state), universities, media companies, industrial companies, etc.
I'm aware that this question was posted a few years ago but it can be relevant right now to people looking for open source XACML implementations.
The project AuthZForce provides an open source XACML 3.0 implementation with a multi-tenant REST API along with a Java-based API. It also provides an XACML SDK.
AuthZForce is available on GitHub and on the OW2 repository, and a Docker container as well as a Debian package are available.
I'm one of the core developers of the project so feel free to reach me if you have any questions.
This may not be helpful as it's not a COTS product, but it may be of interest to you or others.
There is an open-source XACML implementation at http://code.google.com/p/enterprise-java-xacml/ which I've used recently. It covers the entire specification and has pretty decent policy evaluation performance considering it's not optimised.
You can have a look at http://www.herasaf.org/. It is a highly developed open source project (although I don't know which license they are under). It looks really promising, but there is still a lot of work to do.
If you are looking for an alternative to Sun XACML you should really have a look at HERAS-AF (www.herasaf.org). It's a very active project and their support is very good and fast responding (e.g. forum.herasaf.org). The code is of good quality and it provides very many extension points. The API is clear and very easy to use. Have a look at the getting started guide. It is developed and published under the Apache2 license.
OpenAM, an open source access management and web Single Sign On solution, previously known as OpenSSO, provides a PDP and has support for XACML 3.0 for importing and exporting policies.
More information at openam.forgerock.org.
PicketBoxXACML, formerly JBossXacml, also wraps SunXacml's implementation and provides an updated PDP. There's not a lot of documentation out there on it, but it's open source.
Hi, you might also want to have a look at ViewDS Identity Solutions (see http://www.viewds.com). ViewDS has two XACML solutions. Access Sentinel provides externalised authorisation services with a PDP/PIP, two PAPs (DotNet & Java) and a variety of PIPs. Their product also supports delegation, roles management & obligations. ViewDS Identity Solutions also has an LDAP directory with its own integrated searching and matching engine, and has XACML-enabled the directory. That is, they use XACML to provide the policy-based authorisation system for accessing directory information over the Web.
Here's an interesting discussion at Forrester blog http://blogs.forrester.com/andras_cser/13-05-07-xacml_is_dead that actually updates the state of XACML as of 2013. Be sure to read the comments as well.