The OASIS Cover Pages: The Online Resource for Markup Language Technologies

Created: February 18, 2003.

Sun Microsystems Releases Open Source XACML Implementation for Access Control and Security.

Sun Microsystems Laboratories has published an open source implementation of the OASIS Open Extensible Access Control Markup Language (XACML) Standard. The implementation is written in the Java programming language and is available from SourceForge. XACML, recently approved as an OASIS Open standard, is "an XML-based language for access control that has been standardized in OASIS. XACML describes both an access control policy language and a request/response language. The policy language is used to express access control policies (who can do what when). The request/response language expresses queries about whether a particular access should be allowed (requests) and describes answers to those queries (responses). XACML contributes to the simplification and cost reduction of developing and deploying secure web services -- or any application that requires secure access control. The Sun project provides complete support for all the mandatory features of XACML as well as a number of optional features. Specifically, there is full support for parsing both policy and request/response documents, determining applicability of policies, and evaluating requests against policies. All of the standard attribute types, functions, and combining algorithms are supported, and there are APIs for adding new functionality as needed. There are also APIs for writing new retrieval mechanisms used for finding things like policies and attributes. The project was developed in Sun Microsystems Laboratories, part of Sun Microsystems, Inc., and is part of an ongoing project on Internet Authorization in the Internet Security Research Group." The project team welcomes additional involvement from developers.

Announcement details

Sun Microsystems, Inc. has announced the release of its implementation of the new XACML OASIS Open Standard for security under an open source license. XACML contributes to the simplification and cost reduction of developing and deploying secure web services -- or any application that requires secure access control. Today's news demonstrates Sun's leadership role in the development of open standards and underscores Sun's continuing investment in the security space.

"Sun's XACML implementation heralds a necessary improvement in web services security and interoperability," said Larry Abrahams, Director, Identity Server and Liberty, Sun Microsystems, Inc. "We expect it to be very useful in creating an open source community around the technology and an important part in the development of future Sun products."

Sun's XACML Implementation was developed by the Internet Security Research Group (ISRG) within Sun Microsystems Laboratories and could have far-reaching impact on enterprise security as well as developer productivity. As XACML replaces the current patchwork of proprietary access control policy languages, administrators will no longer need to learn these many languages and translate policies between them. Software developers won't have to invent their own languages and write custom code to support them as they do today. Both will save time and money.

"Sun's decision to release an Open Source implementation of XACML 1.0 is both important and timely, and will certainly encourage rapid adoption of this standard," said Carlisle Adams, principal architect, advanced security, at Entrust, Inc. "Governments and businesses will benefit from the availability of this code because they will immediately be able to incorporate fully-compliant XACML 1.0 implementations into the comprehensive authorization architectures they deploy. Entrust is very pleased to have played a major role in the development of this standard."

Sun's release of this code under an open source (modified BSD) license coincides with approval of the XACML standard by OASIS, the Organization for the Advancement of Structured Information Standards, and is aimed at jump-starting the adoption of this standard throughout the open source and commercial software development communities.

"We're really pleased by the approval of the XACML standard by OASIS, and by Sun's open-source release of their XACML implementation," said RL "Bob" Morgan, chair of the Internet2 Middleware Initiative (http://middleware.internet2.edu/), which provides technology and guidelines to the 200+ Internet2 member organizations in making advanced Internet applications secure, manageable, and interoperable. "Access control is one of our major areas of activity, and XACML is likely to be a key technology. Sun's XACML implementation looks very complete and robust, and we're looking forward to using it in key projects. We depend on open standards and open implementations, and applaud Sun for their commitment to both."

XACML Overview

[From the Sun XACML Implementation website]

XACML (eXtensible Access Control Markup Language) is an XML-based language for access control that has been standardized in OASIS. XACML describes both an access control policy language and a request/response language. The policy language is used to express access control policies (who can do what when). The request/response language expresses queries about whether a particular access should be allowed (requests) and describes answers to those queries (responses).

In a typical XACML usage scenario, a subject (e.g. human user, workstation) wants to take some action on a particular resource. The subject submits its query to the entity protecting the resource (e.g. filesystem, web server). This entity is called a Policy Enforcement Point (PEP). The PEP forms a request (using the XACML request language) based on the attributes of the subject, action, resource, and other relevant information. The PEP then sends this request to a Policy Decision Point (PDP), which examines the request, retrieves policies (written in the XACML policy language) that are applicable to this request, and determines whether access should be granted according to the XACML rules for evaluating policies. That answer (expressed in the XACML response language) is returned to the PEP, which can then allow or deny access to the requester.

XACML has many benefits over other access control policy languages:

  • One standard access control policy language can replace dozens of application-specific languages.
  • Administrators save time and money because they don't need to rewrite their policies in many different languages.
  • Developers save time and money because they don't have to invent new policy languages and write code to support them. They can reuse existing code.
  • Good tools for writing and managing XACML policies will be developed, since they can be used with many applications.
  • XACML is flexible enough to accommodate most access control policy needs and extensible so that new requirements can be supported.
  • One XACML policy can cover many resources. This helps avoid inconsistent policies on different resources.
  • XACML allows one policy to refer to another. This is important for large organizations. For instance, a site-specific policy may refer to a company-wide policy and a country-specific policy.
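
The PEP/PDP exchange from the usage scenario above, as an added Python example that is not code from Sun's implementation and does not use the XACML schema: the names `Rule`, `pdp_evaluate` and `pep_enforce`, the flat attribute dictionary and the sample policy are assumptions, and the combining step is a simplified deny-overrides. It shows the PEP granting access only on Permit, so NotApplicable and Indeterminate both end in refusal.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    """The four decision values an XACML response can carry."""
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"
    INDETERMINATE = "Indeterminate"


@dataclass(frozen=True)
class Rule:
    effect: Decision  # Decision.PERMIT or Decision.DENY
    target: tuple     # (attribute, required value) pairs; hypothetical model

    def evaluate(self, request: dict) -> Decision:
        try:
            applies = all(request[attr] == value for attr, value in self.target)
        except KeyError:
            # Simplification: a missing attribute is an evaluation error.
            return Decision.INDETERMINATE
        return self.effect if applies else Decision.NOT_APPLICABLE


def pdp_evaluate(rules, request: dict) -> Decision:
    """PDP: simplified deny-overrides combining of all rule results."""
    results = {rule.evaluate(request) for rule in rules}
    for decision in (Decision.DENY, Decision.INDETERMINATE, Decision.PERMIT):
        if decision in results:
            return decision
    return Decision.NOT_APPLICABLE


def pep_enforce(rules, subject: dict, resource: str, action: str) -> bool:
    """PEP: build the request from attributes, ask the PDP, fail closed."""
    request = {**subject, "resource": resource, "action": action}
    return pdp_evaluate(rules, request) is Decision.PERMIT


# Constructed sample policy, not taken from the page.
POLICY = [
    Rule(Decision.PERMIT,
         (("resource", "design-docs"), ("action", "read"), ("role", "engineer"))),
    Rule(Decision.DENY, (("resource", "design-docs"), ("action", "delete"))),
]
```
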

Document URI: http://xml.coverpages.org/ni2003-02-18-a.html
Robin Cover, Editor: robin@oasis-open.org