XACML implementation for .Net

A couple of days ago we had a long Easter holiday down here in Argentina, and I had some free time. I have been very busy in recent months (you may have noticed my blogging absence) and didn't have the chance to do anything beyond my current projects (which are very interesting).

Browsing the web I found a very interesting specification for an XML-based access control mechanism that was new to me: XACML, released by OASIS. I had heard about WS-Security and some of the other WS-* specs, but none of them deals with access control, and since I also love rule engines, this spec appealed to me because it works very much like one. The spec is at version 1.0 with a small update in version 1.1; the TC is currently working on version 2.0, which is still a draft, although there are public documents showing their work.

I liked the way it expresses policies and the requests evaluated against them, and how the schema can be extended with custom features. I also wanted to experience what implementing a specification means. I always feel that specifications do not answer every question you may have about behavior or implementation, and I wanted to see that for myself.

The results are very interesting; you can find the code here. The code is still very rough, but it works: all of the conformance tests pass. It needs some documentation, and I hope to have more time to add new functionality and start updating the engine to the next version, 2.0, probably working in Whidbey and using all the cool new features. This is also the first .Net implementation, and the only one that supports hierarchical resources.

The code is on SourceForge, so you can get it and see how it works. There is also a ZIP release you can download to execute the code against the conformance tests, which you can find here. The project includes the core code, a simple console test that can be run by specifying a policy and a request, and a set of NUnit tests that run all of the conformance tests.

Of course, I found many issues in the specification:

Assumption of the resource-id dataType

There is only a single place in the document (line 4505) that says the data type of the resource-id attribute is a URI, yet features such as hierarchical resources depend on that data type. And if the attribute will always be a URI, why make the DataType explicit at all?

XPath current node assumption

The AttributeSelector element description does not say which node is the context (current) node for its XPath expressions. Many tests use //, for which the context node does not matter, but many others use ./, which assumes the context node is some particular node, and there is no description of which one. I used the conformance tests as a guide, but they are inconsistent: if I set the context node so that one test passes, another test fails.
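To make the ambiguity concrete, here is an added example (not code from this post or from the SourceForge project) that evaluates the same AttributeSelector-style path from three plausible context nodes of a Request constructed for the example and modelled on the spec's medical-record samples. The ./ path returns a different bag depending on the context node; the .// path does not. Python's xml.etree supports only an XPath subset, so the path selects the element and the example reads its text instead of using text().

```python
"""Added example: the same AttributeSelector path evaluated from different
context nodes.  Not code from the original post or the SourceForge project."""
from __future__ import annotations

import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

CONTEXT_NS = "urn:oasis:names:tc:xacml:1.0:context"   # XACML 1.0 request namespace
MD_NS = "http://www.medico.com/schemas/record"       # namespace the spec's examples use
NS = {"ctx": CONTEXT_NS, "md": MD_NS}

# Constructed XACML 1.0 Request carrying a medical record in ResourceContent.
REQUEST_XML = f"""
<Request xmlns="{CONTEXT_NS}" xmlns:md="{MD_NS}">
  <Subject>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
               DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>Julius Hibbert</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <ResourceContent>
      <md:record>
        <md:patient>
          <md:patientDoB>1992-03-21</md:patientDoB>
        </md:patient>
      </md:record>
    </ResourceContent>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
               DataType="http://www.w3.org/2001/XMLSchema#anyURI">
      <AttributeValue>http://www.medico.com/record/patient/BartSimpson</AttributeValue>
    </Attribute>
  </Resource>
  <Action />
</Request>
""".strip()

# The two RequestContextPath styles the conformance tests use.
RELATIVE_PATH = "./md:patient/md:patientDoB"   # result depends on the context node
ANYWHERE_PATH = ".//md:patientDoB"             # result does not


def candidate_context_nodes(request: ET.Element) -> Dict[str, ET.Element]:
    """Three nodes an implementation might plausibly treat as the 'current node'."""
    resource_content = request.find("./ctx:Resource/ctx:ResourceContent", NS)
    if resource_content is None or len(resource_content) != 1:
        raise ValueError("example expects exactly one element inside ResourceContent")
    return {
        "Request": request,
        "ResourceContent": resource_content,
        "child of ResourceContent": resource_content[0],   # the md:record element
    }


def select(context: ET.Element, path: str) -> List[str]:
    """Evaluate a selector path from `context`; return the text of each selected node.
    (An XACML engine would then coerce these strings to the selector's DataType.)"""
    return [(node.text or "").strip() for node in context.findall(path, NS)]


def compare_paths(xml_text: str, paths: Tuple[str, ...]) -> Dict[str, Dict[str, List[str]]]:
    """For each path, the bag of values obtained from each candidate context node."""
    request = ET.fromstring(xml_text)
    nodes = candidate_context_nodes(request)
    return {path: {name: select(node, path) for name, node in nodes.items()}
            for path in paths}


if __name__ == "__main__":
    for path, by_context in compare_paths(REQUEST_XML, (RELATIVE_PATH, ANYWHERE_PATH)).items():
        print(path)
        for name, bag in by_context.items():
            print(f"  context={name:<26} -> {bag}")
```

Only one of the three context nodes makes the ./ path select the date of birth, which is exactly the situation the post describes: a conformance test written against one choice fails under another, while tests written with // pass under all of them.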

Missing description of how to determine the hierarchical relationship between resources

There is no description of how to determine the hierarchical relationship between two resources. This is related to the first issue: if the resource-id is not a URI, what happens?
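As an added example that is not part of this post or of the project, here is one possible interpretation covering both the resource-id data type issue and this one: two URI resource-ids are related when they share scheme and authority and one path is a segment prefix of the other, and the resource:scope values Immediate, Children and Descendants are resolved against a constructed list of known resource-ids. The non-URI case is the point: the code refuses (raises) instead of guessing, so a PDP would return Indeterminate rather than silently match or fail to match. Treating a trailing slash as the same node and including the requested node itself in Children and Descendants are assumptions of this example, not rules taken from the spec.

```python
"""Added example: one interpretation of hierarchy for URI resource-ids.
Not code from the original post or the SourceForge project."""
from __future__ import annotations

from typing import Iterable, List, Tuple
from urllib.parse import urlsplit

# Values of the XACML 1.0 attribute urn:oasis:names:tc:xacml:1.0:resource:scope
SCOPES = ("Immediate", "Children", "Descendants")


class NotHierarchical(ValueError):
    """The resource-id is not a URI with a hierarchical path, so no parent/child
    relationship can be derived from it (the gap the post describes)."""


def split_hierarchical(resource_id: str) -> Tuple[str, str, Tuple[str, ...]]:
    """Return (scheme, authority, path segments) for a hierarchical URI.

    Assumption of this example: a trailing slash names the same node, so
    http://h/a/ and http://h/a are one resource.  URNs ("urn:...") and plain
    strings have no hierarchical path and are rejected.
    """
    parts = urlsplit(resource_id)
    if not parts.scheme or (parts.path and not parts.path.startswith("/")):
        raise NotHierarchical(resource_id)
    segments = tuple(seg for seg in parts.path.split("/") if seg)
    return parts.scheme.lower(), parts.netloc.lower(), segments


def _relation_depth(ancestor: str, candidate: str) -> int:
    """Segments `candidate` lies below `ancestor` (same scheme and authority);
    0 for the same node, -1 if unrelated.  A candidate that is not a
    hierarchical URI is simply unrelated."""
    a_scheme, a_host, a_segs = split_hierarchical(ancestor)
    try:
        c_scheme, c_host, c_segs = split_hierarchical(candidate)
    except NotHierarchical:
        return -1
    if (a_scheme, a_host) != (c_scheme, c_host) or c_segs[: len(a_segs)] != a_segs:
        return -1
    return len(c_segs) - len(a_segs)


def is_child(ancestor: str, candidate: str) -> bool:
    return _relation_depth(ancestor, candidate) == 1


def is_descendant(ancestor: str, candidate: str) -> bool:
    return _relation_depth(ancestor, candidate) >= 1


def resolve_scope(resource_id: str, scope: str, known_resources: Iterable[str]) -> List[str]:
    """Resources a PDP has to evaluate for a request with the given resource:scope.

    Assumption of this example: Children and Descendants include the requested
    node itself, first in the list.  A non-hierarchical resource-id with a scope
    other than Immediate raises NotHierarchical; the PDP should report that as
    Indeterminate rather than invent a relationship.
    """
    if scope not in SCOPES:
        raise ValueError(f"unknown resource:scope {scope!r}")
    if scope == "Immediate":
        return [resource_id]
    split_hierarchical(resource_id)          # raises NotHierarchical for e.g. a plain string
    related = is_child if scope == "Children" else is_descendant
    return [resource_id] + sorted(r for r in known_resources if related(resource_id, r))


# Constructed resource tree for the example.
KNOWN_RESOURCES = (
    "http://www.medico.com/record/",
    "http://www.medico.com/record/billing",
    "http://www.medico.com/record/patient/BartSimpson",
    "http://www.medico.com/record/patient/BartSimpson/medical",
    "http://www.medico.com/record/patient/LisaSimpson",
    "http://www.example.org/record/patient/BartSimpson",   # same path, other authority
    "urn:medico:record:patient:BartSimpson",                # a URN: no path hierarchy
    "Bart's paper file",                                    # not a URI at all
)

if __name__ == "__main__":
    print(resolve_scope("http://www.medico.com/record/patient", "Children", KNOWN_RESOURCES))
    print(resolve_scope("http://www.medico.com/record", "Descendants", KNOWN_RESOURCES))
    try:
        resolve_scope("Bart's paper file", "Descendants", KNOWN_RESOURCES)
    except NotHierarchical as exc:
        print("refused:", exc)
```

Whatever interpretation an engine picks, it should be written down and applied consistently: a relationship rule that silently treats a URN or a plain string as "unrelated" turns a Descendants request into a decision about the requested node only, which is an easy place for a policy to be quietly narrower than its author intended.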

Incorrect and incomplete ConformanceTests

The conformance tests are incomplete and carry little explanation of what the expected behavior is and why it is expected. Some are inconsistent with one another, for example the XPath expressions that start with ./.

If during evaluation there are two errors, a missing attribute and a processing error, which one should be reported in the status code?

The spec defines the status codes (ok, missing-attribute, syntax-error and processing-error) but gives no information about their precedence when more than one applies, and I had to use the conformance tests as a guide.

Match vs. Condition

Match can only be used with functions that take two parameters (an AttributeValue and either an AttributeSelector or an AttributeDesignator). Why this limitation? The same mechanism used for Condition could be used here; implementations would be much clearer, and it would also allow functions that take more than two parameters.
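The limitation comes from the bag semantics built into Match: the two-argument MatchId function is applied to the literal AttributeValue and to each value of the bag returned by the designator or selector, and the Match is true if any application is true. That is what the standard higher-order function any-of does inside a Condition, which is why the author's observation holds. The added example below (not code from this post or the project; the function URNs are the spec's, the Python implementations and the urn:example attribute ids are this example's) evaluates a Match directly, rewrites it as a Condition using any-of, and then evaluates a Condition calling n-of, a function with more than two parameters that a Match cannot express.

```python
"""Added example: Match's implicit bag semantics versus an explicit Condition.
Not code from the original post or the SourceForge project."""
from __future__ import annotations

from typing import Any, Callable, Dict, List

XACML_FN = "urn:oasis:names:tc:xacml:1.0:function:"   # prefix of the standard function ids


def string_equal(a: str, b: str) -> bool:
    return a == b


def integer_greater_than(a: int, b: int) -> bool:
    return a > b


def integer_one_and_only(bag: List[int]) -> int:
    if len(bag) != 1:                     # the spec makes this an error (Indeterminate)
        raise ValueError(f"bag must hold exactly one value, got {len(bag)}")
    return bag[0]


def any_of(fn: Callable[[Any, Any], bool], value: Any, bag: List[Any]) -> bool:
    """any-of(function, value, bag): true if function(value, item) holds for any item."""
    return any(fn(value, item) for item in bag)


def n_of(n: int, *values: bool) -> bool:
    """n-of(n, b1, b2, ...): true if at least n of the booleans are true."""
    if n > len(values):                   # the spec makes this an error (Indeterminate)
        raise ValueError("n-of: fewer arguments than n")
    return sum(1 for v in values if v) >= n


# Standard function ids mapped to this example's implementations.
FUNCTIONS: Dict[str, Callable[..., Any]] = {
    XACML_FN + "string-equal": string_equal,
    XACML_FN + "integer-greater-than": integer_greater_than,
    XACML_FN + "integer-one-and-only": integer_one_and_only,
    XACML_FN + "any-of": any_of,
    XACML_FN + "n-of": n_of,
}

# Attribute ids of this example (not standard XACML identifiers).
ROLE = "urn:example:subject:role"
YEARS = "urn:example:subject:years-of-service"


def evaluate_match(match_id: str, attribute_value: Any, bag: List[Any]) -> bool:
    """<SubjectMatch MatchId="..."><AttributeValue/><AttributeDesignator/></SubjectMatch>:
    the two-argument MatchId function is applied to the literal and to every value in
    the bag the designator/selector returned; the Match is true if any call is true.
    This built-in 'exists' quantification is why MatchId must take two arguments."""
    fn = FUNCTIONS[match_id]
    return any(fn(attribute_value, item) for item in bag)


def evaluate(expr: Any, bags: Dict[str, List[Any]]) -> Any:
    """Evaluate a Condition/Apply tree.
    {"apply": id, "args": [...]}  -> call the function on the evaluated arguments
    {"designator": attribute-id}  -> the bag of request values (empty if absent)
    {"function": id}              -> a function reference (<Function FunctionId=.../>)
    anything else                 -> an AttributeValue literal"""
    if isinstance(expr, dict):
        if "designator" in expr:
            return list(bags.get(expr["designator"], []))
        if "function" in expr:
            return FUNCTIONS[expr["function"]]
        fn = FUNCTIONS[expr["apply"]]
        return fn(*(evaluate(arg, bags) for arg in expr["args"]))
    return expr


def match_as_condition(match_id: str, attribute_value: Any, attribute_id: str) -> Dict[str, Any]:
    """The Condition equivalent of a Match: any-of(MatchId, AttributeValue, designator)."""
    return {"apply": XACML_FN + "any-of",
            "args": [{"function": match_id}, attribute_value, {"designator": attribute_id}]}


# A Condition that Match cannot express: n-of takes more than two arguments, and one
# of them is a comparison that first reduces a bag to a single integer.
CONDITION = {
    "apply": XACML_FN + "n-of",
    "args": [
        2,
        match_as_condition(XACML_FN + "string-equal", "surgeon", ROLE),
        match_as_condition(XACML_FN + "string-equal", "physician", ROLE),
        {"apply": XACML_FN + "integer-greater-than",
         "args": [{"apply": XACML_FN + "integer-one-and-only",
                   "args": [{"designator": YEARS}]}, 5]},
    ],
}

# Constructed request attributes (bags) for the example.
REQUEST_BAGS = {ROLE: ["nurse", "physician"], YEARS: [7]}

if __name__ == "__main__":
    print(evaluate_match(XACML_FN + "string-equal", "physician", REQUEST_BAGS[ROLE]))
    print(evaluate(match_as_condition(XACML_FN + "string-equal", "physician", ROLE), REQUEST_BAGS))
    print(evaluate(CONDITION, REQUEST_BAGS))
```

Note the behaviour on an empty bag: a Match against an attribute the request does not carry is simply false, so whether the missing attribute is a reason to deny or merely to skip the rule depends on where in the policy the test sits. Putting it in a Condition with a one-and-only function instead turns the same situation into an error, which is a deliberate choice the policy author gets to make.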

XSD difference in .Net

The XSD schema included with the specification defines the ResourceContent element using <xs:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>, but with the .Net schema validator validation fails because the contents of ResourceContent are reported as invalid, so I had to change processContents to "skip" to make them work in .Net. This is probably due to my ignorance of XSD. Note that "skip" means the validator does not check the children of ResourceContent at all, so whatever an AttributeSelector reads from there arrives unvalidated.


  • I've been looking closely at the Jiffy implementation of the XACML standard, and how I would convert it to .NET.

    It appears from your exe that you have already accomplished this task. However, based on some of the "TODO" notes that you've listed here, it appears that there may be some extra work that needs to happen to make this a viable production product. I'm currently working on a project for the Washington State Department of Labor and Industries. (I'm a government employee.) I've been directed to find any way I can to use a standard like XACML and implement a Policy Execution Engine exactly like the one you've provided here. I was trying to read the source code off of SourceForge.NET, but I hate right-clicking on every single file to get the SLN, CPROJ, and CS files that I need.

    Is there any way that you could email me a ZIP containing these files to the Email account I provided above? I'd really appreciate it.


    Chad Stoker

  • Hi, I'm glad you are interested in the implementation. About the TODOs: yes, I have a lot of pending tasks, but the compiled version you can download is pretty complete. I mean the implementation of the standard is complete, but of course software is a never-ending task and you always want to do something more.

    The most important missing piece in the implementation is stability and handling error situations correctly, for example type mismatches.

    The project is very new (in fact, it started 4 weeks ago, waiting for a plane after missing a flight :) ). Now I'm adding the DataType extension mechanism, which is an optional requirement in the specification, and I think it is very important for an extensible implementation.

    If you want, you can get the code using CVS; there's a document about how to get it, and I'll send it to you.

    Diego Gonzalez

    Lagash Systems SA

  • sorry, missing line:

    Of course, if you are interested in the project you are invited to add your code to it so we can finish it together. There's a lot of work to do to take it to version 2.0, which the TC is working on.

  • How can I open the source code?

  • Since v2.0 has been out for some time now, would you be interested in completing the implementation for XACML 2.0? I can put some time into this if you are interested.

  • I am unable to download the code from CVS. Can you please specify how to download it?

  • Hi, I could not find the source code. Can you help?

  • Hi, the CVS link for the source of the project is broken. Can you send me the source files, or can you update the link for the source files? My mail id is ila7goki@yahoo.com. Please respond to this mail.
