Archives / 2004 / April
  • XACML implementation for .Net

    A couple of days ago we had a long holiday down here in Argentina for Easter and I had some free time. I was very busy in the last months (you may have noticed my blogging absence) and I didn't have the chance to do anything beyond my current projects (which are very interesting).

    Browsing the web I found a very interesting specification of an Access Control mechanism based on XML that was something new for me, called XACML, released by OASIS. I had heard about WS-Security and some other specs in WS-*, but none of them are based on Access Control, and I also love rule engines and this spec is something very similar to a rule engine. The spec is version 1.0 with a small update in a 1.1 version; the WG is currently working on the 2.0 version, which is a draft, but there are some public documents to see their work.

    I liked the way they express the policies and the requests over those policies, and how the schema can be extended with custom features. I also wanted to experience what it means to implement a specification. I always feel that some specifications do not cover all the questions you may have about the behavior or the implementation, and I wanted to experience it by myself.

    The results are very interesting; you may find the code here. The code is very draft but it's working: all ConformanceTests pass. It needs some documentation, and I hope I have more time to add new functionality and start updating the engine to the next version, 2.0, probably working in Whidbey, using all the cool new features. This is also the first .Net implementation and the only one supporting Hierarchical resources.

    The code is in SourceForge, so you can get the code and see how it's working. There's also a ZIP release you can download and execute the code using the ConformanceTests that you can find here. The project includes the Core code, a simple console test that can be executed specifying the Policy and the Request, and a set of NUnit tests that can be executed to run all the Conformance Tests.

    Of course many issues were found in the specification:

    Assumption of the resource-id dataType

    There is only a single place in the document that makes reference to the resource-id data type being a URI (line#4505), but many features like hierarchical resources depend on that data type. So if the attribute will always be a URI, why specify the datatype?

    XPath current node assumption

    The AttributeSelector element description does not describe what the current node used for the XPath expressions is. Many tests use //, for which the current node does not matter, but many others use ./, which means the current node is assumed to be some node, and there's no description of it. I used the ConformanceTests to guide me, but they are inconsistent; that is, if I set the current node to satisfy one test, another test will fail.

    Missing description of how to determine the hierarchical relationship between resources

    There's no description of how to determine the hierarchical relationship between two resources. This is related to the first issue: if the resource-id is not a URI, what happens?

    Incorrect and incomplete ConformanceTests

    The conformance tests are incomplete and they don't have much explanation about what the expected behavior is, and why that behavior is expected. Some others are inconsistent, for example the XPath expressions that start with ./
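    To make the current-node ambiguity from the XPath section and the ./ inconsistency above concrete, here is an added example (not code from the post or the SourceForge project): the same AttributeSelector XPath is evaluated against a constructed XACML 1.0 request context, once with the Request element as the current node and once with ResourceContent. The request document, the urn:example:med namespace and its element names are assumptions; the spec's leading // is spelled .// in ElementTree's XPath subset.

```python
import xml.etree.ElementTree as ET

# Constructed XACML 1.0 request context (sample data, not from the post or
# the project). ResourceContent carries the application document that an
# AttributeSelector's XPath expression is evaluated against.
REQUEST_XML = """<Request xmlns="urn:oasis:names:tc:xacml:1.0:context"
         xmlns:md="urn:example:med">
  <Subject/>
  <Resource>
    <ResourceContent>
      <md:record>
        <md:patient><md:patientDoB>1992-03-21</md:patientDoB></md:patient>
      </md:record>
    </ResourceContent>
  </Resource>
  <Action/>
</Request>"""

NS = {"ctx": "urn:oasis:names:tc:xacml:1.0:context", "md": "urn:example:med"}

# Two plausible readings of "the current node" for an AttributeSelector,
# each given as a path from the Request root to that element.
CONTEXT_NODES = {
    "Request": ".",
    "ResourceContent": "ctx:Resource/ctx:ResourceContent",
}


def evaluate_selector(request_path, context_node, request_xml=REQUEST_XML):
    """Return the text values an AttributeSelector would select.

    request_path uses ElementTree's XPath subset: './a/b' is relative to the
    context node and './/b' is descendant-or-self (the spec's leading '//').
    context_node names the element the PDP treats as the current node.
    """
    root = ET.fromstring(request_xml)
    node = root.find(CONTEXT_NODES[context_node], NS)
    return [el.text for el in node.findall(request_path, NS)]


def attribute_present(request_path, context_node):
    """An empty selector result is what a PDP reports as a missing attribute."""
    return len(evaluate_selector(request_path, context_node)) > 0


if __name__ == "__main__":
    relative = "./md:record/md:patient/md:patientDoB"
    for ctx in CONTEXT_NODES:
        print(ctx, evaluate_selector(relative, ctx),
              evaluate_selector(".//md:patientDoB", ctx))
```

    Run as a script it prints that the ./ selector only resolves from ResourceContent while the .// selector resolves from either node, which is why a test written with ./ pins the engine to one choice of current node.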

    If during the evaluation there are two errors: missing attribute and processing error, which one should be notified in the status code?

    There is no information about the precedence of the errors, and I had to use the ConformanceTests as a guide for them.

    Match vs. Condition

    Match can only be used with functions that receive 2 parameters (an AttributeValue and a choice of a Selector or an AttributeDesignator); why this limitation? The same concept as the Condition could be used here, the implementations would look much clearer, and it would also allow the usage of functions that have more than two parameters.

    XSD difference in .Net

    The XSD Schema included with the specification defines the ResourceContent element using the following: <xs:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>, but using the .Net schema validator, validation of those elements fails because the contents of the RequestContents are not valid, so I had to change the processContents to "skip" in order to make them work in .Net. Probably this is because of my ignorance of XSD.