Sun Releases Open Source XACML Language

LowneWulf writes "An InternetNews.com article mentions that the OASIS standards group today ratified the Extensible Access Control Markup Language 1.0 specification. But even better, Sun Microsystems Labs has backed this up with an open-source version in Java on Sourceforge."

Re:How?

[TummyX]

A language doesn't need source; it's a syntax


Uh. And grammar.


Compilers need source, not languages. 'Open Source Language' sounds like more hype to me


Well open source language simply means a langauge where the compiler is OSS. It doesn't make less sense than saying "Perl is open source".

Re:"Open source" reference implementation

[JanusFury]

That would be a compiler/reference implementation.

A language can definitely be 'Open', but the term 'Open Source' has absolutely no meaning when attached to a language.

'Open Source English'.

That makes absolutely no sense. My point is not related to how useful or good this language is, I'm just annoyed at this example of Sun's generally confusing and strange marketing.

Re:What idiots

[JanusFury]

This seems to be a mostly server-side technology, and Java is generally accepted on the server, so I don't see it as a bad thing that it's in Java.

However, if this technology requires the client to implement some complex authentication stuff, you've got a problem. Exclusively tying your reference implementation to 'weighty' technologies like .NET or Java is a very negative thing, because many clients will either not have the necessary runtimes, or will have very outdated versions of them. Both .NET and Java weigh in at at least 10mb, and that will definitely hurt deployment of any technology.

XML stone soup

[alext]

Like so many other "XML-based" standards, XACML is horribly constrained by the lack of general logical or procedural primitives in XML. As we all know, XML is not a programming language - it was never intended to be computationally complete - yet there seem to be a neverending stream of attempts that effectively try to turn it into one.

It is a fundamental mistake to try to shoehorn semantics which will generally include logic - such as an access control decision - into a language which has no support for them. While XACML "is not intended to form the basis of an authorization decision by itself" it must of necessity include the means to combine and modify rules - hence requiring logical operators which of course have no standard representation in XML.

The specific result is that each attempt to use XML for anything other than the simplest semantics (SOAP, Schema, XSLT, JSP...) must invent its own representations of operators, variables, modules and so forth.

The general result is one unholy mess. We, the poor bloody coding infantry, have to face learning a dozen or more ways of representing the same fundamental concept in a multitude of languages, each supposedly specialized for a narrowly-defined task, but in reality incorporating almost-but-not-quite-all the features of a general purpose language. XML's ugly syntax becomes the least of our problems - that can always be hidden by visual tools or 'generators', but no tool is likely to be able to reunite fundamental concepts fragmented into so many different representations.

Standards such as these do not represent progress, they represent a growing mass of redundancy that one day will have to be refactored into more coherent form. Anyone who studied LISP, or some other language capable of representing the popular data and programming paradigms (logic, procedural, declarative...) will be aware that common ways of representing such semantics have been known for decades. The fact that the practice of XML continues to ignore such basic prior art is an extraordinary indictment of the state of our industry today.

I welcome any explanation from the individuals or organizations concerned as to what obliged them to make yet another idiosyncratic elaboration of the generally incoherent and unusable body of XML specifications.

Okay, an attempt to explain...

[Abcd1234]

This is really a bit of a niche domain (in that, system administrators and other folks are interested, most other people aren't).

Basically, in the world, there are many scenarios where it would be VERY useful to be able to enable access controls on various resources in a system. By "access controls", I mean rules which define who can perform actions on given resources. This sounds so general because it is very general. The purpose of XACML is to provide a language which allows you to specify these rules, or policies, in a nice format independant of the rest of the system (data storage, etc) for any number of domains, and provides software to implement the required components for such a system.

As a solid example, you could use XACML, a central PDP, and a PEP on a set of firewalls to control which IPs have access to what. You'd have to write a PEP for the firewalls, and set up a PDP to handle the requests, but once this is done, you could use XACML to write firewall rules!

Another example, suppose you have a user trying to access their email. You could have a PEP in the client which talks to a PDP to determine if the user is allowed to perform various actions on the mailbox (read, write, etc). In this case, you'd use XACML to determine who can perform what actions on the mailbox.

In both of these cases, XACML defines the language PEPs use to talk to PDPs, and also specifies a common XML language for defining the policies to determine who can do what.

In essence, XACML abstracts these concepts of policy enforcement, rule definitions, etc, and wraps them up in a nice XML language which can be used in any component which implements the XACML specificiations for a PDP and PEP. Why would you want to do this? Well, first, it allows you to use plug in in an access control system, rather than having to roll your own. This is good. Second, anyone who implements the XACML standard can interwork. So, I can write a PEP for my email client, and use Joe's PDP to enforce policy in my system. Third, because all your systems now use a single language, you can centralize the policy database and use common tools to manage all of them. An administrators dream!

Now, this is really important people, this has NOTHING TO DO WITH DRM! Or Palladium! Or any other conspiracy theory you want to come up with. This is simply a tool for software developers and system administrators to easily integrate a standard access control framework into their systems.

* Note, in the previous, PDP - Policy Decision Point, and PEP - Policy Enforcement Point.

On language-independent languages

[alext]

One of the beauties of XML is so many different language bindings exist.

That XML is a lingua franca is frequently asserted but can't be proved. The reason is that XML has no (or more strictly, very limited) semantics.

To say that your application can "understand" XML because it can use the DOM API doesn't mean that it can interpret XACML, or any other XML "ontology". You might just as well argue that you can understand Danish because you can parse the "å" character.

All you are saying when you assert that XML applications can be written in any language is that the semantics of XACML (or whatever) can be mapped to various programming languages.

This feature is shared by any machine-readable language, many of which are arguably better at representing XACML semantics than XML.

Re:What idiots

[angel'o'sphere]

Also, I have a word for people who can program Java but not C: dumbass. C is about programming a computer, Java is about using a computer.


If C is the only language you can write in, then every further word is wasted I guess.

Anyway:

The solution is a new language, written for the technology of today and backported to old computers. It would be as low level as C or lower, and have no functions that aren't reentrant. Perhaps a way of doing objects and better exception handling could be added: closer than Objective C is to C, but implemented on the next level with the new language.


Probably you might look at 'D', the language Walther Bright is working on? See www.digitalmars.com.

C might be an appropriated language for system programming, but that is more or less a shortcomming of our current computer architecture, not a feature of the language C.

Two simple 2 liners like:
int i = 4;
fwrite(FILE, &i, size_of(i), 1);

and
int i;
fread(FILE, &i, size_of(i), 1);

Thats not even portable over different system architectures. And sometimes not even over two different compilers on the same architecture.

If everything looks like a register or like memory your appropriated tool is .... well, assembler? Ok, just kidding ... use C.

But if your problem is not register or memory and not signal processing ... but: Customer, CustomerAdress, Order, DelieveryTime, DelieveryAdress, BillingAdress .... spread over 100-s of servers, integrated over industries, manufactored-just-in-time, to be delievered just-in-time, made from raw materials and premanufactored parts, delieverd just-in-time, to be adapted to changing business requirements - if possible in a timeframe of a month - then C is not the adequate language.

Neither is Java, but we have nothing wich is better ... well, this is a different topic.

At least a Java program or a server component running on an App Server is portable.

And Java offers hundreds of APIs, STANDARDS even, to cope with all cross architecture interoparability problems.

If you would say, PERL, ok, then I only could say: puh, a nerd, writing in a cryptic 'write once, never maintane' language.

But PERL indeed offers nearly everything Java offers. Easy web integration, DB access, portability, speed, text and XML processing etc.

But C?

BTW: writing a linux like kernal is to be done far easyer in Java then in C/C++.

Your post simply shows that you have no clue about Java and that you think you have a clue about C .... I hope the latter is true :-)

angel'o'sphere