Sun Releases Open Source XACML Language

LowneWulf writes "An InternetNews.com article mentions that the OASIS standards group today ratified the Extensible Access Control Markup Language 1.0 specification. But even better, Sun Microsystems Labs has backed this up with an open-source version in Java on Sourceforge."

frist ps0t

fuck france.

As Mr. Spock would say...

Fascinating.

hmm

firstpost?

3rd post!

[thr0d+ps1t]

This thr0d ps1t is brought to you by the Sirius Cybernetics Corporation's Model Thr00 Thr0d Ps1t Generator.

Share and enjoy!

Re:3rd post!

y41 f0uled. :-P

wow

[unterderbrucke]

YAUML (Yet Another Useless Markup Language) should become more commonly used around here.

Re:wow

[Mas3]

sounds like the name of an aztec god ...

--
Stefan

DevCounter - An open, free & independent developer pool
created to help developers find other developers, help, testers and new project members.

How?

[JanusFury]

How can a language be open source? A language doesn't need source; it's a syntax. Compilers need source, not languages. 'Open Source Language' sounds like more hype to me. I may be stupid, but I don't know of any truly open source implementations of the Java that this 'Open Source Language' is in (Last I checked, Sun had a pretty strict licensing scheme going for Java implementations)

Re:How?

[TummyX]

A language doesn't need source; it's a syntax


Uh. And grammar.


Compilers need source, not languages. 'Open Source Language' sounds like more hype to me


Well open source language simply means a langauge where the compiler is OSS. It doesn't make less sense than saying "Perl is open source".

Re:How?

[binaryDigit]

I assume that they mean that Sun tools that support the language are in Java and are OS, not the language itself.

Re:How?

[wilhelm9]

Today Open Source is like any buzzword we have come across in history. In the 80-ies AI was the hot thing. "Everything" was to be AI and everyone wanted to be associated with the word, but eventually the hype backfired and today no one cares. Now that Open Source is a mainstream word it is only a matter of time before this buzzword gets outdated too.

Re:How?

[cyba]

> > A language doesn't need source; it's a syntax
> Uh. And grammar.

Wrong. Grammar simply describes language's syntax.

Re:How?

[nullard]

>>> A language doesn't need source; it's a syntax
>> Uh. And grammar.
>Wrong. Grammar simply describes language's syntax.

I thought that the grammar described the language's semantics. It's been a while since I took either Algorithms or Programming Languages, but that's what I recall.

Re:How?

[axxackall]

The project page explicitely says:

This is an open source implementation of the OASIS XACML standard, written in the Java (TM) programming language.

It doesn't say that the standard is open source. It doesn't say that Java is open source. It says the implementation in Java is open source.

Of course, it doesn't prevent from creating close-source implementations of the same standard. But XACML standard specs by themselves are openly available from OASIS.

JAY! Another language!

[eddy]

Jee-aah! Another language! That's great, because we can never have too many of these. I was just thinking to myself, "Gee, I wish I had another markup language to learn".

(obl: karma to burn)

Re:JAY! Another language!

[atomray]

Umm, the entire purpose of XML is to define custom vocabularies for specific applications. You don't have to learn it, it's for computers to use to communicate with one another in a heterogenous environment. Sun has provided an API and implementation for you to use.

Do you have a learning disability?

Re:JAY! Another language!

[alext]

"it" referring to XML, or to XACML?

Presumably a heterogenous environment wouldn't be an entirely Java environment?

If so, I think I am obliged to learn both.

OH, THANK GOD!!!

I was just nearly out of languages. Sun saves the day again.

What will become of Java?

Is this the replacement for Java? Should I shove my Java book up my asshole sideways? Should I grind it up and try to make coffee out of it? I fear for the future of all coffee beans. I care not of the cost, I will use Javascript until the end!

I like butt sex!
http://www.goatse.cx

DRM?

[yerricde]

What application does this language have in digital restrictions management of copyrighted works?

Re:DRM?

I'm not sure, but I can tell you this: the RIAA sucks, the MPAA sucks, M$ sucks. The DMCA sucks a fat cock. DRM sucks mucho.

Finally, Linux rules and BSD is dying. Unless you like Mac OS X, in that case it rules more and BSD is not dying, however in this case you must remember that the GPL sucks big time.

Also, if you like RMS, he certainly doesn't suck, but if you don't, he definitely does.

I hope that cleared things up for you.

Thank you.

Re:DRM?

Access controls can be used to keep you out of your own computer, or to keep hackers out of your computer.

When they keep you out, it's DRM. When they keep hackers out, it's security.

So this could be used for DRM, or it couldn't. So can chmod. Don't worry, it can all be broken. Thank you, move along.

sun rapes people

... They release it open source, let morons and free volunteers fix the code and then they close the source again. Same happened with various other sun products... I would take any bets for this to happen again.. The reason why they open source is because they need said people to fix and enchance it. Then they take it and sell it commercially again. Well I like such a business too..

Re:sun rapes people

off topic ? this was more ontopic than the comment above with goatse. freaking stupid moderators.

oss'ed DRM?

If I get this right, XACML ist yet another way of realizing digital rights management (DRM). Who will use it, and for what purposes??

None

[M.C.+Hampster]

Not everything is about DRM. Move along.

Re:None

[The+Bungi]

Spare the poor sod, he was trying to get some karma. It was a decent attempt, but it would have been even better if it had the word "Linux" or "GNU" somewhere along with "DRM". "RIAA" and "M$" also have mystical effects over moderators.

Not with *your* dick!

Them Frogs be SKANKY!

What idiots

[Reality+Master+101]

But even better, Sun Microsystems Labs has backed this up with an open-source version in Java on Sourceforge."

Does it ever occur to Sun that Java is not the answer to all problems? That maybe, just maybe, an implementation in C would be more generally useful as a reference implementation?

Java is not a bad language, but it's a niche language. I love Perl, but I wouldn't write an operating system in it.

This is why Sun is going to ultimately fail as a company. They are more interested in political solutions (e.g., write everything in Java whether it's appropriate or not) rather than producing real technology.

Re:What idiots

[angel'o'sphere]

Does it ever occur to Sun that Java is not the answer to all problems? That maybe, just maybe, an implementation in C would be more generally useful as a reference implementation?


I know more Java programmers than C programmers .... and all C programmers I know program Java now.

All industry software projects I'm involved in are in ... ah forgett it you wont belive it anyway ...

HINT: its not C and its not C++.

angel'o'sphere

Re:What idiots

So you would rather Sun write all the necessary authentication and identity management support in C? I'm no C programmer, but doing network+authentication in C is not easy. Java isn't the answer to everything, but the source is available. If you're so eager for a C implementation, go download the source and port it. Bitching is easy. How about contributing?

Re:What idiots

[JanusFury]

This seems to be a mostly server-side technology, and Java is generally accepted on the server, so I don't see it as a bad thing that it's in Java.

However, if this technology requires the client to implement some complex authentication stuff, you've got a problem. Exclusively tying your reference implementation to 'weighty' technologies like .NET or Java is a very negative thing, because many clients will either not have the necessary runtimes, or will have very outdated versions of them. Both .NET and Java weigh in at at least 10mb, and that will definitely hurt deployment of any technology.

Re:What idiots

In their latest report sun made a 2.3 BILLION dollar loss in the last quarter alone!!! Thats just plain crazy.

Why the hell do they have people doing stuff for free? Some executives inside sun needs to wake up and make sure every employee does something that actually makes money.

Re:What idiots

All industry software projects I'm involved in are in ... ah forgett it you wont belive it anyway ...

HINT: its not C and its not C++.

Visual Basic?

Re:What idiots

[perdelucena]

I don't think so.

Can't you see Java is the default language for XML technology since its beginning?

When you think to create web services using all infrastrctute such as provided by Sun One , you think Java, not C, nor Perl.

It's necessary to have frameworks to build complex applications, unless you think its worth to start from scratch. In this case you can implement all the standards on your favourite language.

Re:What idiots

[jilles]

Hey, it's just a prototype/demo application that conforms to the standard. If you don't like it write your own in your favorite language (and feel free to borrow as much as you like from the source code).

Besides, this kind of thing would typically be used in a web application environment, where C typically is not the language of choice (mostly because core dumps are not acceptable in a server environment). And guess what, sun happens to produce some of the most popular tools and techniques for web applications (mostly Java based).

Re:What idiots

[binaryDigit]

Does it ever occur to Sun that Java is not the answer to all problems

Did it occur to you that Sun would write the code to match whatever use fits THEM the best. The fact that they then turn around and make the code OS is a gesture on their part. Did you think they sat around and said "hey, lets write an implementation of this for the masses"? Nope, their needs came first, as it should be.

Re:What idiots

[Dynedain]

All industry software projects I'm involved in are in ... ah forgett it you wont belive it anyway ...

HINT: its not C and its not C++.

is it C# ?

Re:What idiots

[The+Bungi]

HINT: its not C and its not C++.

Intercal? BrainF*ck? Fundies? Well for god's sake man, do tell!!

Re:What idiots

Ah yes, you mean OCaml.

The reason they can use languages like OCaml for doing work like this is because the underlying system has already been implemented in C, and there's a regular interface for OCaml or other high level language to use. Most languages even go so far as to provide ways to use C libraries, which should show just how powerful C is.

Even so, C has some shortcomings, mostly related to many (some/a lot) of the functions in the standard library not being thread safe. A good example of this is strtok(), which isn't reentrant. The solution for fixing this was to add a function, strtok_r() that is reentrant. This works just fine, but overall isn't a good idea, because what happens next time when strtok_r won't cut it? Will strtok_r_x be added? It becomes a nightmare, because you still have to support strtok in your compiler to stay compatible with old code. C is by far the best language for programming a computer, but it's starting to pick up some baggage after 30 years of change in an industry where five years can make something obsolete (not obsolete in and of itself, just in comparison to the ``next new thing'').

The solution is a new language, written for the technology of today and backported to old computers. It would be as low level as C or lower, and have no functions that aren't reentrant. Perhaps a way of doing objects and better exception handling could be added: closer than Objective C is to C, but implemented on the next level with the new language.

As for other languages, they really don't cut it for down and dirty programming. Without a low level language, we could find ourselves in a postition similar to those people in Star Trek:TNG that had all this nice technology that nobody knew how to use. C++ really doesn't have any uses. A quote in the recent funniest nerd joke thread perfectly describes C++.

"C++: an octopus made by nailing extra legs onto a dog" -- Steve Taylor, 1998

Also, I have a word for people who can program Java but not C: dumbass. C is about programming a computer, Java is about using a computer.

It's a testament to C's power that it's been around for 30 years, but in that time, the way computers work hasn't changed all that much. Now they're starting to change, and adapting C to them is going to be more difficult and require clunky kludges that will eventually end in C being used like Java, rather than C used to control a computer-machine. That's why now is a great time to write a language to replace C. There are people out there with Linux kernel programming experience that know what this language needs to be, and everybody has 30 more years of experience to use to write the language.

As a bonus, if it were finished soon enough, the Hurd people would have to start over and rewrite everything in the new language. :)

Re:What idiots

Yeah, and this will make it's way to iPlanet or whatever it is they call it these days and that'll be that. If it makes it to core Solaris as Java I'm spitting my dummy and changing OS.

Re:What idiots

[WhaDaYaKnow]

I know more Java programmers than C programmers .... and all C programmers I know program Java now.

All industry software projects I'm involved in are in ... ah forgett it you wont belive it anyway ...

HINT: its not C and its not C++.

Maybe in the world you are in, but if I look on my PC there's not one single application that's written in Java. I write software for embedded systems and that mostly still C and C++ (with a touch of assembler).

Furthermore, an implementation in C would be more useful because practically any platform supports a C compiler, whereas by far not all do support a Java VM.

Not that I think an implementation in Java is bad though. It may be that the majority of apps needing this technology are actually written in Java...

Re:What idiots

[angel'o'sphere]

Also, I have a word for people who can program Java but not C: dumbass. C is about programming a computer, Java is about using a computer.


If C is the only language you can write in, then every further word is wasted I guess.

Anyway:

The solution is a new language, written for the technology of today and backported to old computers. It would be as low level as C or lower, and have no functions that aren't reentrant. Perhaps a way of doing objects and better exception handling could be added: closer than Objective C is to C, but implemented on the next level with the new language.


Probably you might look at 'D', the language Walther Bright is working on? See www.digitalmars.com.

C might be an appropriated language for system programming, but that is more or less a shortcomming of our current computer architecture, not a feature of the language C.

Two simple 2 liners like:
int i = 4;
fwrite(FILE, &i, size_of(i), 1);

and
int i;
fread(FILE, &i, size_of(i), 1);

Thats not even portable over different system architectures. And sometimes not even over two different compilers on the same architecture.

If everything looks like a register or like memory your appropriated tool is .... well, assembler? Ok, just kidding ... use C.

But if your problem is not register or memory and not signal processing ... but: Customer, CustomerAdress, Order, DelieveryTime, DelieveryAdress, BillingAdress .... spread over 100-s of servers, integrated over industries, manufactored-just-in-time, to be delievered just-in-time, made from raw materials and premanufactored parts, delieverd just-in-time, to be adapted to changing business requirements - if possible in a timeframe of a month - then C is not the adequate language.

Neither is Java, but we have nothing wich is better ... well, this is a different topic.

At least a Java program or a server component running on an App Server is portable.

And Java offers hundreds of APIs, STANDARDS even, to cope with all cross architecture interoparability problems.

If you would say, PERL, ok, then I only could say: puh, a nerd, writing in a cryptic 'write once, never maintane' language.

But PERL indeed offers nearly everything Java offers. Easy web integration, DB access, portability, speed, text and XML processing etc.

But C?

BTW: writing a linux like kernal is to be done far easyer in Java then in C/C++.

Your post simply shows that you have no clue about Java and that you think you have a clue about C .... I hope the latter is true :-)

angel'o'sphere

Re:What idiots

[angel'o'sphere]

Yes, you are right.

Java is just emerging in the embedded system area.

I consult in writing enterprise wide IT solutions. If the desktop is involved in that, then Visual Basic is the prefered solution(not by me, but by the customers).

Why? Well, the desktop is Windows, sadly ... so Java makes no sence. Not because of technology but because of support and installation and configuration.

On my PC the only Java applications are CASE tools written in Java, the IDE, written in Java and the tools, written in Java, like ant, tomcat etc.

angel'o'sphere

Re:What idiots

Surf the web a little,
do some e-commerce.

Java is all over the place, not in the form of applets, but server side j2ee stuff.

Ever work for anyone that uses Oracle? Well, several thousand companies conduct all of there business with Oracle financial applications. Guess what? There applications use java clients.

Java is definetly not the answer to everything, and I still fail to see its benefit for embedded systems (other than it being an easy language to write with). But it does have its place, and anyone paying attention can see that its still gaining steam.

Re:What idiots

I had a huge rambling reply to this, but Phoenix screwed up and I lost it, so I'll summerize.

First, you personally don't know me, so don't make stupid assumptions about what you think I know. You're completely wrong.

Second, programmers who only learn Java miss out on the closeness-to-hardware that C offers, and can manage (if they're not careful), to never learn anything about how a computer actually works. You can code Java with no understanding of how a computer works. You can't pull that lazy-shit stuff with C, or at least you can't and write effective C code.

Third, your example of the nonportability of C is not representitive of the language. There are many programs out there that could only successfully be written in C, and they are quite nice and portable. Mplayer is my current favourite example of a C program. It even manages to use the MMX instructions on my PII. Furthermore, that code snippet will work on practically every 32-bit processor (remember, code runs on a processor eventually, no matter how far away from the hardware you try to abstract it) there is, which isn't bad. Java runs only on systems Sun has ported the bytecode compiler/JVM to.

Fourth, with respect to the following statements:

And Java offers hundreds of APIs, STANDARDS even, to cope with all cross architecture interoparability problems.

BTW: writing a linux like kernal is to be done far easyer in Java then in C/C++.

Yes, Java has many, many, many APIs, but it still isn't viable for systems programming for various reasons. I don't know the status of native Java compilers, but I don't think any are complete yet. Also, while doing an OS kernel in Java might be easier, it still would have performance overhead (in garbage collection, array bounds checking, etc) that C just doesn't have. C is the language of choice for anything that touches hardware in some way.

Fifth deals with:

But PERL indeed offers nearly everything Java offers. Easy web integration, DB access, portability, speed, text and XML processing etc.

Yes, but a lot of that sounds like frontend stuff to something implemented in C (incidentally, when I think of fast languages, Java is pretty far down the list).

Sixth deals with:

Probably you might look at 'D'

I looked at D a while back when I was on a frustrated-language kick. I stopped looking when I saw it had garbage collection. I want a language that adds no overhead for something like garbage collection or array bounds checking but doesn't have the reentrancy problems C does. You didn't mention reentrancy in your post. Do you know what it is? I believe all reentrancy troubles have been abstracted away in Java (at what hidden cost?). Other languages look neat, but each of them adds overhead in some way. There's a great big list of programming languages at Google. Most of them are either very high level with lots of hidden overheard, or tailored to a specific purpose. You should look at E; it has some neat features for parallel processing, and I hope it gets to the native-code point soon.

Finally, it's important to remember that at some point, all these nice programs everybody can write have to run on hardware. If everybody only knows Java, who's going to write the bytecode compiler? For touching hardware, C is the best option, and C can do everything else as well.

Re:What idiots

[flakac]

I know more Java programmers than C programmers .... and all C programmers I know program Java now.
All industry software projects I'm involved in are in ... ah forgett it you wont belive it anyway ...

Absolutely... I love C/C++, but haven't done anything work-related in it for at least two years now.

Re:What idiots

[angel'o'sphere]

Well,

some of your words are true some not.

E.g. Bertram Meyer, the inventor of Eiffel, made researches about the efficency of garbage collection by comparing C programs without GC to similar written Eiffel programs with GC.

He found in his researches that the GC of the Eiffel programs where faster (and bug free) than the C programs with hand crafted memeory management.

His conclusion was that a good GC(adapted to the program structure), often based on a gloabl optimization, done by the Eiffel linker, is very much faster than hand crafted code.

If I remeber right, all C programs had memory allocation/deallocation errors anyway ...

Well, that research is ten years old ... so plenty of time for the /. readers to have picked it up.

Your word about speed ... well, Java is meanwhile quite speedy.

Of course you are right, if you need to access certain hardware you likely will need C. However your assumption that everyone using Java never has learned how a computer works is wrong.

Everybody studying CS at a university in germany learns how a computer works. I asume other universities in the world teach that as well.

I conclude you refer to "self tought" Java programmers. Well, gladly those ignorant self declared develoers use Java and not C, don't you agree?

Some more of your wrong assumptions:
A lot of embedded systems in our days are written in Java ... not in C. An example are mobile phones.

I know what reentrant means. Just for your reference :-)

No, Java has not abstracted reentrance problems away. However it offers language level constructs to tackle it. (the synchronized keyword)

Java to native compilers exist since the first days of Java.

Java VMs exist for nearly any thinkable platform, however Sun only offers 3, as far as I know.

Surely you are still right, as you get C for realy every platform.

Most VMs compile byte code on the fly to native code ... so a native compiler is only interesting under special constraints.

If you need an embedded VM and like to talk to Java people who are fully aware of how a machine works, you probably should visit the Wonka web site.

http://wonka.acunia.com/

By googling for "Embedded Java VM" you find a lot of vendors offering similar products.

Anyway, I don't challange your reputation as C developer. However I hope you will meet some profound java developers as well in your life :-)

angel'o'sphere

P.S. I only used C for 2 years and switched to C++ then ... wich I used about 10 years.

Javanator

[YourMissionForToday]

I've been coding with Sun's Java Nation since early last fall, and I have to be the first to say: I love it!

The tools are so full-featured, smooth integration with Swing/HST and flawless bounds checking!

For more information, check this out!

Re:Javanator

It's not difficult to check bounds, it just adds an "if" statement before every index is used in the C the compiler is probably written in.

MOD PARENT UP!

The parent post is terribly underrated. The french are self absorbed assholes and this needs to be acknowledged!

I'd hardley say useless

there are real reasons why this new markup language is needed. It is intended for complex distributed processes that cross several application domains. the common example is a travel agent, who needs to book travel plans for a customer. The booking includes, flights, trains, cars, hotels and motels. Given the complexity of booking that many items in one single transaction across multiple booking systems, you need a common authentication mechanism. What would you prefer? Everyone write their own authen scheme, which may be secure, but will take a couple months to implement. Multiply by the number of companies the travel agent connects to book reservations.

there are those who disagree, but those whose jobs require complexity, it is a step towards easier integration. Microsoft should just go with the architecture Oasis has laid out for ebXML and dump their piece of junk which originally had no concept of coreography.

Re:I'd hardley say useless

[JVert]

Sounds like what XML was supposed to do in the first place.

Hey I renember you people... I gave you a project and you gave me all these reasons why it will work...

It didn't work. But you gave me twice as many reasons why the next try it will work. So you tried again.

Eventually it was obvious that the world was just not ready for every arctitecture to seamlesly integrate with others.

I'm not touching it!

I'm going back to post it notes, you guys call me when you figure it all out.

Re:I'd hardley say useless

[smccrory]

No, no, no. Humor aside, XML was never supposed to behave as an access control system. It WAS intended to be a self-describing and self-validating way of encapsulating lots of different kinds of data. It's succeeded, is popular because of that fact, and XACML is an example of how you can even store entitlement logic in XML. Now, with XACML you can implement that same logic not only in Java but also C, C#, PHP, ASP, VB, Perl, and anything else you desire because the rules are stored in a language-independant and platform-independant format. THAT's the main benefit, and Sun should be given credit where credit is due.

Re:I'd hardley say useless

[pmz]

It is intended for complex distributed processes that cross several application domains.

Yes, and so are the other 3,142 languages that came out last month and the 2,675 languages from the month before that. Don't get me started on the 15,476 .NET languages...I'll pass out!

Re:I'd hardley say useless

What would you prefer? Everyone write their own authen scheme...

I would prefer that the person offering the service determines the authentication implementation, and I, as a user of their service, would be subject to same. Trying to force a single authentication system is nothing more than you jockeying for control of a namespace.

Got really excited

[vivek7006]

Sun Microsystems Labs has backed this up with an open-source version in Java

I got excited for second, incorrectly reading this as.. Sun Microsystems Labs has backed this up with an open-source version of Java

Re:Got really excited

yep - i too.

it would really be nice if sun opensource java. but after all - who cares...

i have my objective c/cocoa and python knowledge and i'm happy with it :)

Re:Got really excited

Most of the source code to the Java language is available. The only thing lacking is the VM. Before anyone says that the VM is java, a majority of the language is implemented IN java and is freely available.

"Open source" reference implementation

[yerricde]

How can a language be open source?

I consider a language to be "open source" if it has a reference implementation available to the public as OSI Certified(TM) open source software.

Re:"Open source" reference implementation

[JanusFury]

That would be a compiler/reference implementation.

A language can definitely be 'Open', but the term 'Open Source' has absolutely no meaning when attached to a language.

'Open Source English'.

That makes absolutely no sense. My point is not related to how useful or good this language is, I'm just annoyed at this example of Sun's generally confusing and strange marketing.

Re:"Open source" reference implementation

Actually, it does in this case, if you look at in the context of things like ebXML, which has patented information in it from IBM, iirc (but in IBM's defense, I think the agreed to not ask for licensing fees from implementers), even though it is "only" an XML schema (which seems to make it more like a protocol than a language to me)...

Re:"Open source" reference implementation

[JamesOfTheDesert]

OT, trolling, flamebait, whatever:

Sun is quite good at this sort of bullshit wordplay (though far from being the only ones). They really like to throw around the woprd "standard", conflating quite different meanings of the word to suggest that what they offer is not proprietary. For example, J2EE is "standards based", but only in the sense that a sole company (Sun) can define the standard.

They refer to the use of some XML syntax as using a standard, but as the W3C is not a true standards body ( as, say ISO is), XML is only a standard by general consensus.

Sometimes they refer to a something that's actually defined by a standards body. But that's rare.

Re:"Open source" reference implementation

[aled]

That's just plain wrong. Enter Java Community Processand check for yourself the list of participants. Like IBM, BEA, Apache, Apple, etc. That is if you like to know what you are talking before posting.

From the home page: "Java Community Process is the way the Java platform evolves. Its an open organization of international Java developers and licensees whose charter is to develop and revise Java technology specifications, reference implementations, and technology compatibility kits. Both Java technology and the JCP were originally created by Sun Microsystems, however, the JCP has evolved from the informal process that Sun used beginning in 1995, to a formalized process overseen by representatives from many organizations across the Java community."

Re:"Open source" reference implementation

[JamesOfTheDesert]

True. But who has final, legal say? If there is a disagreement between the JCP and Sun Inc, who wins?

Basically, Sun gets to pick people's brains, and see what major vendors are willing to support. But Sun gets the final say. Notice how all the copyright and trademark notices for Java(tm) refer to Sun, not the JCP or some other independant organization.

lunix alreaIE has drm

chmod -r 000 *.ogg *.mp3.
chown riaa *.ogg *.mp3.

Your philez are n0w 0wn3d by the R144, go to jail j00 theivning hax0rz!

<sigh>

You're all a bunch of idiots. If you don't understand the technology and it's ramifications, please just STFU.

Just more pseudo-Open stuff from Sun like...

[meme_police]

...this.

In Soviet Russia...

[-1bynextweek]

only language required for "access control" was RUSSIAN!

Jesus Saves!

He passes to Moses! Moses passes to Buddha! Buddha shoots! He scores!!!

The force has light and dark sides

[yerricde]

Who will use it, and for what purposes??

A generic digital restrictions management component such as XACML, TCPA, or the technology formerly known as Palladium can be used for good (protect the privacy and integrity of personal information) or for evil (deny fair uses of copyrighted works).

Such prosaic names and acronyms...

[Consul]

The subject submits its query to the entity protecting the resource (e.g. file system, web server). This entity is called a Policy Enforcement Point (PEP). The PEP forms a request (using the XACML request language) ... (snip)

They should have called its language PEP Talk. ;-)

Re:Such prosaic names and acronyms...

[kietscia]

Now I can call my Software Development Team the PEP Squad (tm).

XACML is

[WetCat]

just l33t version of HackML - a language
made specially for hackers!

Damn US Patriot..

calm down, GI.
I for myself would be quite happy to live in either France, Germany or Belgium these days...

Re:Damn US Patriot..

I also would be quite happy for you to live in either France, Germany or Belgium these days...

Every language is a niche language.

[pHDNgell]

C is definitely not as good of a general-purpose langauge as Java is. The fact that people use it for general programming does not make it appropriate.

C is a low level language that nearly nobody understands. Sure, anyone can look at the language as a whole and think they ``get it,'' but the number of buggy C applications out there speak for its complexity.

Java is a good high-level language. Most applications need to be written in high-level languages. That means that most developers should be using high-level languages to get these things written.

C is good for writing the low-level portions of operating systems, and perhaps some embedded work.

For those who still complain about the speed of java, look to languages like ocaml and the bigloo scheme compiler. In my tests, they both produce insanely fast code (slightly slower than the C from which I translated it, faster than anything else), but are high-level languages well suited for general application development.

Re:Every language is a niche language.

I would disagree that C is a complex language. Look at K&R's C book, compared to any Java 2 programming book.

So C has some language features that allow you to write very elaborate (Rube Goldberg?) code that could be called complex does not make C a complex language...

Re:Every language is a niche language.

The pattern doesn't a Dragon, it needs the Dragon, and it's going to keep throwing up false ones until it gets the right one. Then, all these shitty high level languages won't be here to divide my attention, I'll just write in the NewC, and it'll do everything I need to do, from OS writing to moving little mouse tails around webpages.

Re:Every language is a niche language.

[alext]

Java is a good high-level language.

Are you sure?

Then why do the access control rules need to be specified in another language (XACML)?

And why can't users work with Java code?

Re:Every language is a niche language.

[smccrory]

alext, you're completely missing the point. Java users have been able to do this for quite some time now. Take a look a JAAS - it is an excellent solution if all you do is Java. But the purpose of describing the access control policies in something language-independant like XML is that, we'll, you can implement it in other languages without having to rewrite both the rules and the access control mechanism. This is darn good stuff actually, and lots of readers here are completely missing it. You and many others are blaming Sun for developing something that can be used for more than just Java! Incredulous...

Re:Every language is a niche language.

[larry+bagina]

C is a low level language that nearly nobody understands. Sure, anyone can look at the language as a whole and think they ``get it,'' but the number of buggy C applications out there speak for its complexity.

I disagree. The number of buggy programmers speak for the number of poor programmers, and/or legacyt code/programmers. 10, 20 yeas ago, people were writing shitty code (static buffers, not validating every parameter) because that's how people coded, whether it was in C or pascal, or cobol, or fortran... Memory and CPU cycles were a lot scarcer.

Sure, java or ocaml, or ml, or perl, or scheme make buffer overflows impossible. That's great. Show me an operating system written in perl, though.

Interesting twist, the sourceforge bit

[jaiger]

First, synchronize watches - how long before JBOSS integrates this?

Now on to more serious commentary. This story is interesting in that Sun might actually be "getting it". Sure they've been saying "we get it" for some time but that crappy Sun license...that's just what we needed, YACL (Yet Another Community License).

This project is actually on Sourceforge, and with a BSD-looking license no less!! I like what I'm seeing, Sun.

-joe

Re:Interesting twist, the sourceforge bit

[matt[0]]

http://ebxmlrr.sourceforge.net/

Another Sun initiative on SF.

RTFP people

[f00zbll]

For those who are too damn lazy to read what the language does and why Sun wrote a reference implementation.

* One standard access control policy language can replace dozens of application-specific languages

* Administrators save time and money because they don't need to rewrite their policies in many different languages

* Developers save time and money because they don't have to invent new policy languages and write code to support them; they can reuse existing code

* Good tools for writing and managing XACML policies will be developed, since they can be used with many applications

* XACML is flexible enough to accommodate most access control policy needs and extensible so that new requirements can be supported

* One XACML policy can cover many resources; this helps avoid inconsistent policies on different resources

* XACML allows one policy to refer to another; this is important for large organizations, for instance, a site-specific policy may refer to a company-wide policy and a country-specific policy.

Before someone else rants about copy protection, find out what it is before you start typing. I'm guitly of it in the past, but this is a useful language will real benefits.

Re:RTFP people

[Timesprout]

I dont agree with these reasons. Why should peple have to rewrite their security implementations just because SUN came up with a new, unnecessry markup. One of the beauties of XML is so many different language bindings exist. If the various aspects of my security use XML to communicate then I can write them in just about any language I please.

Secondly what do people feel about having a system like this in the public domain? I am not an advocate of security through obscurity but with this system the bad guys will have a very good understanding of how the whole system works. Should an implemenatation be exposed then multiple systems become vunerable.

Re:RTFP people

The language existed before Sun got involved. So Sun didn't come up with it. Let's give the credit and blame where it is due. Oasis has been working on this for a long time, way before Sun decided webservices was a good thing.

Re:RTFP people

Why should peple have to rewrite their security implementations just because SUN came up with a new, unnecessry markup.

One could just as easily say, "Why should developers and integrators write many different security interfaces for many different implementations?"

If we eliminate all the time spent re-inventing the wheel, we'll have more time to focus on building the next killer app...

Your argument makes about as much sense to me as this one.

Re:RTFP people

[cachorro]

One standard access control policy language can replace dozens of application-specific languages...

One XACML policy can cover many resources...

One language to rule them all...

Come on guys

[dubbayu_d_40]

Sun is providing Java programmers for easily accessing and mutating this new ACL standard. This has value since there are so many fucking Java programmers you morons.

English, a dialect of SQL

[yerricde]

'Open Source English'. That makes absolutely no sense.

The PICK operating system had a database query language called English, a dialect of SQL. I'd consider the English programming language (not the English natural language in which this comment is written) an "open-source language" if one of the major free databases (MySQL, PostgreSQL, SAP DB, etc) introduced PICK interoperability through support for English queries.

If you're worried about my use of "open-source language" to refer to "computer language with a widely used open-source implementation", don't worry too much. Such "overloading" is common in computer jargon.

Unfortunately not everyone "gets it"

[binaryDigit]

The requirement of having robust access control (beyond simple enter your name and password) is not very common outside the corp. world. So those who've not had to deal in that code would not fully understand how big of a deal that this markup language CAN be (assuming it's adopted, robust, etc, etc). This is definitely one of those areas where "everybody rolls their own", or worse, they dumb down their access control to fit things like directory services and the ilk, that were never intended to do what this is trying to.

Funny how in many posts this has degenerated into either "we don't need no more stinkin languages" or "Sun/Java sucks, yadda, yadda".

Re:Unfortunately not everyone "gets it"

[afidel]

Oh this is SO true, for instance my last employer was GE, within GE there are probably at least 100 different authentication domains (this is being conservative, there are probably several hundred) in the last couple of years they have tried to unite a large % of these under an SSO policy, only problem is to even get your SSO information you might have to travel across 3-4 domains. For instance to get mine I had to get inside the firewall with a vpn client, acess a controlled page with a DES access card, then provide my NT credentials to get access to my webmail which lead me through a link to a peoplesoft application with it's own access controlls so that I could sign up for SSO. Providing a single set of credentials and having all of the services recognize me would have made life much easier. Of course a good counterpoint is that anyone who was able to spoof my credentials would then have acess to all of those resources, but this was generally true of the cumbersome system, as long as you had access to the email password you could retrieve/reset most of the others.

You and Alec Baldwin

Funny how folks like you never seem to get up and go away....

oh cool

[zephc]

just when I thought security-related articles couldn't get any more boring, Sun releases XACML.

[/tongue-firmly-in-cheek]

I dont get this

[Timesprout]

What exactly is the need for this 'new' language. I get the impression that really this system just defines some interfaces and uses XML to allow various aspects of the implementation to communicate. Not exactly rocket science and certainly not worthy of a new language IMHO. What exactly does it do that XML and some well defined schemas cant?

Its some what strange that given the recent 'commitment' from SUN to clean up the J2EE API's they want to foist this on us as I assume the enterprise is where it will see most usage.Is this sone sort of bastard child from the slightly less than successful Liberty project?

I read it but didn't understand it

[yerricde]

One standard access control policy language can replace dozens of application-specific languages

But what is an "access control policy language"? Is it the language used to write ACLs on files and folders, or is it a language used to write copyright management information as defined in 17 USC 1202?

Re:I read it but didn't understand it

[H310iSe]

One standard access control policy language to rule them all, One standard access control policy language to find them, One standard access control policy language to bring them all and in the darkness bind them.

Err eh ?

[MosesJones]

You mean like Ada used to be, Java is etc etc etc..

How is this getting modded up in a place where Java is constantly criticised for being closed source. If a company creates a document it owns the copyright on that document, if it trademarks a name it owns that name. If you create a language that has the same syntax with the same meaning then you are breaking those "rights".

UNLESS you can create a Clean Room implementation ala the original IBM Bios clones. And who would want to do that for a language.

Re:Err eh ?

If you create a language that has the same syntax with the same meaning then you are breaking those "rights". UNLESS you can create a Clean Room implementation ala the original IBM Bios clones. And who would want to do that for a language.

If that language happens to be Java, then the answer is of course Microsoft..

Interesting bit on OSL's

[afidel]

Q: What Open Source license are you using? We are using a modified BSD license. This is a true Open Source license with no "viral" effects.

Almost sounds like they are either a)trolling for liscensing wars or b)trying to allay managerial fears about loss of code controll. While I would agree with them that for their purposes (and the purposes of any project/standard which needs to be integrated into the core of both commercial and non-commercial code) that the BSD liscense makes more sense I don't think they have to implicitly slam other liscenses like the GPL through use of MS like terms.

Re:Interesting bit on OSL's

[The+Bungi]

Well, obviously if the Sun legal bigguns determined the GPL is viral then it probably is, no? You don't really think something goes on the web with 'Sun' plastered all over it without some sort of clearance from a lot of smart people, eh?

This will get just a blip here but when "Micro$oft" says the GPL is viral then all hell breaks loose.

Weird, isn't it.

Re:Interesting bit on OSL's

Dear The Bungi:

I have noticed you are part of a group of folks on /. who seem to have no purpose except to point out the /. stereotypes. And as such, become a stereotype yourself.

Usually you folks like to take two different things that have something in common, point out that the average slashdot post will treat them differently, then sit back and gloat. Example:

Whenever teh slasdhot mentions teh M$ suxxor, everybody agrees and u mod up. But when teh slahsodt says teh *linux* suxxor, u mod down? Your teh hypocrites!

Tell me, what motivates these pointless observations?

Re:Interesting bit on OSL's

[The+Bungi]

Tell me, what motivates these pointless observations?

Dear AC:

If you grow some balls and log in, I'll enlighten you. Otherwise, please kindly FOAD.

Re:Interesting bit on OSL's

Dear The Bungi:

If you grow some balls and have your dog lick them while giving yourself head, I'll continue this conversation with you. I mean, hey, if we are going to try and enforce rules on each other, why not?

Re:Interesting bit on OSL's

[The+Bungi]

Thought so =)

Re:Interesting bit on OSL's

What do you have against anonymity? Maybe (obviously) I don't want to be associated with Linux and its zealous fan-boys.

Re:Interesting bit on OSL's

[morie]

must be tiresome, discussing something with yourself and having to remember whether to log in or not at the next post...

Re:Interesting bit on OSL's

Calling the GPL "viral" is a sure sign of a Microsoft employee.

Has Sun become a Microsoft subsidary?

Re:Interesting bit on OSL's

[The+Bungi]

Yes, I do it to burn karma when I'm bored.

Hope your case of moronitis gets better.

Re:Interesting bit on OSL's

[morie]

keep on burnin', you're still at +2.

Copyright and specifications

[yerricde]

If you create a language that has the same syntax with the same meaning then you are breaking those "rights".

If I don't call it Java(TM) brand then I'm not infringing Sun's Java mark. Stating that something "interoperates with programs that use Java(TM) technology" is fair use of Sun's technology.

Likewise, if I write my own spec without using any of Sun's expression, I break no copyright. There is currently no U.S. copyright on facts (1y7 USC 102(b); Feist v. Rural).

UNLESS you can create a Clean Room implementation ala the original IBM Bios clones.

The dirty/clean process used to write the clone of IBM PC BIOS involved one "dirty" team that turned the BIOS code and its observed behavior into a specification and another "clean" team that turned the specification into a computer program. It was designed to defeat any accusation of access to the original work, without which there is no copying and thus no infringement. Anybody who has never seen Sun code and works only from the published specification is already "clean".

Re:Copyright and specifications

The main reason that Java can't really be considered an "open standard" (in the old Sun Micro sense) is that it's got patents up the wazoo, and Sun only grants a licence if you are in their community process.

Stay tuned for when a cleanroom Java-like implementation (MS .NET) gets sued for patent violations.

HEY SUN microsystems when will java be open ?

[zymano]

open sourced? Why is java now a 100 meg download ? Why are there 100 versions? Why can't someone build a faster better language than java? XBASIC ?

No.

[eddy]

No.

eat shit nerd fag commies

eat shitnerdfaggotcommiecommandertacokillinpussyshitea tingfagdicksuckers
San Dimas Football rules!!!!!!!!

Re:oss'ed DRM? - NEWS FLASH

The Unix passwd file is DRM! Down with the passwd file!!!

Not a drop to drink

I believe exocamels will become important when we're exploring harsh extraterrestrial environments like Mars. Think about it - terrestrial camels are the best-suited ride for the harshest places on Earth. It only stands to reason that the same would apply to their offworld relatives.
I think the idea of using exocamels to explore the Sun is ridiculous, though. I mean there's a difference between the Sahara and the plasma skin of a 6000 degree fusion furnace. They're tough critters, but really.
I have no idea what open source has to do with any of this. But then I find that with most slashdot stories.

YES! Finally some software news on slashdot....

[pepper_pusher]

That's how I like my /.!

jeeez...

I go to the OASIS site to have a look at the spec and find it's only available in MS Word format!!!!

So much for "open" standards....

Re:jeeez...

[matt[0]]

http://www.oasis-open.org/committees/xacml/reposit ory/oasis-xacml-1.0.pdf

Here is a PDF, I found it in, oh, 2 seconds. Granted, Docbook would have been better seeing as its an OASIS Specification itself.

XML stone soup

[alext]

Like so many other "XML-based" standards, XACML is horribly constrained by the lack of general logical or procedural primitives in XML. As we all know, XML is not a programming language - it was never intended to be computationally complete - yet there seem to be a neverending stream of attempts that effectively try to turn it into one.

It is a fundamental mistake to try to shoehorn semantics which will generally include logic - such as an access control decision - into a language which has no support for them. While XACML "is not intended to form the basis of an authorization decision by itself" it must of necessity include the means to combine and modify rules - hence requiring logical operators which of course have no standard representation in XML.

The specific result is that each attempt to use XML for anything other than the simplest semantics (SOAP, Schema, XSLT, JSP...) must invent its own representations of operators, variables, modules and so forth.

The general result is one unholy mess. We, the poor bloody coding infantry, have to face learning a dozen or more ways of representing the same fundamental concept in a multitude of languages, each supposedly specialized for a narrowly-defined task, but in reality incorporating almost-but-not-quite-all the features of a general purpose language. XML's ugly syntax becomes the least of our problems - that can always be hidden by visual tools or 'generators', but no tool is likely to be able to reunite fundamental concepts fragmented into so many different representations.

Standards such as these do not represent progress, they represent a growing mass of redundancy that one day will have to be refactored into more coherent form. Anyone who studied LISP, or some other language capable of representing the popular data and programming paradigms (logic, procedural, declarative...) will be aware that common ways of representing such semantics have been known for decades. The fact that the practice of XML continues to ignore such basic prior art is an extraordinary indictment of the state of our industry today.

I welcome any explanation from the individuals or organizations concerned as to what obliged them to make yet another idiosyncratic elaboration of the generally incoherent and unusable body of XML specifications.

Re:XML stone soup

It's a good point, but what are the alternatives?

I've just bough myself a book on XML, and while I can see the idea it's far to bloated, computationally and financially expensive* to use day to day. It seems that it's been taken and Sure, XML as a data interchange method is useful, add a DTD and you can do some validation.

* I worked for a company that was crippled by a management descissions to use Java/XML. We were quite happy with mod_perl before. The bill came in at ~2,000,000 plus a stock control system at ~7,000,000. All singing and dancing, when the bespoke stuff we had before did the job fine.

Re:XML stone soup

[alext]

Yeah, that doesn't surprise me at all, I'm sure you're right in your diagnosis that a somewhat higher-level language - Perl - can be more productive, and occasionally more efficient, than Java+XML.

I don't think there is a mainstream attempt to unify languages like Java, XML, XSLT etc. However, there is probably a consensus that the best starting point is Scheme, the LISP-like teaching language. This starts from the basic principle that programs-are-data, meaning that Scheme can happily substitute for both Java and XML. This has led people to provide mappings between XML, XSLT etc. and Scheme.

More interestingly, there are some usable Scheme implementations around now, so it's a good time to play with it if you have some time. Grab, say, DrScheme and/or SISC (Scheme on top of Java) and go through the famous Structure and Interpretation of Computer Programs book - I found it very enlightening and not too dry, despite some reviews to the contrary.

Pointers are on the Schemers site.

Re:XML stone soup

[matt[0]]

I'm sure you're one of those people who insists on doing their configuration through a language specific construct, such as using eval() in Perl.

XACML, as well as a few other XML "languages" is useful in that the policy is portable and everyone can benefit from better tools to work with the language. XML provides a middle ground for these languages. Sure, it doesn't have operators or behave like a programming language...but every programming or scripting language has several means of reading XML.

Re:XML stone soup

[alext]

I'm sure you're one of those people who insists on doing their configuration through a language specific construct, such as using eval() in Perl.

Not sure I follow you - what kind of construct would not be language-specific?

XML provides a middle ground for these languages.

"middle ground", "vocabulary" and "ontology" are certainly the kind of phrases you see in conjunction with XML. Unfortunately they mean very little.

every programming or scripting language has several means of reading XML.

No doubt. And probably a means of reading CSV files too. If you are implying by this that the ability to read XML structures is a significant contribution to the generation or interpretation of such languages as XACML then I think we'd have to disagree.

XML here is a simple "wrapper" or syntax abstraction for the concrete syntax underlying XACML (or whatever). By itself, does nothing to constrain or interpret the latter.

To take a simple example (from a guy called Philip Wadler, who has this on a T shirt)

1. Start with a mathematical function, say 2x

2. Now represent it in a convenient programming language, say Scheme: (lambda (x) (* 2 x))

3. But in XML, the syntax has to be explicitly flagged in frequently gruesome detail:

<abstraction>
<var>x</var>
<expression>
<appl ication>
<const>*</const><arguments>
<const>2</c onst>
<var>x</var>
</arguments>
</application>
</expression>
</abstraction>

For any non-trivial language, XML is just baggage, it doesn't add anything useful.

Re:XML stone soup

[matt[0]]

Not sure I follow you - what kind of construct would not be language-specific?

I meant not specific to the programming language(s) with which the construct is being consumed.

"middle ground", "vocabulary" and "ontology" are certainly the kind of phrases you see in conjunction with XML. Unfortunately they mean very little.

They actually mean quite a bit to some of us. If you've ever found yourself in the middle of a situation in which integration between a few complex systems is involved, all from different vendors, you would find reasons to overlook XML's warts. XML (or should I say: the software that has sprung up to support it) does offer you a more accessable programming model, which leads to more productivity, quicker project cycles, etc. When performance and verbosity are big issues, such as is the case when using smart cards and limited resource devices, XML can be transformed easily to other formats, such as ASN.1. Look at OASIS XCBF.

Yes, XCBF could have just done it all in CSV, but instead they chose something that has good schema definition languages, good processing tools, excellent coverage by the technical press, and dare I say -- unprecedented market acceptance.

2. Now represent it in a convenient programming language, say Scheme: (lambda (x) (* 2 x))

I think thats a slightly different use case than XACML is addressing. XACML is about asserting policies. No one is trying to do mathematical calculations in it. I generally agree with you here, I've opted away from XML in cases where I had to describe methods moreso than properties. There is one exception, however. ANT. I find it more convienient that the .sh files or make files I used to use.

Re:XML stone soup

[alext]

I meant not specific to the programming language(s) with which the construct is being consumed.

Well, you are simply shifting the problem from the programming language to the other, "language-independent" language. In reality, there's no reason to privilege one language over another arbitrarily, and certainly not to mandate the use of multiple, highly redundant languages.

"middle ground", "vocabulary" and "ontology" [...] actually mean quite a bit to some of us. If you've ever found yourself in the middle of a situation in which integration between a few complex systems is involved, all from different vendors, you would find reasons to overlook XML's warts.

Passing over the obvious question regarding the decisions never to address XML's admitted warts but always to effectively compound them, you refer again to the XML programming model and its supposed advantages.

Once again, I have to point out that the relevant language, the one actually expressing the information we are interested in, is not defined by (constrained by) the XML specification but by higher-level specifications such as XACML. Any appeal to productivity, efficiency etc. must therefore show how XML tools help manage XACML semantics specifically, in comparison to standard language processing tools such as YACC.

Any transformation from XACML using standard XML tools cannot, by definition, improve on a representation of the underlying concrete syntax of XACML, since they know nothing about it.

Similarly, any appeal to authority regarding the acceptance of XML is no more relevant than the acceptance of ASCII. Naturally this doesn't stop every new language ("vocabulary") being described as "standard XML", but such descriptions are wholly misleading.

(lambda (x) (* 2 x))

I think thats a slightly different use case than XACML is addressing. XACML is about asserting policies. No one is trying to do mathematical calculations in it.

You appear not to have read the specification. Section A 14 describes the logical, arithmetic and other functions of XACML in some detail. It looks as though someone has invested considerable effort in deciding how 2x should be expressed in this "Access Control Markup Language".

Re:XML stone soup

[matt[0]]

*sigh*

Why don't you write a paper on how much better specialized grammars and scripting is than XML, then present it to the industry?

Make sure you format the paper in tex or groff or something else that doesn't use spurious ''.

I've been down the yacc route, and JavaCC, in the past and I am happy to use XML from now on wherever I can. You are free to stay with the old school way if you like. The critical mass is with XML, and it will get better.

Re:XML stone soup

[matt[0]]

oops...

s/spurious/spurious < & >/

Re:XML stone soup

Your analysis is misleading.

Your general disliking of XML is solely based
on its verbosity.
XML is like any other Dyck-Language and has
the same expressiveness.

The example you gave is also misleading, as I could rewrite the XML so that is more understandable
to non-geeks than (lambda(x) (* 2 x)):

<method var="x">
<multiply number="2" with="x" />
</method>

Note that I provided more "semantical" hints
than your version and I bet it is more understandable.

It is also parseable by any XML-parser and then easy to interpret.

Sure, XML is much more verbose, but hey, who cares. As long as I can parse it and specify validity constraints using DTDs or Schemas, I'm fine.
This takes out 80% of the hassle you have when dealing with languages.

Re:XML stone soup

[radish]

OK, I'm just a Java hack who's used XML in a bunch of places, but, errrm... XML is not a programming language. It's a file format. You don't do maths in XML, it doesn't replace C or Lisp or asm, it replaces .xls and .csv, hell even .jpg if you want.

I may be being exceptionally thick, but I just don't get your example, you seem to be saying that just because turning Scheme code into (an arbitary) XML layout makes it take more space, XML is useless. I'd argue that's completely irrelevent. XML is for representing data.

I should use a counter example I guess. How about you have a trading system which passes details of trades to some backend accounts system. It uses good old csv, so you get a file like this:

RHT, 300, 4.51, JBLOGG, JDOE, 19-2-03
IBM, 10000, 1.06, JDOE, JBLOGG, 19-2-03

Transform that to XML:

<txn>
<stock>RHT</stock>
<quan>300</quan>
<pric e>4.51</quan>
<buyer>JDOE</buyer>
<seller>JBLOGG </seller>
<date>19-2-03</date>
</txn>
<txn>
<s tock>IBM</stock>
<quan>10000</quan>
<price>1.06< /quan>
<buyer>JBLOGG</buyer>
<seller>JDOE</selle r>
<date>19-2-03</date>
</txn>

(apologies for random spaces and semicolons slashcode seems to want to add)

Now, I'm not saying the latter is smaller. If data size matters, don't use XML. It doesn't matter to me (usually). But it's more human readable (which is sometimes nice). It's more flexible (when the sending system adds an extra field it just does so, the recieving system just ignores it - try that with csv!). It's more easily describable (want to tell people what format you use? just mail them the schema and voila - they can read your data). I don't believe XML is a massive leap forward, but it simplifies a lot of things and removes a lot of potential confusion. Standards are a good thing.

I can't see any reason (other than size, and you can always zip your files) not to use XML in the vast majority of applications which transfer/store textual (non-binary) data. You get free tools, you get free parsing/writing libraries.

Re:XML stone soup

[Karhgath]

Here's a great example of a use for XML-based language. I don't say it's better, I don't say it's anything new, it just helps in many ways making everything more standard.

Company A wants to exchange data(ie order forms) with Company B. (Amazon and CDNow for a lack of better example).

Now, if they used a proprietary format, it's all good, they make the specs together, then each implents it.

Then, Company C wants to be included in the exchange too. They send the specs of the file format and Company C implements it.

And so on. It could introduce many bugs since they don't have the same implementation details, if A and B want to add a field, but not C, C will still have to change it's implementation, unless the format allows additional field without breaking compatibilities with previous version of the file format.

However, if they used a standard format, whether or not it's XML-based, they would only have to take a reference implementation to parse the data, and thus will probably have much less differences, bugs and security issues.

XML is just a nice way to make a standard, it always parses the same way, and don't care when you add new fields, you must really change the whole language to break compatibilies with previous versions.

XML is just that, a nice standard way of doing standard language for information exchange. You could do it in CVS for example, but it's hardly flexible like XML. You can create proprietary formats, but it will take more time, and each companies are likely to have to build the implementations themselves. With XML-based language, it's very easy to do a reference implementation since XML always parses the same way and is very flexible.

Hope that helps.

Re:XML stone soup

[alext]

Sure, I don't have a big problem with XML being used to express data. The problem with XACML and its ilk is that people are trying to use XML to express logic, maths, control etc. just like a real programming language. Worse, the way they do this is usually partial and specific to every Tom, Dick and Harry XML "vocabulary".

Re:XML stone soup

Common Lispers might disagree somewhat. Scheme suffers from some of the same problems as XML - yes, scheme is a lisp, but scheme's "unblemished diamond" approach means that to get anything done in scheme, you end up using loads of non-standard stuff in the end (SRFIs are slowly helping, but the ANSI Common Lisp standard is still ahead, despite being nearly a decade old... and it's not like the CLers aren't producing new community standards...)

Scheme is a great pedagogical language. Common Lisp is better for getting things done.

Re:XML stone soup

[radish]

I agree that would be bad, I'm not convinced that's what's happening here. I've only skim read the spec, but it basically looks to me like just a collection of schemas. One describes what a request looks like, one describes what a response looks like, and one describes the format of what is basically a config file. The code which Sun have released takes a request, looks at the config, and creates a response. But is written in Java, not XML (?). If you decided not to use XML, but instead CSV for all your requests, responses and config, the Java code would stay the same, it would just need different file parsers.

I really fail to see what the problem is here. The last thing you want is to express authentication configuration in programmatic code! I mean, you can't write a .htaccess file in C can you?

Re:XML stone soup

[21mhz]

XML is not a programming language - it was never intended to be computationally complete

Now repeat after me: XML is basically just a syntax. It was never intended to be computationally complete in the same way as marking up things with balanced parentheses is not computationally complete. Yet you can map your favorite programming language into an XML representation, and vice versa.

Anyone who studied LISP, or some other language capable of representing the popular data and programming paradigms (logic, procedural, declarative...) will be aware that common ways of representing such semantics have been known for decades. The fact that the practice of XML continues to ignore such basic prior art is an extraordinary indictment of the state of our industry today.

The fact that someone tries to come up with a standard that would be widely accepted shows our industry as a maturing one. Sorry, but Lisp doesn't cut it for the IT masses in general. It missed its chance back then. It's a generic language, with strong background in programming, and it doesn't have such an emphasis on validation of semantically-loaded subsets as XML applications had from the very beginning.

Re:XML stone soup

[lkaos]

While I wouldn't call myself a big fan of XML, you're simply wrong in your example. XML is a data representation language. In most languages, data and expressions are more or less the same. For instance, take your example

f(x) = 2x

Now, you converted to Scheme/LISP and then to XML. That's bad. A more fluid translation to XML could be:

<function name="f">
<arguments>
<symbol name="x"/>
</arguments>
<body>
<operator name="*">
<constant value="2"/>
<symbol name="x"/>
</operator
</body>
</function>

Compared to C:

int f(int x)
{
return 2 * x;
}

Scheme/LISP:

(defun f (x) (* 2 x))

C++:

struct
{
typedef int results;
typedef int argument_type;

int operator()(int x)
{
return 2 * x;
}
} f;

The XML isn't really that bad.

Re:XML stone soup

[naasking]

Everyone is using XML to do away with specialized grammars for every problem domain. The human element is always the weakest and the slowest. If you can simplify things for the impementor by using a spec that is well known and in which it is relatively easy to reason, then you have eliminated a great problem. I would love it everyone would exercise a little brain muscle and just learn lambda calculus, but that probably won't happen any time soon. So we'll just have to make due with the lowest-common denominator which is XML (which is self-documenting if written properly - so that's ONE nice feature).

Re:XML stone soup

[alext]

it basically looks to me like just a collection of schemas

It isn't. Take a look at the appendix, you'll find 30-40 pages on data types, expressions, operators etc. - deja vu all over again.

Re:XML stone soup

[alext]

Fair comment. I'm kind of hopeful about the current Scheme implementations becoming useful, particularly for implementing the kind of mini-languages as discussed here, but Allegro CL etc. would be great for application-building.

Re:XML stone soup

[alext]

You appear to be under the same impression as AC above, that this is a debate about conciseness. It's actually about coherence.

The fact that XACML invents most of a full programming language, as does XSLT, JSP ad nauseam results in massive duplication and hence confusion, lost productivity, efficiency and flexibility.

You are welcome to express your logic in XML syntax, just don't invent a different syntax, grammar and feature set for each "application".

Re:XML stone soup

[alext]

This is nonsense both in theory and in practice - XACML has a grammar, and it isn't XML. The spec's 220 pages describe this grammar - the mere fact that they say things like

The MatchId attribute SHALL specify a function that compares two arguments, returning a result type of boolean.

instead of providing a formal definition such as a BNF can't disguise this.

Now if this spec was part of a coherent and properly factored set of XML standards the job of the implementor would be vastly easier, since implementations of things like expression evaluators would be common and could be shared - easier to learn, write and maintain.

Rather than pretending to people that it's "relatively easy" to implement specs. like XACML using standard XML tools, a more useful contribution would be showing how useable Scheme, Haskell or other language semantics can be mapped to XML (if required), so helping rationalize the situation.

Re:XML stone soup

[alext]

It was never intended to be computationally complete [...] The fact that someone tries to come up with a standard that would be widely accepted shows our industry as a maturing one

I agree with your first statement, which is not surprising as I stated it in my first message, but I don't think many will agree that any set of standards, no matter how redundant, inflexible and unmaintainable, represent progress in the industry.

Your views on LISP per se are not particularly relevant, the point is that there are generic programming concepts in multiple XML specs. that can and should have been factored out. XML is not, as you say yourself, an alternative to LISP, but XML with appropriate coherent extensions could well be.

Re:XML stone soup

[21mhz]

XML is not, as you say yourself, an alternative to LISP, but XML with appropriate coherent extensions could well be.

I think there is no reason for such things. Even XSLT, the most "programmatic" XML spec I know, doesn't bind itself to a particular programming paradigm, it just describes what is to be done. This, actually, can be considered a strength.
And, i guess, no living soul would want to program in XML.

Re:XML stone soup

[Axe]

Before writing all this, it would be helful to actually read the XACML spec. (I did - I am actually listed as one contributor to it). It is nothing more then a thin XML layer on top. You can mark up LISP if you want - it means nothing exept you can use a lot of handy parsers to read it in.

Okay, an attempt to explain...

[Abcd1234]

This is really a bit of a niche domain (in that, system administrators and other folks are interested, most other people aren't).

Basically, in the world, there are many scenarios where it would be VERY useful to be able to enable access controls on various resources in a system. By "access controls", I mean rules which define who can perform actions on given resources. This sounds so general because it is very general. The purpose of XACML is to provide a language which allows you to specify these rules, or policies, in a nice format independant of the rest of the system (data storage, etc) for any number of domains, and provides software to implement the required components for such a system.

As a solid example, you could use XACML, a central PDP, and a PEP on a set of firewalls to control which IPs have access to what. You'd have to write a PEP for the firewalls, and set up a PDP to handle the requests, but once this is done, you could use XACML to write firewall rules!

Another example, suppose you have a user trying to access their email. You could have a PEP in the client which talks to a PDP to determine if the user is allowed to perform various actions on the mailbox (read, write, etc). In this case, you'd use XACML to determine who can perform what actions on the mailbox.

In both of these cases, XACML defines the language PEPs use to talk to PDPs, and also specifies a common XML language for defining the policies to determine who can do what.

In essence, XACML abstracts these concepts of policy enforcement, rule definitions, etc, and wraps them up in a nice XML language which can be used in any component which implements the XACML specificiations for a PDP and PEP. Why would you want to do this? Well, first, it allows you to use plug in in an access control system, rather than having to roll your own. This is good. Second, anyone who implements the XACML standard can interwork. So, I can write a PEP for my email client, and use Joe's PDP to enforce policy in my system. Third, because all your systems now use a single language, you can centralize the policy database and use common tools to manage all of them. An administrators dream!

Now, this is really important people, this has NOTHING TO DO WITH DRM! Or Palladium! Or any other conspiracy theory you want to come up with. This is simply a tool for software developers and system administrators to easily integrate a standard access control framework into their systems.

* Note, in the previous, PDP - Policy Decision Point, and PEP - Policy Enforcement Point.

Re:Okay, an attempt to explain...

[alext]

This sounds so general because it is very general

So why not use a general-purpose language rather than inventing your own?

Re:Okay, an attempt to explain...

[smccrory]

Because there's no such thing.

I work in a place that's responsible for software with complex business rules surrounding access control (authentication and authorization), written in ASP, Java, Perl, C#, and VB. So then what would YOUR solution be for me? To write separate access control mechanisms for each one in their own languages? Or scrap all of the existing code and pick one language? Or have then all connect externally to a "general-purpose language" and end up dumping all of the dissimilar access control rules into one container and struggle with how to consistently store and implement them?

Sun's done much of that with their new "language" (although I disagree with that description). XML is perfect for storing this kind of information because you have to be able to not only self-describe the access control rules, but also have the flexability to define them in complex and embedded ways.

Looks like an interesting technology to me, and certainly a compliment (if not extension) to JAAS, which is a arguably the most popular public application development security schema around. Unfortunately, it describes its access control rules in Java, not the language-independant XML format in Sun's new technology.

Re:Okay, an attempt to explain...

So, a packet comes in, and to check if this packet should be allowed through, the firewall generates an XACML request that the firewall needs to send to the PEP. This bloated XML-file generates four outgoing packets, and for each of those, an XACML request is generated to see if they should be allowed through. These four request each use four packets, and to see if these sixteen packets should be allowed to go out through the OUTPUT chain, the firewall needs to generate sixteen XACML requests.

a few seconds later, the outgoing queue is full, and the firewall starts dropping packets.

Two Words:

FRAC-TAL

On language-independent languages

[alext]

One of the beauties of XML is so many different language bindings exist.

That XML is a lingua franca is frequently asserted but can't be proved. The reason is that XML has no (or more strictly, very limited) semantics.

To say that your application can "understand" XML because it can use the DOM API doesn't mean that it can interpret XACML, or any other XML "ontology". You might just as well argue that you can understand Danish because you can parse the "å" character.

All you are saying when you assert that XML applications can be written in any language is that the semantics of XACML (or whatever) can be mapped to various programming languages.

This feature is shared by any machine-readable language, many of which are arguably better at representing XACML semantics than XML.

Re:On language-independent languages

[namespan]

To say that your application can "understand" XML because it can use the DOM API doesn't mean that it can interpret XACML, or any other XML "ontology". You might just as well argue that you can understand Danish because you can parse the "å" character.
XML is a data storage format, well-suited to data that has heirarchy and structure. The DOM API could well be said to "understand" XML in the sense that it knows what it needs to know in order to directly translate an XML document into a data structure.

Of course it doesn't necessarily know what to do from there -- because that's domain specific knowledge. But no general API treats that, and that's why the analogy presented seems a little bit off to me.... talking about "understanding" in any case when it comes to modern computing technology isn't right.

Re:On language-independent languages

[alext]

Of course it doesn't necessarily know what to do from there -- because that's domain specific knowledge

Only if you consider such general things as variables and operators to be domain-specific.

"General APIs" are probably not a useful concept here. It's possible to view DOM (but not SAX) as an AST, but this just serves to show how limited the grammar of XML is in relation to a conventional language.

Sorry, but grammar == syntax

[Obligatory body]

Java is not a high level language

[dmeranda]

C is a low level language that nearly nobody understands....Java is a good high-level language.

When will the myth ever die? Java is not a high-level language. Neither is C nor C++. They are all categorized as low-level languages. Being high or low-level has nothing to do with how "good" a language is or how much hype or popularity or evangelism it has. Go study the theory of programming languages.

The level of a language has to do with the expressiveness of the paradigms (concepts) you can use directly in the language. In this regard it can be easily argued that C++ is of a higher-level than Java because it supports the programing paradigm of generics, whereas Java in it's current form does not. But then look at something like Python and it's many higher-level features such as dictionaries (associative arrays), generators, or even built-in infinite-precision numbers and imaginary numbers. In those cases the language allows you to directly express those complex concepts that you have to "program" yourself (or use libraries) using lower level languages. And then you can progress up to languages like Haskell and so forth which are higher-level still.

As another example, it should be obvious that within it's intended problem domain even a language like SQL is of a higher-level than Java, and SQL is still just of some intermediate level. Even some generally unpopular old languages have some high-level features not found in Java/C/C++ like Scheme's continuations or COBOL's PIC formatting or Fortran's matrix arithmetic. I know you can program those in Java, but those high-level concepts are not directly provided by Java.

In the big picture of all the languages out there Java is decidedly pretty far over on the scale of being low-level. Again level is not a scale of goodness, so don't fall into that misconception and use that term as such.

Anyway, they're right !

GPL is viral, that's why people are using more and more LGPL or less intrusive licenses.

Freedom is good, as long as you've got liberty of choice ;-)

Let's face to a reality, how many people in the real world do get a copy of apache HTTPD, modify it and release it under a YAHTTPD ?

IMHO, very few ... aside from big guys (IBM, ...) but the trouble is that here people from the veryfirst project are no-way aware of existing fork (that can bring good new features as well as raw incompatibilities).

That's how you came out with YetAnotherREvolutionaryStuff projects ! Wouldn't it be better if before hamering code, people look after improving existing softwares and contributing their job the comunity ?

I asume that it is harder to contribute a clean diff than writing you own spagheti lines ! But at the end, where the use of writing code for the comunity, if we are not able to get benefit from it ?

There should be a way within an opensource licence to prevent useless forks ...

Not an easy job ;-)