Slashdot Mirror


Sun Releases Open Source XACML Language

LowneWulf writes "An InternetNews.com article mentions that the OASIS standards group today ratified the Extensible Access Control Markup Language 1.0 specification. But even better, Sun Microsystems Labs has backed this up with an open-source version in Java on Sourceforge."

26 of 157 comments

  1. wow by unterderbrucke · · Score: 4, Funny

    YAUML (Yet Another Useless Markup Language) should become more commonly used around here.

  2. How? by JanusFury · · Score: 5, Insightful

    How can a language be open source? A language doesn't need source; it's a syntax. Compilers need source, not languages. 'Open Source Language' sounds like more hype to me. I may be stupid, but I don't know of any truly open source implementations of the Java that this 'Open Source Language' is in (last I checked, Sun had a pretty strict licensing scheme going for Java implementations).

    --
    using namespace slashdot;
    troll::post();
    1. Re:How? by TummyX · · Score: 2, Interesting

      A language doesn't need source; it's a syntax

      Uh. And grammar.

      Compilers need source, not languages. 'Open Source Language' sounds like more hype to me

      Well, open source language simply means a language where the compiler is OSS. It doesn't make less sense than saying "Perl is open source".

  3. JAY! Another language! by eddy · · Score: 2, Funny

    Jee-aah! Another language! That's great, because we can never have too many of these. I was just thinking to myself, "Gee, I wish I had another markup language to learn".

    (obl: karma to burn)

    --
    Belief is the currency of delusion.
  4. None by M.C.+Hampster · · Score: 2, Insightful

    Not everything is about DRM. Move along.

    --
    Forget the whales - save the babies.
  5. I'd hardly say useless by Anonymous Coward · · Score: 5, Insightful
    There are real reasons why this new markup language is needed. It is intended for complex distributed processes that cross several application domains. The common example is a travel agent, who needs to book travel plans for a customer. The booking includes flights, trains, cars, hotels and motels. Given the complexity of booking that many items in one single transaction across multiple booking systems, you need a common authentication mechanism. What would you prefer? Everyone write their own authen scheme, which may be secure, but will take a couple of months to implement. Multiply by the number of companies the travel agent connects to book reservations.

    There are those who disagree, but for those whose jobs require complexity, it is a step towards easier integration. Microsoft should just go with the architecture OASIS has laid out for ebXML and dump their piece of junk, which originally had no concept of choreography.

  6. "Open source" reference implementation by yerricde · · Score: 5, Insightful

    How can a language be open source?

    I consider a language to be "open source" if it has a reference implementation available to the public as OSI Certified(TM) open source software.

    --
    Will I retire or break 10K?
    1. Re:"Open source" reference implementation by JanusFury · · Score: 2, Interesting

      That would be a compiler/reference implementation.

      A language can definitely be 'Open', but the term 'Open Source' has absolutely no meaning when attached to a language.

      'Open Source English'.

      That makes absolutely no sense. My point is not related to how useful or good this language is, I'm just annoyed at this example of Sun's generally confusing and strange marketing.

      --
      using namespace slashdot;
      troll::post();
  7. Re:What idiots by angel'o'sphere · · Score: 4, Insightful

    Does it ever occur to Sun that Java is not the answer to all problems? That maybe, just maybe, an implementation in C would be more generally useful as a reference implementation?

    I know more Java programmers than C programmers .... and all C programmers I know program Java now.

    All industry software projects I'm involved in are in ... ah, forget it, you won't believe it anyway ...

    HINT: it's not C and it's not C++.

    angel'o'sphere

    --
    Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
  8. Re:What idiots by JanusFury · · Score: 4, Interesting

    This seems to be a mostly server-side technology, and Java is generally accepted on the server, so I don't see it as a bad thing that it's in Java.

    However, if this technology requires the client to implement some complex authentication stuff, you've got a problem. Exclusively tying your reference implementation to 'weighty' technologies like .NET or Java is a very negative thing, because many clients will either not have the necessary runtimes, or will have very outdated versions of them. Both .NET and Java weigh in at at least 10mb, and that will definitely hurt deployment of any technology.

    --
    using namespace slashdot;
    troll::post();
  9. Such prosaic names and acronyms... by Consul · · Score: 2, Funny

    The subject submits its query to the entity protecting the resource (e.g. file system, web server). This entity is called a Policy Enforcement Point (PEP). The PEP forms a request (using the XACML request language) ... (snip)

    They should have called its language PEP Talk. ;-)

    --
    "You spilled my egg... I needed that egg."

  10. XACML is by WetCat · · Score: 3, Funny

    just l33t version of HackML - a language
    made specially for hackers!

  11. Interesting twist, the sourceforge bit by jaiger · · Score: 3, Insightful

    First, synchronize watches - how long before JBOSS integrates this?

    Now on to more serious commentary. This story is interesting in that Sun might actually be "getting it". Sure they've been saying "we get it" for some time but that crappy Sun license...that's just what we needed, YACL (Yet Another Community License).

    This project is actually on Sourceforge, and with a BSD-looking license no less!! I like what I'm seeing, Sun.

    -joe

  12. Re:What idiots by jilles · · Score: 4, Informative

    Hey, it's just a prototype/demo application that conforms to the standard. If you don't like it write your own in your favorite language (and feel free to borrow as much as you like from the source code).

    Besides, this kind of thing would typically be used in a web application environment, where C typically is not the language of choice (mostly because core dumps are not acceptable in a server environment). And guess what, Sun happens to produce some of the most popular tools and techniques for web applications (mostly Java based).

    --

    Jilles
  13. RTFP people by f00zbll · · Score: 5, Informative
    For those who are too damn lazy to read what the language does and why Sun wrote a reference implementation.

    * One standard access control policy language can replace dozens of application-specific languages

    * Administrators save time and money because they don't need to rewrite their policies in many different languages

    * Developers save time and money because they don't have to invent new policy languages and write code to support them; they can reuse existing code

    * Good tools for writing and managing XACML policies will be developed, since they can be used with many applications

    * XACML is flexible enough to accommodate most access control policy needs and extensible so that new requirements can be supported

    * One XACML policy can cover many resources; this helps avoid inconsistent policies on different resources

    * XACML allows one policy to refer to another; this is important for large organizations, for instance, a site-specific policy may refer to a company-wide policy and a country-specific policy.

    Before someone else rants about copy protection, find out what it is before you start typing. I'm guilty of it in the past, but this is a useful language with real benefits.

  14. Re:What idiots by binaryDigit · · Score: 4, Insightful

    Does it ever occur to Sun that Java is not the answer to all problems

    Did it occur to you that Sun would write the code to match whatever use fits THEM the best? The fact that they then turn around and make the code OS is a gesture on their part. Did you think they sat around and said "hey, let's write an implementation of this for the masses"? Nope, their needs came first, as it should be.

  15. Unfortunately not everyone "gets it" by binaryDigit · · Score: 4, Insightful

    The requirement of having robust access control (beyond simple enter your name and password) is not very common outside the corp. world. So those who've not had to deal in that code would not fully understand how big of a deal that this markup language CAN be (assuming it's adopted, robust, etc, etc). This is definitely one of those areas where "everybody rolls their own", or worse, they dumb down their access control to fit things like directory services and the ilk, that were never intended to do what this is trying to.

    Funny how in many posts this has degenerated into either "we don't need no more stinkin languages" or "Sun/Java sucks, yadda, yadda".

    1. Re:Unfortunately not everyone "gets it" by afidel · · Score: 4, Insightful

      Oh this is SO true. For instance, my last employer was GE; within GE there are probably at least 100 different authentication domains (this is being conservative, there are probably several hundred). In the last couple of years they have tried to unite a large % of these under an SSO policy; the only problem is that to even get your SSO information you might have to travel across 3-4 domains. For instance, to get mine I had to get inside the firewall with a VPN client, access a controlled page with a DES access card, then provide my NT credentials to get access to my webmail, which led me through a link to a PeopleSoft application with its own access controls so that I could sign up for SSO. Providing a single set of credentials and having all of the services recognize me would have made life much easier. Of course a good counterpoint is that anyone who was able to spoof my credentials would then have access to all of those resources, but this was generally true of the cumbersome system: as long as you had access to the email password you could retrieve/reset most of the others.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  16. Re:What idiots by The+Bungi · · Score: 4, Funny
    HINT: it's not C and it's not C++.

    Intercal? BrainF*ck? Fundies? Well for god's sake man, do tell!!

  17. XML stone soup by alext · · Score: 4, Interesting

    Like so many other "XML-based" standards, XACML is horribly constrained by the lack of general logical or procedural primitives in XML. As we all know, XML is not a programming language - it was never intended to be computationally complete - yet there seem to be a neverending stream of attempts that effectively try to turn it into one.

    It is a fundamental mistake to try to shoehorn semantics which will generally include logic - such as an access control decision - into a language which has no support for them. While XACML "is not intended to form the basis of an authorization decision by itself" it must of necessity include the means to combine and modify rules - hence requiring logical operators which of course have no standard representation in XML.

    The specific result is that each attempt to use XML for anything other than the simplest semantics (SOAP, Schema, XSLT, JSP...) must invent its own representations of operators, variables, modules and so forth.

    The general result is one unholy mess. We, the poor bloody coding infantry, have to face learning a dozen or more ways of representing the same fundamental concept in a multitude of languages, each supposedly specialized for a narrowly-defined task, but in reality incorporating almost-but-not-quite-all the features of a general purpose language. XML's ugly syntax becomes the least of our problems - that can always be hidden by visual tools or 'generators', but no tool is likely to be able to reunite fundamental concepts fragmented into so many different representations.

    Standards such as these do not represent progress, they represent a growing mass of redundancy that one day will have to be refactored into more coherent form. Anyone who studied LISP, or some other language capable of representing the popular data and programming paradigms (logic, procedural, declarative...) will be aware that common ways of representing such semantics have been known for decades. The fact that the practice of XML continues to ignore such basic prior art is an extraordinary indictment of the state of our industry today.

    I welcome any explanation from the individuals or organizations concerned as to what obliged them to make yet another idiosyncratic elaboration of the generally incoherent and unusable body of XML specifications.

    1. Re:XML stone soup by matt[0] · · Score: 2

      I'm sure you're one of those people who insists on doing their configuration through a language specific construct, such as using eval() in Perl.

      XACML, as well as a few other XML "languages", is useful in that the policy is portable and everyone can benefit from better tools to work with the language. XML provides a middle ground for these languages. Sure, it doesn't have operators or behave like a programming language... but every programming or scripting language has several means of reading XML.

      --
      --------- Matt
    2. Re:XML stone soup by alext · · Score: 2

      I'm sure you're one of those people who insists on doing their configuration through a language specific construct, such as using eval() in Perl.

      Not sure I follow you - what kind of construct would not be language-specific?

      XML provides a middle ground for these languages.

      "middle ground", "vocabulary" and "ontology" are certainly the kind of phrases you see in conjunction with XML. Unfortunately they mean very little.

      every programming or scripting language has several means of reading XML.

      No doubt. And probably a means of reading CSV files too. If you are implying by this that the ability to read XML structures is a significant contribution to the generation or interpretation of such languages as XACML then I think we'd have to disagree.

      XML here is a simple "wrapper" or syntax abstraction for the concrete syntax underlying XACML (or whatever). By itself, it does nothing to constrain or interpret the latter.

      To take a simple example (from a guy called Philip Wadler, who has this on a T-shirt):

      1. Start with a mathematical function, say 2x

      2. Now represent it in a convenient programming language, say Scheme: (lambda (x) (* 2 x))

      3. But in XML, the syntax has to be explicitly flagged in frequently gruesome detail:

      <abstraction>
        <var>x</var>
        <expression>
          <application>
            <const>*</const>
            <arguments>
              <const>2</const>
              <var>x</var>
            </arguments>
          </application>
        </expression>
      </abstraction>

      For any non-trivial language, XML is just baggage, it doesn't add anything useful.
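The claim in the reply above is that the XML form carries exactly the same abstract syntax as the Scheme form, only with more markup. As an added illustration (editor's example, not part of the post and not related to Sun's XACML code), the following strips the T-shirt XML back to the s-expression it encodes, prints it in Scheme notation, and evaluates it; the tiny evaluator and its operator table are my own constructed helpers, not any real Scheme implementation.

```python
import operator
import xml.etree.ElementTree as ET

# The T-shirt example from the post above (tag names as intended),
# used here as the input to a tiny evaluator.
XML_2X = """<abstraction>
  <var>x</var>
  <expression>
    <application>
      <const>*</const>
      <arguments>
        <const>2</const>
        <var>x</var>
      </arguments>
    </application>
  </expression>
</abstraction>"""

# Hypothetical mini-Scheme: just the operators this example needs.
OPS = {"*": operator.mul, "+": operator.add, "-": operator.sub}


def to_sexpr(node):
    """Strip the XML down to the s-expression it encodes (nested lists and strings)."""
    if node.tag in ("var", "const"):
        return node.text.strip()
    if node.tag == "abstraction":
        param = to_sexpr(node.find("var"))
        body = to_sexpr(node.find("expression")[0])
        return ["lambda", [param], body]
    if node.tag == "application":
        head = to_sexpr(node[0])
        args = [to_sexpr(child) for child in node.find("arguments")]
        return [head] + args
    raise ValueError("unknown element: " + node.tag)


def render(expr):
    """Write an s-expression the way Scheme would print it."""
    if isinstance(expr, str):
        return expr
    return "(" + " ".join(render(e) for e in expr) + ")"


def evaluate(expr, env=None):
    """Evaluate numbers, operators, variables, lambda and application."""
    env = env or {}
    if isinstance(expr, str):
        if expr in env:
            return env[expr]
        if expr in OPS:
            return OPS[expr]
        return int(expr)
    if expr[0] == "lambda":
        params, body = expr[1], expr[2]
        return lambda *args: evaluate(body, {**env, **dict(zip(params, args))})
    fn = evaluate(expr[0], env)
    return fn(*(evaluate(arg, env) for arg in expr[1:]))


def scheme_form():
    """The same function written directly as an s-expression (step 2 of the post)."""
    return ["lambda", ["x"], ["*", "2", "x"]]


def xml_form():
    """The function recovered from the XML (step 3 of the post)."""
    return to_sexpr(ET.fromstring(XML_2X))


if __name__ == "__main__":
    print(render(xml_form()))          # (lambda (x) (* 2 x))
    print(evaluate(xml_form())(21))    # 42
```

The two forms compare equal as data and evaluate identically, which is the reply's point: the XML tags name the syntactic categories explicitly but add no information that the s-expression did not already carry.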

  18. Okay, an attempt to explain... by Abcd1234 · · Score: 3, Interesting

    This is really a bit of a niche domain (in that, system administrators and other folks are interested, most other people aren't).

    Basically, in the world, there are many scenarios where it would be VERY useful to be able to enable access controls on various resources in a system. By "access controls", I mean rules which define who can perform actions on given resources. This sounds so general because it is very general. The purpose of XACML is to provide a language which allows you to specify these rules, or policies, in a nice format independent of the rest of the system (data storage, etc) for any number of domains, and provides software to implement the required components for such a system.

    As a solid example, you could use XACML, a central PDP, and a PEP on a set of firewalls to control which IPs have access to what. You'd have to write a PEP for the firewalls, and set up a PDP to handle the requests, but once this is done, you could use XACML to write firewall rules!

    Another example, suppose you have a user trying to access their email. You could have a PEP in the client which talks to a PDP to determine if the user is allowed to perform various actions on the mailbox (read, write, etc). In this case, you'd use XACML to determine who can perform what actions on the mailbox.

    In both of these cases, XACML defines the language PEPs use to talk to PDPs, and also specifies a common XML language for defining the policies to determine who can do what.

    In essence, XACML abstracts these concepts of policy enforcement, rule definitions, etc, and wraps them up in a nice XML language which can be used in any component which implements the XACML specifications for a PDP and PEP. Why would you want to do this? Well, first, it allows you to plug in an access control system, rather than having to roll your own. This is good. Second, anyone who implements the XACML standard can interwork. So, I can write a PEP for my email client, and use Joe's PDP to enforce policy in my system. Third, because all your systems now use a single language, you can centralize the policy database and use common tools to manage all of them. An administrator's dream!

    Now, this is really important people, this has NOTHING TO DO WITH DRM! Or Palladium! Or any other conspiracy theory you want to come up with. This is simply a tool for software developers and system administrators to easily integrate a standard access control framework into their systems.

    * Note, in the previous, PDP - Policy Decision Point, and PEP - Policy Enforcement Point.
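The PEP/PDP exchange described in the comment above, as an added example (editor's code, not part of the post and not Sun's reference implementation): a PEP wraps the mailbox access attempt in an XACML 1.0 style Request, a toy PDP evaluates it against a constructed mailbox policy using deny-overrides rule combining, and the PEP enforces the Decision carried in the Response. The Request/Response shape, the Effect and Decision values and the attribute identifiers are XACML 1.0's; the policy's flat `<Match>` element is a simplification assumed for this example in place of the spec's `<Target>` structure, so the policy is not schema-valid XACML.

```python
import xml.etree.ElementTree as ET

# Standard XACML 1.0 attribute identifiers and the XML Schema string type.
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"

# Constructed sample policy for the mailbox scenario. The <Policy>/<Rule>
# skeleton, Effect values and combining-algorithm id follow XACML 1.0; the
# <Match> element is this example's simplification (assumed), not the spec's
# <Target>. A rule applies when all of its <Match> lines hold, so a rule that
# names no action matches every action.
POLICY_XML = """<Policy PolicyId="mailbox-policy"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
  <Rule RuleId="owner-full-access" Effect="Permit">
    <Match AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Value="alice"/>
    <Match AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Value="mailbox:alice"/>
  </Rule>
  <Rule RuleId="assistant-read-only" Effect="Permit">
    <Match AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Value="bob"/>
    <Match AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Value="mailbox:alice"/>
    <Match AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Value="read"/>
  </Rule>
  <Rule RuleId="carol-owns-her-mailbox" Effect="Permit">
    <Match AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Value="carol"/>
    <Match AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Value="mailbox:carol"/>
  </Rule>
  <Rule RuleId="legal-hold-on-carol" Effect="Deny">
    <Match AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Value="mailbox:carol"/>
  </Rule>
</Policy>"""


def pep_build_request(subject, resource, action):
    """PEP side: wrap the access attempt in an XACML 1.0 <Request> document."""
    req = ET.Element("Request")
    for tag, attr_id, value in (("Subject", SUBJECT_ID, subject),
                                ("Resource", RESOURCE_ID, resource),
                                ("Action", ACTION_ID, action)):
        holder = ET.SubElement(req, tag)
        attr = ET.SubElement(holder, "Attribute", AttributeId=attr_id, DataType=XS_STRING)
        ET.SubElement(attr, "AttributeValue").text = value
    return ET.tostring(req, encoding="unicode")


def _request_attributes(request_xml):
    """Flatten the request into {AttributeId: value} for matching."""
    root = ET.fromstring(request_xml)
    return {a.get("AttributeId"): a.findtext("AttributeValue") for a in root.iter("Attribute")}


def _rule_applies(rule, attrs):
    return all(attrs.get(m.get("AttributeId")) == m.get("Value") for m in rule.findall("Match"))


def pdp_evaluate(policy_xml, request_xml):
    """PDP side: deny-overrides combining of every rule that applies to the request."""
    policy = ET.fromstring(policy_xml)
    attrs = _request_attributes(request_xml)
    effects = [r.get("Effect") for r in policy.findall("Rule") if _rule_applies(r, attrs)]
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"  # no rule matched; the PEP must not read this as Permit


def pdp_response(decision):
    """Wrap the decision in an XACML 1.0 <Response> as a PDP would return it."""
    resp = ET.Element("Response")
    ET.SubElement(ET.SubElement(resp, "Result"), "Decision").text = decision
    return ET.tostring(resp, encoding="unicode")


def pep_authorize(subject, resource, action, policy_xml=POLICY_XML):
    """The whole exchange: PEP builds the request, PDP decides, PEP enforces.
    Only an explicit Permit grants access; Deny, NotApplicable and anything
    unexpected are all refused, so the enforcement point fails closed."""
    request = pep_build_request(subject, resource, action)
    response = pdp_response(pdp_evaluate(policy_xml, request))
    decision = ET.fromstring(response).findtext("Result/Decision")
    return decision == "Permit"


if __name__ == "__main__":
    for who, box, act in (("alice", "mailbox:alice", "write"),
                          ("bob", "mailbox:alice", "write"),
                          ("carol", "mailbox:carol", "read")):
        print(who, box, act, "->", pep_authorize(who, box, act))
```

Two details matter for the administrator's view the comment describes. The combining algorithm is what lets one policy hold both a broad Permit and a narrow Deny (carol's own mailbox under a legal hold is refused even though an owner rule permits her), and the PEP treats NotApplicable as a refusal, which is the only safe reading when no rule in the central policy speaks to the request.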

  19. On language-independent languages by alext · · Score: 2, Interesting

    One of the beauties of XML is so many different language bindings exist.

    That XML is a lingua franca is frequently asserted but can't be proved. The reason is that XML has no (or more strictly, very limited) semantics.

    To say that your application can "understand" XML because it can use the DOM API doesn't mean that it can interpret XACML, or any other XML "ontology". You might just as well argue that you can understand Danish because you can parse the "å" character.

    All you are saying when you assert that XML applications can be written in any language is that the semantics of XACML (or whatever) can be mapped to various programming languages.

    This feature is shared by any machine-readable language, many of which are arguably better at representing XACML semantics than XML.

  20. Re:What idiots by angel'o'sphere · · Score: 2, Interesting


    Also, I have a word for people who can program Java but not C: dumbass. C is about programming a computer, Java is about using a computer.


    If C is the only language you can write in, then every further word is wasted I guess.

    Anyway:

    The solution is a new language, written for the technology of today and backported to old computers. It would be as low level as C or lower, and have no functions that aren't reentrant. Perhaps a way of doing objects and better exception handling could be added: closer than Objective C is to C, but implemented on the next level with the new language.


    Probably you might look at 'D', the language Walter Bright is working on? See www.digitalmars.com.

    C might be an appropriate language for system programming, but that is more or less a shortcoming of our current computer architecture, not a feature of the language C.

    Two simple two-liners like:
    int i = 4;
    fwrite(&i, sizeof i, 1, fp);   /* fp: a FILE * opened for binary writing */

    and
    int i;
    fread(&i, sizeof i, 1, fp);    /* fp: a FILE * opened for binary reading */

    That's not even portable over different system architectures. And sometimes not even over two different compilers on the same architecture.

    If everything looks like a register or like memory your appropriate tool is .... well, assembler? Ok, just kidding ... use C.

    But if your problem is not register or memory and not signal processing ... but: Customer, CustomerAddress, Order, DeliveryTime, DeliveryAddress, BillingAddress .... spread over 100s of servers, integrated over industries, manufactured just-in-time, to be delivered just-in-time, made from raw materials and premanufactured parts, delivered just-in-time, to be adapted to changing business requirements - if possible in a timeframe of a month - then C is not the adequate language.

    Neither is Java, but we have nothing which is better ... well, this is a different topic.

    At least a Java program or a server component running on an App Server is portable.

    And Java offers hundreds of APIs, STANDARDS even, to cope with all cross-architecture interoperability problems.

    If you would say PERL, ok, then I only could say: puh, a nerd, writing in a cryptic 'write once, never maintain' language.

    But PERL indeed offers nearly everything Java offers. Easy web integration, DB access, portability, speed, text and XML processing etc.

    But C?

    BTW: writing a Linux-like kernel is far easier to do in Java than in C/C++.

    Your post simply shows that you have no clue about Java and that you think you have a clue about C .... I hope the latter is true :-)

    angel'o'sphere

    --
    Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
  21. Re:Every language is a niche language. by smccrory · · Score: 2, Insightful

    alext, you're completely missing the point. Java users have been able to do this for quite some time now. Take a look at JAAS - it is an excellent solution if all you do is Java. But the purpose of describing the access control policies in something language-independent like XML is that, well, you can implement it in other languages without having to rewrite both the rules and the access control mechanism. This is darn good stuff actually, and lots of readers here are completely missing it. You and many others are blaming Sun for developing something that can be used for more than just Java! Incredulous...