HERAS-AF: Holistic Enterprise-Ready Application Security Architecture Framework




The HERASAF Project

HERASAF is an open-source research project from the University of Applied Science Rapperswil.
The project's objective is to demonstrate the technical feasibility of a centrally manageable (enterprise-ready) authorization solution.
It is built upon freely available, established and future-driven technologies and standards. The main focus is on interoperability, expandability and exchangeability of the integrated components.

It is important to mention that the intention is not to build a HERASAF product suite. Because of the limited manpower in the project team, it is not possible to bring all the components up to a level where HERASAF can be counted as a full enterprise-ready XACML suite.

Motivation

In today’s economic world, centralized policy management and access control is not a priority for many companies, although they could save a lot of effort and money once such a system had been integrated into their environment. Most applications use proprietary access control and authorization mechanisms. This often leads to inconsistencies, since the various rights to access a resource have to be handled separately in each application. With many applications up and running, it is almost impossible for an administrator to keep track of all the access rights effectively in place. This leads to vulnerable and flawed deployed security policies, which can turn out to be very costly for a company, for example if this becomes public or exposed to the outside world.

HERASAF takes on the challenge of solving these problems.

Objectives

The main objectives of HERASAF are as follows:

Holistic approach:

  • HERASAF supports authorization in its entirety.
  • All access requests to secured resources are intercepted by Policy Enforcement Points (PEPs) and redirected to a Policy Decision Point (PDP), which evaluates the request and decides whether access is granted or denied. The PEP is then responsible for enforcing the result of this evaluation.
  • A sophisticated model design makes it possible for non-tech-savvy personnel to manage policies as well.

Enterprise suitability:

  • HERASAF shall be a non-intrusive framework, meaning that only minor changes have to be made to integrate it into an existing environment. Authorization solutions that are already integrated shall remain usable without any limitations.
  • HERASAF is designed explicitly for adaptability and extensibility. The use of the Spring IoC container ensures exchangeability of the components used by HERASAF.
  • The HERASAF API can be used to integrate corporate-specific components. These components simply need to use the extension points provided by HERASAF.
  • HERASAF uses established and validated standards. This way it is based on solid ground and open for extension in the future. Extensibility enhances interoperability and helps to integrate HERASAF into existing or future infrastructures.
  • The Policy Administration Point (PAP) integrates a layer of abstraction so that an administrator in the role of business administrator does not need to know technical details to create and manage policies and policy sets with the PAP. So-called templates, which contain all technical details and are created by an XACML-adept technical administrator, enable the business administrator to form business-related policies and policy sets. It is the job of the business administrator to fill these policies or policy sets with business-related data, as he knows the business domain but has no knowledge of the technical details. This way, HERASAF achieves "separation of business concerns".

Application security:

  • Access control to resources does not reside in different applications anymore: this task can be delegated to HERASAF. HERASAF provides agents, namely PEPs, which act as interceptors and can be integrated in existing or new applications.
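
The PEP/PDP flow described in the objectives above, as an added sketch that is not HERASAF code: a PEP built as a Java dynamic proxy intercepts each call, asks a PDP for a decision and enforces it deny-biased, so NotApplicable, Indeterminate or a PDP failure all block the call. All type and method names (`PepDemo`, `Pdp`, `Accounts`, `protect`) and the sample policy are assumptions made for illustration.

```java
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Proxy;

// Added illustration: all names are hypothetical, none are HERASAF API.
public class PepDemo {
    // The four decisions a XACML PDP can return.
    enum Decision { PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE }

    // Stand-in for the call to a central PDP.
    interface Pdp { Decision evaluate(String subject, String resource, String action); }
    // Example of a secured business interface.
    interface Accounts { String read(String id); }

    // PEP: wraps any interface, asks the PDP before each call, enforces the answer.
    @SuppressWarnings("unchecked")
    static <T> T protect(Class<T> type, T target, Pdp pdp, String subject) {
        return (T) Proxy.newProxyInstance(type.getClassLoader(), new Class<?>[] { type },
            (proxy, method, args) -> {
                Decision d;
                try {
                    d = pdp.evaluate(subject, type.getSimpleName(), method.getName());
                } catch (RuntimeException e) {
                    d = Decision.INDETERMINATE; // PDP unreachable or failed
                }
                // Deny-biased: only an explicit PERMIT lets the call through.
                if (d != Decision.PERMIT) {
                    throw new SecurityException(subject + " " + method.getName() + ": " + d);
                }
                try {
                    return method.invoke(target, args);
                } catch (InvocationTargetException e) {
                    throw e.getCause(); // surface the target's own exception
                }
            });
    }

    public static void main(String[] a) {
        // Constructed policy: alice may read accounts; no rule matches anyone else.
        Pdp pdp = (s, r, act) -> s.equals("alice") && act.equals("read")
                ? Decision.PERMIT : Decision.NOT_APPLICABLE;
        Accounts real = id -> "balance of " + id;
        System.out.println(protect(Accounts.class, real, pdp, "alice").read("42"));
        try {
            protect(Accounts.class, real, pdp, "bob").read("42");
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

The business interface carries no access-control logic of its own; swapping the `Pdp` implementation changes the policy without touching the application.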

Background

After 8 months of planning, conception and information gathering, HERASAF was launched as a project by René Eggenschwiler, Yan Graf and Wolfgang Giersche in January 2006.
As a proof of concept, René Eggenschwiler and Yan Graf laid the basis for HERASAF in mid-2006. Their implementation was based on Sun’s XACML implementation.
As a term thesis, Massimo Cerqui and Sandro Strebel built a Policy Enforcement Point (PEP) using Spring AOP and AspectJ. As a follow-up and diploma thesis, a role-dependent Policy Administration Point (PAP) was implemented with Spring, Spring Web Flow, JSF and Facelets.
At the same time, Sascha Dolski, Florian Huonder and Stefan Oberholzer created a PDP web service endpoint based on Sun’s XACML implementation. Later in 2007, due to several problems with Sun’s XACML, they built a new XACML implementation for HERASAF as a diploma thesis.