HERAS-AF: Holistic Enterprise-Ready Application Security Architecture Framework




HERASAF XACML

HERASAF XACML is intended to become a comprehensive XACML solution.

So far a fully compliant XACML 2.0 implementation (HERASAF XACML Core) is available.

HERASAF Architecture


HERASAF XACML architecture overview.

HERASAF XACML Core

The XACML Core component is responsible for evaluating XACML 2.0 access requests.
It also provides a lot of useful functionality that supports the evaluation.

See the component page for further information.

This component is available in version 1.0.0-M1 in the downloads section.

HERASAF XACML Policy Repository

The Policy Repository component is responsible for holding the policies for the evaluation.
Current research in this area focuses on indexing XACML 2.0 policies to accelerate the evaluation process.

This component is not yet available.

HERASAF XACML PDP

The Policy Decision Point (PDP) component is an "endpoint" for components that evaluate an access request.

HERASAF developed two proof-of-concept web service endpoints in the past.

In the first half of 2010, it is planned to implement a final web service PDP endpoint as part of a Bachelor thesis.

HERASAF XACML PAP

The Policy Administration Point (PAP) component is the part within an XACML framework that manages the policies.
We think that a PAP must fulfill the following tasks:

  • Policy entry (natural-language style or some other form)
  • Conflict detection and resolution
  • Minimization of the set of policies
  • Deployment of the policies
  • Management of different PDPs

In the first half of 2010, a thesis in the area of conflict detection and resolution is planned.

HERASAF XACML PIP

The Policy Information Point (PIP) component is the part within an XACML framework that resolves missing attributes from further sources (database, LDAP, ...).

HERASAF developed a PIP to demonstrate the functionality.

HERASAF XACML PEP

The Policy Enforcement Point (PEP) component is the part within an XACML framework that enforces access control in an application.

HERASAF developed two proof-of-concept web service endpoints in the past.

There are currently no plans to implement a PEP component.
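
The component roles described on this page, as an added, self-contained model that is not HERAS-AF code and does not use its API: a PEP asks the PDP, the PDP takes rules from a repository and missing attributes from a PIP, and rules are combined with the XACML 2.0 deny-overrides algorithm. All names, the rule tuples and the directory data are assumptions constructed for the example, and every rule attribute is treated as MustBePresent.

```python
from enum import Enum

class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"
    INDETERMINATE = "Indeterminate"

# Constructed attribute source standing in for a database or LDAP directory.
DIRECTORY = {"alice": {"role": "doctor", "suspended": False},
             "bob": {"role": "doctor", "suspended": True},
             "carol": {"role": "doctor"}}  # "suspended" cannot be resolved

# Constructed policy repository: (effect, attribute, expected value, action).
REPOSITORY = [(Decision.PERMIT, "role", "doctor", "read"),
              (Decision.DENY, "suspended", True, "read")]

class PIP:
    def __init__(self, directory):
        self.directory = directory
    def resolve(self, subject, name):
        return self.directory.get(subject, {}).get(name)

class PDP:
    def __init__(self, rules, pip):
        self.rules, self.pip = rules, pip
    def evaluate(self, request):
        permit = error = potential_deny = False
        for effect, attr, expected, action in self.rules:
            if request["action"] != action:
                continue  # rule target does not match: NotApplicable
            value = request["attributes"].get(attr)
            if value is None:  # not in the request: ask the PIP
                value = self.pip.resolve(request["subject"], attr)
            if value is None:  # still missing: this rule is Indeterminate
                error = True
                potential_deny = potential_deny or effect is Decision.DENY
            elif value == expected:
                if effect is Decision.DENY:
                    return Decision.DENY  # deny-overrides: first Deny wins
                permit = True
        if potential_deny:  # a Deny rule could not be evaluated
            return Decision.INDETERMINATE
        if permit:
            return Decision.PERMIT
        return Decision.INDETERMINATE if error else Decision.NOT_APPLICABLE

def pep_allows(pdp, request):
    """Deny-biased PEP: anything other than an explicit Permit is refused."""
    return pdp.evaluate(request) is Decision.PERMIT
```

The request for `carol` is the case to watch: her role matches the Permit rule, but the unresolved `suspended` attribute makes the Deny rule Indeterminate, so the deny-biased PEP refuses access.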