Saturday, August 8, 2009
Policy Rework and XACML Inefficiencies
I've had to rework the policy format I made earlier this week, mainly because it would have required an excessive amount of Java methods to make it work. I've decided to stay away from adding to the XACML specification wherever possible (with a few exceptions), because it cannot support all the possible rules that could occur in an RAdAC policy. Instead, only individual risk/need factors are calculated by Java methods; how they are combined is determined by the XACML policy. I did run into one problem with this approach, which was that the policy needs to use the risk and need measurements multiple times throughout the policy to make a decision. It is very inefficient to copy-and-paste the part of the policy that calculates risk and need each time they are used. I found a solution in the XACML 2.0 specification, the <VariableDefinition> and <VariableReference> tags. They store the result of a calculation for use throughout the policy. The only snag with using this, if we decide to go this route, is we will have to use the CVS version of Sun's XACML implementation to get the 2.0 features, which, according to their website, is stable.
Posted by Lee at 5:57 PM