Standalone Authorisation Server
Version 0.3.2
The standalone authorisation server is a Web Services based
authorisation server. It can be used as an AIPEP [1], a Credential
Validation Service [2] or a PDP, responding to an application's requests for
authorisation-related services such as an authorisation decision,
credential validation and/or obligation enforcement.
It is a Java application with an embedded Apache Axis2 service
that accepts requests for authorisation services in three
standardised protocols, carried as SOAP over HTTP or SOAP over
HTTPS. The first of these protocols is the XACML
request/response context [3]; the second is XACML over SAML [4]; and
the third is WS-Trust with SAML [5]. The server supports the
use of multiple policies when the XACML over SAML or WS-Trust and SAML
message handlers are queried. Over plain HTTP the request attributes and
the returned decision travel in clear, so the HTTPS transport should be
used unless client and server share a trusted network.
As of version 0.2.1 the service can also be deployed in a servlet container
such as Tomcat. This lets you take advantage of Tomcat's capabilities, although
not all features are currently available when deployed within Tomcat; see the
documentation for details.
As of version 0.2.1 the software fully supports BTG policies [6]
and the use of obligations.
As of version 0.3.2 the software supports Blacklist and Whitelist policies.
As of version 0.3.3 the software supports an additional policy parameter, "EnableNotApplicable".
This parameter gives the PDP two modes of operation:
- With EnableNotApplicable set to false (the default) the PDP returns Permit if the decision is grant and otherwise Deny, unless the result is Indeterminate.
- With EnableNotApplicable set to true the PDP returns NotApplicable unless the result is Permit or Indeterminate.
For a DenyBased (Blacklist) policy the behaviour is inverted: a matching deny rule yields Deny, and a request that no rule covers yields Permit in the default mode or NotApplicable when EnableNotApplicable is true.
A PEP calling the server must therefore treat NotApplicable (and Indeterminate) as a refusal, since in the EnableNotApplicable mode a request that matches no rule of a Whitelist policy is never answered with an explicit Deny.
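The following is an added example, not code from the PERMIS distribution or the PHP client mentioned on this page. It shows the pure-XACML path described above: building an XACML 2.0 request context, wrapping it in a SOAP 1.1 envelope for the server, reading the Decision out of the response on the PEP side with a deny-biased rule, and a small model of the EnableNotApplicable mapping for Whitelist and DenyBased policies as this page describes it. The endpoint URL, the empty SOAPAction header and the sample response are assumptions or constructed for the example; the attribute identifiers are the standard XACML ones.

```python
# Added example, not part of the PERMIS distribution: build an XACML 2.0
# request context, wrap it in a SOAP 1.1 envelope, interpret the XACML
# response on the PEP side, and model the EnableNotApplicable mapping.
# The endpoint URL, SOAPAction value and the sample response are assumptions.
import urllib.request
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
STATUS_OK = "urn:oasis:names:tc:xacml:1.0:status:ok"

ET.register_namespace("xacml-context", XACML_NS)
ET.register_namespace("soapenv", SOAP_NS)


def _attribute(parent, attr_id, value):
    attr = ET.SubElement(parent, f"{{{XACML_NS}}}Attribute",
                         AttributeId=attr_id, DataType=XS_STRING)
    ET.SubElement(attr, f"{{{XACML_NS}}}AttributeValue").text = value


def build_request(subject, resource, action):
    """XACML 2.0 <Request> with one subject, resource and action attribute."""
    req = ET.Element(f"{{{XACML_NS}}}Request")
    _attribute(ET.SubElement(req, f"{{{XACML_NS}}}Subject"), SUBJECT_ID, subject)
    _attribute(ET.SubElement(req, f"{{{XACML_NS}}}Resource"), RESOURCE_ID, resource)
    _attribute(ET.SubElement(req, f"{{{XACML_NS}}}Action"), ACTION_ID, action)
    ET.SubElement(req, f"{{{XACML_NS}}}Environment")  # required by the schema, may be empty
    return req


def soap_envelope(payload):
    """Wrap an element in a SOAP 1.1 Body and serialise it."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    ET.SubElement(env, f"{{{SOAP_NS}}}Body").append(payload)
    return ET.tostring(env, encoding="unicode")


def post_soap(endpoint, soap_xml, timeout=10):
    """POST the envelope; the endpoint and the empty SOAPAction are assumptions."""
    http_req = urllib.request.Request(
        endpoint, data=soap_xml.encode("utf-8"), method="POST",
        headers={"Content-Type": "text/xml; charset=utf-8", "SOAPAction": '""'})
    with urllib.request.urlopen(http_req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def parse_decision(soap_xml):
    """Return (Decision, StatusCode) of the first <Result>; raise on a SOAP Fault."""
    root = ET.fromstring(soap_xml)
    fault = root.find(f".//{{{SOAP_NS}}}Fault")
    if fault is not None:
        raise RuntimeError(f"SOAP fault: {fault.findtext('faultstring')}")
    result = root.find(f".//{{{XACML_NS}}}Result")
    if result is None:
        raise ValueError("no XACML Result element in response")
    decision = result.findtext(f"{{{XACML_NS}}}Decision")
    code = result.find(f"{{{XACML_NS}}}Status/{{{XACML_NS}}}StatusCode")
    return decision, (code.get("Value") if code is not None else None)


def pep_allows(decision):
    """Deny-biased PEP: only an explicit Permit grants access.
    Deny, NotApplicable, Indeterminate and anything unexpected all refuse."""
    return decision == "Permit"


def pdp_decision(rule_matched, indeterminate=False,
                 enable_not_applicable=False, deny_based=False):
    """Model of the EnableNotApplicable behaviour as described on this page.

    rule_matched: a policy rule applied to the request (a grant in a Whitelist
    policy, a deny in a DenyBased/Blacklist policy)."""
    if indeterminate:
        return "Indeterminate"
    if rule_matched:
        return "Deny" if deny_based else "Permit"
    if enable_not_applicable:
        return "NotApplicable"
    return "Permit" if deny_based else "Deny"  # default mode: the opposite of a match


# Constructed sample response: a Whitelist policy with EnableNotApplicable=true
# answering a request that no rule covers.
SAMPLE_RESPONSE = f"""<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Body>
<Response xmlns="{XACML_NS}"><Result ResourceId="https://example.org/records/42">
<Decision>NotApplicable</Decision><Status><StatusCode Value="{STATUS_OK}"/></Status>
</Result></Response></soapenv:Body></soapenv:Envelope>"""

if __name__ == "__main__":
    envelope = soap_envelope(build_request("alice", "https://example.org/records/42", "read"))
    print(envelope)
    # Live call against an assumed endpoint:
    # post_soap("https://pdp.example.org:8443/axis2/services/XACML", envelope)
    decision, status = parse_decision(SAMPLE_RESPONSE)
    print(decision, status, "allowed" if pep_allows(decision) else "refused")
```

The PEP side deliberately tests for the single value "Permit" rather than for "Deny": with EnableNotApplicable enabled the server answers an uncovered request with NotApplicable, and a PEP written as "refuse only on Deny" would grant it.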
We do not currently release a client for the server ourselves; instead we
recommend the ZXID software, available from
here, which can be used as a compatible SAML XACML client for Apache web servers.
We also provide an example PHP script that makes a pure XACML call via SOAP to the authorisation server. It can be downloaded here.
The release is configured with two test PERMIS RBAC policies that can be
used to test the service; they are for exercising the deployment and should be
replaced by your own policies before the server is put into use. For information on
how to configure and use the server please refer to the user documentation provided below.
This version of the PERMIS standalone server supports the latest schema, which can be found here.
Downloads
Documentation
References
- [1] David Chadwick, Kaniz Fatema. "An Advanced Policy Based Authorisation Infrastructure". Proc. DIM'09, November 13, 2009, Chicago, Illinois, USA. ACM.
- [2] David W. Chadwick, Sassa Otenko, Tuan Anh Nguyen. "Adding Support to XACML for Multi-Domain User to User Dynamic Delegation of Authority". International Journal of Information Security, Volume 8, Number 2, April 2009, pp 137-152. DOI 10.1007/s10207-008-0073-y
- [3] OASIS. "eXtensible Access Control Markup Language (XACML) Version 2.0". OASIS Standard, 1 February 2005.
- [4] David W. Chadwick, Linying Su, Romain Laborde. "Use of XACML Request Context to Obtain an Authorisation Decision". GFD.159, 13 November 2009. Available from http://www.ogf.org/documents/GFD.159.pdf
- [5] David Chadwick, Linying Su. "Use of WS-TRUST and SAML to access a Credential Validation Service". GFD.157, 13 November 2009. Available from http://www.ogf.org/documents/GFD.157.pdf
- [6] Ana Ferreira, David Chadwick, Pedro Farinha, Ricardo Correia, Gansen Zhao, Rui Chilro, Luis Antunes. "How to securely break into RBAC: the BTG-RBAC model". Annual Computer Security Applications Conference, Honolulu, Hawaii, December 2009.
- [7] David W. Chadwick, George Inman. "Attribute Aggregation in Federated Identity Management". IEEE Computer, May 2009, pp 46-53.
Note: future releases of this package will add support for attribute aggregation [7].
Change Log
V 0.3.3
- Added support for the policy parameter EnableNotApplicable.
V 0.3.2
- Added support for Blacklist and Whitelist policies.
V 0.3.1
- Added support for dynamic conflict resolution.
- Added a first version of the policy management web service.
V 0.2.6
- Support for an XACML CVS (Credential Validation Service) in the configuration.
V 0.2.5
- Includes (limited) support for multiple resources in a single request.
- Introduced a proper namespace for sticky policies.
- On startup www.w3.org is no longer contacted to fetch the XMLSchema.dtd file.
V 0.2.4
- First version including AIPEP functionality.
V 0.2.3
- Obligations can now be used when deploying in a servlet container.
- Fixed a problem with deploying the TestService in a servlet container.
V 0.2.2
- Improved the facility to reset the BTG state.
V 0.2.1
- Added and documented the BTG capability.
- Use of a configurable obligations service.
- (Limited) deployment in Tomcat using the Axis2 servlet now available.
V 0.1.2
- Updated the release package to include expected response messages and corrected the WSDL processing code so that the displayed WSDL is correct.
V 0.1.1
- Minor changes to the release package to include an endorsed directory.
V 0.1.0
- Initial release.