PERMIS Project Web Site


PERMIS Contents

Home

Essentials Integration Projects Documents Developers Get Involved

Standalone Authorisation Server

Version 0.3.2


The standalone authorisation server is a Web Services based authorisation server. It can be used as an AIPEP [1] or Credential Validation Service [2] or PDP to respond to an application's request for authorisation related services such as an authorisation decision, credential validation, and/or obligation enforcement.

It is a Java based application with an embedded Apache Axis2 service that accepts requests for authorisation services using three standardised protocols messages sent using SOAP over HTTP or SOAP over HTTPS. The first of these protocol languages is an XACML request/response context [3]. The second is a XACML over SAML [4] and the final protocol is a Ws-Trust and SAML [5]. This server supports the use of multiple policies when XACML over SAML or WS-Trust and SAML message handlers are queried.

As of version 0.2.1 you can also deploy the service in a servlet container like Tomcat. This helps you take full advantage of Tomcat's capabilities, although not all features are currently available when deploying within Tomcat. See the documentation for more details.

As of version 0.2.1 the software completely supports BTG policies [6] and the use of obligations.

As of version 0.3.2 the software now supports Blacklist and Whitelist policies.

As of version 0.3.3 the software now supports an additional parameter in the policy "EnableNotApplicable". This parameter allows the PDP two modes of operation:

  • With EnableNotApplicable set to false (default behaviour) the PDP will return Permit if the decision is grant and otherwise Deny, unless the result is Indeterminate.
  • With EnableNotApplicable set to true the PDP will return NotApplicable unless the result is Permit or Indeterminate
In the case of a DenyBased (Blacklist) policy the behaviour is inverted.

We do not currently release a software client for the server ourselves, instead we recommend the use of the ZXID software available from here which can be used as a compatible SAML XACML client for Apache web servers.

We also provide an example PHP script which makes a pure XACML call via SOAP to the authorization server. This can be downloaded here.

The release is configured with two test PERMIS RBAC policies that can be used to test the service. For information on how to configure and use the server please refer to the user documentation provided below:

This version of the PERMIS standalone server supports the latest schema which can be found here.

  • Downloads
  • Documentation
  • References

  • Note. Future releases of this package will add support for
    • attribute aggregation [7].

  • Change Log
    • V 0.3.3
      • Added support for policy parameter EnableNotApplicable
    • V 0.3.2
      • Added support for Blacklist and Whitelist policies.
    • V 0.3.1
      • Added support for dynamic conflict resolution.
      • Added a first version of the policy management web service.
    • V 0.2.6
      • Support XACML CVS in the configuration.
    • V 0.2.5
      • Includes (limited) support for multiple resources in a single request.
      • Introduced a proper namespace for sticky policies.
      • On startup www.w3.org should now no longer be contacted to fetch the XMLSchema.dtd file.
    • V 0.2.4
      • First version including AIPEP functionality.
    • V 0.2.3
      • Obligations can now be used when deploying in a servlet container.
      • Fixed problem with deploying the TestService in a servlet container.
    • V 0.2.2 - Improved the facility to reset the BTG-state.
    • V 0.2.1
      • Added and documented BTG capability.
      • Use of configurable obligations service.
      • (Limited) deployment in Tomcat using the Axis2 servlet now available.
    • V 0.1.2 - Updated the release package to include expected response messages and corrected the WSDL processing code so that the displayed WSDL is correct.
    • V 0.1.1 - Minor changes to the release package to include an endorsed directory
    • V 0.1.0 - Initial Release

    Last updated 20 July 2011