Standalone Authorisation Server
The standalone authorisation server is a Web Services based
authorisation server. It can be used as an AIPEP  or Credential
Validation Service  or PDP to respond to an application's request for
authorisation related services such as an authorisation decision,
credential validation, and/or obligation enforcement.
It is a Java based application with an embedded Apache Axis2 service
that accepts requests for authorisation services using three
standardised protocols messages sent using SOAP over HTTP or SOAP over
HTTPS. The first of these protocol languages is an XACML
request/response context . The second is a XACML over SAML  and
the final protocol is a Ws-Trust and SAML . This server supports the
use of multiple policies when XACML over SAML or WS-Trust and SAML
message handlers are queried.
As of version 0.2.1 you can also deploy the service in a servlet container
like Tomcat. This helps you take full advantage of Tomcat's capabilities, although
not all features are currently available when deploying within Tomcat. See the documentation
for more details.
As of version 0.2.1 the software completely supports BTG policies 
and the use of obligations.
As of version 0.3.2 the software now supports Blacklist and Whitelist policies.
As of version 0.3.3 the software now supports an additional parameter in the policy "EnableNotApplicable".
This parameter allows the PDP two modes of operation:
In the case of a DenyBased (Blacklist) policy the behaviour is inverted.
- With EnableNotApplicable set to false (default behaviour) the PDP will return Permit if the decision is grant and otherwise Deny, unless the result is Indeterminate.
- With EnableNotApplicable set to true the PDP will return NotApplicable unless the result is Permit or Indeterminate
We do not currently release a software client for the server ourselves, instead we
recommend the use of the ZXID software available from
here which can be used as a compatible SAML XACML client for Apache web servers.
We also provide an example PHP script which makes a pure XACML call via SOAP to the authorization server. This can be downloaded here.
The release is configured with two test PERMIS RBAC policies that can be
used to test the service. For information on how to configure and use
the server please refer to the user documentation provided below:
This version of the PERMIS standalone server supports the latest schema which can be found here.
 David Chadwick, Kaniz Fatema. "An Advanced Policy Based
Authorisation Infrastructure".Proc DIM'09, November 13, 2009, Chicago,
Illinois, USA. ACM [mailto:email@example.com ]
 David W Chadwick, Sassa Otenko and Tuan Anh Nguyen. "Adding Support
to XACML for Multi-Domain User to User Dynamic Delegation of Authority".
International Journal of Information Security. Volume 8, Number 2 /
April, 2009 pp 137-152. DOI 10.1007/s10207-008-0073-y
 OASIS "eXtensible Access Control Markup Language (XACML) Version
2.0" OASIS Standard, 1 Feb 2005
 David W Chadwick, Linying Su, Romain Laborde. "Use of XACML Request
Context to Obtain an Authorisation Decision". GFD.159. 13 November 2009.
Available from http://www.ogf.org/documents/GFD.159.pdf
 David Chadwick, Linying Su. "Use of WS-TRUST and SAML to access a
Credential Validation Service". GFD.157. 13 November 2009. Available
Ana Ferreira, David Chadwick, Pedro Farinha, Ricardo Correia.,
Gansen Zhao, Rui Chilro, Luis Antunes. "How to securely break into RBAC:
the BTG-RBAC model", Annual Computer Security Applications Conference,
Honolulu, Hawaii, December 2009 [mailto:firstname.lastname@example.org]
 David W Chadwick, George Inman. "Attribute Aggregation in Federated
Identity Management". IEEE Computer, May 2009, pp 46-53
Note. Future releases of this package will add support for
attribute aggregation .
- Added support for policy parameter EnableNotApplicable
- Added support for Blacklist and Whitelist policies.
- Added support for dynamic conflict resolution.
- Added a first version of the policy management web service.
- Support XACML CVS in the configuration.
- Includes (limited) support for multiple resources in a single request.
- Introduced a proper namespace for sticky policies.
- On startup www.w3.org should now no longer be contacted to fetch the XMLSchema.dtd file.
- First version including AIPEP functionality.
- Obligations can now be used when deploying in a servlet container.
- Fixed problem with deploying the TestService in a servlet container.
V 0.2.2 - Improved the facility to reset the BTG-state.
- Added and documented BTG capability.
- Use of configurable obligations service.
- (Limited) deployment in Tomcat using the Axis2 servlet now available.
V 0.1.2 - Updated the release package to include expected response messages and corrected the WSDL processing code so that the displayed WSDL is
V 0.1.1 - Minor changes to the release package to include an endorsed directory
V 0.1.0 - Initial Release