Introduction to XACML (Beegee Translation)

Source: http://blog.9cbs.net/beegee/rchive/2004/09/15/105935.aspx

Summary:

1. XACML (eXtensible Access Control Markup Language) is an access control markup language standardized by OASIS.

2. Main functions: 1) describing access control policies; 2) describing the request and response formats used to ask for and return access control decisions.

3. The PEP (Policy Enforcement Point) builds a Request from the requester's attributes, the requested resource, the action, and other accompanying information. The PEP then sends the Request to the PDP (Policy Decision Point). The PDP evaluates the Request against the access control policy information relevant to it and finally answers whether the access is permitted.

4. Possible results of an access request: Permit, Deny, Indeterminate (the decision cannot be determined), NotApplicable (the request cannot be answered).

5. The root of every XACML access control policy is a Policy or a PolicySet. A PolicySet is a container that holds other Policies or PolicySets, and it can also reference Policies or PolicySets that are not local; a PolicySet can contain multiple Policies. A Policy represents a single access control policy, expressed through a set of Rules; a Policy can contain multiple Rules. Each XACML access control policy document contains exactly one Policy or PolicySet as the root of its XML. The results of several judgments are reconciled by combining algorithms; each algorithm describes a different way of merging multiple decisions into a single decision. Policy-level results are merged by "policy combining algorithms", and rule-level results within a Policy by "rule combining algorithms".

6. The PDP locates the policies that correspond to a request. For this purpose XACML provides a feature called Target. A Target is the bridge between a request and a policy: it states the constraints that let the PDP match the request's parameters to the corresponding PolicySet, Policy or Rule.

7. XACML processing at runtime is based on attributes. An attribute is a named value of a known type, which may also carry the identity of its issuer and the date and time at which it was issued. A policy resolves attribute values from the request or from other sources (such as other policies) through two mechanisms: AttributeDesignator and AttributeSelector. An AttributeDesignator is defined in the policy with a name and a type, optionally with an issuer (Issuer); the PDP then looks for the value of that attribute in the request, or determines whether such a value can be found in the request. An AttributeSelector lets a policy query an attribute value with an XPath query: given a data type and an XPath expression, the attribute value is resolved from the request document. Both AttributeDesignator and AttributeSelector may return multiple values (because a request may match several conditions), so XACML provides a special attribute type called a "bag". Once a bag of attribute values has been obtained, it must be compared to produce the expected access control decision. XACML provides a powerful set of functions for this purpose; note that some functions are defined for a specific data type (e.g. string and integer).
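As an added example (not part of the original post or of any XACML library), the following miniature PDP in Python models the pieces described in points 3 to 7: a Request made of attribute bags, Rules and a Policy with Targets, the four decision values, and a simplified deny-overrides combining algorithm. The names Rule, Policy, evaluate_policy and decide are illustrative, and the medical-record policy is constructed for the demonstration.

```python
from collections import namedtuple

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"

# A Rule has a Target, an Effect and an optional Condition (callable(request) -> bool);
# a Policy has a Target and a list of Rules whose results are combined by deny-overrides.
Rule = namedtuple("Rule", "target effect condition", defaults=(None,))
Policy = namedtuple("Policy", "target rules")

def target_matches(target, request):
    # A request maps attribute ids to bags (lists of values). The Target matches
    # when every value it names is a member of the corresponding bag.
    return all(value in request.get(attr, []) for attr, value in target.items())

def evaluate_rule(rule, request):
    if not target_matches(rule.target, request):
        return NOT_APPLICABLE
    try:
        if rule.condition and not rule.condition(request):
            return NOT_APPLICABLE
    except KeyError:  # the condition needs an attribute the request did not supply
        return INDETERMINATE
    return rule.effect

def deny_overrides(decisions):
    # Simplified deny-overrides combining algorithm (the specification treats
    # Indeterminate in more detail): Deny wins, then Indeterminate, then Permit.
    for outcome in (DENY, INDETERMINATE, PERMIT):
        if outcome in decisions:
            return outcome
    return NOT_APPLICABLE

def evaluate_policy(policy, request):
    if not target_matches(policy.target, request):
        return NOT_APPLICABLE
    return deny_overrides([evaluate_rule(r, request) for r in policy.rules])

# Constructed sample policy: doctors may read medical records, nobody may delete them.
RECORD_POLICY = Policy({"resource-id": "medical-record"}, [
    Rule({"action": "read"}, PERMIT, lambda req: "doctor" in req["role"]),
    Rule({"action": "delete"}, DENY),
])

def decide(roles, resource, action):
    # Build the Request from attribute bags (the "role" bag is omitted when empty).
    request = {"resource-id": [resource], "action": [action]}
    if roles:
        request["role"] = list(roles)
    return evaluate_policy(RECORD_POLICY, request)
```

A request that omits the role attribute yields Indeterminate rather than Deny, which is why a PEP must treat anything other than Permit as a refusal.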
