The idea of this project was to implement the
XACML specification released by
OASIS in pure .Net code (C#) that anyone in the .Net
developer community can use. XACML.NET is released under the Mozilla Public License MPL 1.1, so any
software under a license compatible with the MPL can use this code.
XACML is a specification that defines an access control mechanism based on XML
documents. The specification defines 3 basic documents: a Policy (a description
of the permissions), a Request (a request by some Subject to perform an Action on
some Resource), and a Response (the
result of applying the Policy to the Request document). This implementation
can load policies and requests from their XML representation and evaluate
a request by applying the policy. This implementation contains 4 main components:
Core. The main implementation code. This assembly contains the set of
classes responsible for loading Policies and Requests and
generating the Response that results from evaluating the Request against a
Policy. To implement a PDP (Policy Decision Point) this assembly must be referenced and used.
xacmlTest. A console-based evaluation tool that performs
an evaluation of an existing policy and request and prints
the resulting Response document to the console.
Control center. A GUI tool used to create and edit policies and
TestHarness. A set of NUnit tests that executes all the
ConformanceTests provided with the specification.
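To make the three documents concrete, the following is an added example that is not XACML.NET's own code and does not use its Core API: a deliberately tiny PDP written with System.Xml.Linq that reads a Policy and a Request in XACML 1.0 syntax and writes a Response. The policy, the requests and the subject attribute `urn:example:attribute:role` are constructed for this example; only string-equal Target matches are implemented, and Conditions, Obligations, PolicySets and Indeterminate results are out of scope.

```csharp
// Added example, not part of XACML.NET: a tiny PDP over the three XACML 1.0
// documents (Policy, Request, Response). Only string-equal Target matches are
// implemented; the policy and requests below are constructed for this example.
using System;
using System.Linq;
using System.Xml.Linq;

public static class MiniPdp
{
    static readonly XNamespace P = "urn:oasis:names:tc:xacml:1.0:policy";
    static readonly XNamespace C = "urn:oasis:names:tc:xacml:1.0:context";
    const string XS = "http://www.w3.org/2001/XMLSchema#string";
    const string StringEqual = "urn:oasis:names:tc:xacml:1.0:function:string-equal";

    // Constructed policy: on /report anyone may read, but guests are denied
    // outright; deny-overrides makes the Deny win over the Permit.
    public const string PolicyXml = @"<Policy xmlns='urn:oasis:names:tc:xacml:1.0:policy' PolicyId='urn:example:policy:report'
        RuleCombiningAlgId='urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides'>
  <Target>
    <Subjects><AnySubject/></Subjects>
    <Resources><Resource><ResourceMatch MatchId='urn:oasis:names:tc:xacml:1.0:function:string-equal'>
      <AttributeValue DataType='http://www.w3.org/2001/XMLSchema#string'>/report</AttributeValue>
      <ResourceAttributeDesignator AttributeId='urn:oasis:names:tc:xacml:1.0:resource:resource-id'
                                   DataType='http://www.w3.org/2001/XMLSchema#string'/>
    </ResourceMatch></Resource></Resources>
    <Actions><AnyAction/></Actions>
  </Target>
  <Rule RuleId='permit-read' Effect='Permit'><Target>
    <Subjects><AnySubject/></Subjects><Resources><AnyResource/></Resources>
    <Actions><Action><ActionMatch MatchId='urn:oasis:names:tc:xacml:1.0:function:string-equal'>
      <AttributeValue DataType='http://www.w3.org/2001/XMLSchema#string'>read</AttributeValue>
      <ActionAttributeDesignator AttributeId='urn:oasis:names:tc:xacml:1.0:action:action-id'
                                 DataType='http://www.w3.org/2001/XMLSchema#string'/>
    </ActionMatch></Action></Actions>
  </Target></Rule>
  <Rule RuleId='deny-guests' Effect='Deny'><Target>
    <Subjects><Subject><SubjectMatch MatchId='urn:oasis:names:tc:xacml:1.0:function:string-equal'>
      <AttributeValue DataType='http://www.w3.org/2001/XMLSchema#string'>guest</AttributeValue>
      <SubjectAttributeDesignator AttributeId='urn:example:attribute:role'
                                  DataType='http://www.w3.org/2001/XMLSchema#string'/>
    </SubjectMatch></Subject></Subjects>
    <Resources><AnyResource/></Resources><Actions><AnyAction/></Actions>
  </Target></Rule>
</Policy>";

    // Builds a Request document for a subject role, a resource and an action.
    public static string Request(string role, string resource, string action) =>
        new XElement(C + "Request",
            new XElement(C + "Subject", Attr("urn:example:attribute:role", role)),
            new XElement(C + "Resource", Attr("urn:oasis:names:tc:xacml:1.0:resource:resource-id", resource)),
            new XElement(C + "Action", Attr("urn:oasis:names:tc:xacml:1.0:action:action-id", action))).ToString();

    static XElement Attr(string id, string value) =>
        new XElement(C + "Attribute", new XAttribute("AttributeId", id), new XAttribute("DataType", XS),
            new XElement(C + "AttributeValue", value));

    // One attribute value from the Subject/Resource/Action section of a Request;
    // null when absent (the spec's empty bag), so a match fails instead of erroring.
    static string Lookup(XElement request, string section, string attributeId) =>
        request.Element(C + section)?.Elements(C + "Attribute")
            .FirstOrDefault(a => (string)a.Attribute("AttributeId") == attributeId)?
            .Element(C + "AttributeValue")?.Value;

    // XACML 1.0 Target semantics: every section (Subjects, Resources, Actions)
    // must match; a section matches if it is Any* or at least one of its
    // elements has all of its *Match tests true.
    static bool TargetMatches(XElement target, XElement request)
    {
        if (target == null) return true;   // a Rule without a Target inherits the Policy's
        foreach (var s in new[] { "Subject", "Resource", "Action" })
        {
            var section = target.Element(P + (s + "s"));
            if (section.Element(P + ("Any" + s)) != null) continue;
            if (!section.Elements(P + s).Any(e => e.Elements(P + (s + "Match")).All(m => MatchHolds(m, s, request))))
                return false;
        }
        return true;
    }

    static bool MatchHolds(XElement match, string s, XElement request)
    {
        if ((string)match.Attribute("MatchId") != StringEqual)
            throw new NotSupportedException("only string-equal is implemented in this example");
        var expected = match.Element(P + "AttributeValue").Value;
        var attrId = (string)match.Element(P + (s + "AttributeDesignator")).Attribute("AttributeId");
        return Lookup(request, s, attrId) == expected;
    }

    // NotApplicable unless the Policy Target matches; then deny-overrides across
    // the Rules whose Targets match (no Indeterminate can arise here, so the
    // algorithm reduces to: any Deny wins, else any Permit, else NotApplicable).
    public static string Decide(string policyXml, string requestXml)
    {
        var policy = XElement.Parse(policyXml);
        var request = XElement.Parse(requestXml);
        if (!TargetMatches(policy.Element(P + "Target"), request)) return "NotApplicable";
        var effects = policy.Elements(P + "Rule")
            .Where(r => TargetMatches(r.Element(P + "Target"), request))
            .Select(r => (string)r.Attribute("Effect")).ToList();
        return effects.Contains("Deny") ? "Deny" : effects.Contains("Permit") ? "Permit" : "NotApplicable";
    }

    // Wraps the decision in a Response document with an ok status.
    public static XElement Respond(string policyXml, string requestXml) =>
        new XElement(C + "Response", new XElement(C + "Result",
            new XElement(C + "Decision", Decide(policyXml, requestXml)),
            new XElement(C + "Status", new XElement(C + "StatusCode",
                new XAttribute("Value", "urn:oasis:names:tc:xacml:1.0:status:ok")))));

    public static void Main()
    {
        foreach (var (role, resource, action) in new[] {
                 ("employee", "/report", "read"), ("employee", "/report", "write"),
                 ("guest", "/report", "read"), ("guest", "/other", "read") })
            Console.WriteLine($"{role} {action} {resource} -> {Decide(PolicyXml, Request(role, resource, action))}");
        Console.WriteLine(Respond(PolicyXml, Request("guest", "/report", "read")));
    }
}
```

The guest's read of /report is denied because of the deny-overrides algorithm named in RuleCombiningAlgId: permit-read matches as well, but any Deny wins. A request for /other never reaches the Rules because the Policy Target does not match, which is the same Target evaluation a Target-based policy repository relies on to pick the applicable policies.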
Specification conformance: This code implements 100% of XACML 1.0 except the
regexp-string-match function. Since this function is defined in terms of XPath 2.0 regular expressions and .Net
implements XPath 1.0, not all of the regular expression syntax is supported;
specifically, reluctant quantifiers
are not supported, and all the other differences between XSD regular expressions are
The specification is not very clear about which node is the current node for the XPath
expressions, and the ConformanceTests are also inconsistent on this point, so a decision
had to be made for this implementation.
XACML 1.1 is still a draft, but this implementation already supports its new (ordered)
policy and rule combining algorithms and also adopts its assumptions about the
return values of XPath expressions.
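The following is an added example, not XACML.NET's own code, that writes out the XACML 1.0 rule-combining algorithms from the specification's pseudocode, plus the policy-level deny-overrides, over rules that have already been evaluated; the sample rule results are constructed. It shows the point that matters for security: how each algorithm treats a rule that evaluates to Indeterminate, and why the 1.1 ordered variants need no separate decision logic.

```csharp
// Added example, not part of XACML.NET: the XACML 1.0 combining algorithms
// written out from the specification's pseudocode, applied to rules that have
// already been evaluated to a Decision. The sample inputs are constructed.
using System;
using System.Collections.Generic;

public enum Effect { Permit, Deny }
public enum Decision { Permit, Deny, NotApplicable, Indeterminate }

public static class RuleCombining
{
    // urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides
    // A Deny rule that could not be evaluated counts as a Deny: fail closed.
    // XACML 1.1's ordered-deny-overrides has the same decision table; it only
    // requires document-order evaluation, which this loop already does.
    public static Decision DenyOverrides(IEnumerable<(Effect effect, Decision decision)> rules)
    {
        bool atLeastOneError = false, potentialDeny = false, atLeastOnePermit = false;
        foreach (var (effect, decision) in rules)
        {
            if (decision == Decision.Deny) return Decision.Deny;
            if (decision == Decision.Permit) atLeastOnePermit = true;
            if (decision == Decision.Indeterminate)
            {
                atLeastOneError = true;
                if (effect == Effect.Deny) potentialDeny = true;
            }
        }
        if (potentialDeny) return Decision.Deny;
        if (atLeastOnePermit) return Decision.Permit;
        return atLeastOneError ? Decision.Indeterminate : Decision.NotApplicable;
    }

    // urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides
    // Note the asymmetry with deny-overrides: a Permit rule that errored yields
    // Indeterminate, never Permit, so an evaluation failure cannot grant access.
    // ordered-permit-overrides (1.1) again differs only in mandated ordering.
    public static Decision PermitOverrides(IEnumerable<(Effect effect, Decision decision)> rules)
    {
        bool atLeastOneError = false, potentialPermit = false, atLeastOneDeny = false;
        foreach (var (effect, decision) in rules)
        {
            if (decision == Decision.Permit) return Decision.Permit;
            if (decision == Decision.Deny) atLeastOneDeny = true;
            if (decision == Decision.Indeterminate)
            {
                atLeastOneError = true;
                if (effect == Effect.Permit) potentialPermit = true;
            }
        }
        if (potentialPermit) return Decision.Indeterminate;
        if (atLeastOneDeny) return Decision.Deny;
        return atLeastOneError ? Decision.Indeterminate : Decision.NotApplicable;
    }

    // urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable
    // The first rule that is not NotApplicable decides, Indeterminate included.
    public static Decision FirstApplicable(IEnumerable<(Effect effect, Decision decision)> rules)
    {
        foreach (var (_, decision) in rules)
            if (decision != Decision.NotApplicable) return decision;
        return Decision.NotApplicable;
    }

    // urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides
    // Policies carry no Effect, so any Indeterminate becomes a Deny outright.
    public static Decision DenyOverridesPolicies(IEnumerable<Decision> policies)
    {
        bool atLeastOnePermit = false;
        foreach (var d in policies)
        {
            if (d == Decision.Deny || d == Decision.Indeterminate) return Decision.Deny;
            if (d == Decision.Permit) atLeastOnePermit = true;
        }
        return atLeastOnePermit ? Decision.Permit : Decision.NotApplicable;
    }

    public static void Main()
    {
        // Constructed inputs: a matched Permit next to a Deny rule whose Condition
        // errored, and a matched Deny next to a Permit rule whose Condition errored.
        var failedDeny = new[] { (Effect.Permit, Decision.Permit), (Effect.Deny, Decision.Indeterminate) };
        var failedPermit = new[] { (Effect.Deny, Decision.Deny), (Effect.Permit, Decision.Indeterminate) };
        foreach (var (name, rules) in new[] { ("failedDeny", failedDeny), ("failedPermit", failedPermit) })
            Console.WriteLine($"{name}: deny-overrides={DenyOverrides(rules)} " +
                              $"permit-overrides={PermitOverrides(rules)} first-applicable={FirstApplicable(rules)}");
        Console.WriteLine($"policies: {DenyOverridesPolicies(new[] { Decision.Permit, Decision.Indeterminate })}");
    }
}
```

The two constructed inputs make the difference visible: under deny-overrides an unevaluable Deny rule already forces Deny, while under permit-overrides an unevaluable Permit rule only produces Indeterminate, so neither algorithm lets an evaluation error grant access. A PEP receiving Indeterminate must treat it as a refusal, which is why the Status in the Response matters as much as the Decision.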
There are also optional features in the specification, and this implementation
supports the following ones:
Extensible type system. Any data type that is not defined in the
specification can be used in AttributeValues, and new functions can be
created that support those data types; the basic evaluation engine accepts
extended data types, and there is an API for creating the new data types.
Extensible functions. Functions can be created in external
assemblies and added to the evaluation engine through the configuration file.
Extensible algorithms. Policy combining algorithms and rule combining
algorithms can be created in external assemblies and added to the evaluation
engine through the configuration class.
Policy repositories. The specification defines 2 types of policy
repositories: Id based and Target based. The first is a list of policy
documents looked up by the Id given in a policy or policy set reference. In the second
type the policy or policy set to apply is selected from the contents of the Request
document: all the policies in the repository are evaluated to determine
which one matches the request contents.
Attribute repositories. External attribute repositories can be created,
and attributes can either be defined in the configuration file or populated by a class
that reads the attribute contents from an external resource.