XACML.NET

The idea of this project was to implement the XACML specification released by Oasis in purely .Net code (C#) which can be used by anyone in the .Net developer comunity. XACML.NET is under the Mozilla license MPL 1.1 so any software under a license compatible with MPL can use this code.

XACML is a specification that defines an access control mechanism based on Xml documents. The specification defines 3 basic documents: Policy (description of the permissions), Request (a request for some Subject over some Resource to perform an Action), and a Response (the results of applying the policy to the Request document). This implementation allows loading policies and requests from its Xml representation, and perform an evaluation aplying the policy. This implementation contains 4 main assemblies:

• Core. The main implementation code, this assembly contains a set of classes which are responsible for loading the Policies and Requests and generating a Response resulting from the evaluation of the Request against a Policy. In order to implement a PDP this assembly must be referenced and used.
• xacmlTest. This is a console based evaluation tool that can be used to perform an evaluation over an existing policy and request and will print in the console the result document.
• Control center. A GUI tool used to create and edit policies and requests.
• TestHarness. A set of NUnit tests used to execute all the ConformanceTests provided with the specification.

Specification conformance: This code implements the 100% XACML 1.0 except the following differences:

• regexp-string-match. Since this function is defined for XPath 2.0 and .Net implemnts XPath 1.0 not all the regular expression syntax is supported, specifically Reluctant quantifiers are not suported, all the other differences between XSD regular expressions are supported.
• The specification is not very clear about the current node for the XPath expressions and the ConformanceTests are also inconsistent, so a decission was taked for this implementation.

XACML 1.1 is still in draft but this implementation supports the new (ordered) policy and rule combining algorithms and also makes the assumptions for the XPath expressions return values.

There are also optional features in the specification and this implementation supports the following ones:

• Obligations
• Extensible type system. Any data type that is not defined in the specification can be used in the AttributeValues, and new functions can be created supporting those data types, the basic evaluation engine will allow extended data types and there is an API to create the new data types.
• Extensible functions. Functions can be created in external assemblies and added to the evaluation engine in the configuration file.
• Extensible algorithms. Policy combining algorith and Rule combining algorithm can be created in external assemblies and added to the evaluation engine in the configuration class.
• Policy repositories. The specification defines 2 types of policy repositories: Id based and Target based. The first one is a list of policy documents based on the Id of the policy or policy set reference. In the second type the policy or policy set is loaded depending on the Request document contents, all the policies in the repository will be evaluated to determine which one matches the request contents.
• Attribute repositories. External attribute repositories can be created and attributes can be defined in the configuration file or using a class that populates the attribute contents from an external resource.