AuthzForce (Community Edition)


OW2con16 Best Project Award

CII Best Practices badge: https://bestpractices.coreinfrastructure.org/projects/389/badge

What is AuthzForce?

The AuthzForce project provides an Attribute-Based Access Control (ABAC) framework compliant with the OASIS XACML standard v3.0. It consists mainly of an authorization policy engine and a RESTful authorization server. It was primarily developed to provide advanced access control for Web Services or APIs, but is generic enough to address all kinds of access control use cases.
You can use AuthzForce in two ways depending on your needs:

  • Java API: AuthzForce provides a XACML PDP (Policy Decision Point) engine as a Java library, so that applications can instantiate and use an embedded XACML PDP from Java. This API is provided by AuthzForce Core.
  • Web API:
    - AuthzForce provides a multi-tenant RESTful PDP/PAP API server (PAP stands for Policy Administration Point) that web clients can call to manage policies, request authorization decisions, etc. This API is provided by AuthzForce Server (also available as a Docker image).
    - AuthzForce also provides a minimal single-tenant RESTful PDP API server that web clients can call to request authorization decisions. This API is provided by AuthzForce RESTful PDP (also available as a Docker image).

AuthzForce Features

PDP (Policy Decision Point)

Applies to AuthzForce Core, AuthzForce RESTful PDP, and AuthzForce Server.

AuthzForce provides XACML PDP features:

OASIS XACML v3.0 Standards compliance

For further details on what is actually supported with regards to the XACML specifications, please refer to the Feature page.

Enhancements to the XACML standard

Security

  • Detection of circular XACML policy / variable references (PolicyIdReference / PolicySetIdReference / VariableReference), which would otherwise send the evaluator into unbounded recursion;
  • Control of the maximum PolicyIdReference / PolicySetIdReference / VariableReference depth, bounding the work a single (possibly untrusted) policy can trigger.
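As an added illustration (not AuthzForce code, and in Python rather than the project's Java so that it runs without a PDP), the following reimplements both checks over a constructed set of minimal XACML 3.0 policies: a depth-first walk that raises on a reference already on the current chain (a cycle) or on a chain longer than a configured maximum. The policy identifiers PS-root, PS-A, PS-B and P-ok, the store layout and the depth convention (root at depth 0, plus one per reference followed) are assumptions of this example.

```python
"""Circular-reference and depth checks over XACML 3.0 policy references.
Added example, not AuthzForce code; sample policies are constructed here."""
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML_NS}
PS_ALG = "urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides"
RULE_ALG = "urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
BOOL = "http://www.w3.org/2001/XMLSchema#boolean"

def policy_set(pid, refs):
    """Minimal PolicySet whose body is only references: refs = [(tag, target_id)]."""
    body = "".join(f"<{tag}>{target}</{tag}>" for tag, target in refs)
    return (f'<PolicySet xmlns="{XACML_NS}" PolicySetId="{pid}" Version="1.0" '
            f'PolicyCombiningAlgId="{PS_ALG}"><Target/>{body}</PolicySet>')

def policy(pid, variables):
    """Minimal Policy with VariableDefinitions: variables = [(id, referenced_id or None)]."""
    defs = "".join(
        f'<VariableDefinition VariableId="{vid}">'
        + (f'<VariableReference VariableId="{ref}"/>' if ref
           else f'<AttributeValue DataType="{BOOL}">true</AttributeValue>')
        + "</VariableDefinition>"
        for vid, ref in variables)
    return (f'<Policy xmlns="{XACML_NS}" PolicyId="{pid}" Version="1.0" '
            f'RuleCombiningAlgId="{RULE_ALG}"><Target/>{defs}</Policy>')

# Constructed sample store: PS-root -> PS-A -> {PS-B, P-ok}; P-ok has v1 -> v2 -> v3.
STORE = {
    "PS-root": policy_set("PS-root", [("PolicySetIdReference", "PS-A")]),
    "PS-A": policy_set("PS-A", [("PolicySetIdReference", "PS-B"), ("PolicyIdReference", "P-ok")]),
    "PS-B": policy_set("PS-B", []),
    "P-ok": policy("P-ok", [("v1", "v2"), ("v2", "v3"), ("v3", None)]),
}
# Two broken variants: PS-B referencing back to PS-A, and a policy whose variables loop.
CYCLIC_STORE = dict(STORE, **{"PS-B": policy_set("PS-B", [("PolicySetIdReference", "PS-A")])})
BAD_VAR_STORE = dict(STORE, **{"P-ok": policy("P-ok", [("v1", "v2"), ("v2", "v1")])})

class PolicyReferenceError(ValueError):
    """A circular, unresolvable or too-deep reference chain."""

def _walk(starts, neighbours, max_depth, kind):
    """Depth-first walk. `path` is the chain being expanded, so meeting a node
    already on it is a cycle; depth = references followed from a start node."""
    deepest = 0

    def visit(node, path):
        nonlocal deepest
        if node in path:
            raise PolicyReferenceError(f"circular {kind}: " + " -> ".join(path + [node]))
        depth = len(path)
        if depth > max_depth:
            raise PolicyReferenceError(f"{kind} depth {depth} exceeds maximum {max_depth}")
        deepest = max(deepest, depth)
        for nxt in neighbours(node):
            visit(nxt, path + [node])

    for start in starts:
        visit(start, [])
    return deepest

def check_policy_references(root_id, store, max_depth):
    """Walk PolicySetIdReference/PolicyIdReference from the root; return the deepest level."""
    parsed = {pid: ET.fromstring(xml) for pid, xml in store.items()}

    def neighbours(pid):
        if pid not in parsed:
            raise PolicyReferenceError(f"unresolvable policy reference: {pid}")
        return [r.text.strip() for tag in ("PolicySetIdReference", "PolicyIdReference")
                for r in parsed[pid].findall(f"x:{tag}", NS)]

    return _walk([root_id], neighbours, max_depth, "policy reference")

def check_variable_references(policy_xml, max_depth):
    """Same walk over VariableDefinition -> VariableReference edges inside one Policy."""
    elem = ET.fromstring(policy_xml)
    defs = {d.get("VariableId"): [r.get("VariableId") for r in d.iter(f"{{{XACML_NS}}}VariableReference")]
            for d in elem.findall("x:VariableDefinition", NS)}

    def neighbours(vid):
        if vid not in defs:
            raise PolicyReferenceError(f"undefined variable: {vid}")
        return defs[vid]

    return _walk(list(defs), neighbours, max_depth, "variable reference")

def audit_store(root_id, store, max_policy_depth, max_variable_depth):
    """Run both checks as a PAP would before activating a root policy; return findings."""
    findings = []
    try:
        check_policy_references(root_id, store, max_policy_depth)
    except PolicyReferenceError as err:
        findings.append(str(err))
    for pid, xml in store.items():
        if ET.fromstring(xml).tag == f"{{{XACML_NS}}}Policy":
            try:
                check_variable_references(xml, max_variable_depth)
            except PolicyReferenceError as err:
                findings.append(f"{pid}: {err}")
    return findings
```

A reference cycle makes a naive resolver recurse until the stack is exhausted, which is why the page lists this check under Security rather than as a lint; running audit_store before activating a root policy is the PAP-side equivalent of the PDP's own check.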

Performance

  • Optional strict multivalued attribute parsing: if enabled, a multivalued attribute must be formed by grouping all its AttributeValue elements in a single Attribute element, rather than by repeating Attribute elements with the same AttributeId. This does not fully comply with the XACML 3.0 Core specification of multivalued attributes (§7.3.3), but it usually performs better than the default mode because the PDP no longer has to merge repeated Attribute elements while parsing the request.
  • Optional strict attribute Issuer matching: if enabled, an AttributeDesignator without Issuer only matches request Attributes without Issuer (and with the same AttributeId, Category, etc.). This is not fully compliant with XACML 3.0 §5.29, which says: "If the Issuer is not present in the attribute designator, then the matching of the attribute to the named attribute SHALL be governed by AttributeId and DataType attributes alone." It is the recommended option when all AttributeDesignators in your policies have an Issuer, since the non-compliant case (a designator without Issuer) then never arises.
  • Optimal integer data-type implementation: the maxIntegerValue configuration parameter (the expected maximum absolute value of XACML attributes of type http://www.w3.org/2001/XMLSchema#integer) lets the PDP choose the most efficient Java data type. By default, the XACML/XML type http://www.w3.org/2001/XMLSchema#integer is mapped to the largest Java integer type, BigInteger. This is overkill for, say, an integer attribute holding a person's age, where Short is sufficient and much cheaper. Lowering maxIntegerValue as far as the range of your integer values allows therefore makes integer handling in the PDP more efficient: lower memory consumption and faster computations.
  • Pluggable Decision Cache: you can plug in your own XACML Decision Cache mechanism to speed up evaluation of (repetitive) requests. See down below for more info (Decision Cache extension).
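To make the first two options concrete, here is an added Python example (not AuthzForce code) that parses a small XACML 3.0 Request into attribute bags and then resolves an AttributeDesignator against them, once in the default (specification) mode and once with each strict option. The request, the attribute id urn:example:attr:role and the issuer https://idp.example/ are constructed for this example.

```python
"""Request attribute parsing and AttributeDesignator matching, default vs. strict.
Added example, not AuthzForce code; request, attribute id and issuer are constructed."""
import xml.etree.ElementTree as ET
from collections import defaultdict

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML_NS}
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
STRING = "http://www.w3.org/2001/XMLSchema#string"
ROLE = "urn:example:attr:role"   # assumed attribute id
IDP = "https://idp.example/"     # assumed issuer

def request(attributes):
    """Wrap (issuer, [values]) tuples into one access-subject Attributes block."""
    elems = ""
    for issuer, values in attributes:
        iss = f' Issuer="{issuer}"' if issuer else ""
        vals = "".join(f'<AttributeValue DataType="{STRING}">{v}</AttributeValue>' for v in values)
        elems += f'<Attribute AttributeId="{ROLE}"{iss} IncludeInResult="false">{vals}</Attribute>'
    return (f'<Request xmlns="{XACML_NS}" ReturnPolicyIdList="false" CombinedDecision="false">'
            f'<Attributes Category="{SUBJECT}">{elems}</Attributes></Request>')

# The same subject roles written two ways: split over repeated <Attribute> elements
# (legal per XACML 3.0 section 7.3.3) and grouped in one element, plus one issued value.
SPLIT_REQUEST = request([(None, ["admin"]), (None, ["auditor"]), (IDP, ["guest"])])
GROUPED_REQUEST = request([(None, ["admin", "auditor"]), (IDP, ["guest"])])

class RequestParseError(ValueError):
    pass

def parse_request(xml_text, strict_multivalued=False):
    """Return bags keyed by (category, attribute_id, issuer, datatype).

    Default: repeated <Attribute> elements with the same id/issuer are merged into
    one bag. Strict: a repeat is rejected, so each bag comes from exactly one
    element and no merge pass is needed.
    """
    root = ET.fromstring(xml_text)
    bags, seen = defaultdict(list), set()
    for attrs in root.findall("x:Attributes", NS):
        category = attrs.get("Category")
        for attr in attrs.findall("x:Attribute", NS):
            ident = (category, attr.get("AttributeId"), attr.get("Issuer"))
            if strict_multivalued and ident in seen:
                raise RequestParseError(f"repeated Attribute element for {ident}")
            seen.add(ident)
            for value in attr.findall("x:AttributeValue", NS):
                bags[ident + (value.get("DataType"),)].append(value.text)
    return dict(bags)

def designator_values(bags, category, attribute_id, datatype, issuer=None, strict_issuer=False):
    """Resolve an AttributeDesignator against parsed bags.

    XACML 3.0 section 5.29: a designator without Issuer matches on Category,
    AttributeId and DataType alone, so issued and un-issued request attributes
    both qualify. With strict_issuer it matches un-issued attributes only.
    """
    values = []
    for (cat, aid, iss, dt), bag in bags.items():
        if (cat, aid, dt) != (category, attribute_id, datatype):
            continue
        if issuer is not None and iss != issuer:
            continue
        if issuer is None and strict_issuer and iss is not None:
            continue
        values.extend(bag)
    return values
```

The strict Issuer option changes a decision, not just performance: a policy whose designator has no Issuer silently stops seeing issued attributes (the "guest" value above), so enable it only after confirming every designator in the policy set carries an Issuer.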

Attribute sources a.k.a. PIPs (Policy Information Points)

AuthzForce is able to retrieve attributes from the XACML Request, but also from other attribute sources, known as Policy Information Points (PIPs) in the XACML standard, e.g. LDAP or SQL database servers, REST services or an X.509 attribute certificate repository. Its plugin architecture also enables developers to support custom attribute sources by adding new Attribute Provider plugins. More info in the Extensibility points section below.

Extensibility points

  • Attribute Datatypes: you may extend the PDP engine with custom XACML attribute datatypes;
  • Functions: you may extend the PDP engine with custom XACML functions;
  • Combining Algorithms: you may extend the PDP engine with custom XACML policy/rule combining algorithms;
  • Attribute Providers a.k.a. PIPs: you may plug custom attribute providers into the PDP engine to allow it to retrieve attributes from other attribute sources (e.g. remote service) than the input XACML Request during evaluation; such attribute sources are also known as Policy Information Points (PIPs) in XACML terms, i.e. you implement a new Attribute Provider to support a new type of PIP.
  • Request Preprocessor: you may customize the processing of XACML Requests before evaluation by the PDP core engine (e.g. used for implementing XACML v3.0 Multiple Decision Profile Version 1.0 - Repeated attribute categories);
  • Result Postprocessor: you may customize the processing of XACML Results after evaluation by the PDP engine (e.g. used for implementing XACML v3.0 Multiple Decision Profile Version 1.0 - Requests for a combined decision);
  • Policy Providers (AuthzForce Core only): you may plug custom policy providers into the PDP engine to allow it to resolve PolicyIdReference or PolicySetIdReference in particular;
  • Decision Cache: you may extend the PDP engine with a custom XACML decision cache, allowing the PDP to skip evaluation and retrieve XACML decisions from cache for recurring XACML Requests;
  • Java extension mechanism to switch HashMap/HashSet implementations (e.g. to get different performance results).

PIP (Policy Information Point)

Applies to AuthzForce Core and AuthzForce Server.

AuthzForce provides XACML PIP features in the form of Attribute Providers. More information in the previous section.

PAP (Policy Administration Point)

Applies to AuthzForce Server only.

AuthzForce provides XACML PAP features:

  • Policy management: create/read/update/delete multiple policies and references from one to another (via PolicySetIdReference);
  • Policy versioning: create/read/delete multiple versions per policy;
  • Configurable root policy ID/version: the top-level policy enforced by the PDP may be any managed policy (if no version is defined in the configuration, the latest available version is selected);
  • Configurable maximum number of policies;
  • Configurable maximum number of versions per policy;
  • Optional policy version rolling: when the maximum number of versions per policy has been reached, the oldest versions are automatically removed to make room for the new one.
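The following is an added Python sketch (not AuthzForce Server code) of the rules a PAP has to enforce for the features listed above: the policy-count limit, the per-policy version limit with and without rolling, numeric XACML version ordering (so 1.10 sorts after 1.9), and latest-version resolution for a root policy configured without a version. The policy documents are placeholder strings constructed for the example.

```python
"""Minimal versioned policy store with the PAP limits described above.
Added example, not AuthzForce Server code; policy documents are placeholders."""

class PolicyStoreError(ValueError):
    pass

def version_key(version):
    """XACML VersionType is dot-separated non-negative integers; compare
    numerically so that 1.10 sorts after 1.9 (plain string order would not)."""
    parts = version.split(".")
    if not all(p.isdigit() for p in parts):
        raise PolicyStoreError(f"invalid XACML version: {version!r}")
    return tuple(int(p) for p in parts)

def canonical(version):
    """Normalise e.g. '1.00' to '1.0' so equal versions share one key."""
    return ".".join(str(p) for p in version_key(version))

class PolicyStore:
    def __init__(self, max_policies, max_versions_per_policy, version_rolling=False):
        self.max_policies = max_policies
        self.max_versions = max_versions_per_policy
        self.rolling = version_rolling
        self._policies = {}  # policy_id -> {canonical version: document}

    def add_version(self, policy_id, version, document):
        version = canonical(version)  # validates before touching state
        versions = self._policies.get(policy_id)
        if versions is None:
            if len(self._policies) >= self.max_policies:
                raise PolicyStoreError(f"maximum number of policies ({self.max_policies}) reached")
            versions = self._policies[policy_id] = {}
        if version in versions:
            raise PolicyStoreError(f"{policy_id} version {version} already exists")
        if len(versions) >= self.max_versions:
            if not self.rolling:
                raise PolicyStoreError(f"{policy_id}: maximum of {self.max_versions} versions reached")
            del versions[min(versions, key=version_key)]  # roll out the oldest version
        versions[version] = document

    def versions(self, policy_id):
        return sorted(self._policies.get(policy_id, {}), key=version_key)

    def get(self, policy_id, version=None):
        """Return (version, document); the latest version when none is given.
        This is also how a configured root policy ID without a version resolves."""
        versions = self._policies.get(policy_id)
        if not versions:
            raise PolicyStoreError(f"unknown policy: {policy_id}")
        version = max(versions, key=version_key) if version is None else canonical(version)
        if version not in versions:
            raise PolicyStoreError(f"{policy_id} has no version {version}")
        return version, versions[version]

    def delete_version(self, policy_id, version):
        versions = self._policies.get(policy_id, {})
        version = canonical(version)
        if version not in versions:
            raise PolicyStoreError(f"{policy_id} has no version {version}")
        del versions[version]
        if not versions:  # deleting the last version removes the policy itself
            del self._policies[policy_id]
```

Rolling deletes the numerically oldest version, not the least recently written one; if the root policy is pinned to an explicit version in the configuration, that version can therefore be rolled away, which is an argument for leaving the root version unset (latest) when rolling is on.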

REST API

Applies to AuthzForce Server and AuthzForce RESTful PDP only.

High availability and load-balancing

Applies to AuthzForce Server only.

  • Integration with file synchronization tools (e.g. csync2) or distributed filesystems (e.g. NFS and CIFS) to build clusters of AuthzForce Servers.

Versions

See the change log file according to the Keep a CHANGELOG conventions.

License

See the license file.

Getting started

To get started using AuthzForce Core (PDP library), check the README.
If you are interested in the AuthzForce Server instead, go to the AuthzForce Server project.

Support

Use the AuthzForce users' mailing list as the first point of contact for any communication about AuthzForce: questions, feature requests, notifications, potential (unconfirmed) issues, etc.

If you are experiencing any bug with this project and you indeed confirm this is not an issue with your environment (contact the users mailing list first if you are unsure), please report it on the OW2 Issue Tracker.
Please include as much information as possible; the more we know, the better the chance of a quicker resolution:

  • Software version
  • Platform (OS and JRE)
  • Stack traces generally really help! If in doubt, include the whole thing; often exceptions get wrapped in other exceptions and the exception right near the bottom explains the actual error, not the first few lines at the top. It's very easy for us to skim-read past unnecessary parts of a stack trace.
  • Log output can be useful too; sometimes enabling DEBUG logging can help;
  • Your code & configuration files are often useful.

Security - Vulnerability reporting

If you want to report a vulnerability, you must do so on the OW2 Issue Tracker and make sure the checkbox This issue is confidential and should only be visible to team members with at least Reporter access is checked when creating the issue. Then, if the AuthzForce team can confirm it, they will uncheck it to make the issue public.

Contributing

See CONTRIBUTING.md.