Policy Enforcement Points
Axiomatics offers XACML Policy Enforcement Points (PEP) for a broad variety of environments.
A Policy Enforcement Point (PEP) is the trusted component in the XACML architecture that enforces the decisions made by a Policy Decision Point (PDP). A PEP controls access to the application that hosts the protected resource. It can be embedded within the application or placed as an interceptor in front of it. It can be deployed as an extension to an XML gateway or a filter in an enterprise service bus (ESB), a servlet filter on an application server or web portal and so on.
The clear separation of concern between the decision process and the enforcement process provides architects with the means to build a comprehensive access control framework whereby access decisions can be enforced in any number of applications across any number of domains at any layer or depth.
Regardless of where the PEP is placed, it protects a resource in the following steps:
- It intercepts access requests and translates them to XML requests
- It sends the request to a Policy Decision Point (PDP) for evaluation
- It enforces whatever response the PDP sends - typically Permit or Deny.
Axiomatics provides PEPs for a broad range of environments and application such as:
|
J2SE / J2EE | |
|---|---|
|
Servlet PEP |
Applications using the servlet specification. |
|
JAXWS PEP |
Applications using the JAX WS specification. |
|
JMS PEP |
Enforcement point that is capable of intercepting JMS messages on a bus and calling out to a decision point. |
|
JSF PEP |
GUI-driven policy enforcement point which can handle access control in JSF-driven webpages. |
|
Spring Security Framework PEP |
PEP capabilities built into the Java Spring Security Framework. Contact Axiomatics for information about general availability. |
|
AOP PEP |
Aspect-oriented programming PEP using annotations to inject PEP logic in methods, classes, and packages. The configuration can be internal or external. |
|
.Net Framework | |
|
ASP .Net PEP |
C# .NET client for the APS PDP. The Axiomatics .NET ASP solution also has a support for Microsoft Active Directory Federation Services 2.0 claims. A user's claims can automatically be retrieved and used as attribute input in an XACML authorization query. |
|
Advanced and application-specific PEP components | |
|
PEP for SharePoint and document managment systems. |
Axiomatics new SharePoint solution leverages ARQ technology to deliver fine-grained and non-intrusive access control for SharePoint environments. This is a new component. Contact your Axiomatics representative regrding general availability. |
|
ARQ SDK-based solutions |
The Axiomatics Reverse Query provides an SDK used to create reverse queries and to handle the responses (filter expressions). This is useful to achieve access control for very large data sets. Filtering can be achieved on inbound or outbound data streams. |
|
SQL manipulating PEP components |
Axiomatics delivers different types of advanced solutions which utilize the ARQ SDK, for instance to achieve fine-grained authorization on the data layer by means of altering inbound SQL statements. Contact your Axiomatics representative regarding availability for platforms of interest. |
|
Custom built, special-purpose PEP components |
Customers frequently use the APIs provided by Axiomatics to build their own solutions. The Axiomatics Professionals Services organization can however also deliver special-purpose PEPs whereby these APIs are used as well. |
|
PEP capabilities enhancing third-party products | |
|---|---|
|
XML Gateways |
Axiomatics partners with companies such as Layer7 to provide XACML-based authorization on the level of an XML Gateway. |
|
Web Access Management environments |
With partners, Axiomatics can offer XACML capabilities for Web Access Management (WAM) software such as CA SiteMinder or RSA Access Manager. |
|
Microsoft Windows Server 2008 SDDL |
Microsoft Windows 2008 comes with new capabilties for object level access control on the level of the operating system. Axiomatics brings XACML policy control for these new capabilities. |
Note! Axiomatics PEP capabilities are continously being enhanced to include new platforms and application environments. The above list is not complete and some of the modules mentioned above may not be generally available "out-of-the-box" without customization. For accurate information about PEP capabilities in your area of interest, please contact your Axiomatics representative.