Enterprises have several options when considering how to address the authorization function for in-house developed applications. In this post, we will compare and contrast the differences between Drools, a business process rules language, and Extensible Access Control Markup Language (XACML), an industry standard for authorization.

Optimized for different purposes

The XACML standard includes a reference architecture, policy language and request/response protocol that are optimized for access control (authorization) processing. XACML enables a developer to fully externalize authorization from the application logic, making it easier to implement changes to authorization policies. By externalize, we mean that access policies are defined outside of the application in an authorization service, and the application calls that external authorization service for access decisions. The Organization for the Advancement of Structured Information Standards (OASIS) owns and manages the development of the XACML standard. Drools is a general-purpose business rule engine introduced in 2001 and commercially supported in JBoss Rules. Given Drools' generality, it is more expressive than the XACML policy language.

Interoperability and standardization

As mentioned above, XACML is an industry standard for authorization and as such, is implemented by many vendors. The XACML policy language can represent a wide array of access control use cases and be supported by infrastructure components from different vendors. For example, XACML policies enforced by Axiomatics at the application layer can also be enforced by IBM Guardium in its database firewall. The interoperability provided by an industry standard has a large potential to lower the overall operational cost of the environment, implement authorizations consistently at different control points and make it easier to manage authorization policies across the application landscape.

Integration with application environments

Both Drools and XACML can be implemented within a variety of application environments, including .NET, Java, SOA/web services, Python, PHP, commercial applications, and so on. Drools has an active developer community which has developed an appealing (for developers) set of tools around the rule language. On the XACML side, Axiomatics has created a number of off-the-shelf connectors for popular programming environments and offers a domain-specific language component, enabling developers to generate XACML policies from an Eclipse IDE.

Stateful vs. Stateless

Unlike the XACML policy decision point (PDP), the Drools model is stateful. This means that the state of the engine changes based on the rules it has executed in the past. For authorization, this feature has been exploited to encode “Usage Control”, a generalization of Access Control, where the policy determines not only who can use a resource, but also how. The XACML PDP module is a stateless engine, meaning each access request is treated as an atomic entity. Caching of policies, attributes and access decisions can be enabled in different components of the XACML system, but caching is done for reuse of data, not to capture system state. A stateless approach makes it easier to configure the system for scalability and availability.

Audit and Compliance

XACML has a distinct advantage over Drools in the areas of auditability and compliance. The XACML policy language defines access control rules in a structured representation that makes it easy to determine whether an application is in compliance with business, security and regulatory requirements.

Further, Axiomatics has developed tools that permit analysis of XACML policies/rules in order to answer questions such as:

  • Who has access to a specific resource?
  • Who can update customer records?
  • What can users with a certain collection of attributes do?

Database access control

Axiomatics has developed a capability to protect database records at the row, column and cell level by introducing a new product called Axiomatics Reverse Query. The solution decouples database authorization functionality from the size of the data set, permitting the solution to scale to massive databases, data warehouses or big data deployments. Drools has no similar capability, which matters when securing access to tens of millions of consumer and small business customer records.
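As an added illustration of the two points above, the stateless PDP (each request decided on its own attributes) and the "who has access to a specific resource?" style of policy analysis, here is a toy attribute-based policy evaluator. It is example code written for this comparison, not XACML syntax and not Axiomatics' or Drools' code; the rules, subjects and customer record are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List
Attrs = Dict[str, object]

@dataclass(frozen=True)
class Rule:
    effect: str                                   # "Permit" or "Deny"
    target: Callable[[Attrs, Attrs, str], bool]   # (subject, resource, action) -> applies?

@dataclass(frozen=True)
class Policy:
    rules: tuple

    def decide(self, subject: Attrs, resource: Attrs, action: str) -> str:
        """Stateless, deny-overrides evaluation: the answer depends only on this request."""
        outcome = "NotApplicable"
        for rule in self.rules:
            if rule.target(subject, resource, action):
                if rule.effect == "Deny":
                    return "Deny"
                outcome = "Permit"
        return outcome

# Constructed sample policy (hypothetical rules, not taken from the post).
POLICY = Policy((
    Rule("Permit", lambda s, r, a: a == "read" and s.get("role") == "csr"
                                   and s.get("region") == r.get("region")),
    Rule("Permit", lambda s, r, a: a == "read" and s.get("role") == "auditor"),
    Rule("Deny", lambda s, r, a: r.get("classification") == "restricted"
                                 and s.get("clearance") != "high"),
))

# Constructed subjects and one customer record used by the worked queries.
SUBJECTS: Dict[str, Attrs] = {
    "alice": {"role": "csr", "region": "EMEA", "clearance": "high"},
    "bob": {"role": "csr", "region": "APAC", "clearance": "high"},
    "carol": {"role": "auditor", "clearance": "low"},
}
RECORD: Attrs = {"id": "cust-1", "region": "EMEA", "classification": "restricted"}

def who_can(policy: Policy, subjects: Dict[str, Attrs], resource: Attrs, action: str) -> List[str]:
    """Reverse query: answer 'who has access to this resource?' from the policy itself."""
    return sorted(n for n, s in subjects.items() if policy.decide(s, resource, action) == "Permit")

def order_independent(policy: Policy, requests: list) -> bool:
    """Stateless check: the same requests evaluated in reverse order give the same decisions."""
    forward = [policy.decide(*req) for req in requests]
    backward = [policy.decide(*req) for req in reversed(requests)]
    return forward == backward[::-1]
```

Because `decide` never reads or writes engine state, `who_can` can be answered by evaluating the policy against candidate subjects rather than against the data set itself, which is the decoupling the paragraph above describes in principle.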

Interoperability

XACML is an internationally recognized security standard that is interoperable across many vendor implementations. Axiomatics proved interoperability with IBM DataPower and Fasoo DRM during proof of concept demonstrations in 2011. Several public demonstrations, dating back to 2007, have also proven interoperability between vendor product offerings.