Developer Outreach: Axiomatics at JavaZone ’13

The second part of the presentation focuses on an introduction to attribute-based access control, or ABAC. ABAC can be seen as the next step after role-based access control (RBAC) in the evolution of authorization. ABAC extends the capabilities of RBAC: decisions consider not only user attributes (identity, role, title, group) but also other attributes of the user, of the resource, and even of the context (e.g. time of day, IP address, location). Most importantly, ABAC lets developers easily implement relationships, e.g. a doctor can access a medical record only if they have a care relationship with the owner (patient) of that record.

Attribute-based access control therefore lets developers define exactly the authorization scenarios they care about. And ABAC doesn’t come alone: it is enabled through a policy-based approach (or PBAC, for the sake of yet another acronym). That led us to part III of the presentation, an introduction to XACML.

It’s XACML, not whack-a-mole, and it stands for eXtensible Access Control Markup Language. XACML is an OASIS standard (OASIS is the organization behind SAML and many other standards) and the de facto standard for policy- and attribute-based access control. One of the main parts of XACML is its architecture and the way authorization is queried: it is always a yes-or-no question. Can Alice do X? Yes, she can. This makes integration extremely simple and lightweight, and that, of course, makes developers happy.
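To make the two ideas above concrete, the care-relationship rule and the yes-or-no decision, here is a small XACML-style ABAC evaluator added for this write-up. It is not code from the presentation or from any Axiomatics product; the attribute names (role, patients, owner, ip), the policy rules and the sample requests are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, List

# A XACML-style request: attributes about the subject, the resource,
# the action, and the environment (context such as the caller's IP).
@dataclass
class Request:
    subject: dict
    resource: dict
    action: str
    environment: dict = field(default_factory=dict)

# A rule has an effect (Permit/Deny) and a condition over the attributes.
@dataclass
class Rule:
    effect: str
    condition: Callable[[Request], bool]

def evaluate(rules: List[Rule], req: Request) -> str:
    """Deny-overrides combining: any applicable Deny wins, otherwise any
    applicable Permit, otherwise NotApplicable (which callers treat as no)."""
    effects = {r.effect for r in rules if r.condition(req)}
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"

# Constructed policy: a doctor may view a medical record only when the
# record's owner is one of the doctor's patients (the care relationship),
# and nothing is allowed from outside the (assumed) hospital network 10.0.0.0/16.
POLICY = [
    Rule("Permit", lambda r: r.subject.get("role") == "doctor"
                             and r.action == "view"
                             and r.resource.get("type") == "medical-record"
                             and r.resource.get("owner") in r.subject.get("patients", ())),
    Rule("Deny", lambda r: not r.environment.get("ip", "").startswith("10.0.")),
]

def decide(req: Request) -> str:
    """The PDP answer: Permit, Deny or NotApplicable."""
    return evaluate(POLICY, req)

def is_permitted(req: Request) -> bool:
    """The yes/no question the application actually asks (default deny)."""
    return decide(req) == "Permit"
```

Only an explicit Permit answers "yes"; a rule that does not match yields NotApplicable, which the application treats as a refusal rather than silently allowing access.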
In the final part of the presentation, we focused on examples and integrations with existing tooling and APIs. For instance, we looked at using XACML-based authorization for Java servlets, JAX-WS services, and even annotation-driven authorization.
