One of the key benefits of an Attribute Based Access Control (ABAC) system is the ability to use many attributes to make fine-grained authorization decisions. The XACML reference architecture makes retrieving these attributes easier by defining Policy Information Points (PIPs).
This article assumes you are already familiar with XACML and PIPs, but if you aren’t, or want a refresher, check out these classic blog posts: XACML Reference Architecture and Policy Information Points in Five Minutes.
The Axiomatics Policy Server (APS) supports the use of PIPs. This should come as no surprise, since the Axiomatics Policy Server is XACML compliant. However, one does need to be careful when configuring a database PIP using the Axiomatics Services Manager (ASM). The ASM will let you define a PIP that connects to a database using either JDBC or JNDI. Sure, using JDBC might seem easier because the configuration can all be done in the UI, but doing so can have a serious drawback. An unmanaged JDBC connection does not implement connection pooling, which means that each time the Policy Decision Point (PDP) needs to connect to the underlying datasource it must open a new connection and authenticate first. This authentication happens at a snail’s pace compared to the performance of our PDP engine and is a real drag on performance.
To overcome this authentication performance issue you should define your database PIPs to use JNDI instead. What is JNDI? The short answer: the Java Naming and Directory Interface. We won’t go into the details here, but if you are interested you can read more about JNDI here or here.
JNDI lets the container manage connections for the application and can provide connection pooling, which keeps a predefined number of authenticated connections open to the datasource. Now when a PDP needs to retrieve an attribute from an external database the connection is already active. The performance improvement gained is staggering. JNDI provides more benefits and services than just connection pooling, but the benefit of pooling alone is more than enough reason to use it, and it answers the question “Why should I define attribute connectors using JNDI?”.
If you need help configuring JNDI on Tomcat, check this out: Configuring jndi on Tomcat 8. For WebSphere, see Configuring a data source using the administrative console.
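As an added illustration (not code from this post or from the Axiomatics product), here is how a database-backed PIP written in Java would obtain its connection either by direct JDBC, authenticating on every call, or through a container-managed, pooled JNDI DataSource; the resource name jdbc/attributes, the table subject_attrs and the Tomcat Resource values in the comment are assumed placeholders.

```java
// Added illustration, not Axiomatics code; "jdbc/attributes" and "subject_attrs" are assumed names.
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;

public class AttributePip {
    // Unpooled variant: every attribute request opens a fresh connection and
    // re-authenticates against the database, the slow path described in the post.
    static String lookupUnpooled(String jdbcUrl, String user, String password, String subjectId)
            throws SQLException {
        try (Connection c = DriverManager.getConnection(jdbcUrl, user, password)) {
            return readDepartment(c, subjectId);
        }
    }

    // Pooled variant: the container-managed DataSource is resolved once through JNDI
    // and hands out already-authenticated connections from its pool. Matching
    // Tomcat 8 context.xml entry (DBCP2 attribute names, placeholder values):
    //   <Resource name="jdbc/attributes" auth="Container" type="javax.sql.DataSource"
    //             driverClassName="org.postgresql.Driver" url="jdbc:postgresql://db.example.internal/attrs"
    //             username="pip_reader" password="CHANGE_ME"
    //             maxTotal="20" maxIdle="10" maxWaitMillis="5000" validationQuery="SELECT 1"/>
    private final DataSource pool;
    AttributePip() throws NamingException {
        pool = (DataSource) new InitialContext().lookup("java:comp/env/jdbc/attributes");
    }

    String lookupPooled(String subjectId) throws SQLException {
        // close() hands the connection back to the pool instead of tearing it down
        try (Connection c = pool.getConnection()) {
            return readDepartment(c, subjectId);
        }
    }

    // Shared query: a parameterised lookup of one subject attribute
    private static String readDepartment(Connection c, String subjectId) throws SQLException {
        String sql = "SELECT department FROM subject_attrs WHERE subject_id = ?";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, subjectId);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }
}
```

With the pooled variant the pool size and validation query are what keep authenticated connections ready for the PDP; with the unpooled variant the cost of authentication is paid on every attribute fetch.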
You might be asking yourself, “Why does Axiomatics allow PIPs to be defined using JDBC if the performance is bad?” and I’ve asked myself that too. The reality is that we rarely find that one size (or software configuration) fits all. Some of our customers want the ability to quickly define, test and use a JDBC PIP, or for some reason can’t use JNDI, so we offer both options. Here at Axiomatics we understand that need and provide products that let you use them the way you need to.
Sometimes software will let you shoot yourself in the foot. We all want options in the software we use, and it’s a best practice to understand those options before using them. In this case it’s important to understand that your PIPs can add significant overhead to the operation of an XACML system if they are not properly configured. Configuring PIPs to use JNDI will help improve the performance of an XACML system.