5

I just found one framework from AT&T to build ABAC.

This framework uses XACML, following the XML format, to create rules. But this framework is only implemented for Java.

However, I'm working with PHP and I am using JSON to write rules.

Is my solution correct? Can you suggest some frameworks or solutions supporting PHP?

Kanko

3 Answers

3

To complete David's answer regarding AuthzForce: it is open-source, XACML 3.0-compliant and provides both a Java API (AuthzForce Core) and a REST API for PAP and PDP. So you could use the REST API from your PHP program. The API supports XML and JSON formats for both the PAP and PDP interfaces. However, we are not using the JSON Profile of XACML for the PDP. Instead, for the whole API, we are using the mapped convention provided by Apache CXF. This convention allows automatic translation from XML (more precisely the internal XML-derived model used in the implementation code) to JSON, and vice versa.

EDIT (2018-02-26): AuthzForce Core and Server now both support the standard JSON Profile of XACML for the PDP. AuthzForce also provides a minimal RESTful PDP based on the Core, either packaged as a Spring-boot app, or simply the JAX-RS implementation for reuse in any JAX-RS framework.

cdan
2

The AT&T framework was an R&D framework designed by AT&T a few years ago and then released to Apache. According to github, it is still active. I am not aware of any commercial use of the product (though I suspect AT&T use it themselves).

The three main frameworks used out there are:

  • WSO2 Balana. This is an open-source Java PDP. It is also bundled as part of WSO2 Identity Server. Most open source users use Balana.
  • SunXACML: this is the original XACML 3.0 implementation. It is pretty old but sturdy (it's been around for 10 years or so). It is also open-source and Java.
  • Axiomatics Policy Server. This is a commercial solution (disclaimer: I work for Axiomatics). It is the most prevalent commercial solution out there. It is also implemented in Java but supports integration for PHP too.

You can find this information on XACML's wikipedia page. There is another interesting engine called AuthZForce but I have little experience with it.

All these engines, AFAIK, use XACML's XML format to store policies. You claim you need JSON. There is no Policy profile of XACML in JSON. There was a question on the topic which you can read here.

Given that the Axiomatics Policy Server is exposed as a JSON API, you can use it to integrate with PHP. Other engines probably have a similar approach. If you use Amazon AWS, you can request a copy of the Axiomatics Policy Server AMI.

ABAC is technology-neutral meaning it is not specific to Java, Ruby, .NET, PHP or any other language. What the PDP engine is written in is irrelevant to what your application is written in so long as you can integrate the two together.

I hope this helps, David.

David Brossard
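Both of the answers above (cdan on AuthzForce's REST API, David on the Axiomatics JSON API) make the same architectural point: the PHP application only needs to act as a policy enforcement point (PEP) that sends attributes to a remote PDP and enforces the decision it gets back. The following PHP script is an added example, not code from either answer or from any of the products named; it builds a request in the JSON Profile of XACML 3.0, posts it to a PDP over HTTP, and fails closed on anything other than an explicit Permit. The endpoint URL (`PDP_URL`), the attribute ids `role`, the subject `alice`, the resource `/articles/42` and the canned reply used when no PDP is reachable are all constructed for illustration; the real URL path depends on the PDP you deploy.

```php
<?php
declare(strict_types=1);

// Added example: a minimal PEP talking to a XACML 3.0 PDP over the JSON Profile of XACML.
// Nothing here is the API of AuthzForce or Axiomatics; the PDP URL is taken from the
// environment (assumed, e.g. http://localhost:8080/pdp) and must match your deployment.

/** Turn id => value pairs into the JSON Profile "Attribute" array (DataType defaults to string). */
function toAttributeList(array $attrs): array
{
    $out = [];
    foreach ($attrs as $id => $value) {
        $out[] = ['AttributeId' => (string) $id, 'Value' => $value];
    }
    return $out;
}

/** Build a JSON Profile request with one AccessSubject, Resource and Action category each. */
function buildXacmlJsonRequest(array $subject, array $resource, array $action): string
{
    $request = [
        'Request' => [
            'ReturnPolicyIdList' => false,
            'AccessSubject' => [['Attribute' => toAttributeList($subject)]],
            'Resource'      => [['Attribute' => toAttributeList($resource)]],
            'Action'        => [['Attribute' => toAttributeList($action)]],
        ],
    ];
    return json_encode($request, JSON_THROW_ON_ERROR | JSON_UNESCAPED_SLASHES);
}

/** POST the request to the PDP; any transport or HTTP error is raised, never silently ignored. */
function askPdp(string $pdpUrl, string $requestJson): string
{
    $ch = curl_init($pdpUrl);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $requestJson,
        CURLOPT_HTTPHEADER     => ['Content-Type: application/xacml+json', 'Accept: application/xacml+json'],
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 5,
        CURLOPT_SSL_VERIFYPEER => true, // never disable certificate checks on the path to the PDP
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    $error  = curl_error($ch);
    curl_close($ch);
    if ($body === false || $status !== 200) {
        throw new RuntimeException("PDP call failed (HTTP {$status}): {$error}");
    }
    return $body;
}

/**
 * Fail closed: only an explicit "Permit" grants access. "Deny", "NotApplicable",
 * "Indeterminate", a missing Decision or malformed JSON all deny.
 */
function isPermitted(string $responseJson): bool
{
    $data = json_decode($responseJson, true);
    if (!is_array($data)) {
        return false;
    }
    return ($data['Response'][0]['Decision'] ?? null) === 'Permit';
}

if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    $requestJson = buildXacmlJsonRequest(
        ['urn:oasis:names:tc:xacml:1.0:subject:subject-id' => 'alice', 'role' => 'editor'],   // constructed
        ['urn:oasis:names:tc:xacml:1.0:resource:resource-id' => '/articles/42'],             // constructed
        ['urn:oasis:names:tc:xacml:1.0:action:action-id' => 'edit']                          // constructed
    );
    $pdpUrl = getenv('PDP_URL');
    $responseJson = $pdpUrl !== false && $pdpUrl !== ''
        ? askPdp($pdpUrl, $requestJson)
        : '{"Response":[{"Decision":"Permit"}]}'; // constructed sample reply for offline runs
    echo $requestJson, PHP_EOL;
    echo isPermitted($responseJson) ? 'access granted' : 'access denied', PHP_EOL;
}
```

Run it with `PDP_URL=https://pdp.example.internal/pdp php pep.php` against a real PDP, or without the variable to see the request shape with the canned reply. Keep the attribute ids you send identical to the ones the policies match on; a mismatch typically surfaces as NotApplicable, which this PEP correctly treats as a denial rather than a pass.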
0

The TYPO3 Access Control component implements ABAC supporting a simple but expressive access control policy language based on Jiang, Hao & Bouabdallah, Ahmed (2017) and is written in PHP.

Check out the JSON schema to get a quick impression of the access control policy language. The component is lean and flexible. It's neither opinionated about the format nor about the expression language of the policy language. For example you could use YAML and the Symfony expression language. As such a policy could look like this:

description: 'Root policy set.'
algorithm: highestPriority
policies:
    Admin:
        target: 'hasAuthority("typo3:security:principal:admin")'
        description: 'Administrator policy'
        priority: 100
        rules:
            -
                effect: permit
    Default:
        description: 'Deny everything per default.'
        rules:
            -
                obligation:
                    deny:
                        Feedback: ['Access denied.']
witrin
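To show what evaluating a policy set of the shape above actually involves, here is an added example of a small in-process PDP in PHP. It is not the TYPO3 Access Control component and does not use its API; the `highestPriority` combining rule, the default priority of 0 and the "a rule without an explicit effect denies" convention are assumptions made for this example, and the Symfony expression targets are replaced by PHP closures so the script has no dependencies. The principal names and the two request contexts at the bottom are constructed sample input.

```php
<?php
declare(strict_types=1);

// Added example: a minimal PDP for a policy set with the structure shown in the YAML above.
// Assumptions (not TYPO3's semantics): highestPriority picks the applicable policy with the
// largest priority (default 0, first one wins a tie); a rule without "effect" denies.

/** Constructed policy set mirroring the YAML example, with closure targets instead of expressions. */
function samplePolicySet(): array
{
    return [
        'description' => 'Root policy set.',
        'algorithm'   => 'highestPriority',
        'policies'    => [
            'Admin' => [
                'description' => 'Administrator policy',
                'target'      => fn(array $ctx): bool => in_array('typo3:security:principal:admin', $ctx['authorities'], true),
                'priority'    => 100,
                'rules'       => [['effect' => 'permit']],
            ],
            'Default' => [
                'description' => 'Deny everything per default.',
                'rules'       => [['obligation' => ['deny' => ['Feedback' => ['Access denied.']]]]],
            ],
        ],
    ];
}

/** Evaluate one rule: null if its condition fails, else the effect plus the obligations for that effect. */
function evaluateRule(array $rule, array $ctx): ?array
{
    if (isset($rule['condition']) && !$rule['condition']($ctx)) {
        return null;
    }
    $effect = $rule['effect'] ?? 'deny';
    return ['effect' => $effect, 'obligations' => $rule['obligation'][$effect] ?? []];
}

/** Evaluate one policy: null if its target does not match or no rule applies, else the first applicable rule. */
function evaluatePolicy(array $policy, array $ctx): ?array
{
    if (isset($policy['target']) && !$policy['target']($ctx)) {
        return null;
    }
    foreach ($policy['rules'] ?? [] as $rule) {
        $result = evaluateRule($rule, $ctx);
        if ($result !== null) {
            return $result + ['priority' => (int) ($policy['priority'] ?? 0)];
        }
    }
    return null;
}

/** Combine applicable policies with highestPriority; fail closed when nothing applies. */
function decide(array $policySet, array $ctx): array
{
    if (($policySet['algorithm'] ?? '') !== 'highestPriority') {
        throw new InvalidArgumentException('Only the highestPriority algorithm is implemented in this example.');
    }
    $winner = null;
    foreach ($policySet['policies'] as $name => $policy) {
        $result = evaluatePolicy($policy, $ctx);
        if ($result === null) {
            continue;
        }
        if ($winner === null || $result['priority'] > $winner['priority']) {
            $winner = $result + ['policy' => $name];
        }
    }
    return $winner ?? ['effect' => 'deny', 'obligations' => [], 'priority' => 0, 'policy' => null];
}

if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    $policySet = samplePolicySet();
    // Constructed request contexts: an administrator and an anonymous user.
    foreach (['admin' => ['typo3:security:principal:admin'], 'anonymous' => []] as $who => $authorities) {
        $decision = decide($policySet, ['authorities' => $authorities]);
        printf("%-9s -> %s via %s %s\n", $who, $decision['effect'], $decision['policy'] ?? '(none)',
            $decision['obligations'] === [] ? '' : json_encode($decision['obligations']));
    }
}
```

The administrator context matches the `Admin` target and its priority of 100 beats `Default`, so the decision is permit; the anonymous context only matches `Default`, so the decision is deny and the `Feedback` obligation is returned for the application to act on. The separate `decide` return value is the point to check in tests: deny must also be the answer when the policy set is empty or every target fails, which the `??` fallback guarantees.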