简体繁体 English

XACML是否仍在维护中

[英]Is XACML still under maintenance

原文 2017-02-15 07:19:53 0 2 xacml/ xacml3

Currently i'm working in a on-line payment company, i need to implement a access control system. 目前，我在一家在线支付公司工作，我需要实施一个访问控制系统。 I used XACML for experimental purpose 2 years ago, and used it in a management system(based on Balana's XACML implementation). 2年前，我将XACML用于实验目的，并将其用于管理系统（基于Balana的XACML实现）。 I noticed XACML Version 3 specification hasn't been updated since Jan 2013, i wonder whether this specification is still under maintenance. 我注意到自2013年1月以来未更新XACML版本3规范，我想知道该规范是否仍在维护中。 If not, does anyone know any alternative? 如果没有，还有谁知道其他选择吗？

2 个解决方案

What David says is correct. 大卫说的是正确的。 In addition, the OASIS XACML Technical Committee (TC) has just voted to hold a public review of Errata for XACML 3.0. 此外，OASIS XACML技术委员会（TC）刚刚投票决定对XACML 3.0的勘误进行公开审查。 The review should start within a few days. 审查应在几天之内开始。 The corrections are minor, but it does show we are maintaining the documents and getting input from the field. 所做的更正是次要的，但这确实表明我们正在维护文档并从现场获取输入。

Although no one is currently working on them, there are several unfinished Profiles I would like to see completed. 尽管目前尚无人在研究这些资料，但我希望看到一些未完成的个人资料。 One is to extend the JSON format for XACML to cover the policy language. 一种是扩展XACML的JSON格式以覆盖策略语言。 It currently only covers only the decision request protocol. 当前仅涵盖决策请求协议。 Another is the ALFA policy language which is a more user friendly, JSON-like language originally developed by Axiomatics, and endorsed by the TC. 另一种是ALFA政策语言，它是一种更加用户友好的类JSON语言，最初由Axiomatics开发，并由TC认可。

For people who want to use XACML, in addition to several excellent commercial products, there are at least two other open source implementations in addition the the WS02 - Balana one mentioned above. 对于想要使用XACML的人，除了几种出色的商业产品之外，除了上面提到的WS02-Balana之外，还有至少两个其他开源实现。 Forgerock has one and there is another originally developed in house at ATT. Forgerock有一个，而另外一个最初是在ATT内部开发的。 The later one was contributed to the Apache Incubator, but failed to gain traction and was mothballed. 后来的一个贡献给了Apache Incubator，但未能获得成功，因此被封存。 However the original code is still freely available under Apache license. 但是，原始代码仍可在Apache许可下免费获得。

Finally I should mention that I have proposed various ways to integrate XACML with token-based authorization schemes such as OAuth. 最后，我应该提到我已经提出了各种方法来将XACML与基于令牌的授权方案（例如OAuth）进行集成。 However this has not gone past the research stage. 但是，这还没有超出研究阶段。

Yes, XACML is still very much active. 是的，XACML仍然非常活跃。 The standard, in version 3, is mature and right now no one is working on XACML 4.0. 该标准在版本3中已经成熟，并且现在还没有人在使用XACML 4.0。 Given XACML 3.0 is a standard, there won't be changes made to 3.0. 由于XACML 3.0是一个标准，因此不会对3.0进行任何更改。 Either we go to 3.1 or 4.0. 我们可以转到3.1或4.0。 There are enhancements we are thinking of for a 4.0 version but this is not the focus for now. 我们正在考虑对4.0版本进行增强，但这不是现在的重点。

The focus is on profiles, both technical profiles (such as the JSON profile of XACML ) and business profiles (such as the Export Control profile of XACML). 重点是概要文件，包括技术概要文件（例如XACML的JSON概要文件）和业务概要文件（例如XACML的Export Control概要文件）。

Disclaimer : I work for Axiomatics , the leading XACML implementation. 免责声明 ：我为领先的XACML实现Axiomatics工作。 I am also a member of the XACML Technical Committee. 我也是XACML技术委员会的成员。

We see more and more requests for Attribute Based Access Control and XACML in the marketplace especially in financial and healthcare 我们看到市场上对基于属性的访问控制和XACML的需求越来越多，尤其是在金融和医疗保健领域