SBA-XACML

Abstract

Policy-based computing is taking an increasing role in providing real-time decisions and governing the systematic interaction among distributed Web services. XACML (eXtensible Access Control Markup Language) has been known as the de facto standard widely used by many vendors for specifying access and context-aware policies. Accordingly, the size and complexity of XACML policies are significantly growing to cope with the evolution of web-based applications and services. This growth raised many concerns related to the efficiency of real-time decision process (i.e. policy evaluation) and the correctness of complex policies. This paper is addressing these concerns through the elaboration of SBA-XACML, a novel Set-Based Algebra (i.e. SBA) scheme that provides efficient evaluation of XACML policies. Our approach constitutes of elaborating (1) a set-based language that covers all the XACML components and establish an intermediate layer to which policies are automatically converted, and (2) a semantics-based policy evaluation that provides better performance compared to the industrial standard Sun Policy Decision Point (PDP) and its corresponding ameliorations. Experiments have been conducted on real-life and synthetic XACML policies in order to demonstrate the efficiency, relevance and scalability of our proposition. The experimental results explore that SBA-XACML evaluation of large and small sizes policies offers better performance than the current approaches, by a factor ranging between 2.4 and 15 times faster depending on policy size.