Formalisation and Implementation of XACML

by M. Masi, R. Pugliese, and F. Tiezzi


Formal Access Control Policy Language (FACPL)


We propose here a formal account of XACML, an OASIS standard adhering to the Policy-Based Access Control model for the specification and enforcement of access control policies. To clarify all ambiguous and intricate aspects of XACML, we provide it with a more manageable alternative syntax and with a solid semantic ground (see the "Manuscripts" section below). This lays the basis for developing tools and methodologies that allow software engineers to easily and precisely regulate access to resources using policies.

To demonstrate the feasibility and effectiveness of our approach, we have developed a software tool, supporting the specification of policies and the verification of access requests, whose implementation fully relies on our formal development.






Software tool

The implementation of our XACML formalisation is written in Java and uses the ANTLR tool for parser generation. Our tool compiles a policy written in our syntax into a Java class following the rules of the formal semantics. Thus, a repository storing some policies consists of a Java archive containing all the Java classes generated from the policies. A policy decision is then computed by executing the generated code with the requests passed as parameters to an entry method.
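As an added illustration (written for this page, not output of the authors' tool), the following Java sketch shows what a policy compiled to a class with an entry method can look like. The class name, attribute names, sample policy and the deny-overrides combination of rules are assumptions; the sketch shows a missing attribute on a Deny rule producing Indeterminate rather than letting a Permit through.

```java
import java.util.*;
import java.util.function.Predicate;

// Hypothetical shape of a policy compiled to a class; all names are illustrative.
public class ReadRecordPolicy {
    enum Decision { PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE }
    // A rule is an effect plus a condition over the request attributes.
    static final class Rule {
        final Decision effect; final Predicate<Map<String, String>> condition;
        Rule(Decision e, Predicate<Map<String, String>> c) { effect = e; condition = c; }
        Decision evaluate(Map<String, String> req) {
            try { return condition.test(req) ? effect : Decision.NOT_APPLICABLE; }
            catch (RuntimeException missingAttribute) { return Decision.INDETERMINATE; }
        }
    }
    // Mandatory attribute lookup: absence is an error, not a silent "false".
    static String attr(Map<String, String> req, String name) {
        if (!req.containsKey(name)) throw new NoSuchElementException(name);
        return req.get(name);
    }
    // Constructed sample policy: suspended subjects are denied, doctors are permitted.
    static final List<Rule> RULES = Arrays.asList(
        new Rule(Decision.DENY, r -> attr(r, "subject.status").equals("suspended")),
        new Rule(Decision.PERMIT, r -> attr(r, "subject.role").equals("doctor")));

    // Entry method: target check first, then deny-overrides over the rules.
    public static Decision evaluate(Map<String, String> req) {
        if (!"read".equals(req.get("action.id"))) return Decision.NOT_APPLICABLE;
        boolean permit = false, error = false, potentialDeny = false;
        for (Rule rule : RULES) {
            Decision d = rule.evaluate(req);
            if (d == Decision.DENY) return Decision.DENY;
            if (d == Decision.PERMIT) permit = true;
            if (d == Decision.INDETERMINATE) { error = true; potentialDeny |= rule.effect == Decision.DENY; }
        }
        if (potentialDeny) return Decision.INDETERMINATE; // a Deny rule could not be checked
        if (permit) return Decision.PERMIT;
        return error ? Decision.INDETERMINATE : Decision.NOT_APPLICABLE;
    }

    public static void main(String[] args) {
        Map<String, String> req = new HashMap<>(); // constructed sample request
        req.put("action.id", "read"); req.put("subject.role", "doctor");
        System.out.println(evaluate(req)); // subject.status is absent here
        req.put("subject.status", "active");
        System.out.println(evaluate(req));
    }
}
```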



Università degli Studi di Firenze, IMT Institute for Advanced Studies Lucca, Tiani "Spirit" GmbH

Last update: Dec 14, 2012