Is there a JSON profile to define XACML policies?

Question

I'm novice with the XACML world. I've read some documentation regarding JSON and REST profiles of the v3.0 standard but everything I can find is related to XACML requests and responses and not policies (which is the part I'm interested in).

Is there any documentation about how should XACML policies be defined using a JSON profile instead of the traditional XML format?

Answer 1

No there isn't at the moment. The JSON profile of XACML only deals with XACML requests and responses. The idea behind the profile is to provide a more lightweight way of sending and receiving XACML requests / responses.

Since policies are typically at rest, the encoding of the policy doesn't matter so much.

That said, there are 3 initiatives you may be interested in:

• the ALFA profile of XACML: this is a pseudo-code notation used to write XACML policies in an easy way. Axiomatics, the company I work for, is currently submitting the spec to the OASIS XACML Technical Committee as a profile.
  • There is a free plugin for Eclipse you can use to write ALFA. Download it here
  • I uploaded ALFA tutorials to YouTube. They are all available here.
• Bernard Butler of the Waterford Institute of Technology did implement XACML policies in JSON. You can find some of his work here. It uses a lot of the same ideas used in the JSON profile
• Ron Turner of nMed LLC has also done some work in that space. You can find a presentation on the topic here.

Answer 2

There is no standard JSON format for XACML policies, as already answered. Yet there are well-known conventions to convert XML to JSON (with limitations), mostly used by REST API frameworks. So if you know the XML format, the convention tells you the JSON format. For example, Apache CXF used to support two conventions: Badgerfish and the mapped convention. Badgerfish is no longer maintained in CXF therefore the mapped convention is preferred now.

The mapped convention is what AuthzForce Server - another ABAC/XACML implementation - uses for the RESTful PAP (Policy Administration Point) API, so that you can manage XACML policies in either XML (standard XACML) or JSON format. We used the JSON format for Javascript-based apps (e.g. web user interface) in particular.