Use cases for the REST profile for XACML v3.0

1. POST a XACML Request (in XML) to a PDP and receive a XACML Response. This would provide a simple means to test PDPs, verify policy evaluation, and compare implementations. Performance and scalability tests could be scripted using command-line tools such as wget or curl.

2. GET a XACML Policy or PolicySet from a PAP using a predictable URI formed with the PolicyId or PolicySetId (such as http://example.com/pap-service/policies/ExportPolicy).

3. Authorization-as-a-Service In a cloud environment, all functionality is exposed over the network in the form of web services. The trend in web services is away from complex SOAP implementations to simpler REST architectures, driven by performance considerations, the desire for smaller technology stacks (e.g. JavaScript only), and easier upgrade paths. For authorization, these web services include functionality that deals with both the PDP and PAP, since policies need to be created before they can be evaluated. To allow the largest possible audience as consumers of the service, different media types should be supported: at a minimum XML and JSON.

Requirements for the REST profile for XACML v3.0

• Allow access to PDP
• Allow access to PAP
• Low complexity/high performance access over HTTP

  • Use HTTP's uniform interface

• Allow multiple representations for requests and responses, at least
  • XML
    • XACML XML Request/Response independent of SOAP or SAML envelope.
  • JSON
    • XACML elements with attributes to be rendered in JSON as objects with properties
    • XML content artifacts may remain in the JSON representation - Resource Content, for example should remain XML to preserve XPATH query semantics
    • The PDP is not required to understand JSON - the JSON request can be transformed into XACML XML or equivalent internal representation by the REST service endpoint before passing it to the PDP for processing. The PDP response can be transformed to JSON for return to client.

    • Support asynchronous completion callback patterns. JSONP and/or JSON-RPC are candidates . This will also solve domain of origin restrictions for browser apps.

• Define media types for these representations, to be standardized with IANA

• Allow linking from one resource to another, e.g. from a PolicySet to the policy identified by a PolicyIdReference

• Single fixed entry point to service, sub-services can be discovered through links