News

Widespread adoption seen for XACML specs

• By Rich Seeley
• February 26, 2003

Within a year, developers can expect to see widespread adoption of the Extensible Access Control Markup Language (XACML), the newly ratified OASIS information access standard for Internet applications, XML experts say.

XACML gives developers information access controls for Web services applications, said Brad Brown, chairman and chief architect of TUSC (http://www.tusc.com), an Oracle consulting company based in Lombard, Ill. He likened the new standard to access controls that have been deployed for decades on mainframe systems.

''Access control is something that's been around for a while dating back to the early DEC days with file systems,'' Brown said. Until the advent of XACML, there was no easy way to set privileges for things such as read and update for Web services and other applications operating via the Internet, he added.

''This technology provides that for this world,'' Brown said. ''It gives you additional security privileges that historically you haven't had. You could certainly build it into your Web application, but people would have to go out and manually build that stuff.''

Ron Schmelzer, senior analyst at ZapThink LLC (http://www.zapthink.com), a Waltham, Mass.-based firm specializing in XML technologies, agreed with Brown that XACML would appear in major vendors' Web servers within six months. The analyst estimated that it would have widespread implementation in Web services applications by the end of this year or early 2004.

Noting that it was complementary to Security Assertion Markup Language (SAML) from OASIS, Schmelzer said XACML would make it easier for end users to work with Web services applications. Operating similar to single sign-on, once a user's access privileges are set, they can then work uniformly with all of the services across the Internet that are incorporated into a Web services application, he said.

Brown said once XACML becomes a standard feature of Web server products, implementing access controls in Web services applications should be relatively easy.

''I think it will be very easy to implement,'' he explained. ''That's the good thing about standards that have been developed to date. People have been pretty specific about making this Web development world easier and easier. I think that's a pretty important part of the development life cycle, freeing the time and energy people spend re-inventing the wheel.''