The amount of private information in the Internet is constantly increasing with the explosive growth of cloud computing and social networks. XACML is one of the most important standards for specifying access control policies for web services. The number of XACML policies grows really fast and evaluation processing time becomes longer. The XEngine approach proposes to rearrange the matching tree according to the attributes used in the target sections, but for speed reasons they only support equality of attribute values. For a fast termination the combining algorithms are transformed into a first applicable policy, which does not support obligations correctly.

In our approach all comparison functions defined in XACML as well as obligations are supported. In this paper we propose an optimization for XACML policies evaluation based on two tree structures. The first one, called Matching Tree, is created for a fast searching of applicable rules. The second one, called Combining Tree, is used for the evaluation of the applicable rules. Finally, we propose an exploring method for the Matching Tree based on the binary search algorithm. The experimental results show that our approach is orders of magnitude better than Sun PDP.

This work would not have been possible without the inestimable contribution of:

• Santiago Pina Ros
• Mario Lischka

Santiago Pina Ros, Mario Lischka, Félix Gómez Mármol, «Graph-Based XACML Evaluation«, 17th ACM Symposium on Access Control Models and Technologies (SACMAT 2012), Newark (USA), pp. 83-92, 20-22/06/2012

• Website: 17th ACM Symposium on Access Control Models and Technologies (SACMAT 2012)
• Date: 20-22/06/2012
• Venue: Rutgers University, Newark (USA)