Corporate demand for better Web services security technology got another shot in the arm last week after a standards body finalized work on an XML-based access control protocol.
The Organization for the Advancement of Structured Information Standards (OASIS) gave its stamp of approval to the Extensible Access Control Markup Language (XACML), which has been in development for almost two years. The standard is designed to alleviate today's patchwork of access control policies, which companies write in proprietary languages specific to each device or application, an inflexible system that creates an administrative nightmare.
XACML includes an access control language and request/response language that let developers write policies dictating what users can access on a network or over the Internet. XACML likely will show up in firewalls, servers and Web access management software but also could be used as the basis for gateways to connect disparate access control policy engines.
"XACML is for any point on the Internet that has to make a decision on authorization," says Hal Lockhart, co-chair of the XACML technical committee at OASIS.
OASIS also is working on the Security Assertion Markup Language (SAML), which was ratified late last year. XACML and SAML are complementary in supporting identity management and authentication and authorization for Web services.
"XACML builds on SAML to ensure the right people have access to the right things at the right time," says Jamie Lewis, president of Burton Group.
But Lewis says companies will still have to work out the differences between their access policies. "XACML won't make Company A's policies automatically meaningful to Company B," he says.
IBM and Sun are among the major players supporting XACML.