• DocumentCode
    1573221
  • Title

    An extensible XACML authorization decision engine for context aware applications

  • Author

    Cheaito, Marwan ; Laborde, Romain ; Barrère, François ; Benzekri, Abdelmalek

  • Author_Institution
    IRIT/SIERA, Univ. Paul Sabatier, Toulouse, France
  • fYear
    2009
  • Firstpage
    377
  • Lastpage
    382
  • Abstract
    Context-awareness is a central aspect of pervasive computing applications. However, the information representing a context evolves with the capability of the technology embedded in pervasive devices. As a consequence, access control systems should be able to support and understand any new context information in order to address access control requirements. In this article, we present an extensible XACML (eXtensible Access Control Markup Language) authorization decision engine to provide such flexibility. In attribute based access control like XACML, extending the policy authorization engine means extending its ability to understand new attributes data types including the functions that are used in the policy to evaluate the users' requests. We show there are two kinds of data types to consider in the context of access control system: data types of which both the values and the order relations are initially known, and data types of which neither the value nor the relation order are initially known. Based on this analysis, we present an extensible architecture for implementing XACML decision authorization engine composed of a core component that can be enhanced by additional data type modules. This architecture has been implemented in Java and includes an API for writing new data type modules.
  • Keywords
    Java; XML; application program interfaces; authorisation; ubiquitous computing; API; Java; access control systems; context aware applications; data type modules; extensible Access Control Markup Language; extensible XACML authorization decision engine; pervasive computing; policy authorization engine; Access control; Authorization; Context awareness; Context modeling; Engines; Global Positioning System; Java; Markup languages; Pervasive computing; Writing;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Pervasive Computing (JCPC), 2009 Joint Conferences on
  • Conference_Location
    Tamsui, Taipei
  • Print_ISBN
    978-1-4244-5227-9
  • Electronic_ISBN
    978-1-4244-5228-6
  • Type

    conf

  • DOI
    10.1109/JCPC.2009.5420155
  • Filename
    5420155