基于冗余消除和属性数值化的XACML策略优化方法

可扩展的访问控制标记语言(eXtensible Access Control Markup Language,XACML)逐渐成为访问控制的标准之一。为了确保系统可用性,访问控制系统需要高效的XACML策略评估引擎。针对这一问题,从XACML策略本身潜在的不足出发,从冗余消除和属性数值化两个方面对XACML策略进行了优化。冗余消除在不影响策略评估结果的前提下去除策略库中的冗余规则,同时结合规则压缩消除规则间的冗余状态。属性数值化将文本的XACML策略属性转化为数值属性,使评估引擎匹配使用高效的数值匹配方式而不是低效的字符串匹配方式,同时使用Hash表结构存储数值属性与文本属性的映射关系有利于策略维护。仿真实验结果表明,提出的策略优化方法的性能与原始Sun XACML 相比有较大提升。

XACML Policy Optimization Method Based on Redundancy Elimination and Attribute Numericalization

XACML (eXtensible Access Control Markup Language) has become one of main access control standards.Access control systems need effective XACML evaluation engine to ensure system availability.To solve the problem above,this paper optimized XACML policy from two aspects:redundancy elimination and attribute numericalization,based on the potential shortcomings of XACML itself.Redundancy elimination removes the redundant rules in the policies and the redundant states between the rules by applying rule compression method.Attribute numericalization transforms textuary attributes of XACML policies into numerical attributes,to make evaluation engine use effective numerical match,instead of inefficient string match.In addition,it is beneficial for policy management that using Hash table to store the mappings between textuary attributes and numerical attributes.Simulation experimental results show that the policy engine using the policy optimization method proposed in this paper is much faster than Sun XACML.