Wondering the differences between acegi and rbac and xacml!
jameli
Sep 3rd, 2004, 11:04 PM
Can somebody tell us the differences between acegi and rbac and xacml?
I'm confused!
:oops:
Ben Alex
Sep 4th, 2004, 06:24 PM
"Acegi" refers to a company, Acegi Technology, in Australia.
"Acegi Security" is a security implementation for Spring, developed by Acegi Technology.
"RBAC" is role based access control, a design pattern for assigning permissions via roles rather than directly to principals.
"XACML" is the OASIS eXtensible Access Control Markup Language standard.
So RBAC and XACML are both standards. Acegi Security is an implementation. Acegi Security doesn't seek to implement XACML. Acegi Security allows you to achieve a RBAC style of administration.
jameli
Sep 5th, 2004, 08:35 PM
"Acegi Security allows you to achieve a RBAC style of administration."
But how?
Is there any topic about it?
Ben Alex
Sep 5th, 2004, 11:20 PM
From http://csrc.nist.gov/rbac/rbacSTD-ACM.pdf:
"The basic concept of RBAC is that users are assigned to roles, permissions are assigned to roles, and users acquire permissions by being members of roles. Core RBAC includes requirements that user-role and permission-role assignment can be many-to-many. Thus the same user can be assigned to many roles and a single role can have many users. Similarly, for permissions, a single permission can be assigned to many roles and a single role can be assigned to many permissions."
In Acegi Security you have principals, which when authenticated are housed in an Authentication object. Each Authentication object has multiple GrantedAuthority[]s. A GrantedAuthority represents a permission.
Your AuthenticationManager is customised (typically via an AuthenticationDao) to handle the "role" part of the RBAC model. Specifically, it iterates the roles associated with a user (principal), and adds each of the permissions (GrantedAuthoritys) assigned to the role to the Authentication.
Hope this clears things up.
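Added example, not part of the original thread and not Acegi Security code: a plain-Java model of the role-to-permission expansion described in the post above, where roles are resolved at login and only the resulting permissions reach the access decision. The class, method, user, role and permission names are all constructed, and plain strings stand in for GrantedAuthority objects.

```java
import java.util.*;

// Added illustration: plain-Java stand-ins, not Acegi Security's own classes.
public class RbacFlattening {

    // role -> permissions (many-to-many: one permission may sit under several roles)
    static final Map<String, Set<String>> ROLE_PERMISSIONS = new HashMap<>();
    // user -> roles (many-to-many: one user may hold several roles)
    static final Map<String, Set<String>> USER_ROLES = new HashMap<>();

    static {
        // Constructed sample data
        ROLE_PERMISSIONS.put("TELLER", set("ACCOUNT_READ", "ACCOUNT_DEPOSIT"));
        ROLE_PERMISSIONS.put("SUPERVISOR", set("ACCOUNT_READ", "ACCOUNT_OVERDRAFT"));
        USER_ROLES.put("marissa", set("TELLER", "SUPERVISOR"));
        USER_ROLES.put("scott", set("TELLER"));
    }

    static Set<String> set(String... values) {
        return new TreeSet<>(Arrays.asList(values));
    }

    /** Login-time step: expand the user's roles into one flat set of permissions. */
    static Set<String> loadAuthorities(String username) {
        Set<String> roles = USER_ROLES.get(username);
        if (roles == null) {
            // Unknown user: fail instead of returning an empty but "valid" principal
            throw new NoSuchElementException("unknown user: " + username);
        }
        Set<String> granted = new TreeSet<>();
        for (String role : roles) {
            // A role with no mapping contributes nothing (deny by default)
            granted.addAll(ROLE_PERMISSIONS.getOrDefault(role, Collections.emptySet()));
        }
        return Collections.unmodifiableSet(granted);
    }

    /** The access decision consults permissions only, never role names. */
    static boolean isPermitted(Set<String> granted, String required) {
        return granted.contains(required);
    }

    public static void main(String[] args) {
        Set<String> marissa = loadAuthorities("marissa");
        Set<String> scott = loadAuthorities("scott");
        System.out.println("marissa: " + marissa);
        System.out.println("scott:   " + scott);
        System.out.println("scott overdraft?   " + isPermitted(scott, "ACCOUNT_OVERDRAFT"));
        System.out.println("marissa overdraft? " + isPermitted(marissa, "ACCOUNT_OVERDRAFT"));
    }
}
```

Because ACCOUNT_READ is reachable through both roles, the set semantics keep it from being granted twice, and changing what a role may do means editing one map entry rather than every user.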
bostone
Aug 8th, 2005, 06:41 PM
"So RBAC and XACML are both standards. Acegi Security is an implementation. Acegi Security doesn't seek to implement XACML. Acegi Security allows you to achieve a RBAC style of administration."
Hey, how about this quote then? Looks like after all there's some common ground between the two.
"Within OASIS, the XACML technical committee is developing an RBAC profile for expression of authorization policies in XML, making it easier to build RBAC into web applications."