Entitlements Service

I am on the team of 4 engineers who have been designing and implementing the entitlements service for the OpenSSO project for a year, and we are happy to see that the entitlements service is the key feature in OpenSSO Express 9 (see our press release).

The following are the key things that we have done (I wrote about 80% of the SDK, so it is OK to blame me if things are not working):

  1. Improve scalability.
    We use indexes in the LDAP server to locate policies for evaluation. This fast, heuristic approach helps us eliminate most of the unrelated policies and retrieve the related ones rapidly. Our latest test shows that we can handle over 1 million policies.
  2. Improve performance.
    We use multi-threading, reentrant read-write locks (from the Java concurrency package) and LDAP indexes to speed up policy evaluation. Performance has improved significantly when benchmarked against the previous policy evaluation engine. We are in the process of tuning the caching system, and better results are expected.
  3. REST interfaces
    We have REST interfaces for policy evaluation and management. This means that non-Java clients (such as PHP and Python) can make policy evaluation requests. We use Jersey, the state of the art, for our REST implementation, and JSON is used too.
  4. User-friendly UI
    My co-worker has developed a nice set of entitlements service UIs using ICEfaces.
  5. XACML support
    We are able to import and export XACML.
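
The sketch below is an added example, not code from OpenSSO or from this post. It illustrates the two ideas in items 1 and 2: an index that discards unrelated policies before evaluation, and a reentrant read-write lock that lets evaluations run in parallel while policy changes are exclusive. The class and method names, the in-memory map standing in for the LDAP index, the deny-overrides rule and the sample policies are all assumptions made for illustration.

```java
import java.util.*;
import java.util.concurrent.locks.ReentrantReadWriteLock;

// Illustrative sketch only: all names here are hypothetical, not OpenSSO APIs.
public class IndexedPolicyStore {
    record Policy(String name, String host, String pathPrefix, Set<String> actions, boolean allow) {}

    // Stand-in for the LDAP index: host name -> policies that mention that host.
    private final Map<String, List<Policy>> byHost = new HashMap<>();
    private final ReentrantReadWriteLock lock = new ReentrantReadWriteLock();

    // Policy management takes the exclusive write lock.
    public void add(Policy p) {
        lock.writeLock().lock();
        try {
            byHost.computeIfAbsent(p.host(), h -> new ArrayList<>()).add(p);
        } finally {
            lock.writeLock().unlock();
        }
    }

    // Segment-aware prefix match, so "/records" does not cover "/records-old".
    private static boolean covers(String prefix, String path) {
        return path.equals(prefix) || path.startsWith(prefix.endsWith("/") ? prefix : prefix + "/");
    }

    // Evaluation takes the shared read lock, so many threads can evaluate at once.
    public boolean isAllowed(String host, String path, String action) {
        lock.readLock().lock();
        try {
            boolean allowed = false;
            // The index lookup skips every policy for other hosts without inspecting it.
            for (Policy p : byHost.getOrDefault(host, List.of())) {
                if (!covers(p.pathPrefix(), path) || !p.actions().contains(action)) continue;
                if (!p.allow()) return false;   // assumption: an explicit deny overrides any allow
                allowed = true;
            }
            return allowed;                     // no matching policy means deny by default
        } finally {
            lock.readLock().unlock();
        }
    }

    public static void main(String[] args) {
        IndexedPolicyStore store = new IndexedPolicyStore();
        // Constructed sample policies.
        store.add(new Policy("hr-read", "hr.example.com", "/records", Set.of("GET"), true));
        store.add(new Policy("hr-no-salary", "hr.example.com", "/records/salary", Set.of("GET"), false));
        store.add(new Policy("wiki-all", "wiki.example.com", "/", Set.of("GET", "POST"), true));
        System.out.println(store.isAllowed("hr.example.com", "/records/42", "GET"));
        System.out.println(store.isAllowed("hr.example.com", "/records/salary/42", "GET"));
        System.out.println(store.isAllowed("hr.example.com", "/records-old/42", "GET"));
        System.out.println(store.isAllowed("unknown.example.com", "/", "GET"));
    }
}
```

Because the index is only a pre-filter, the authorization decision still depends on the full match and on the default-deny result when no candidate policy applies.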

Currently, we are working with technical writers on documenting the entitlements service. You should be able to see these documents early next year when OpenSSO Express 9 is shipped.

Well, the year 2009 is coming to an end. It has been a fun year working on the entitlements service (among my other doings). Sleepless nights, long meetings, ranting and hanging my head on the keyboard (just kidding) are part of the fun :-). I hope that 2010 will be more exciting.


2 Responses

  1. Dear Dennis, I do not think this is the right place to ask these questions, but if you have written about 80% of the SDK, maybe you can help me. We are developing a webapp and we are going to use OpenSSO Express 8 (possibly 9) for authentication and authorization. Users of the webapp must be able to create policies outside OpenSSO. The webapp is supposed to ask OpenSSO to create new policies, delete others and so on. It is not clear to me how I can manage OpenSSO policies without the console and the admin tools. I tried the OpenSSO Client SDK (policyManager.addPolicy(…)), but it does not work (I get the token correctly, so I suppose the AMproperties is set properly). Sorry if the question is silly and many thanks in advance for your help. Cheers, Marco

  2. Hi Marco.

    There are a few options for you to programmatically create policies.

    I would like you to send your questions to users@opensso.dev.java.net.
    We will answer your questions via email so that questions and answers can be
    archived and shared with other users of OpenSSO.

