
One way of improving the performance of an XACML engine is caching. However, a caching implementation must be designed carefully: a stale cached decision is an authorization bug, not just a performance issue. Looking at the XACML reference architecture, caching can be done in four places.

  1. XACML policies can be cached. Policies are usually stored in a database or file system, and loading them from there for every request is undesirable, so the policies themselves should be cached.
  2. Attribute values retrieved from PIPs can be cached, since those values may come from external sources such as web services, remote JDBC databases and remote LDAP servers.
  3. XACML decisions can be cached at the PDP level. In most deployments the same authorization query hits the PDP many times, so answering from a decision cache avoids a full policy evaluation each time.
  4. XACML decisions can also be cached at the PEP level. This gives the largest performance gain: the PEP does not need to query the PDP at all, which saves the time spent transporting the XACML request and response between PEP and PDP.

...

Let's go through the four types of cache mentioned above in some detail and identify the important design considerations. We will also briefly discuss how WSO2 Identity Server has implemented them.

...

WSO2 Identity Server provides a concurrent-hash-map-based cache as the decision cache. The cache is not distributed among cluster nodes; only cache invalidation messages are distributed, using the same Infinispan caching implementation. Therefore, if the cache is invalidated on one node, the decision caches on all other nodes are invalidated as well. Each cache entry (decision) also has an invalidation time interval. The timeout value is configurable, and it keeps the cache from growing without bound.

PEP Decision Cache

...

  1. The PEP decision cache must be invalidated when the policy cache is updated, when the attribute cache is invalidated, when the PDP decision cache is invalidated, and when the global policy combining algorithm is updated.

...

  1. Cache invalidation messages must be propagated to the PEP in a reliable way.
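The following is an added example, not code from WSO2 Identity Server or the PDP proxy. It ties together the PDP decision cache described above (a TTL-bounded map whose invalidation is broadcast) and the PEP decision cache rules just listed: the same authorization query must map to the same cache key regardless of attribute order, every entry expires after a configurable timeout, and a policy update on the PDP side invalidates both the PDP cache and the PEP cache. The names `request_key`, `DecisionCache`, `Pdp`, `Pep` and `FakeClock` are assumptions made for the example, and the one-line role check in `Pdp.evaluate` is a stand-in for real XACML policy evaluation.

```python
import hashlib
import json
import time
from typing import Callable, Dict, List, Optional, Tuple

# Constructed example: TTL-bounded decision caches at PDP and PEP level and the
# invalidation wiring between them. Illustrative only, not WSO2's implementation.


def request_key(subject: dict, resource: dict, action: dict, environment: dict) -> str:
    """Canonicalise a XACML-style request (the four attribute categories) so the
    same authorization query yields the same key whatever the attribute order."""
    canonical = json.dumps(
        {"subject": subject, "resource": resource, "action": action, "environment": environment},
        sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


class DecisionCache:
    """Map from request key to (decision, expiry). Entries expire after ttl_seconds,
    which bounds cache growth; invalidate_all() also notifies listeners, standing in
    for the cluster-wide invalidation message."""

    def __init__(self, ttl_seconds: float, clock: Callable[[], float] = time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock
        self._entries: Dict[str, Tuple[str, float]] = {}
        self._listeners: List[Callable[[], None]] = []

    def get(self, key: str) -> Optional[str]:
        entry = self._entries.get(key)
        if entry is None:
            return None
        decision, expires_at = entry
        if self._clock() >= expires_at:      # expired: drop it and report a miss
            del self._entries[key]
            return None
        return decision

    def put(self, key: str, decision: str) -> None:
        self._entries[key] = (decision, self._clock() + self._ttl)

    def on_invalidate(self, listener: Callable[[], None]) -> None:
        self._listeners.append(listener)

    def invalidate_all(self) -> None:
        self._entries.clear()
        for listener in self._listeners:
            listener()

    def __len__(self) -> int:
        return len(self._entries)


class Pdp:
    """PDP with a decision cache. A policy update invalidates the cache, because
    every cached decision may now be wrong."""

    def __init__(self, cache: DecisionCache):
        self.cache = cache
        self.evaluations = 0                  # full policy evaluations performed
        self.policy = {"allowed_roles": {"admin"}}   # stand-in for a XACML policy set

    def evaluate(self, subject: dict, resource: dict, action: dict, environment: dict) -> str:
        key = request_key(subject, resource, action, environment)
        cached = self.cache.get(key)
        if cached is not None:
            return cached
        self.evaluations += 1
        decision = "Permit" if subject.get("role") in self.policy["allowed_roles"] else "Deny"
        self.cache.put(key, decision)
        return decision

    def update_policy(self, new_policy: dict) -> None:
        self.policy = new_policy
        self.cache.invalidate_all()           # broadcast: PDP entries and subscribed PEPs


class Pep:
    """PEP with its own decision cache; it subscribes to the PDP's invalidation."""

    def __init__(self, pdp: Pdp, cache: DecisionCache):
        self.pdp = pdp
        self.cache = cache
        self.remote_calls = 0                 # round trips to the PDP
        pdp.cache.on_invalidate(cache.invalidate_all)

    def is_permitted(self, subject: dict, resource: dict, action: dict, environment: dict) -> bool:
        key = request_key(subject, resource, action, environment)
        cached = self.cache.get(key)
        if cached is None:
            self.remote_calls += 1
            cached = self.pdp.evaluate(subject, resource, action, environment)
            self.cache.put(key, cached)
        return cached == "Permit"


class FakeClock:
    """Deterministic clock so TTL expiry can be exercised without sleeping."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> dict:
    clock = FakeClock()
    pdp = Pdp(DecisionCache(ttl_seconds=60, clock=clock))
    pep = Pep(pdp, DecisionCache(ttl_seconds=30, clock=clock))
    alice, doc, read, env = {"id": "alice", "role": "admin"}, {"id": "doc-1"}, {"id": "read"}, {}
    r1 = pep.is_permitted(alice, doc, read, env)   # miss at PEP and PDP: evaluated once
    r2 = pep.is_permitted(alice, doc, read, env)   # PEP cache hit, no PDP round trip
    clock.advance(31)                              # PEP entry expired, PDP entry still live
    r3 = pep.is_permitted(alice, doc, read, env)   # PDP round trip, answered from PDP cache
    pdp.update_policy({"allowed_roles": set()})   # policy change invalidates both caches
    r4 = pep.is_permitted(alice, doc, read, env)   # re-evaluated against the new policy
    return {"r1": r1, "r2": r2, "r3": r3, "r4": r4,
            "evaluations": pdp.evaluations, "remote_calls": pep.remote_calls}


if __name__ == "__main__":
    print(demo())
```

The in-process listener stands in for the cluster invalidation message; if that message is lost, the PEP keeps serving the stale decision until its TTL expires, which is why the timeout is the backstop and why a PEP TTL no longer than the PDP's is the conservative choice. The cache key must cover every attribute the policies can depend on; an attribute that is supplied to the PDP but omitted from the key lets two different requests share one decision.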

WSO2 Identity Server only provides the PDP, PAP and PIP functionality. The PEP must be bound into your application. However, there is an implementation called the PDP proxy, which provides a set of APIs for the application to use. The PDP proxy source comes along with the entitlement mediator in WSO2 ESB.