Following the previous post that I wrote a while ago about authenticating reverse proxies in front of resources you want to protect with OpenID Connect or OAuth 2.0, this post is about the next step: access control using those proxies. Whilst the plugins that I talked about have basic access control possibilities built in to them, it may be that you want to integrate it with a central XACML Policy Engine that your company already deploys. To facilitate that, I have developed plugins that implement the XACML 3.0 Policy Enforcement Point logic into NGINX and Apache HTTPd.
In this way you can write and maintain advanced access control logic in XACML policies using your XACML 3.0 Policy Administration Point and enforce those policies directly in your reverse proxy web servers that protect your business assets. The communication between the web server PEP and the PDP engine is done using the XACML 3.0 REST and JSON Profiles, so it has minimal overhead in terms of processing and payload.
Look here for the NGINX plugin: https://github.com/zmartzone/lua-resty-xacml-pep
There’s a similar plugin for Apache 2.x that can be purchased under a commercial agreement. For details contact: firstname.lastname@example.org