Access Control using Reverse Proxy XACML PEPs

Following the previous post that I wrote a while ago about authenticating reverse proxies in front of resources you want to protect with OpenID Connect or OAuth 2.0, this post is about the next step: access control using those proxies. Whilst the plugins that I talked about have basic access control possibilities built in to them, it may be that you want to integrate it with a central XACML Policy Engine that your company already deploys. To facilitate that, I have developed plugins that implement the XACML 3.0 Policy Enforcement Point logic into NGINX and Apache HTTPd.

In this way you can write and maintain advanced access control logic in XACML policies using your XACML 3.0 Policy Administration Point and enforce those policies directly in your reverse proxy web servers that protect your business assets. The communication between the web server PEP and the PDP engine is done using the XACML 3.0 REST and JSON Profiles, so it has minimal overhead in terms of processing and payload.

Look here for the NGINX plugin:

There’s a similar plugin for Apache 2.x that can be purchased under a commercial agreement. For details contact:

This entry was posted in Uncategorized. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s