Who uses XACML?
I'm a member of the team at IBM that builds a security policy management solution, including XACML for authorization policy; and I used to be the team lead for the XACML runtime component itself. The product is called Tivoli Security Policy Manager, and is definitely under active development.
WebLogic used to be built by BEA, before they were acquired by Oracle. I'm not sure if Oracle still sells it or not.
Axiomatics also has a XACML solution, as does Jericho Systems.
This has been answered on the XACML TC list already: http://markmail.org/message/w7msffsbi6qzgfoj
XACML is used in a wide variety of industries today. Trying to summarize what's been said
There are 2 types of implementations today:
open-source implementations They are either backed by commercial organizations, foundations, or universities. These include:
- (Sun-backed) SunXACML (http://sunxacml.sourceforge.net/) - very much dead on its own but used in other products such as WS02's offering (see below)
- (R&D-backed) SICSACML (http://www.sics.se/node/2465) backed by SICS, the Swedish Institute for Computer Science, and now taken up by Axiomatics (www.axiomatics.com)
- (University-backed) Heras AF (http://www.herasaf.org/heras-af-xacml.html): Orange is using their product. Orange is one of the leading telecommunications providers in Europe.
- WS02 is a company that was born from the Apache Synapse project and expanded into different areas successfully including XACML by using the initial SunXACML implementation (http://wso2.org/library/identity-server/user-management/xacml). I am not sure they have customers using XACML today.
- Enterprise XACML (http://code.google.com/p/enterprise-java-xacml/) but not updates in nearly a year
- Brad Cox also a neat approach to implementing XACML as described in his blog and paper at http://bradjcox.blogspot.com/
Commercial products
- Oracle OES provides a SunXACML-based XACML 2.0 implementation. It is hard to know whether OES customers are using XACML features.
- IBM Tivoli Security Policy Manager
- Axiomatics Policy Server took SICSACML and marketed it in 2006 - their product fully implements XACML 3.0. Their customers include "one of the world's largest bank", Paypal, Bell Helicopter, Swedish National Healthcare service, SOS Alarm, and DATEV eG as listed at www.axiomatics.com/customers.html
There are other vendors such as Jericho Systems and Nextlabs that offer XACML. Also Securent (later bought by CISCO) had a XACML offering.
Lastly I recommend you visit the XACML TC (http://www.oasis-open.org/committees/xacml/) where you can see its contributing members. Those include Oracle, Axiomatics, Boeing, Veterans Administration, EMC who are regular contributors.