DESCRIPTION
Presentation slides from Axiomatics webinar June 13, 2013.
Webinar: Preparing your applications for externalized authorization
Twitter @axiomatics
@srijith
#XACML
Agenda
Axiomatics in brief
Common authorization patterns: background
Externalizing authorization
XACML
APS Developer Edition: introduction and demo
Questions and Answers session
Axiomatics in brief
Focus area: externalized authorization, the XACML standard
Company background: R&D since 2000, Axiomatics founded in 2006
OASIS XACML Technical Committee: member since 2005, editorial responsibilities
Products implementing XACML 2.0 and 3.0; the largest deployments world-wide
Today’s webinar – drivers
APS Developer Edition: non-production use; aimed at reducing the lead time to use XACML; enabling developers to easily use XACML in their apps
Interested? Contact sales@axiomatics.com
More Editions to follow – stay tuned
Srijith Nair – Axiomatics Developer Relations
© 2013, Axiomatics AB
Preparing your applications for externalized authorization
Srijith Nair June 13, 2013
In the olden days, authorization was about
Who?
Authorization should really be about…
When? What? How? Where? Who? Why?
Authorization Approaches
Access Control List (ACL): resource centric; permissions are attached to objects and specify which subject has access
Role-Based Access Control (RBAC): user centric; widely adopted; well understood; industry standards around it; simple. But…
Diagram: User → Role(s) → Permission(s), with Role 1 and Role 2 each mapped to a set of permissions
Problem with RBAC?
Static, predefined, inflexible; does not extend beyond the user; doesn’t scale
Role explosion; difficult to define fine-grained access control rules
How would one implement the rule: “Doctors should be able to view the records of patients assigned to their unit and edit the records of those patients with whom they have a care relationship”?
Where’s the role? Doctor. What’s a patient? A record? A care relationship?
Pull out the highlighter
What if we were not limited to roles?
Doctors should be able to view the records of patients assigned to their unit and edit the records of those patients with whom they have a care relationship
It is all about Attributes, Attributes, Attributes!
Attribute-based access control
Attributes are sets of labels or properties; they describe all aspects of entities that must be considered for authorization purposes
Attribute-Based Access Control (ABAC) uses attributes as building blocks in a structured language used to define access control rules and to describe access requests
ABAC vs. RBAC
Role-Based Access Control: User → Role → Permissions; static & pre-defined
Attribute-Based Access Control: User + Action + Resource + Context → Attributes → Policies; dynamic & adaptive
Diagram: Role 1 and Role 2 each mapped to a set of permissions
Declarative vs. Programmatic AuthZ
Declarative: security roles and constraints are added to the deployment descriptor of the application (e.g. in J2EE, web constraints are added to web.xml, EJB constraints to ejb-jar.xml); configured during the assembly stage, enforced by the security runtime; usually relies on roles
Programmatic: enforcement of AuthZ is written in the code; gives app developers more control
The JACC interface can be used to make calls to external AuthZ providers
Externalized AuthZ
Future-proofing authorization: external from applications, standards-compliant
Authorization service: fine-grained, context-aware
Attribute-based access control
Externalizing Authorization
Need for Externalizing AuthZ
Consider distributed or multi-tiered apps; consider SOA and cloud services
AuthZ needs to be done at several tiers and places; move similar, often-used AuthZ code into its own layer
Some progress, but: different programming patterns; frameworks providing only coarse-grained AuthZ; fine-grained AuthZ still in code
A multitude of Authorization Frameworks
CanCan
Microsoft Claims
SalesForce PermissionSet
Spring Security
Rails AuthZ
Python Fedora
Flask-Auth
Slim for PHP
What’s with native authorization frameworks?
Pros: it’s the right step towards fine-grained authorization; it’s the right step towards externalizing authorization
Cons: they are specific to their language; they are not standards-based; their capabilities are at times limited; they require subject matter expertise; they are expensive
Enter XACML
What is XACML?
eXtensible Access Control Markup Language: prominent ABAC system, OASIS standard
V 3.0 approved in January 2013; V 1.0 approved in 2003 (10 years ago!)
XACML is expressed as a specification document; it provides profiles for developers: JSON, REST
http://www.oasis-open.org/committees/xacml/
What does XACML contain?
XACML
Reference Architecture
Policy Language
Request / Response Protocol
The XACML Architecture
Manage: Policy Administration Point (PAP)
Decide: Policy Decision Point (PDP)
Support: Policy Information Point (PIP), Policy Retrieval Point (PRP)
Enforce: Policy Enforcement Point (PEP)
XACML Architecture Flow
Enforce: the PEP intercepts the request “Access Document #123”
Decide: the PEP asks the PDP “Can Alice access Document #123?” and the PDP answers “Yes, Permit”
Manage / Support: load XACML policies (PAP, PRP)
Support: retrieve user role, clearance and document classification (PIP)
Language Elements of XACML
3 structural elements: PolicySet, Policy, Rule
Root: either a PolicySet or a Policy
PolicySets contain any number of PolicySets & Policies; Policies contain Rules
Rules contain an Effect: Permit / Deny
Combining Algorithms for Rules and Policies
Sample XACML Policy
Root PolicySet
  PolicySet
    Policy
      Rule (Effect = Permit)
      Rule (Effect = Deny)
  PolicySet
    Policy
      Rule (Effect = Permit)
Language Structure: Russian dolls
PolicySet, Policy & Rule can contain Targets, Obligations and Advice
Rules can contain Conditions
Diagram: a Policy Set (Target, Obligation) containing a Policy (Target, Obligation) containing a Rule with Effect=Permit (Target, Obligation, Condition)
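As an added example (not code from the slides or from Axiomatics), here is a minimal Python evaluator for the structure just described: a root PolicySet holding a Policy holding Rules, each level with a Target, Rules with a Condition and an Effect, and simplified deny-overrides and permit-overrides combining algorithms. It encodes the doctors/patients rule from the RBAC slide. The attribute names (role, unit, patient-unit, care-team, action-id) are constructed for this example and are not standard XACML identifiers; real XACML expresses all of this in XML, the Python only makes the evaluation order visible.

```python
# Added example (not Axiomatics/APS code): minimal XACML-style policy tree
# evaluator. Attribute names below are constructed for the doctor/patient rule.
from dataclasses import dataclass
from typing import Callable, Dict, List

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"

# A request is the ABAC tuple: attributes of subject, action, resource and environment.
Request = Dict[str, Dict[str, object]]
Predicate = Callable[[Request], bool]


def always(_: Request) -> bool:
    """Default Target/Condition: matches every request."""
    return True


def combine(algorithm: str, decisions: List[str]) -> str:
    """Simplified XACML combining algorithms over the decisions of child elements."""
    if algorithm == "deny-overrides":
        order = (DENY, INDETERMINATE, PERMIT)
    elif algorithm == "permit-overrides":
        order = (PERMIT, INDETERMINATE, DENY)
    else:
        raise ValueError(f"unknown combining algorithm {algorithm!r}")
    for decision in order:
        if decision in decisions:
            return decision
    return NOT_APPLICABLE


@dataclass
class Rule:
    effect: str                      # Permit or Deny
    target: Predicate = always
    condition: Predicate = always

    def evaluate(self, req: Request) -> str:
        try:
            if not self.target(req):
                return NOT_APPLICABLE
            return self.effect if self.condition(req) else NOT_APPLICABLE
        except KeyError:
            # A missing attribute yields Indeterminate; it never silently becomes Permit.
            return INDETERMINATE


@dataclass
class Policy:
    algorithm: str
    rules: List[Rule]
    target: Predicate = always

    def evaluate(self, req: Request) -> str:
        if not self.target(req):
            return NOT_APPLICABLE
        return combine(self.algorithm, [r.evaluate(req) for r in self.rules])


@dataclass
class PolicySet:
    algorithm: str
    children: list                   # nested PolicySets and Policies
    target: Predicate = always

    def evaluate(self, req: Request) -> str:
        if not self.target(req):
            return NOT_APPLICABLE
        return combine(self.algorithm, [c.evaluate(req) for c in self.children])


# The slides' rule: doctors may view records of patients in their unit and edit
# records of patients with whom they have a care relationship.
def is_doctor(req: Request) -> bool:
    return req["subject"]["role"] == "doctor"

def is_view(req: Request) -> bool:
    return req["action"]["action-id"] == "view"

def is_edit(req: Request) -> bool:
    return req["action"]["action-id"] == "edit"

def same_unit(req: Request) -> bool:
    return req["resource"]["patient-unit"] == req["subject"]["unit"]

def care_relationship(req: Request) -> bool:
    return req["subject"]["subject-id"] in req["resource"]["care-team"]

DOCTOR_RECORDS_POLICY = PolicySet("deny-overrides", children=[
    Policy("permit-overrides", target=is_doctor, rules=[
        Rule(PERMIT, target=is_view, condition=same_unit),
        Rule(PERMIT, target=is_edit, condition=care_relationship),
        Rule(DENY),  # catch-all: a doctor matching no Permit rule gets Deny, not NotApplicable
    ]),
])


def decide(subject: Dict[str, object], action: str, resource: Dict[str, object]) -> str:
    """Evaluate the root PolicySet for one access request."""
    return DOCTOR_RECORDS_POLICY.evaluate({"subject": subject, "action": {"action-id": action},
                                           "resource": resource, "environment": {}})


if __name__ == "__main__":
    alice = {"subject-id": "alice", "role": "doctor", "unit": "cardiology"}
    record = {"resource-id": "record-123", "patient-unit": "cardiology", "care-team": ["bob"]}
    print(decide(alice, "view", record), decide(alice, "edit", record))
```

Note how a request lacking the unit attribute surfaces as Indeterminate rather than Permit, and how a nurse gets NotApplicable because the Policy's Target does not match; a deny-biased PEP treats both outcomes as deny.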
Request and Response
It’s all about Attributes! ABAC, represented in XML
A request carries attributes in four categories: Subject, Action, Resource, Environment
Diagram: XACML Request → (evaluated against the XACML Policies) → XACML Response
XACML and PEP
A PEP does four things with the request/response exchange: Stop, Analyze, Forward, Enforce (S, A, F, E)
Stop the message: the form factor (S)
What are you protecting? What architecture? What framework?
J2EE? Web app server: servlet filter; web services: JAX-WS
Enterprise Service Bus? Apache ServiceMix: interceptors
IIS? ISAPI filter
XML gateway? Custom vendor assertion
Analyze the message: extract attributes (A)
Map from ‘native attributes’ to XACML attributes. Two types of attributes:
Attributes in the message: message headers (SOAPAction, HTTP method, target URI…); message payload (transaction amount)
Attributes in the environment / framework: time of the day
Extract Attributes - Example
HTTP request as seen by the PEP (via the HTTPServletObject):

POST /login.jsp HTTP/1.1
Host: www.mysite.com
User-Agent: Mozilla/4.0
Content-Length: 27
Content-Type: application/x-www-form-urlencoded

userid=joe

Resulting XACML request:

<?xml version="1.0" encoding="UTF-8"?>
<xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false"
    xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
    <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">POST</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">login.jsp</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment">
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">joe</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
</xacml-ctx:Request>
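The Analyze step above, written out as an added Python example (not code from the slides, from Axiomatics or from the APS PEP SDK). It parses a raw HTTP request, applies the same mapping the slide shows (HTTP method to action-id, request path to resource-id, the userid form field to subject-id) and adds the request time as the standard XACML environment attribute current-dateTime. Taking the subject from a form field mirrors the slide only; a real PEP takes the subject from the authenticated principal, never from user-supplied input. The sample HTTP request is constructed; the category and attribute URIs are those of the XACML 3.0 core specification.

```python
# Added example (not Axiomatics/APS code): map native HTTP attributes onto a
# XACML 3.0 <Request>, following the slide's mapping.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
XS_DATETIME = "http://www.w3.org/2001/XMLSchema#dateTime"

# Category and AttributeId URIs from the XACML 3.0 core specification.
CATEGORY = {
    "action": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
    "resource": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
    "environment": "urn:oasis:names:tc:xacml:3.0:attribute-category:environment",
    "subject": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
}
ATTRIBUTE_ID = {
    "action": "urn:oasis:names:tc:xacml:1.0:action:action-id",
    "resource": "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
    "environment": "urn:oasis:names:tc:xacml:1.0:environment:current-dateTime",
    "subject": "urn:oasis:names:tc:xacml:1.0:subject:subject-id",
}


def parse_http_request(raw: str) -> Tuple[str, str, Dict[str, str], Dict[str, str]]:
    """Split a raw HTTP/1.1 request into method, target, headers and form fields."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    request_line, *header_lines = head.split("\n")
    method, target, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    form: Dict[str, str] = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        form = {k: v[0] for k, v in parse_qs(body).items()}
    return method, target, headers, form


def _add_attribute(req: ET.Element, kind: str, value: str, datatype: str = XS_STRING) -> None:
    """Append one <Attributes>/<Attribute>/<AttributeValue> group to the request."""
    attrs = ET.SubElement(req, f"{{{XACML_NS}}}Attributes", {"Category": CATEGORY[kind]})
    attr = ET.SubElement(attrs, f"{{{XACML_NS}}}Attribute",
                         {"AttributeId": ATTRIBUTE_ID[kind], "IncludeInResult": "true"})
    ET.SubElement(attr, f"{{{XACML_NS}}}AttributeValue", {"DataType": datatype}).text = value


def build_xacml_request(raw_http: str, now_iso: Optional[str] = None) -> bytes:
    """Map native HTTP attributes onto a XACML 3.0 <Request> document."""
    method, target, _headers, form = parse_http_request(raw_http)
    resource_id = target.split("?", 1)[0].lstrip("/")   # "/login.jsp" -> "login.jsp", as on the slide
    subject_id = form.get("userid")                     # slide's mapping; use the authenticated principal in practice
    if not subject_id:
        raise ValueError("no subject identity in request")  # never send an empty subject to the PDP
    ET.register_namespace("xacml-ctx", XACML_NS)
    req = ET.Element(f"{{{XACML_NS}}}Request",
                     {"ReturnPolicyIdList": "true", "CombinedDecision": "false"})
    _add_attribute(req, "action", method)
    _add_attribute(req, "resource", resource_id)
    _add_attribute(req, "environment", now_iso or datetime.now(timezone.utc).isoformat(), XS_DATETIME)
    _add_attribute(req, "subject", subject_id)
    return ET.tostring(req, encoding="utf-8", xml_declaration=True)


def attribute_values(xacml_request: bytes) -> Dict[str, str]:
    """Read back AttributeId -> value from a request (used to check the mapping)."""
    ns = {"x": XACML_NS}
    values: Dict[str, str] = {}
    for attr in ET.fromstring(xacml_request).findall("x:Attributes/x:Attribute", ns):
        values[attr.get("AttributeId")] = attr.findtext("x:AttributeValue", namespaces=ns)
    return values


# Constructed sample mirroring the slide's HTTP request.
SAMPLE_HTTP = (
    "POST /login.jsp HTTP/1.1\r\n"
    "Host: www.mysite.com\r\n"
    "User-Agent: Mozilla/4.0\r\n"
    "Content-Length: 10\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "userid=joe"
)

if __name__ == "__main__":
    print(build_xacml_request(SAMPLE_HTTP).decode())
```

The query string is stripped from the resource-id and the time is supplied by the PEP rather than by the caller, so neither can be steered by the message being checked.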
Forward access control request to the PDP (F)
How is the PDP exposed? In-process? RMI? JSON? SOAP? …
Create a XACML request and insert it inside the right “transporter”:
Java XACML request object passed to the API method
Java XACML request serialized using RMI
JSON payload sent as an HTTP(S) request
XML XACML request inside a SOAP message, sent as an HTTP request
…
Enforce: receive the PDP decision and act (E)
The decision is one of Permit / Deny / Not Applicable / Indeterminate
Check the bias: a deny-biased PEP lets only an explicit Permit through
Apply obligations & advice, e.g.: log access in the central log repository; send a notification email; filter out some data from the response
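The Enforce step, as an added Python example (not code from the slides, from Axiomatics or from the APS PEP SDK). It parses a XACML 3.0 response, refuses to let a request through when an obligation it cannot fulfil is attached, runs the obligations it does know, and then applies the PEP bias. The Response/Result/Decision/Obligations element names follow the XACML 3.0 core schema; the obligation ids, the attribute assignments and the sample responses are constructed for the example.

```python
# Added example (not Axiomatics/APS code): Enforce step of a PEP over a XACML
# 3.0 <Response>. Obligation ids and sample responses are constructed.
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Tuple

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML_NS}

_audit_log: List[str] = []   # stands in for the central log repository


def log_access(args: Dict[str, str]) -> None:
    """Obligation handler: record who did what to which resource."""
    _audit_log.append(f"{args.get('subject')} {args.get('action')} {args.get('resource')}")


def audit_entries() -> List[str]:
    return list(_audit_log)


# Obligations this PEP knows how to fulfil (ids are constructed examples).
OBLIGATION_HANDLERS: Dict[str, Callable[[Dict[str, str]], None]] = {
    "urn:example:obligation:log-access": log_access,
}

Obligation = Tuple[str, Dict[str, str]]


def parse_response(xml_text: str) -> Tuple[str, List[Obligation]]:
    """Return (Decision, [(ObligationId, {AttributeId: value}), ...]) for the first Result."""
    result = ET.fromstring(xml_text).find("x:Result", NS)
    if result is None:
        raise ValueError("response carries no Result")
    decision = result.findtext("x:Decision", default="Indeterminate", namespaces=NS)
    obligations: List[Obligation] = []
    for ob in result.findall("x:Obligations/x:Obligation", NS):
        args = {aa.get("AttributeId"): (aa.text or "").strip()
                for aa in ob.findall("x:AttributeAssignment", NS)}
        obligations.append((ob.get("ObligationId"), args))
    return decision, obligations


def enforce(xml_text: str, deny_biased: bool = True) -> bool:
    """True if the PEP lets the request through, False if it blocks it."""
    decision, obligations = parse_response(xml_text)
    # An obligation the PEP cannot fulfil forces a block, whatever the decision says.
    if any(ob_id not in OBLIGATION_HANDLERS for ob_id, _ in obligations):
        return False
    for ob_id, args in obligations:
        OBLIGATION_HANDLERS[ob_id](args)
    if deny_biased:
        return decision == "Permit"      # NotApplicable and Indeterminate are blocked
    return decision != "Deny"            # permit-biased: only an explicit Deny blocks


def sample_response(decision: str, obligations_xml: str = "") -> str:
    """Constructed XACML 3.0 response used to exercise the PEP."""
    return (f'<Response xmlns="{XACML_NS}"><Result><Decision>{decision}</Decision>'
            f'{obligations_xml}</Result></Response>')


XS = "http://www.w3.org/2001/XMLSchema#string"
LOG_OBLIGATION = (
    '<Obligations><Obligation ObligationId="urn:example:obligation:log-access">'
    f'<AttributeAssignment AttributeId="subject" DataType="{XS}">alice</AttributeAssignment>'
    f'<AttributeAssignment AttributeId="action" DataType="{XS}">view</AttributeAssignment>'
    f'<AttributeAssignment AttributeId="resource" DataType="{XS}">record-123</AttributeAssignment>'
    '</Obligation></Obligations>'
)
UNKNOWN_OBLIGATION = ('<Obligations><Obligation ObligationId="urn:example:obligation:redact-ssn">'
                      '</Obligation></Obligations>')

if __name__ == "__main__":
    print(enforce(sample_response("Permit", LOG_OBLIGATION)), audit_entries())
    print(enforce(sample_response("Permit", UNKNOWN_OBLIGATION)))
```

The unknown-obligation case is the one worth remembering: a Permit that arrives with an obligation the PEP has no handler for must be treated as a block, otherwise the policy author's condition (log it, redact it, notify someone) is silently dropped.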
APS Developer Edition
What is APS Developer Edition?
“(…) is an aggregate product that aims to simplify the process of working with Axiomatics products. It is primarily intended for developers and is designed to enable a quick and easy setup of the APS environment. The Developer Edition contains the standard releases of APS and other Axiomatics software of relevance to developers in a complete, self-contained and easy-to-install package.”
For non-production use only
What it contains
APS components: ASM, PDP, PAP
PEP SDK for Java and ALFA packages
Sample demo application and XACML policy
Sample Eclipse projects for: JSP demo application, JSP PEP, Java PEP, ALFA, PAP workspace
Single Tomcat for ASM, PDP and demo application
Simplified initialization and management scripts
What it does not contain
APS Developer Edition does not include: Eclipse distribution; Java distribution; APS Developer Resources; anything else not mentioned on the previous slide
Quick Start Guide
Demo
Questions? Contact us at info@axiomatics.com