Access Control Patterns & Practices with WSO2 Middleware Prabath Siriwardena

Published on 18-Dec-2015

Transcript

Slide 1: Access Control Patterns & Practices with WSO2 Middleware. Prabath Siriwardena

Slide 2: About Me. Director of Security Architecture at WSO2. Leads WSO2 Identity Server, an open source identity and entitlement management product. Apache Axis2/Rampart committer / PMC. A member of OASIS Identity Metasystem Interoperability (IMI) TC, OASIS eXtensible Access Control Markup Language (XACML) TC and OASIS Security Services (SAML) TC. Twitter: @prabath. Email: prabath@apache.org. Blog: http://blog.facilelogin.com. LinkedIn: http://www.linkedin.com/in/prabathsiriwardena

Slide 3: Discretionary Access Control (DAC) vs. Mandatory Access Control (MAC)

Slide 4: With Discretionary Access Control, the user can be the owner of the data and, at his discretion, can transfer the rights to another user.

Slide 5: With Mandatory Access Control, only designated users are allowed to grant rights, and users cannot transfer them.

Slide 6: All WSO2 Carbon based products are based on Mandatory Access Control.

Slide 7: A group is a collection of users, while a role is a collection of permissions.

Slide 8: Authorization Table vs. Access Control Lists vs. Capabilities

Slide 9: An authorization table is a three-column table with subject, action and resource.

Slide 10: With Access Control Lists, each resource is associated with a list indicating, for each subject, the actions that the subject can exercise on the resource.

Slide 11: With Capabilities, each subject has an associated list, called a capability list, indicating, for each resource, the accesses that the user is allowed to exercise on the resource.

Slide 12: An Access Control List is resource driven, while capabilities are subject driven.

Slide 13: With policy based access control we can have authorization policies with a fine granularity.

Slide 14: Capabilities and Access Control Lists can be dynamically derived from policies.

Slide 15: XACML is the de facto standard for policy based access control.

Slide 16: XACML provides a reference architecture, a request/response protocol and a policy language.

Slide 17: XACML Reference Architecture (diagram). Components: Policy Enforcement Point (PEP), Policy Information Point (PIP), Policy Administration Point (PAP), Policy Decision Point (PDP), Policy Store.

Slide 18: XACML with Capabilities (WS-Trust); Hierarchical Resource Profile (diagram). Components: Client Application, WSO2 Identity Server (STS), WSO2 Application Server (SOAP Service), WSO2 Identity Server (XACML PDP). Messages: SAML token request; SAML token with Authentication and Authorization Assertions (Capabilities); SAML token with Authentication and Authorization Assertion + Service Request; XACML Request; XACML Response.

Slide 19: XACML with Capabilities (WS-Trust); Hierarchical Resource Profile (diagram). Components: Browser, WSO2 Application Server (Web Application), WSO2 Identity Server (SAML2 IdP), WSO2 Identity Server (XACML PDP). Messages: Unauthenticated Request; Redirect with SAML Request; SAML token with Authentication and Authorization Assertion (Capabilities); XACML Request; XACML Response.

Slide 20: RBAC, Role Based Access Control (diagram). Components: Client Application, WSO2 ESB (Policy Enforcement Point), WSO2 Application Server (SOAP Service). Messages: Service Request + Credentials.

Slide 21: WSO2 ESB as the XACML PEP (SOAP and REST) (diagram). Components: Client Application, WSO2 ESB (Policy Enforcement Point), WSO2 Identity Server (XACML PDP), WSO2 Application Server (SOAP Service). Messages: Service Request + Credentials; XACML Request; XACML Response.

Slide 22: XACML PEP as a Servlet Filter (diagram). Components: Client Application, WSO2 Application Server (XACML Servlet Filter), WSO2 Identity Server (XACML PDP). Messages: Service Request + Credentials; XACML Request; XACML Response.

Slide 23: OAuth + XACML (diagram). Components: Client Application, API Gateway, WSO2 Identity Server (OAuth Authorization Server), WSO2 Identity Server (XACML PDP). Messages: Access Token; Validate(); XACML Request; XACML Response.

Slide 24: Authorization with External IdPs (Role Mapping) (diagram). Components: Browser, WSO2 Application Server (Web Application), External SAML2 IdP (Salesforce), WSO2 Identity Server (role mapping: IdP Groups, Web App roles). Messages: Unauthenticated Request; Redirect with SAML Request; SAML token with Authentication and Attribute Assertions with IdP groups.

Slide 25: XACML Multiple Decisions and Application Specific Roles (diagram). Components: Liferay Portal, WSO2 Identity Server (XACML PDP). Messages: Login; XACML Request; XACML Response.

Slide 26: lean. enterprise. middleware
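The authorization-table, ACL and capability views of slides 9 to 14, as an added example that is not from the slides or from any WSO2 code: a constructed role-based policy set with hierarchical resource matching, from which the three-column table, the resource-driven ACLs and the subject-driven capability lists are all derived, next to a direct policy check of the kind a PDP would make. The subjects, roles, resources and policy format are all assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed sample data (not from the slides). Slide 7: a role is a
# collection of permissions; here each subject holds a set of roles.
SUBJECT_ROLES = {"alice": {"admin"}, "bob": {"viewer"}, "carol": {"viewer", "editor"}}

# Constructed policies (slide 13): a role may perform an action on a
# resource subtree. Hierarchical matching stands in for XACML's
# Hierarchical Resource Profile mentioned on slide 18.
POLICIES = [
    {"role": "viewer", "action": "read", "resource": "/docs"},
    {"role": "editor", "action": "write", "resource": "/docs/reports"},
    {"role": "admin", "action": "read", "resource": "/"},
    {"role": "admin", "action": "write", "resource": "/"},
]

RESOURCES = ["/docs/reports/q4", "/docs/public/faq", "/admin/users"]


def resource_matches(policy_resource, resource):
    """A policy on /docs covers /docs itself and everything below it."""
    return resource == policy_resource or resource.startswith(policy_resource.rstrip("/") + "/")


def authorization_table(subjects=SUBJECT_ROLES, resources=RESOURCES, policies=POLICIES):
    """Slide 9 and 14: the (subject, action, resource) table, derived from policies."""
    rows = set()
    for subject, roles in subjects.items():
        for p in (p for p in policies if p["role"] in roles):
            rows.update((subject, p["action"], r) for r in resources if resource_matches(p["resource"], r))
    return sorted(rows)


def access_control_lists(table):
    """Slide 10 and 12: resource-driven view, resource -> subject -> actions."""
    acl = defaultdict(lambda: defaultdict(set))
    for subject, action, resource in table:
        acl[resource][subject].add(action)
    return {r: {s: sorted(a) for s, a in subs.items()} for r, subs in acl.items()}


def capability_lists(table):
    """Slide 11 and 12: subject-driven view, subject -> resource -> actions."""
    caps = defaultdict(lambda: defaultdict(set))
    for subject, action, resource in table:
        caps[subject][resource].add(action)
    return {s: {r: sorted(a) for r, a in res.items()} for s, res in caps.items()}


def is_permitted(subject, action, resource, policies=POLICIES, subjects=SUBJECT_ROLES):
    """PDP-style decision straight from the policies; unknown subjects get deny by default."""
    roles = subjects.get(subject, set())
    return any(p["role"] in roles and p["action"] == action and resource_matches(p["resource"], resource)
               for p in policies)
```

Because both views are computed from the same policies, changing one policy line changes the ACLs and capability lists together, which is the point of slide 14.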