Page 1: Access Control Patterns & Practices with WSO2 Middleware

Access Control Patterns & Practices with WSO2 Middleware

Prabath Siriwardena

Page 2

About Me

• Director of Security Architecture at WSO2
• Leads WSO2 Identity Server – an open source identity and entitlement management product.
• Apache Axis2/Rampart committer / PMC
• A member of OASIS Identity Metasystem Interoperability (IMI) TC, OASIS eXtensible Access Control Markup Language (XACML) TC and OASIS Security Services (SAML) TC.
• Twitter : @prabath
• Email : [email protected]
• Blog : http://blog.facilelogin.com
• LinkedIn : http://www.linkedin.com/in/prabathsiriwardena

Page 3

Discretionary Access Control (DAC) vs. Mandatory Access Control (MAC)

Page 4

With Discretionary Access Control, the user can be the owner of the data and, at his discretion, can transfer the rights to another user.

Page 5

With Mandatory Access Control, only designated users are allowed to grant rights, and users cannot transfer them.

Page 6

All WSO2 Carbon based products are based on Mandatory Access Control.

Page 7

A Group is a collection of Users, while a Role is a collection of permissions.

Page 8

Authorization Table vs. Access Control Lists vs. Capabilities

Page 9

An Authorization Table is a three-column table with subject, action and resource.

Page 10

With Access Control Lists, each resource is associated with a list indicating, for each subject, the actions that the subject can exercise on the resource.

Page 11

With Capabilities, each subject has an associated list, called a capability list, indicating, for each resource, the accesses that the subject is allowed to exercise on the resource.

Page 12

Access Control Lists are resource driven, while capabilities are subject driven.

Page 13

With policy based access control, we can have authorization policies with a fine granularity.

Page 14

Capabilities and Access Control Lists can be dynamically derived from policies.
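Added example (not from the slides or any WSO2 code) for pages 9 to 14: a constructed authorization table of (subject, action, resource) triples, the resource-driven ACL view and the subject-driven capability view derived from it, and the question each view answers cheaply. Subjects, resources and actions are made-up sample data.

```python
from collections import defaultdict

# Constructed authorization table: (subject, action, resource) triples.
AUTHORIZATION_TABLE = [
    ("alice", "read", "/orders"),
    ("alice", "write", "/orders"),
    ("bob", "read", "/orders"),
    ("bob", "read", "/invoices"),
    ("carol", "write", "/invoices"),
]

def derive_acls(table):
    """Resource-driven view: resource -> subject -> permitted actions."""
    acls = defaultdict(lambda: defaultdict(set))
    for subject, action, resource in table:
        acls[resource][subject].add(action)
    return acls

def derive_capabilities(table):
    """Subject-driven view: subject -> resource -> permitted actions."""
    caps = defaultdict(lambda: defaultdict(set))
    for subject, action, resource in table:
        caps[subject][resource].add(action)
    return caps

def acl_permits(acls, subject, action, resource):
    """ACL check: start from the resource, then find the subject's entry."""
    return action in acls.get(resource, {}).get(subject, set())

def capability_permits(caps, subject, action, resource):
    """Capability check: start from the subject, then find the resource's entry."""
    return action in caps.get(subject, {}).get(resource, set())

def subjects_with_access(acls, resource):
    """The question an ACL answers cheaply: who can touch this resource?"""
    return set(acls.get(resource, {}))

def resources_of(caps, subject):
    """The question a capability list answers cheaply: what can this subject reach?"""
    return set(caps.get(subject, {}))

def views_agree(table):
    """Both derived views decide identically for every (subject, action, resource)."""
    acls, caps = derive_acls(table), derive_capabilities(table)
    subjects, actions, resources = ({t[i] for t in table} for i in range(3))
    return all(acl_permits(acls, s, a, r) == capability_permits(caps, s, a, r)
               for s in subjects for a in actions for r in resources)
```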

Page 15

XACML is the de facto standard for policy based access control.

Page 16

XACML provides a reference architecture, a request response protocol and a policy language.

Page 17

XACML Reference Architecture

• Policy Enforcement Point (PEP)
• Policy Information Point (PIP)
• Policy Administration Point (PAP)
• Policy Decision Point (PDP)
• Policy Store
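Added example (not from the slides or WSO2 Identity Server code): a minimal model of the reference architecture above, where the PEP builds a request, the PDP evaluates the policies in the Policy Store with a deny-overrides combining algorithm, and attributes the request did not carry are fetched from the PIP. The PAP is folded into PolicyStore.publish for brevity; the policy shape, attribute names and user directory are constructed for illustration.

```python
PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

class PolicyStore:
    """Policies authored by the PAP (publish) and read by the PDP."""
    def __init__(self): self.policies = []
    def publish(self, policy): self.policies.append(policy)  # the PAP's job

class PIP:
    """Policy Information Point: resolves attributes the request did not carry."""
    def __init__(self, directory): self.directory = directory  # constructed user store
    def lookup(self, subject, attribute): return self.directory.get(subject, {}).get(attribute)

class PDP:
    """Policy Decision Point: evaluates applicable policies, deny-overrides."""
    def __init__(self, store, pip): self.store, self.pip = store, pip

    def decide(self, request):
        attrs = dict(request)
        def attr(name):                       # missing attribute: ask the PIP once
            if name not in attrs:
                attrs[name] = self.pip.lookup(attrs["subject"], name)
            return attrs[name]
        decision = NOT_APPLICABLE
        for policy in self.store.policies:
            if not attrs["resource"].startswith(policy["target"]):
                continue                      # policy target does not match this resource
            for rule in policy["rules"]:
                if rule["condition"](attr):
                    if rule["effect"] == DENY:
                        return DENY           # deny-overrides: one matching Deny decides
                    decision = PERMIT
        return decision

class PEP:
    """Policy Enforcement Point: builds the request and enforces the decision."""
    def __init__(self, pdp): self.pdp = pdp
    def allow(self, subject, action, resource):
        request = {"subject": subject, "action": action, "resource": resource}
        return self.pdp.decide(request) == PERMIT   # anything but Permit is refused

def build_demo():
    store = PolicyStore()
    store.publish({"target": "/orders", "rules": [
        {"effect": PERMIT, "condition": lambda a: a("action") == "read" and a("role") == "clerk"},
        {"effect": PERMIT, "condition": lambda a: a("role") == "manager"},
        {"effect": DENY, "condition": lambda a: a("department") == "contractor"},
    ]})
    pip = PIP({"alice": {"role": "manager", "department": "sales"},
               "bob": {"role": "clerk", "department": "contractor"}})
    return PEP(PDP(store, pip))
```

Note that NotApplicable (no policy matched, or an unknown subject whose attributes the PIP cannot resolve) is refused by the PEP exactly like Deny.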

Page 18

XACML with Capabilities (WS-Trust) Hierarchical Resource Profile

Components: Client Application; WSO2 Identity Server (STS); WSO2 Identity Server (XACML PDP); WSO2 Application Server (SOAP Service)

Messages: SAML token request; SAML token with Authentication and Authorization Assertions (Capabilities); SAML token with Authentication and Authorization Assertion + Service Request; XACML Request; XACML Response

Page 19

XACML with Capabilities (WS-Trust) Hierarchical Resource Profile

Components: Browser; WSO2 Application Server (Web Application); WSO2 Identity Server (SAML2 IdP); WSO2 Identity Server (XACML PDP)

Messages: Unauthenticated Request; Browser Redirect with SAML Request; SAML token with Authentication and Authorization Assertion (Capabilities); XACML Request; XACML Response

Page 20

RBAC (Role Based Access Control)

Components: Client Application; WSO2 ESB (Policy Enforcement Point); WSO2 Application Server (SOAP Service)

Messages: Service Request + Credentials

Page 21

WSO2 ESB as the XACML PEP (SOAP and REST)

Components: Client Application; WSO2 ESB (Policy Enforcement Point); WSO2 Identity Server (XACML PDP); WSO2 Application Server (SOAP Service)

Messages: Service Request + Credentials; XACML Request; XACML Response

Page 22

XACML PEP as a Servlet Filter

Components: Client Application; WSO2 Application Server (XACML Servlet Filter); WSO2 Identity Server (XACML PDP)

Messages: Service Request + Credentials; XACML Request; XACML Response

Page 23

OAuth + XACML

Components: Client Application; API Gateway; WSO2 Identity Server (OAuth Authorization Server); WSO2 Identity Server (XACML PDP)

Messages: Access Token; Validate(); XACML Request; XACML Response

Page 24

Authorization with External IdPs (Role Mapping)

Components: WSO2 Application Server (Web Application); External SAML2 IdP (Salesforce); WSO2 Identity Server (role mapping: IdP Groups to Web App roles)

Messages: Unauthenticated Request; Browser Redirect with SAML Request; SAML token with Authentication and Attribute Assertions with IdP groups

Page 25

XACML Multiple Decisions and Application Specific Roles

Components: Liferay Portal; WSO2 Identity Server (XACML PDP)

Messages: Login; XACML Request; XACML Response

Page 26

lean . enterprise . middleware
