3. Agenda
Axiomatics in brief
Common authorization patterns - background
Externalizing authorization
XACML
APS Developer Edition – Introduction and demo
Question and Answer session
4. Axiomatics in brief
Focus area
  Externalized authorization
  XACML standard
Company background
  R&D since 2000
  Axiomatics founded in 2006
OASIS XACML Technical Committee
  Member since 2005
  Editorial responsibilities
Products implementing XACML 2.0 and 3.0
  The largest deployments world-wide
5. Today’s webinar – drivers
APS Developer Edition
  Non-production use
  Aimed at reducing lead time to use XACML
  Enabling developers to easily use XACML in their apps
  Interested? Contact sales@axiomatics.com
  More Editions to follow – stay tuned
Srijith Nair – Axiomatics Developer Relations
6. © 2013, Axiomatics AB
Preparing your applications for externalized authorization
Srijith Nair
June 13, 2013
8. Authorization should really be about…
Who? What? Where? When? How? Why?
9. Authorization Approaches
Access Control List (ACL)
  Resource centric
  Permissions attached to objects
  Specifies which subject has access
Role-Based Access Control (RBAC)
  User centric
  Widely adopted
  Well understood
  Industry standard around it
  Simple
  But….
[Diagram: User → Role(s) → Permission(s); Role 1 and Role 2 each bound to a fixed set of permissions P]
10. Problem with RBAC?
Static, predefined, inflexible
Does not extend beyond the user
Doesn’t scale
Role explosion
Difficult to define fine-grained access control rules
How would one implement the rule:
  Doctors should be able to view the records of patients assigned to their unit and edit the records of those patients with whom they have a care relationship
Where’s the role? Doctor
What’s a patient? A record? A care relationship?
11. Pull out the highlighter
What if we were not limited to roles?
  Doctors [subject attribute: role] should be able to view [action] the records [resource type] of patients assigned to their unit [resource attribute matched against a subject attribute] and edit [action] the records of those patients with whom they have a care relationship [relationship between subject and resource]
It is all about Attributes, Attributes, Attributes!
12. Attribute-based access control
Attributes
  Are sets of labels or properties
  Describe all aspects of entities that must be considered for authorization purposes
Attribute-Based Access Control (ABAC)
  uses attributes as building blocks
  in a structured language used to define access control rules and
  to describe access requests
13. ABAC vs. RBAC
Role-Based Access Control: User → Role → Permissions; static & pre-defined
Attribute-Based Access Control: User + Action + Resource + Context → Attributes → Policies; dynamic & adaptive
[Diagram: on the RBAC side, Role 1 and Role 2 are each bound to a fixed set of permissions P]
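The doctor rule from the two previous slides evaluated both ways, as an added Python example (not code from the deck or from Axiomatics): a plain role check, which is all RBAC can express without minting a role per unit and per patient, next to an attribute-based check that compares subject and resource attributes at request time. The attribute names (`roles`, `unit`, `patient_unit`, `care_team`) and the sample users and records are assumptions constructed for the demo.

```python
# Added example, not from the Axiomatics deck: the doctor rule as RBAC vs ABAC.
# Attribute names and sample data below are assumptions constructed for the demo.
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """One access request: who (subject attributes), does what (action),
    to what (resource attributes)."""
    subject: dict
    action: str
    resource: dict


# --- RBAC: the only question is "which roles does the user hold?" ----------
ROLE_PERMISSIONS = {"doctor": {"view", "edit"}, "nurse": {"view"}}


def rbac_decision(request: Request, role_permissions: dict = ROLE_PERMISSIONS) -> str:
    """Permit if any of the user's roles carries the requested permission.
    The patient, the record and the care relationship never enter the decision."""
    for role in request.subject.get("roles", ()):
        if request.action in role_permissions.get(role, set()):
            return "Permit"
    return "Deny"


# --- ABAC: the rule is written over attributes of subject and resource -----
def abac_decision(request: Request) -> str:
    """Doctors may view records of patients assigned to their unit and may edit
    records of patients with whom they have a care relationship."""
    s, r = request.subject, request.resource
    if "doctor" not in s.get("roles", ()):
        return "NotApplicable"          # this rule does not target the request
    if request.action == "view" and r.get("patient_unit") == s.get("unit"):
        return "Permit"
    if request.action == "edit" and s.get("id") in r.get("care_team", ()):
        return "Permit"
    return "Deny"


# --- Constructed sample data ------------------------------------------------
ALICE = {"id": "alice", "roles": ("doctor",), "unit": "cardiology"}
NINA = {"id": "nina", "roles": ("nurse",), "unit": "cardiology"}
OWN_UNIT_RECORD = {"patient_unit": "cardiology", "care_team": ("alice",)}
OTHER_UNIT_RECORD = {"patient_unit": "oncology", "care_team": ("bob",)}


def compare(subject: dict, action: str, record: dict) -> tuple:
    """Return (RBAC decision, ABAC decision) for one request."""
    req = Request(subject, action, record)
    return rbac_decision(req), abac_decision(req)


if __name__ == "__main__":
    # RBAC lets Alice edit a patient she has never treated; ABAC does not.
    print(compare(ALICE, "edit", OTHER_UNIT_RECORD))   # ('Permit', 'Deny')
    print(compare(ALICE, "view", OWN_UNIT_RECORD))     # ('Permit', 'Permit')
```

The RBAC branch is over-permissive the moment the requirement mentions anything other than the user; reproducing the ABAC result with roles alone would need one role per unit for viewing and one per patient for editing, which is the role explosion the previous slide names.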
14. Declarative vs. Programmatic AuthZ
Declarative:
  Security roles and constraints are added to the deployment descriptor of the application (e.g. in J2EE, web constraints are added to web.xml, EJB constraints into ejb-jar.xml)
  Configured during the assembly stage, enforced by the security runtime
  Usually relies on roles
Programmatic:
  Enforcement of AuthZ is written in the code
  Gives app developers more control
  The JACC interface (Java Authorization Contract for Containers) can be used to make calls to external AuthZ providers
15. Future-Proofing Authorization
Externalized AuthZ: an Authorization Service that is
  External from applications
  Standards-compliant
  Fine-grained
  Context-aware
  Attribute-based Access Control
17. Need for Externalizing AuthZ
Consider distributed or multi-tiered apps
Consider SOA, Cloud services
AuthZ needs to be done at several tiers, places
Move similar, often-used AuthZ code to its own layer
Some progress, but
  Different programming patterns
  Frameworks providing coarse-grained AuthZ
  Fine-grained AuthZ still in code
18. A multitude of Authorization Frameworks
CanCan
Microsoft Claims
SalesForce PermissionSet
Spring Security
Rails AuthZ
Python Fedora
Flask-Auth
Slim for PHP
19. What’s with native authorization frameworks?
Pros
  It’s the right step towards fine-grained authorization
  It’s the right step towards externalizing authorization
Cons
  They are specific to their language
  They are not standards-based
  Their capabilities are at times limited
  They require subject matter expertise
  They are expensive
21. What is XACML?
eXtensible Access Control Markup Language
Prominent ABAC system
OASIS standard
  V 3.0 approved in January 2013
  V 1.0 approved in 2003 (10 years ago!)
XACML is expressed as a specification document
Provides profiles for developers:
  JSON
  REST
http://www.oasis-open.org/committees/xacml/
22. What does XACML contain?
XACML Reference Architecture
Policy Language
Request / Response Protocol
23. The XACML Architecture
Manage: Policy Administration Point (PAP)
Decide: Policy Decision Point (PDP)
Support: Policy Information Point (PIP), Policy Retrieval Point (PRP)
Enforce: Policy Enforcement Point (PEP)
24. XACML Architecture Flow
Components: Manage – Policy Administration Point; Decide – Policy Decision Point; Support – Policy Information Point, Policy Retrieval Point; Enforce – Policy Enforcement Point
Flow shown on the slide:
  Alice attempts to access Document #123; the Policy Enforcement Point intercepts the request
  The PEP asks the PDP: Can Alice access Document #123?
  The PDP loads the XACML policies (from the Policy Retrieval Point, authored at the Policy Administration Point)
  The PDP retrieves the user role, clearance and document classification from the Policy Information Point
  The PDP answers: Yes, Permit
  The PEP lets the access to Document #123 proceed
25. What does XACML contain? (recap) – Policy Language
26. Language Elements of XACML
3 structural elements
  PolicySet
  Policy
  Rule
Root: either PolicySet or Policy
PolicySets contain any number of PolicySets & Policies
Policies contain Rules
Rules contain an Effect: Permit / Deny
Combining Algorithms for Rules and Policies
27. Sample XACML Policy
Root PolicySet
  PolicySet
    Policy
      Rule (Effect = Permit)
      Rule (Effect = Deny)
  PolicySet
    Policy
      Rule (Effect = Permit)
28. Language Structure: Russian dolls
PolicySet, Policy & Rule can contain
  Targets
  Obligations
  Advice
Rules can contain
  Conditions
[Diagram: Policy Set (Target, Obligation) containing Policy (Target, Obligation) containing Rule with Effect=Permit (Target, Condition, Obligation)]
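The nesting from the last three slides and the PIP lookup from the architecture flow, as an added Python example (not Axiomatics' PDP, nor code from the deck): a root PolicySet containing PolicySets, Policies and Rules, each level with an optional Target and a combining algorithm, Rules with a Condition and an Effect, and a Policy Information Point consulted for attributes the request did not carry (the clearance/classification scheme from the flow slide). The attribute ids, the policy content and the PIP data are assumptions constructed for the demo, and the combining algorithms are simplified (the XACML 3.0 extended Indeterminate qualifiers are omitted).

```python
# Added example, not Axiomatics' PDP: a miniature XACML-style evaluator.
# Attribute ids, policy content and PIP data are assumptions for the demo.
from dataclasses import dataclass
from typing import Callable, Optional

PERMIT, DENY, NA, INDET = "Permit", "Deny", "NotApplicable", "Indeterminate"


class MissingAttribute(Exception):
    """Neither the request nor the PIP could supply an attribute."""


# PIP: attributes the PEP did not put in the request (constructed sample data)
PIP = {
    ("subject", "alice", "clearance"): 3,
    ("subject", "carol", "clearance"): 1,
    ("resource", "doc-123", "classification"): 2,
    ("resource", "doc-123", "owner"): "bob",
}


class Context:
    """Resolves <category>.<attribute>: first from the request, then the PIP."""
    def __init__(self, request: dict, pip: dict = PIP):
        self.request, self.pip = request, pip

    def get(self, category: str, attr: str):
        cat = self.request.get(category, {})
        if attr in cat:
            return cat[attr]
        key = (category, cat.get("id"), attr)
        if key in self.pip:
            return self.pip[key]
        raise MissingAttribute(f"{category}.{attr}")


Predicate = Callable[[Context], bool]


# Combining algorithms (simplified: extended Indeterminate qualifiers omitted)
def deny_overrides(results: list) -> str:
    if DENY in results:
        return DENY
    if INDET in results:
        return INDET
    return PERMIT if PERMIT in results else NA


def permit_overrides(results: list) -> str:
    if PERMIT in results:
        return PERMIT
    if INDET in results:
        return INDET
    return DENY if DENY in results else NA


@dataclass
class Rule:
    effect: str
    target: Optional[Predicate] = None
    condition: Optional[Predicate] = None

    def evaluate(self, ctx: Context) -> str:
        try:
            if self.target and not self.target(ctx):
                return NA
            if self.condition and not self.condition(ctx):
                return NA
            return self.effect
        except MissingAttribute:
            return INDET        # attribute missing: neither Permit nor Deny


@dataclass
class Policy:
    """Used for both Policy (children are Rules) and PolicySet (children are
    Policies / PolicySets): the Russian-doll structure is the same."""
    children: list
    combine: Callable[[list], str] = deny_overrides
    target: Optional[Predicate] = None

    def evaluate(self, ctx: Context) -> str:
        try:
            if self.target and not self.target(ctx):
                return NA
        except MissingAttribute:
            return INDET
        return self.combine([child.evaluate(ctx) for child in self.children])


# Root PolicySet -> PolicySet -> Policy -> Rules, shaped like the sample tree
ROOT = Policy(children=[
    Policy(target=lambda c: c.get("resource", "type") == "document", children=[
        Policy(children=[
            # Permit when clearance dominates classification (both come from the PIP)
            Rule(PERMIT, condition=lambda c: c.get("subject", "clearance")
                 >= c.get("resource", "classification")),
            # Deny deletion by anyone but the owner; deny-overrides makes it win
            Rule(DENY, target=lambda c: c.get("action", "id") == "delete",
                 condition=lambda c: c.get("subject", "id") != c.get("resource", "owner")),
        ]),
    ]),
    Policy(target=lambda c: c.get("subject", "role") == "admin",
           children=[Policy(children=[Rule(PERMIT)])]),
])


def make_request(subject_id, role, action, resource_id="doc-123", rtype="document"):
    return {"subject": {"id": subject_id, "role": role},
            "action": {"id": action},
            "resource": {"id": resource_id, "type": rtype}}


def decide(request: dict) -> str:
    return ROOT.evaluate(Context(request))
```

Two things worth noticing when running it: a subject the PIP knows nothing about (bob) yields Indeterminate rather than Deny, which is why the PEP has to decide what to do with that result; and the admin PolicySet's Permit is overridden by the owner-only Deny at the root, because the root combines with deny-overrides.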
29. What does XACML contain? (recap) – Request / Response Protocol
30. Request and Response
It’s all about Attributes! (ABAC)
Attributes are grouped into four categories: Subject, Action, Resource, Environment
Represented in XML:
  XACML Policies
  XACML Request
  XACML Response
32. S – Stop the message: the form factor
What are you protecting?
What architecture? What framework?
  J2EE?
    Web app server: Servlet filter
    Web services: JAX-WS
  Enterprise Service Bus?
    Apache ServiceMix: Interceptors
  IIS? ISAPI filter
  XML gateway? Custom vendor assertion
33. A – Analyze the message: extract attributes
Map from ‘native attributes’ to XACML attributes
Two types of attributes
  Attributes in the message
    Message headers
      SOAPAction
      HTTP method
      Target URI…
    Message payload
      Transaction amount
  Attributes in the environment / framework
    Time of the day
34. Extract Attributes - Example
Native HTTP request, read via the HttpServletRequest object:

POST /login.jsp HTTP/1.1
Host: www.mysite.com
User-Agent: Mozilla/4.0
Content-Length: 27
Content-Type: application/x-www-form-urlencoded

userid=joe

Resulting XACML 3.0 request (HTTP method → action-id, request path → resource-id, form field userid → subject-id; the environment category is sent empty):

<?xml version="1.0" encoding="UTF-8"?>
<xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false"
    xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
    <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">POST</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">login.jsp</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment">
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">joe</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
</xacml-ctx:Request>
35. F – Forward the access control request to the PDP (Req/Resp)
How is the PDP exposed?
  In-process?
  RMI?
  JSON?
  SOAP?
  …
Create a XACML request and insert it inside the right “transporter”
  Java XACML request object passed to the API method
  Java XACML request serialized using RMI
  JSON payload sent as an HTTP(S) request
  XML XACML request inside a SOAP message sent as an HTTP request
  …
36. E – Enforce: receive the PDP decision and act
The decision is one of Permit / Deny / NotApplicable / Indeterminate
Check the bias: a deny-biased PEP grants access only on Permit and treats NotApplicable and Indeterminate (e.g. a missing attribute or an unreachable PIP) as Deny; a permit-biased PEP refuses only on Deny
Apply obligations & advice (an obligation the PEP cannot fulfil means the access must not be granted)
  Log access in the central log repository
  Send notification email
  Filter out some data from the response
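The four PEP steps (Stop, Analyze, Forward, Enforce) run end to end, as an added Python example (not the Axiomatics PEP SDK, nor code from the deck): parse a constructed HTTP request, extract its native attributes, map them to the three XACML attributes of the request shown two slides earlier (written here in the JSON profile's shorthand category names), forward the request to an in-process PDP, and enforce the answer with a deny-biased PEP that also discharges obligations. The PDP is a stub standing in for a real one; the policy it applies, the obligation id and the audit log are assumptions constructed for the demo.

```python
# Added example, not the Axiomatics PEP SDK: S-A-F-E in one file.
# The PDP below is a stub; its policy, the obligation id and the audit log
# are assumptions constructed for the demo.
import json
from urllib.parse import parse_qsl

SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
LOG_OBLIGATION = "urn:example:obligation:log-access"     # assumed obligation id
AUDIT_LOG = []                                            # stands in for the central log

# Constructed HTTP requests (the first mirrors the one on the slide)
LOGIN_POST = ("POST /login.jsp HTTP/1.1\r\nHost: www.mysite.com\r\n"
              "User-Agent: Mozilla/4.0\r\nContent-Length: 10\r\n"
              "Content-Type: application/x-www-form-urlencoded\r\n\r\nuserid=joe")
ANONYMOUS_POST = LOGIN_POST.replace("Content-Length: 10", "Content-Length: 0").replace("userid=joe", "")
ADMIN_POST = LOGIN_POST.replace("/login.jsp", "/admin.jsp")


# S + A: stop the message and extract the native attributes
def parse_http(raw: str) -> dict:
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {k.strip().lower(): v.strip()
               for k, v in (line.split(":", 1) for line in header_lines)}
    form = {}
    if headers.get("content-type") == "application/x-www-form-urlencoded":
        form = dict(parse_qsl(body))
    return {"method": method, "path": target, "form": form, "headers": headers}


# F: map native attributes to XACML attributes (JSON profile shorthand)
def build_xacml_request(http: dict) -> dict:
    def attr(attr_id, value):
        return {"AttributeId": attr_id, "Value": value}
    subject = [attr(SUBJECT_ID, http["form"]["userid"])] if "userid" in http["form"] else []
    return {"Request": {
        "AccessSubject": {"Attribute": subject},   # left empty if unauthenticated
        "Action": {"Attribute": [attr(ACTION_ID, http["method"])]},
        "Resource": {"Attribute": [attr(RESOURCE_ID, http["path"].lstrip("/"))]},
    }}


def stub_pdp(xacml_request: dict) -> dict:
    """Stand-in for a real PDP. Assumed policy: any identified subject may POST
    to login.jsp, with an obligation to log the access; a request without a
    subject-id is Indeterminate (missing attribute); anything else NotApplicable."""
    req = xacml_request["Request"]

    def attrs(category):
        return {a["AttributeId"]: a["Value"] for a in req.get(category, {}).get("Attribute", [])}
    subject, action, resource = attrs("AccessSubject"), attrs("Action"), attrs("Resource")
    if SUBJECT_ID not in subject:
        return {"Response": [{"Decision": "Indeterminate"}]}
    if action.get(ACTION_ID) == "POST" and resource.get(RESOURCE_ID) == "login.jsp":
        return {"Response": [{"Decision": "Permit", "Obligations": [
            {"Id": LOG_OBLIGATION, "AttributeAssignment": [
                {"AttributeId": "user", "Value": subject[SUBJECT_ID]}]}]}]}
    return {"Response": [{"Decision": "NotApplicable"}]}


def forward(xacml_request: dict) -> dict:
    """Serialize as the JSON transporter would, then hand to the in-process PDP."""
    payload = json.dumps(xacml_request)
    return json.loads(json.dumps(stub_pdp(json.loads(payload))))


# E: enforce the decision
def enforce(response: dict, deny_biased: bool = True) -> bool:
    result = response["Response"][0]
    decision = result["Decision"]
    # Bias: a deny-biased PEP lets only an explicit Permit through, so
    # NotApplicable and Indeterminate fail closed; permit-biased refuses only Deny.
    allowed = decision == "Permit" if deny_biased else decision != "Deny"
    for obligation in result.get("Obligations", []):
        if obligation["Id"] == LOG_OBLIGATION:
            user = obligation["AttributeAssignment"][0]["Value"]
            AUDIT_LOG.append(f"{decision} for {user}")
        else:
            allowed = False   # cannot discharge the obligation: must not grant
    return allowed


def handle(raw_http: str, deny_biased: bool = True) -> dict:
    http = parse_http(raw_http)
    response = forward(build_xacml_request(http))
    return {"decision": response["Response"][0]["Decision"],
            "allowed": enforce(response, deny_biased)}
```

The anonymous request is the case the bias check exists for: with no subject-id the PDP cannot reach a Permit or a Deny, and a permit-biased PEP would wave it through, so `handle(ANONYMOUS_POST, deny_biased=False)` allows what the deny-biased default refuses.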
38. What is APS Developer Edition?
“(…) is an aggregate product that aims to simplify the process of working with Axiomatics products. It is primarily intended for developers and is designed to enable a quick and easy setup of the APS environment. The Developer Edition contains the standard releases of APS and other Axiomatics software of relevance to developers in a complete, self-contained and easy-to-install package.”
For non-production use only
39. What it contains
APS components – ASM, PDP, PAP
PEP SDK for Java and ALFA packages
Sample demo application and XACML policy
Sample Eclipse projects for
  JSP demo application
  JSP PEP
  Java PEP
  ALFA
  PAP workspace
Single Tomcat for ASM, PDP and demo application
Simplified initialization and management scripts
40. What it does not contain
APS Developer Edition does not include:
  Eclipse distribution
  Java distribution
  APS Developer Resources
  Anything else not mentioned on the previous slide