2. About Me
• Director of Security Architecture at WSO2
• Leads WSO2 Identity Server – an open source identity and entitlement management product.
• Apache Axis2/Rampart committer / PMC
• A member of OASIS Identity Metasystem Interoperability (IMI) TC, OASIS eXtensible Access Control Markup Language (XACML) TC and OASIS Security Services (SAML) TC.
• Twitter : @prabath
• Email : prabath@apache.org
• Blog : http://blog.facilelogin.com
• LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
3. Discretionary Access Control (DAC) vs. Mandatory Access Control (MAC)
4. With Discretionary Access Control, the user can be the owner of the data and, at his discretion, can transfer the rights to another user.
5. With Mandatory Access Control, only designated users are allowed to grant rights, and users cannot transfer them.
6. All WSO2 Carbon based products are based on Mandatory Access Control.
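The distinction in slides 4 and 5 comes down to who may grant a right and whether a holder can pass it on. The following is an added example (not slide content and not WSO2 code) that models both rules as small in-memory stores; the users, resource path and right names are constructed for the illustration.

```python
"""DAC vs MAC grant rules as two small enforcement models.
Added illustration, not WSO2 code; users, resources and rights are constructed."""


class AccessDenied(Exception):
    """Raised when a grant is attempted by a principal the model does not allow to grant."""


class DacStore:
    """Discretionary: the resource owner holds a 'grant' right and may pass rights on
    to other users at his discretion, including the 'grant' right itself."""

    def __init__(self):
        self.rights = {}  # (user, resource) -> set of rights

    def create(self, owner, resource):
        # The creator becomes the owner and receives the full right set.
        self.rights[(owner, resource)] = {"read", "write", "grant"}

    def grant(self, granter, resource, grantee, right):
        # Only a holder of 'grant' on this resource (the owner, or a delegate) may transfer rights.
        if "grant" not in self.rights.get((granter, resource), set()):
            raise AccessDenied(f"{granter} holds no grant right on {resource}")
        self.rights.setdefault((grantee, resource), set()).add(right)

    def allowed(self, user, resource, right):
        return right in self.rights.get((user, resource), set())


class MacStore:
    """Mandatory: only designated administrators grant rights; a holder can never transfer them."""

    def __init__(self, administrators):
        self.administrators = frozenset(administrators)
        self.rights = {}  # (user, resource) -> set of rights

    def grant(self, granter, resource, grantee, right):
        # Holding a right on the resource gives no say over who else gets it.
        if granter not in self.administrators:
            raise AccessDenied(f"{granter} is not a designated grantor")
        self.rights.setdefault((grantee, resource), set()).add(right)

    def allowed(self, user, resource, right):
        return right in self.rights.get((user, resource), set())


def try_grant(store, granter, resource, grantee, right):
    """Return True if the store accepted the grant, False if the model refused it."""
    try:
        store.grant(granter, resource, grantee, right)
        return True
    except AccessDenied:
        return False


def demo():
    """Run the same grant attempts against both models; constructed principals."""
    results = {}

    dac = DacStore()
    dac.create("alice", "/docs/report")
    results["dac_owner_grants"] = try_grant(dac, "alice", "/docs/report", "bob", "read")
    # Bob has 'read' but not 'grant', so he cannot yet pass the right on.
    results["dac_bob_regrants"] = try_grant(dac, "bob", "/docs/report", "carol", "read")
    # The owner may delegate the grant right itself; after that Bob can transfer rights.
    try_grant(dac, "alice", "/docs/report", "bob", "grant")
    results["dac_bob_regrants_after_delegation"] = try_grant(dac, "bob", "/docs/report", "carol", "read")
    results["dac_carol_reads"] = dac.allowed("carol", "/docs/report", "read")

    mac = MacStore(administrators={"secadmin"})
    results["mac_admin_grants"] = try_grant(mac, "secadmin", "/docs/report", "bob", "read")
    # Under MAC a holder is never a grantor, whatever rights he has been given.
    results["mac_bob_regrants"] = try_grant(mac, "bob", "/docs/report", "carol", "read")
    results["mac_carol_reads"] = mac.allowed("carol", "/docs/report", "read")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The MAC store has no notion of ownership at all: the right set a user holds says nothing about who may extend it, which is exactly the property that makes rights non-transferable.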
7. A Group is a collection of Users, while a Role is a collection of permissions.
10. With Access Control Lists, each resource is associated with a list indicating, for each subject, the actions that the subject can exercise on the resource.
11. With Capabilities, each subject has an associated list, called a capability list, indicating, for each resource, the accesses that the user is allowed to exercise on the resource.
12. Access Control Lists are resource driven, while capabilities are subject driven.
13. With policy based access control we can have authorization policies with a fine granularity.
14. Capabilities and Access Control Lists can be dynamically derived from policies.
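Slides 10 to 14 describe ACLs and capability lists as two views of the same decisions, both derivable from a policy. The following is an added example (not from the slides and not WSO2 code) that evaluates a small attribute-based policy with deny-overrides combining and then materializes the resource-driven ACL and the subject-driven capability list from it; the users, resources, attributes and rules are constructed.

```python
"""Deriving an ACL and a capability list from one attribute-based policy.
Added illustration; the policy, users and resources are constructed, not from the slides."""
from typing import Callable, Dict, List, Set, Tuple

Attrs = Dict[str, str]
Rule = Tuple[str, Callable[[Attrs, Attrs, str], bool]]  # (effect, condition)

# Constructed sample data (assumption: not from the slides)
USERS: Dict[str, Attrs] = {
    "alice": {"role": "manager", "dept": "finance"},
    "bob":   {"role": "analyst", "dept": "finance"},
    "carol": {"role": "analyst", "dept": "sales"},
}
RESOURCES: Dict[str, Attrs] = {
    "/finance/ledger": {"dept": "finance", "sensitivity": "high"},
    "/finance/memo":   {"dept": "finance", "sensitivity": "low"},
    "/sales/forecast": {"dept": "sales",   "sensitivity": "low"},
}
ACTIONS = ("read", "write")

# Fine-grained rules over subject and resource attributes (constructed policy)
POLICY: List[Rule] = [
    # Staff may read resources belonging to their own department
    ("Permit", lambda s, r, a: a == "read" and s["dept"] == r["dept"]),
    # Managers may also write within their own department
    ("Permit", lambda s, r, a: a == "write" and s["role"] == "manager" and s["dept"] == r["dept"]),
    # High-sensitivity resources are off limits to anyone who is not a manager
    ("Deny",   lambda s, r, a: r["sensitivity"] == "high" and s["role"] != "manager"),
]


def decide(policy: List[Rule], subject: Attrs, resource: Attrs, action: str) -> str:
    """Deny-overrides combining: any matching Deny wins, then Permit, else NotApplicable."""
    effects = {effect for effect, cond in policy if cond(subject, resource, action)}
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"


def permitted_actions(policy: List[Rule], subject: Attrs, resource: Attrs) -> Set[str]:
    return {a for a in ACTIONS if decide(policy, subject, resource, a) == "Permit"}


def derive_acl(policy=POLICY, users=USERS, resources=RESOURCES):
    """Resource-driven view: for each resource, which subjects may do what."""
    acl = {}
    for res, rattrs in resources.items():
        entries = {u: permitted_actions(policy, sattrs, rattrs) for u, sattrs in users.items()}
        acl[res] = {u: acts for u, acts in entries.items() if acts}
    return acl


def derive_capabilities(policy=POLICY, users=USERS, resources=RESOURCES):
    """Subject-driven view: for each subject, which resources it may act on."""
    caps = {}
    for u, sattrs in users.items():
        entries = {res: permitted_actions(policy, sattrs, rattrs) for res, rattrs in resources.items()}
        caps[u] = {res: acts for res, acts in entries.items() if acts}
    return caps


def same_decisions(acl, caps) -> bool:
    """Both views must agree: transposing the ACL yields the capability list."""
    transposed = {}
    for res, subjects in acl.items():
        for u, acts in subjects.items():
            transposed.setdefault(u, {})[res] = acts
    return {u: c for u, c in caps.items() if c} == transposed


if __name__ == "__main__":
    print("ACL:", derive_acl())
    print("Capabilities:", derive_capabilities())
    print("Consistent:", same_decisions(derive_acl(), derive_capabilities()))
```

Because both lists are computed from the policy rather than maintained by hand, a rule change (for example lowering the ledger's sensitivity) is reflected in every ACL entry and every capability on the next derivation, which is what slide 14 means by "dynamically derived".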
15. XACML is the de facto standard for policy based access control.
16. XACML provides a reference architecture, a request response protocol and a policy language.
17. XACML Reference Architecture
Diagram components: Policy Administration Point (PAP), Policy Decision Point (PDP), Policy Store, Policy Enforcement Point (PEP), Policy Information Point (PIP).
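The reference architecture on slide 17 splits authorization into components with distinct duties: the PAP writes policies into the Policy Store, the PEP turns an access attempt into a request, the PDP evaluates the request against the stored policies, and the PIP supplies attributes the request did not carry. The following is an added example (not from the slides and not WSO2 Identity Server code) wiring those roles together in plain Python; the attribute names, user directory and policies are constructed, and the simplified target/condition/effect policy shape and deny-overrides combining are assumptions standing in for the XACML policy language.

```python
"""The XACML reference architecture roles (PAP, Policy Store, PDP, PIP, PEP) as classes.
Added illustration, not WSO2 code; policies and directory entries are constructed."""
from dataclasses import dataclass


class MissingAttribute(Exception):
    """A policy needed an attribute that neither the request nor the PIP could supply."""


@dataclass
class Policy:
    """A policy as the PAP authors it: a target, a condition and a single effect (simplified)."""
    policy_id: str
    target: dict      # attribute -> required value; decides whether the policy applies
    condition: dict   # further attribute -> required value; may need PIP lookups
    effect: str       # "Permit" or "Deny"


class PolicyStore:
    def __init__(self):
        self.policies = {}

    def put(self, policy):
        self.policies[policy.policy_id] = policy

    def all(self):
        return list(self.policies.values())


class PAP:
    """Policy Administration Point: the only component that writes to the store."""
    def __init__(self, store):
        self.store = store

    def publish(self, policy):
        self.store.put(policy)


class PIP:
    """Policy Information Point: resolves subject attributes from a directory (constructed)."""
    def __init__(self, directory):
        self.directory = directory

    def resolve(self, attr, request):
        return self.directory.get(request.get("subject-id"), {}).get(attr)


class PDP:
    """Policy Decision Point: evaluates a request against every stored policy."""
    def __init__(self, store, pip):
        self.store, self.pip = store, pip

    def evaluate(self, request):
        effects = []
        try:
            for policy in self.store.all():
                if not self._matches(policy.target, request, use_pip=False):
                    continue
                if self._matches(policy.condition, request, use_pip=True):
                    effects.append(policy.effect)
        except MissingAttribute:
            return "Indeterminate"  # an applicable policy could not be evaluated
        if "Deny" in effects:      # deny-overrides combining (assumption)
            return "Deny"
        if "Permit" in effects:
            return "Permit"
        return "NotApplicable"

    def _matches(self, attrs, request, use_pip):
        for attr, wanted in attrs.items():
            value = request.get(attr)
            if value is None and use_pip:
                value = self.pip.resolve(attr, request)  # fetch what the PEP did not send
            if value is None:
                raise MissingAttribute(attr)
            if value != wanted:
                return False
        return True


class PEP:
    """Policy Enforcement Point: builds the request and enforces the answer (default deny)."""
    def __init__(self, pdp):
        self.pdp = pdp

    def enforce(self, subject_id, resource_id, action):
        request = {"subject-id": subject_id, "resource-id": resource_id, "action-id": action}
        decision = self.pdp.evaluate(request)
        return decision == "Permit", decision  # only an explicit Permit lets the call through


def build_demo():
    """Wire the components with constructed policies and directory entries."""
    store = PolicyStore()
    pap = PAP(store)
    pap.publish(Policy("ledger-managers", {"resource-id": "/finance/ledger"},
                       {"role": "manager"}, "Permit"))
    pap.publish(Policy("ledger-no-contractor-writes",
                       {"resource-id": "/finance/ledger", "action-id": "write"},
                       {"employment": "contractor"}, "Deny"))
    directory = {  # constructed user directory behind the PIP
        "alice": {"role": "manager", "employment": "staff"},
        "dave":  {"role": "manager", "employment": "contractor"},
        "bob":   {"role": "analyst", "employment": "staff"},
    }
    return PEP(PDP(store, PIP(directory)))


if __name__ == "__main__":
    pep = build_demo()
    for who, what in [("alice", "read"), ("dave", "write"), ("bob", "read"), ("mallory", "read")]:
        print(who, what, pep.enforce(who, "/finance/ledger", what))
```

Two details are worth noting from a defender's side: the PEP treats every answer other than Permit (Deny, NotApplicable, Indeterminate) as a refusal, and an unknown subject produces Indeterminate rather than silently falling through to NotApplicable, so a broken PIP lookup never turns into an allow.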
18. XACML with Capabilities (WS-Trust)
Diagram components: Client Application, WSO2 Identity Server (STS), WSO2 Identity Server (XACML PDP, Hierarchical Resource Profile), WSO2 Application Server (SOAP Service).
Messages: SAML token request; XACML Request; XACML Response; SAML token with Authentication and Authorization Assertions (Capabilities); SAML token with Authentication and Authorization Assertion + Service Request.
19. XACML with Capabilities (WS-Trust)
Diagram components: Browser, WSO2 Identity Server (SAML2 IdP), WSO2 Identity Server (XACML PDP, Hierarchical Resource Profile), WSO2 Application Server (Web Application).
Messages: Unauthenticated Request; Redirect with SAML Request; XACML Request; XACML Response; SAML token with Authentication and Authorization Assertion (Capabilities).
20. Role Based Access Control
Diagram components: Client Application, WSO2 ESB (Policy Enforcement Point, RBAC), WSO2 Application Server (SOAP Service).
Messages: Service Request + Credentials.
21. WSO2 ESB as the XACML PEP (SOAP and REST)
Diagram components: Client Application, WSO2 ESB (Policy Enforcement Point), WSO2 Identity Server (XACML PDP), WSO2 Application Server (SOAP Service).
Messages: Service Request + Credentials; XACML Request; XACML Response.
22. XACML PEP as a Servlet Filter
Diagram components: Client Application, WSO2 Application Server (XACML Servlet Filter), WSO2 Identity Server (XACML PDP).
Messages: Service Request + Credentials; XACML Request; XACML Response.
23. OAuth + XACML
Diagram components: Client Application, API Gateway, WSO2 Identity Server (OAuth Authorization Server), WSO2 Identity Server (XACML PDP).
Messages: Access Token; Validate(); XACML Request; XACML Response.
24. Authorization with External IdPs (Role Mapping)
Diagram components: Browser, External SAML2 IdP (Salesforce), WSO2 Identity Server (mapping IdP Groups to Web App roles), WSO2 Application Server (Web Application).
Messages: Unauthenticated Request; Redirect with SAML Request; SAML token with Authentication and Attribute Assertions with IdP groups.
25. XACML Multiple Decisions and Application Specific Roles
Diagram components: Liferay Portal, WSO2 Identity Server (XACML PDP).
Messages: Login; XACML Request; XACML Response.