This document discusses XACML (eXtensible Access Control Markup Language), which is an OASIS standard for access control policy language and request/response protocol. It describes key XACML concepts like policy-based access control and attribute-based access control. The document then outlines some advantages of XACML, challenges in using it, and provides examples of how XACML can be used for real-world use cases like controlling access to SOAP/REST APIs, web applications, and databases. Specific business use cases demonstrated include X.509 certificate-based authorization, externalizing authorization for a portal, and building a centralized entitlement system.
Uncovering XACML to solve real world business use cases
1. Uncovering XACML to solve real world business use cases
Asela Pathberiya
Associate Technical Lead
2. About WSO2
๏ Global enterprise, founded in 2005 by acknowledged leaders in XML, web services technologies, standards and open source
๏ Provides only open source platform-as-a-service for private, public and hybrid cloud deployments
๏ All WSO2 products are 100% open source and released under the Apache License Version 2.0.
๏ Is an Active Member of OASIS, Cloud Security Alliance, OSGi Alliance, AMQP Working Group, OpenID Foundation and W3C.
๏ Driven by Innovation
๏ Launched first open source API Management solution in 2012
๏ Launched App Factory in 2Q 2013
๏ Launched Enterprise Store and first open source Mobile solution in 4Q 2013
4. What is in Today’s Webinar
o Introduction to Access Control & XACML
o Advantages of XACML
o Challenges with XACML
o Business use cases implemented with XACML
o Fine Grained access control for SOAP/REST APIs
o Building access control for Web applications
o Adding entitlement for enterprise data
o Building centralized entitlement system with existing legacy authorization data
6. Access Control Concepts
Policy Based Access Control
Attribute Based Access Control
Role Based Access Control
Dynamic Access Control
Fine Grained Access Control
Externalized Access Control
Standardized Access Control
Location Based Access Control
Real Time Access Control
7. Access Control Concepts
@#@^!(&%%@
We need to build an Externalized, Standardized, Policy based, Attribute based and Dynamic Authorization System….. ASAP?
11. What is XACML
o XACML stands for eXtensible Access Control Markup Language
o The standard is ratified by the OASIS standards organization
The first meeting: 21 March 2001
XACML 1.0 – OASIS Standard – 6 February 2003
XACML 2.0 – OASIS Standard – 1 February 2005
XACML 3.0 – OASIS Standard – 22 January 2013
12. XACML Core Specification
o Standardized Policy Language
o Standard way to write access control rules.
o Request/Response Protocol
o Standard way to send authorization requests and to return authorization decisions.
o Reference Architecture
o Standard components of an authorization system and how they integrate with each other.
o PDP - Policy Decision Point
o PEP - Policy Enforcement Point
o PIP - Policy Information Point
o PAP - Policy Administration Point
14. XACML Associated Profiles
o Multiple Decision Profile
o Sending multiple authorization queries in a single request and responding with multiple decisions.
o REST profile of XACML
o Standard way to communicate between PDP and PEP.
o Request/Response Interface based on JSON and HTTP (Draft)
o JSON-based request and response messages.
15. Advantages of XACML
o Externalized
o Standardized
o Policy Based
o Attribute Based
o Fine Grained
o Dynamic
16. Challenges with XACML
o XACML is too complex
o XML-based language with a lot of syntax
o Difficult to write and understand policies
o Integrating the current authorization system with XACML
o Converting existing authorization rules into XACML
o Standard extension points to integrate with
17. Challenges with XACML
o Performance Bottleneck
o PDP – PEP communication
o Boolean decision results (Permit/Deny per request)
o Questions such as "What are the resources that Bob can access?" are not answered directly
o Policy Distribution
o Large scale deployments
19. XACML for SOAP/REST Services
o Access Control for SOAP Web Service
o Fine grained down to operation and message level
o Filtering response messages
20. XACML for SOAP/REST Services
o Access Control for REST APIs
o Fine grained down to resources and HTTP methods
o Scope validation - OAuth 2.0
21. XACML Business Use Case - 1
o Use Case
o X.509 Certificate based Authentication
o Authorization for Web Service operations based on X.509 Certificate details such as CN, OU and O.
22. XACML Business Use Case - 1
o Key Challenges
o Implementing a PEP to extract data from the X.509 Certificate
o Writing XACML policies
o Managing and Updating XACML policies efficiently
o Solutions
o X.509 authentication with WSO2ESB
o WSO2ESB Entitlement Mediator as PEP
o Policy Editors in WSO2 Identity Server
o Policy References
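As an added illustration of this use case (example code, not from the WSO2 deck or products), the toy PDP below builds a request shaped like the XACML JSON profile from the CN, OU and O fields of an X.509 subject and evaluates a constructed policy with the deny-overrides rule-combining algorithm. It collapses XACML Targets and Conditions into plain equality matches; the "urn:example:" attribute ids and the PayrollService policy are invented for the example.

```python
# Added example (not from the WSO2 deck): a toy XACML-style PDP. It builds a
# JSON-profile-shaped request from X.509 subject fields (CN, OU, O) and
# evaluates a constructed deny-overrides policy. "urn:example:" ids are made up.
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
OU_ID = "urn:example:x509:OU"   # constructed attribute id for the cert OU
O_ID = "urn:example:x509:O"     # constructed attribute id for the cert O

# Constructed policy for PayrollService: Finance staff of Example Corp may call
# any operation, but deleteRecords is denied to everyone (deny overrides permit).
POLICY = {
    "Target": {RESOURCE_ID: "PayrollService"},
    "RuleCombiningAlg": "deny-overrides",
    "Rules": [
        {"Effect": "Permit", "Match": {OU_ID: "Finance", O_ID: "Example Corp"}},
        {"Effect": "Deny", "Match": {ACTION_ID: "deleteRecords"}},
    ],
}

def build_request(cert_subject, resource, action):
    """PEP side: map the cert's CN/OU/O into JSON-profile categories."""
    def attrs(pairs):
        return {"Attribute": [{"AttributeId": k, "Value": v} for k, v in pairs]}
    return {"Request": {
        "AccessSubject": attrs([(SUBJECT_ID, cert_subject["CN"]),
                                (OU_ID, cert_subject["OU"]), (O_ID, cert_subject["O"])]),
        "Resource": attrs([(RESOURCE_ID, resource)]),
        "Action": attrs([(ACTION_ID, action)]),
    }}

def evaluate(policy, request):
    """PDP side: check the policy Target, then combine rule effects."""
    ctx = {a["AttributeId"]: a["Value"]
           for cat in request["Request"].values() for a in cat["Attribute"]}
    if any(ctx.get(k) != v for k, v in policy["Target"].items()):
        return "NotApplicable"          # policy does not apply to this resource
    effects = [r["Effect"] for r in policy["Rules"]
               if all(ctx.get(k) == v for k, v in r["Match"].items())]
    if "Deny" in effects:               # deny-overrides: any matching Deny wins
        return "Deny"
    return "Permit" if "Permit" in effects else "NotApplicable"

def decide(cert_subject, resource, action):
    """Full PEP -> PDP round trip; the response mirrors the JSON profile shape."""
    req = build_request(cert_subject, resource, action)
    return {"Response": [{"Decision": evaluate(POLICY, req)}]}
```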
24. XACML for Web Applications
o The presentation layer differs depending on the authenticated user
25. XACML for Web Applications
o Multiple Decision Profile
o Hierarchical Resource Profile
26. XACML Business Use Case - 2
o Use Case
o Externalized Authorization system for Liferay Portal
o Authorized menu items, images and links are shown to authenticated users
o ABAC using the existing OpenDJ user store
o Reusing the authorization system for Web Service and API access control
28. XACML Business Use Case - 2
o Key Challenges
o Implementing PEP for Liferay Portal
o Performance with XACML
o Writing & Managing XACML policies
o Solutions
o Liferay handler as PEP
o Thrift Protocol for improving PDP – PEP communication
o Caching at PEP level
o Custom built PAP with Policy Editor
30. XACML for Data Entitlement
o Filtering data access at the database level
31. XACML for Data Entitlement
o Filtering data returned from the database
32. XACML for Data Entitlement
o Modifying input parameters before data is retrieved
33. XACML Business Use Case - 3
o Use Case
o Access Control for Web Application
o Authorized data must be filtered from a large number of database entries
o Key Challenges
o Performance of PEP-PDP communication
o Performance of filtering data from a large number of database entries
34. XACML Business Use Case - 3
o Solutions
o De-centralized PDP
o OSGi service level communication
o Modifying SQL queries based on authorization decisions
38. XACML Business Use Case - 4
o Use Case
o Centralized management for access control
o Retiring legacy authorization systems
o Externalized and Standardized approaches
o Large scale deployment
o Key Challenges
o Integrating with legacy authorization data
o Policy generation with existing data
o Performance
o Policy distribution
o Auditing
39. XACML Business Use Case - 4
o Solutions
o Policy generation tools
o Policy information points for integrations
o Thrift Protocol for improving PDP – PEP communication
o Policy distribution patterns
o Policy notifications
o Policy reverse search for auditing