Worried about who's getting access to your app? Sprinkle in XACML and get access control that is context-aware, externalized and dynamic.
Need to add more than basic access control to your application? Existing authorization frameworks have their pros and cons, but they are typically quite limited. This talk will introduce XACML, the eXtensible Access Control Markup Language, an authorization standard from OASIS that defines fine-grained access control based on attributes. XACML enables much more dynamic authorization that focuses not only on the user but also on the resource, the action, and the context: it is both policy-based and attribute-based access control.
The talk will then look at how XACML can be used to apply authorization business rules to any Java application and even beyond (.NET, Ruby...). This is known as “any-breadth authorization”. XACML also enables consistent authorization across multiple layers (presentation tier, web tier, business tier, and data tier): it becomes possible to apply the same authorization logic in a JSF page as in a JDBC connection. This is known as “any-depth authorization”.
During the talk, we will look at live examples of applications using XACML. For instance, we will demonstrate the use of XACML and Java servlets, JAX-WS web services, and APIs as a whole. Attendees will also be able to write their own XACML policies, provided they download the ALFA plugin for Eclipse, an add-on for XACML policy authoring.
In January 2013, XACML 3.0 was approved as a formal standard and there are several implementations available (open-source, free, and commercial) for developers to get started. The talk will illustrate how developers can leverage XACML to quickly apply authorization to new and existing applications. After this session, you will easily be able to add standards-based authorization to your application - and simplify your life!
Authorization - it's not just about who you are
1. Authorization…
It’s not just about who you are
David Brossard, @davidjbrossard
Product Manager Axiomatics AB
Member of the OASIS XACML Technical Committee
2. Axiomatics 2
What’s authorization?
“The authorization function determines whether a particular entity is authorized to perform a given activity, typically inherited from authentication when logging on to an application or service.”
3. What happens when authorization isn’t done right?
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
• New York City Health & Hospitals Corporation releases electronic health records (1 700 000)
• Citi exposes details of 150,000 individuals who went into bankruptcy (150 000)
• Facebook’s Download Your Information releases too much information about your contacts (6 000 000)
4. Authorization is that necessary evil developers must do
“But I want to do app development, Daddy…”
“You will secure your app first, my son…”
5. But we, developers, hate spending time on security
Time spent developing an application: business logic 80%, security 20%
* And no this isn’t PacMan
6. So how do developers do it today?
{nothing} {application frameworks} {home-grown}
10. So how do you handle additional information?
Context, Location, Relationship, Classification, Parent, Delegation, Guardian, IP address, Device, Pattern, Behavior, Risk, Clearance, Employment, Citizenship, Time, Intellectual Property, Export Control
11. Authorization should really be about…
Who? What? When? Where? How? Why?
Welcome to… Attribute-based Access Control
Credits: all icons from the Noun Project | Invisible: Andrew Cameron | Box: Martin Karachorov | Wrench: John O'Shea | Clock: Brandon Hopkins
12. What’s an attribute?
• An identifier, e.g. citizenship
• A datatype, e.g. string
• A category / object it describes, e.g. the user, the resource
14. Behold XACML!
eXtensible Access Control Markup Language
An OASIS standard
The de facto standard for fine-grained access control
Current version: 3.0
XACML defines:
• A policy language
• A request / response scheme
• An architecture
15. Three key points of XACML
• Policy-based: use policies to describe and implement complex AuthZ
• Attribute-based: an attribute consists of an identifier, a datatype, and a value
• Technology-neutral: apply XACML to Java, .NET, and more
16. XACML Architecture Flow
• Enforce: Policy Enforcement Point (PEP)
• Decide: Policy Decision Point (PDP)
• Support: Policy Information Point (PIP), Policy Retrieval Point (PRP)
• Manage: Policy Administration Point (PAP)
Flow: Alice asks to access Document #123. The PEP intercepts the request and asks the PDP: “Can Alice access Document #123?”. The PDP loads the XACML policies (from the PRP), retrieves the user’s role and clearance and the document’s classification (from the PIP), and answers: “Yes, Permit”. The PEP then lets the access to Document #123 through.
19. Language Elements of XACML: 3 structural elements
• PolicySet
• Policy
• Rule
Root: either a PolicySet or a Policy
PolicySets contain any number of PolicySets & Policies
Policies contain Rules
Rules contain an Effect: Permit / Deny
Combining Algorithms are used to resolve conflicts between rules (and, within a PolicySet, between policies)
21. Language Structure: Russian dolls
PolicySet, Policy & Rule can contain Targets, Obligations and Advice
Rules can contain Conditions
PolicySet [Target, Obligation]
  └ Policy [Target, Obligation]
      └ Rule, Effect=Permit [Target, Condition, Obligation]
22. The one question that matters in XACML
Can Manager Alice approve Purchase Order 12367?
Yes, she can!
23. Structure of a XACML Request / Response
XACML Request: Can Manager Alice approve Purchase Order 12367?
• Subject: User id = Alice; Role = Manager
• Action: Action id = approve
• Resource: Resource type = Purchase Order; PO # = 12367
• Environment: Device Type = Laptop
XACML Response: Yes, she can
• Result: Decision = Permit; Status = ok
The core XACML specification does not define any specific transport / communication protocol:
- Developers can choose their own.
- The SAML profile defines a binding to send requests/responses over SAML assertions.
25. Sample Scenario – a CRM use case
A customer representative of a large financial organization needs to access customer data.
The compliance manager, the application owner, and the chief security officer agree on certain “rules”:
• No one can access data outside office hours
• Customer reps can view accounts in their region
• Our customers can blacklist some of our employees
• Customer reps cannot work on family accounts
26. XACML lets you define and group policies
Sample policies
• No one can access data outside office hours
• Customer reps can view accounts in their region
• Customer reps cannot work on family accounts
• Our customers can blacklist some of our employees
Note
• XACML lets you define negative and positive rules
• XACML can use any number of attributes
• XACML can combine policies together and define conflict resolutions
• Policies are usually generic but can also be user-specific
27. The example reworked
Overall policy: access customer record
DENY if time < 9am OR time > 5pm
DENY if employee.location!=customer.location
DENY if customer.id belongs to employee.family
ALLOW access
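The following is an added example, not code from the slides, from Axiomatics or from any XACML implementation: a miniature PDP in Python that models the structural elements of slides 19 and 21 (Policy with a Target, Rules with an Effect and a Condition, a combining algorithm), the request/response shape of slide 23 (attributes grouped by subject, action, resource and environment; a Decision plus a Status), and the reworked CRM policy of slide 27. Everything in it is this example's own: the class names, the attribute identifiers (real XACML uses URNs), the simplified deny-overrides (the extended Indeterminate{D}/{P}/{DP} values of XACML 3.0 are collapsed into one), the constructed customer directory that plays the PIP, and the assumption that the "customer's location" of the slide is an attribute of the resource. It also shows the point the speaker notes raise about the location constraint: if the request does not carry the customer's location and no PIP can supply it, the honest answer is Indeterminate with a missing-attribute status, not Permit.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

# The four decisions a XACML PDP can return
PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"

class MissingAttribute(Exception):
    """A policy referenced an attribute that neither the request nor a PIP could supply."""

class Request:
    """Attributes grouped by XACML category; an optional PIP callable fills gaps on demand."""
    def __init__(self, pip: Optional[Callable] = None, **categories):
        self.categories = categories
        self.pip = pip  # pip(category, identifier, request) -> value or None

    def attr(self, category: str, identifier: str):
        value = self.categories.get(category, {}).get(identifier)
        if value is None and self.pip is not None:
            value = self.pip(category, identifier, self)
        if value is None:
            raise MissingAttribute(f"{category}.{identifier}")
        return value

@dataclass
class Rule:
    rule_id: str
    effect: str  # PERMIT or DENY
    condition: Callable[[Request], bool] = lambda req: True

    def evaluate(self, req: Request) -> str:
        try:
            return self.effect if self.condition(req) else NOT_APPLICABLE
        except MissingAttribute:
            return INDETERMINATE  # the PDP cannot tell, and says so rather than guessing

def deny_overrides(decisions: List[str]) -> str:
    """Simplified deny-overrides: Deny wins, then Indeterminate, then Permit.
    XACML 3.0's extended Indeterminate{D}/{P}/{DP} values are collapsed into one here."""
    for d in (DENY, INDETERMINATE, PERMIT):
        if d in decisions:
            return d
    return NOT_APPLICABLE

@dataclass
class Policy:
    policy_id: str
    target: Callable[[Request], bool]  # does the policy apply to this request at all?
    rules: List[Rule]
    combine: Callable[[List[str]], str] = deny_overrides

    def evaluate(self, req: Request) -> str:
        try:
            if not self.target(req):
                return NOT_APPLICABLE
        except MissingAttribute:
            return INDETERMINATE
        return self.combine([rule.evaluate(req) for rule in self.rules])

def decide(policy: Policy, req: Request) -> dict:
    """The response: a Decision plus a Status (ok, or missing-attribute on Indeterminate)."""
    decision = policy.evaluate(req)
    return {"Decision": decision, "Status": "ok" if decision != INDETERMINATE else "missing-attribute"}

# Slide 27's policy. Attribute identifiers are this example's own, not standard XACML URNs.
customer_record_policy = Policy(
    policy_id="access-customer-record",
    target=lambda r: r.attr("action", "action-id") == "access"
    and r.attr("resource", "resource-type") == "customer record",
    rules=[
        Rule("office-hours", DENY, lambda r: r.attr("environment", "hour") < 9 or r.attr("environment", "hour") > 17),
        Rule("own-region", DENY, lambda r: r.attr("subject", "location") != r.attr("resource", "customer-location")),
        Rule("no-family", DENY, lambda r: r.attr("resource", "customer-id") in r.attr("subject", "family")),
        Rule("allow", PERMIT),
    ],
)

CUSTOMER_DIRECTORY = {"12367": "EMEA", "99001": "APAC"}  # constructed PIP data

def customer_pip(category: str, identifier: str, req: Request):
    """Toy PIP: resolves a customer's location from its id, as an LDAP or database PIP would."""
    if category == "resource" and identifier == "customer-location":
        return CUSTOMER_DIRECTORY.get(req.attr("resource", "customer-id"))
    return None

def crm_request(hour=10, location="EMEA", customer_location="EMEA", customer_id="12367",
                family=(), action="access", resource_type="customer record", pip=None) -> Request:
    """Constructed sample request: customer rep Alice wants to access a customer record."""
    resource = {"resource-type": resource_type, "customer-id": customer_id}
    if customer_location is not None:
        resource["customer-location"] = customer_location
    subject = {"user-id": "alice", "role": "customer-rep", "location": location, "family": set(family)}
    return Request(pip, subject=subject, action={"action-id": action}, resource=resource,
                   environment={"hour": hour})

if __name__ == "__main__":
    for label, req in [("in hours, own region", crm_request()),
                       ("after hours", crm_request(hour=19)),
                       ("other region", crm_request(customer_location="APAC")),
                       ("family account", crm_request(family={"12367"})),
                       ("location unknown, no PIP", crm_request(customer_location=None)),
                       ("location via PIP", crm_request(customer_location=None, pip=customer_pip)),
                       ("unrelated resource", crm_request(resource_type="invoice"))]:
        print(f"{label:26} -> {decide(customer_record_policy, req)}")
```

Two things worth noticing when running it. A request for an unrelated resource gets NotApplicable (the Target does not match), which is different from Deny: a PEP that treats NotApplicable as Permit has a hole. And the order of the DENY rules does not matter under deny-overrides; it would under first-applicable, which is why the combining algorithm is part of the policy, not of the PEP.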
28. Implement the policies using ALFA
ALFA plugin for Eclipse
Add-on to the Eclipse IDE
Write XACML using a pseudo-code called ALFA – the Axiomatics Language for Authorization
Free download from www.axiomatics.com
Hands-on demo
30. Use the same enforcement SDK across all your apps
XACML Enforcement Point SDK
31. Example: use Java Servlet Filters
Protect Java web apps

import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;
public class ServletPEP implements Filter {
    @Override
    public void init(FilterConfig config) throws ServletException {
        // PDP location and attribute mapping come from the filter's init-params in web.xml
    }
    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        // Build a XACML request from the user (subject), the HTTP method (action) and
        // the URL (resource), send it to the PDP, and enforce the decision: fail closed.
        boolean permitted = false; // replace with "PDP decision == Permit"
        if (permitted) {
            chain.doFilter(request, response);
        } else {
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }
    @Override
    public void destroy() {
    }
}
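The same interceptor pattern written out as an added example, not code from the slides or from the Axiomatics SDK: a PEP as WSGI middleware in Python (the slides say later that the architecture carries over to Python and others). Every name here is hypothetical, and `toy_pdp` is a constructed stand-in for the real PDP client so the block runs offline. The security point it makes is the one a servlet filter PEP has to get right as well: the PEP maps the HTTP request onto the four XACML categories, and anything other than an explicit Permit (Deny, but also NotApplicable and Indeterminate) results in a 403.

```python
from typing import Callable, Tuple

PDPClient = Callable[[dict], dict]  # XACML request (dict) -> {"Decision": ..., "Status": ...}

class XacmlEnforcementMiddleware:
    """PEP as WSGI middleware: map the HTTP request onto XACML categories, ask the PDP,
    and let only an explicit Permit reach the application."""
    def __init__(self, app, pdp: PDPClient):
        self.app = app
        self.pdp = pdp  # hypothetical PDP client; a real one talks to the PDP over the wire

    @staticmethod
    def build_request(environ: dict) -> dict:
        """Subject = authenticated principal, action = HTTP method, resource = path."""
        return {"subject": {"user-id": environ.get("REMOTE_USER")},
                "action": {"action-id": environ["REQUEST_METHOD"]},
                "resource": {"resource-id": environ.get("PATH_INFO", "/")},
                "environment": {"client-ip": environ.get("REMOTE_ADDR")}}

    def __call__(self, environ, start_response):
        decision = self.pdp(self.build_request(environ)).get("Decision")
        if decision == "Permit":
            return self.app(environ, start_response)
        # Deny, NotApplicable and Indeterminate all end here: only Permit is a permission.
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"Forbidden"]

def toy_pdp(req: dict) -> dict:
    """Stand-in PDP (constructed): any authenticated user may GET /accounts/*; a request
    with no subject id cannot be evaluated; everything else is simply not covered."""
    if req["subject"]["user-id"] is None:
        return {"Decision": "Indeterminate", "Status": "missing-attribute"}
    if req["action"]["action-id"] == "GET" and req["resource"]["resource-id"].startswith("/accounts/"):
        return {"Decision": "Permit", "Status": "ok"}
    return {"Decision": "NotApplicable", "Status": "ok"}

def business_app(environ, start_response):
    """The protected application: it never sees a request the PEP refused."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"account data for " + environ["PATH_INFO"].encode()]

def call(app, method: str, path: str, user=None) -> Tuple[str, bytes]:
    """Drive a WSGI app in-process with a constructed environ; returns (status, body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "REMOTE_ADDR": "10.0.0.5"}
    if user is not None:
        environ["REMOTE_USER"] = user
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"] = status
    body = b"".join(app(environ, start_response))
    return captured["status"], body

protected_app = XacmlEnforcementMiddleware(business_app, toy_pdp)

if __name__ == "__main__":
    for method, path, user in [("GET", "/accounts/12367", "alice"),
                               ("DELETE", "/accounts/12367", "alice"),
                               ("GET", "/accounts/12367", None)]:
        print(method, path, user, "->", call(protected_app, method, path, user))
```

Because the middleware is wired in front of the application rather than inside it, the authorization logic lives in the PDP's policies and the application code stays free of it, which is the configuration-based approach the later slides argue for.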
32. Example: use JAX-WS interceptors
Protect Java web services
Can be applied inbound and outbound
Inspect the payload of the messages
Also applicable to JAX-RS services

// Inside a javax.xml.ws.handler.soap.SOAPHandler<SOAPMessageContext> implementation
/*
 * (non-Javadoc)
 * @see javax.xml.ws.handler.Handler#handleMessage(javax.xml.ws.handler.MessageContext)
 */
public boolean handleMessage(SOAPMessageContext context) {
    boolean outbound = (Boolean) context.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY);
    // Inspect context.getMessage() (the SOAP payload) to identify the operation and its
    // arguments, build a XACML request and ask the PDP; inbound protects the call,
    // outbound (outbound == true) can filter what the response carries back.
    boolean permitted = false; // replace with "PDP decision == Permit"
    return permitted;          // false stops normal processing of the message
}
33. Example: use AOP – annotations
Example: a Student Management Service
Create, grade, and delete students
Apply the @XacmlEnforcementPoint annotation
Annotate the POJOs with @XacmlAttribute

public interface StudentService {
    @XacmlEnforcementPoint
    Student createStudent();
}

class Student {
    @XacmlAttribute
    String name;
    @XacmlAttribute
    Integer age;
}
34. Other areas
Spring Security
JAAS integration
JSP taglibs
JMS
Can you name any?
Goal: provide a unified, standardized way of applying fine-grained authorization across multiple applications
35. XACML simplifies authorization management
The authorization logic is externalized into XACML policies
You no longer need to hard-code it in Java
If the authorization logic changes, update the policies, not the application
Strive for configuration-based authorization
E.g. via interceptors (servlet filters, JAX-WS handlers)
Configure the handlers using the target framework’s config files (e.g. web.xml)
36. XACML saves you time
Before: business logic 80%, security 20%
After: business logic 95%, security 5%
37. Beyond Java
Apply the same architectural approach and XACML policies to .NET, Perl, Python, Ruby, business apps, and more!
39. Just a spoonful of XACML makes…
• Consolidated authorization: write once, enforce everywhere
• Enhanced security: consistent authorization enforcement
• Business enabler: expose data and APIs to new customers
• Compliance: implement legal frameworks
40. Do you want to chip in?
OASIS XACML TC
https://www.oasis-open.org/committees/xacml/
Online resources
http://www.xacml.eu
Once upon a time, access control was about who you were. What mattered was your identity or perhaps your role or group. But today, access control should be more about what you represent, what you want to do, what you want to access, for which purpose, when, where, how, and why…
Policy Enforcement Point: In the XACML architecture, the PEP is the component in charge of intercepting business messages and protecting targeted resources by requesting an access control decision from a policy decision point and enforcing that decision. PEPs can embrace many different form factors depending on the type of resource being protected.

Policy Decision Point: The PDP sits at the very core of the XACML architecture. It implements the XACML standard and evaluation logic. Its purpose is to evaluate access control requests coming in from the PEP against the XACML policies read from the PRP. The PDP then returns a decision: either Permit, Deny, Not Applicable, or Indeterminate.

Policy Retrieval Point: The PRP is one of the components that support the PDP in its evaluation process. Its only purpose is to act as a persistence layer for XACML policies. It can therefore take many forms such as a database, a file, or a web service call to a remote repository.

Policy Information Point: XACML is a policy-based language which uses attributes to express rules & conditions. Attributes are bits of information about a subject, resource, action, or context describing an access control situation. Examples of attributes are a user id, a role, a resource URI, a document classification, the time of the day, etc… In its evaluation process, the PDP may need to retrieve additional attributes. It turns to PIPs where attributes are stored. Examples of PIPs include corporate user directories (LDAP…), databases, UDDIs… The PDP may for instance ask the PIP to look up the role of a given user.

Policy Administration Point: The PAP’s purpose is to provide a management interface administrators can use to author policies and control their lifecycle.
Need to clarify the location constraint. Permit is assuming that Alice's location == 12367's location.