Apply fine-grained authorization to Java MVC applications

N-tier applications can be challenging from a security perspective. Security policies affect the user interface as well as the business layer and even the data layer. Users should only be presented with the UIs and widgets that their permissions make relevant, and at the same time the underlying business objects must be protected. Externalizing authorization lets architects and developers move security policies out of the code and into a common layer or authorization service. With the rise of the eXtensible Access Control Markup Language (XACML), a policy-based, multi-factor authorization language, it has become easy to define and apply rich authorization policies. Still, how do you efficiently ensure that one single policy is applied across all your MVC layers?

In this webinar we will discuss:
- An end-to-end scenario
- Policies and enforcement strategies for UIs
- Business objects
- The data tier.

We will also explain how you apply XACML-driven authorization via:
- Java annotations and aspect-oriented programming
- SQL filtering
- Checks on the presentation tier.

  • Feel free to ask questions via Twitter or GoToWebinar

    1. Webinar: Apply fine-grained authorization to Java MVC apps
    2. Webinar: Apply fine-grained authorization to Java MVC apps (this webinar will start in: ...)
    3. Guidelines
       - You are muted centrally
       - The webinar is recorded
       - Slides available for download
       - Q&A at the end
    4. Twitter: @axiomatics #XACML #MVC #Java
    5. Speakers & Agenda
       - Today's speakers: Andreas Sjöholm, Saravana Kumar Sankaramoorthy, David Brossard
       - What's fine-grained authorization?
       - A note on XACML
       - Apply fine-grained authorization to an MVC app: presentation tier, business tier, data tier
       - Today's use case: Acme, a car retailer
    6. What is fine-grained authorization? Fine-grained & externalized authorization
    7. Today's business challenge
       - Businesses are more dynamic
       - The will/need to share is more important
         - Provide better service / care
       - The amount of data is increasing
         - Everything is electronic, from health records to book reviews
       - Consuming patterns are evolving
         - Consumers are going mobile
    8. Introducing eXternalized authorization
       - Gartner: "Externalized Authorization Management"
       - Centralized
       - Decoupled from your applications' business logic
       - Policy-based
       - Multi-factor & fine-grained: who? what? when? where? why? how?
       - Standardized: XACML
    9. Any-depth authorization
    10. Behold XACML!
       - eXtensible Access Control Markup Language
       - An OASIS standard; the de facto standard for fine-grained access control
       - Current version: 3.0
       - XACML defines a policy language, a request/response scheme, and an architecture
    11. Three key points of XACML
       - Policy-based: use policies to describe and implement complex AuthZ
       - Attribute-based: an attribute consists of an identifier, datatype, and value
       - Technology-neutral: apply XACML to Java, .NET, and more
    12. More on eXternalized authorization
       - Check out the Axiomatics webinar (speaker: Srijith Nair, @srijith)
       - YouTube: http://www.youtube.com/watch?v=kH0ewXlIFHY
       - SlideShare: http://www.slideshare.net/Axiomatics/protect-yourapplications-and-apis-with-externalized-authorization
    13. Fine-grained authorization in the presentation tier
    14. Challenge
       - Users should only be presented with the relevant UI
       - For instance, controls should be enabled/disabled depending on user permissions
       - Use fine-grained authorization to deliver the best UX possible
    15. Approach
       - Use widget properties
       - Use JSP tags
       - Use templates
       - Use obligations and advice to help the user
         - Example: tell the user why they cannot approve a PO
         - Example: implement a 2-factor authentication flow
       - Use the Axiomatics Policy Server (enterprise authorization server)
    16. Fine-grained authorization in the business tier: using annotations and aspect orientation
    17. Challenge
       - Security seen as a hindrance
       - Authorization code is often mixed with application code
       - Authorization is often poorly implemented, if at all
    18. Approach
       - Use filters and interceptors on APIs
       - Use aspect-oriented programming (AOP) to inject authorization behavior into the business logic
       - Use the Axiomatics Policy Server (enterprise authorization server)
    19. Introducing aspects
       - First there was Object Orientation (OO): static models
       - Aspect Oriented Programming makes OO dynamic
         - Cross-cutting concerns
         - Provides advice at certain points
         - Non-intrusive to boilerplate code
       - XACML and AOP fit nicely together: let a PDP provide decisions to handle authorization concerns
       - AOP implementations: AspectJ (the one used here), Spring AOP
    20. Axiomatics XACML AOP
       - Adds fine-grained authorization to Java code
       - Supports legacy applications with minimal intrusion
       - Using it we can
         - Invoke the PDP at various well-defined places
         - Avoid touching source code
         - Filter returned objects via obligations
         - Let the UI adapt to the security context
         - Attach to other frameworks to collect attributes (Spring...)
         - Auto-generate application-specific documentation for policy authors (attribute ontologies) based on source code
    21. Fine-grained authorization in the data tier
    22. Challenge
       - Control access to data stored in databases
       - The data is not known a priori
       - Traditional XACML does not scale to millions of records
    23. Approach
       - Integrate with the database
       - Parse the SQL statement
       - Augment the SQL statement with a filter (WHERE clause)
       - Use the Axiomatics Data Access Filter
         - New in October 2013
         - Delivers row-level data filtering for Oracle databases
    24. A Java MVC demo: the "Car demo"
    25. The use case
       - Acme Inc. is a used-car retailer: it buys and sells vehicles
       - Acme Inc. is a highly distributed company with stores across the 50 states
       - Acme Inc. wants to make sure only the right employees buy and sell vehicles at the right price
       - Acme Inc. wants a smooth experience for employees and customers alike
       - Acme Inc. also wants to go mobile
         - Offer mobile applications for its employees
         - Deliver better value to their customers
    26. The architecture (diagram): a Java web app on Apache Tomcat; the presentation tier authenticates against a user directory (JAAS); the business tier retrieves data via JPA
    27. Apply authorization to the Java architecture (diagram): the same stack, with Axiomatics and Oracle VPD added
    28. Sample authorization logic (multi-factor authorization)
       - Authorization requirements
         - Users in purchasing can view the purchasing menu
         - Users in purchasing can create purchase orders in their region
         - Managers in purchasing can approve purchase orders up to their approval limit
         - Policies about functions, data, and widgets...
       - Attributes
         - User: role, department, approval limit, location
         - Resource: type, location, amount
         - Action: action-id (view, create, edit)
         - Context: time of the day...
    29. Structure your authorization (diagram): Purchasing -> View; Create (same region); Approve (same region & approval limit)
    30. Code deep-dive: the presentation tier
       - In this demo, we control the menu
       - The menu is written in Java and JavaScript using jQuery
       - Let's write some JSP if/else to control which parts of the menu are rendered
       - Note: consider using JSF or a presentation framework; you can then use widget properties to enable/disable or show/hide the widgets
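The "Use JSP tags" and "obligations and advice" items of slide 15 applied to the menu of slide 30, as an added example: this is not code from the deck or from Axiomatics. The `PdpClient` and `AuthzResult` types, the `pdpClient` application-scope attribute, the tag's attribute names and the `authz` prefix are assumptions; registering the tag needs a TLD entry that is not shown.

```java
package demo.authz.web; // hypothetical package for this added example

import java.io.IOException;
import java.security.Principal;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.jsp.JspException;
import javax.servlet.jsp.PageContext;
import javax.servlet.jsp.tagext.JspFragment;
import javax.servlet.jsp.tagext.SimpleTagSupport;

/** PDP answer: the decision plus any advice the policy attached ("Approval limit exceeded"). */
final class AuthzResult {
    final boolean permit;
    final String advice;            // may be null when the policy returned no advice
    AuthzResult(boolean permit, String advice) { this.permit = permit; this.advice = advice; }
}

/** Minimal PDP client contract (hypothetical); the real one would talk to the Policy Server. */
interface PdpClient {
    AuthzResult evaluate(String subject, String action, String resource);
}

/**
 * Custom JSP tag: renders its body only when the PDP returns Permit, otherwise exposes the
 * policy's advice as a page-scope variable so the page can tell the user why the widget is missing.
 */
public class PermittedTag extends SimpleTagSupport {
    private String action;
    private String resource;
    private String adviceVar;       // optional: name of the page variable that receives the advice

    public void setAction(String action) { this.action = action; }
    public void setResource(String resource) { this.resource = resource; }
    public void setAdviceVar(String adviceVar) { this.adviceVar = adviceVar; }

    @Override
    public void doTag() throws JspException, IOException {
        PageContext ctx = (PageContext) getJspContext();
        // Subject comes from the container's authenticated principal (JAAS on slide 26),
        // never from a request parameter or cookie the browser could set itself.
        Principal p = ((HttpServletRequest) ctx.getRequest()).getUserPrincipal();
        String subject = p == null ? "anonymous" : p.getName();
        // Lookup is deployment-specific; an application-scope attribute is assumed here.
        PdpClient pdp = (PdpClient) ctx.getServletContext().getAttribute("pdpClient");
        if (pdp == null) throw new JspException("no PDP client configured; failing closed");

        AuthzResult r = pdp.evaluate(subject, action, resource);
        JspFragment body = getJspBody();
        if (r.permit) {
            if (body != null) body.invoke(null);   // render the protected fragment into the page
        } else if (adviceVar != null) {
            ctx.setAttribute(adviceVar, r.advice == null ? "Not permitted" : r.advice);
        }
        // Hiding a widget improves UX only; the business tier must enforce the same policy.
    }
}
```

In the menu JSP the tag replaces the if/else: `<authz:permitted action="view" resource="purchasing-menu" adviceVar="why"><li><a href="/purchasing">Purchasing</a></li></authz:permitted>`, followed by `<c:if test="${not empty why}"><c:out value="${why}"/></c:if>` to show the advice. The advice text is written through `c:out` because it originates in the policy store, not in the page, and should be HTML-escaped like any other external data.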
    31. Code deep-dive: use AOP & annotations
       - Apply the @XacmlEnforcementPoint annotation:

             public interface VehicleService {
                 @XacmlEnforcementPoint
                 Order createPurchaseOrder();
             }

       - Annotate the POJOs with @XacmlAttribute:

             class PurchaseOrder {
                 @XacmlAttribute String identifier;
                 @XacmlAttribute Double amount;
             }
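To show what these two annotations do at runtime (slides 18 and 19 describe the idea), here is an added annotation-style AspectJ example. It is not the Axiomatics XACML AOP library, whose annotations, attribute collection and PDP client are its own. The `Pdp` interface, the `Decision` enum, the `CurrentUser` thread-local, the `action` and `id` annotation elements and the `location` field are assumptions, and `createPurchaseOrder` is given a parameter so the aspect has an object to read attributes from.

```java
package demo.authz.aop; // hypothetical package for this added example

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Field;
import java.util.HashMap;
import java.util.Map;

import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.reflect.MethodSignature;

// Stand-ins for the two annotations named on the slide; the Axiomatics library ships its own.
@Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
@interface XacmlEnforcementPoint { String action() default ""; }

@Retention(RetentionPolicy.RUNTIME) @Target(ElementType.FIELD)
@interface XacmlAttribute { String id() default ""; }

enum Decision { PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE }

/** Minimal PDP contract (hypothetical); a real PEP would build an XACML 3.0 request here. */
interface Pdp { Decision evaluate(Map<String, Object> attributes); }

/** Subject lookup is deployment-specific; a thread-local filled by the login filter is assumed. */
final class CurrentUser {
    static final ThreadLocal<String> NAME = new ThreadLocal<>();
}

/** Annotated POJO as on the slide: its fields become XACML resource attributes. */
class PurchaseOrder {
    @XacmlAttribute(id = "resource-id") String identifier;
    @XacmlAttribute(id = "amount") Double amount;
    @XacmlAttribute(id = "location") String location;   // assumed field, used by "same region" rules
}

@Aspect
public class XacmlEnforcementAspect {
    private final Pdp pdp;
    public XacmlEnforcementAspect(Pdp pdp) { this.pdp = pdp; }

    /** Wraps every call to a method carrying @XacmlEnforcementPoint; 'pep' binds the annotation. */
    @Around("@annotation(pep)")
    public Object enforce(ProceedingJoinPoint pjp, XacmlEnforcementPoint pep) throws Throwable {
        MethodSignature sig = (MethodSignature) pjp.getSignature();
        Map<String, Object> request = new HashMap<>();
        request.put("subject-id", CurrentUser.NAME.get());
        request.put("action-id", pep.action().isEmpty() ? sig.getName() : pep.action());
        for (Object arg : pjp.getArgs()) {          // every @XacmlAttribute on every argument
            if (arg != null) collectAttributes(arg, request);
        }
        Decision d = pdp.evaluate(request);
        if (d != Decision.PERMIT) {
            // Fail closed: NotApplicable and Indeterminate block the call exactly like Deny.
            throw new SecurityException(sig.toShortString() + " denied: " + d);
        }
        return pjp.proceed();                       // Permit: run the business method unchanged
    }

    /** Reads the annotated fields of one argument into the request map (field name as fallback id). */
    static void collectAttributes(Object bean, Map<String, Object> into) {
        for (Field f : bean.getClass().getDeclaredFields()) {
            XacmlAttribute a = f.getAnnotation(XacmlAttribute.class);
            if (a == null) continue;
            f.setAccessible(true);
            try {
                into.put(a.id().isEmpty() ? f.getName() : a.id(), f.get(bean));
            } catch (IllegalAccessException e) {
                throw new IllegalStateException("cannot read attribute " + f.getName(), e);
            }
        }
    }
}

/** Service interface as on the slide, given a parameter so the PEP has resource attributes to read. */
interface VehicleService {
    @XacmlEnforcementPoint(action = "create")
    PurchaseOrder createPurchaseOrder(PurchaseOrder draft);
}
```

The same pointcut works under Spring AOP, with the aspect registered as a bean; under plain AspectJ the class is woven at compile or load time, which is what lets an existing service keep its source untouched apart from the annotation.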
    32. Code deep-dive: Oracle VPD integration
       - Configure the Java web app to pass down the client information
       - Configure VPD to reach out to the Data Access Filter
       - VPD appends the produced WHERE clause to the original SQL statement
       - Diagram: (1) the user views purchase orders in the Java web app; (2) the app issues SELECT * FROM purchaseOrders; (3) Oracle VPD appends WHERE location='AZ'
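The Java side of step 1 on this slide (passing the client information down), as an added example that is not the deck's demo code or the Data Access Filter. It assumes a `javax.sql.DataSource` for the Oracle database and that a VPD policy function (registered with `DBMS_RLS.ADD_POLICY`, Oracle-side configuration not shown) reads the session's client identifier and returns the filter predicate of step 3; the `purchaseOrders` table and its `identifier` column are the slide's.

```java
package demo.authz.data; // hypothetical package for this added example

import java.sql.CallableStatement;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

import javax.sql.DataSource;

/**
 * Data-tier DAO for the car demo. The application never appends the WHERE clause itself:
 * it identifies the caller to the database session (step 1), issues the plain query (step 2),
 * and Oracle VPD adds the predicate produced by the Data Access Filter (step 3).
 */
public class PurchaseOrderDao {
    private final DataSource ds;
    public PurchaseOrderDao(DataSource ds) { this.ds = ds; }

    /** 'authenticatedUser' must be the container's principal name, not a value from the request. */
    public List<String> listPurchaseOrderIds(String authenticatedUser) throws SQLException {
        List<String> ids = new ArrayList<>();
        try (Connection c = ds.getConnection()) {
            setSessionUser(c, authenticatedUser);
            try (PreparedStatement ps = c.prepareStatement("SELECT identifier FROM purchaseOrders");
                 ResultSet rs = ps.executeQuery()) {
                while (rs.next()) ids.add(rs.getString(1));   // rows already filtered by VPD
            } finally {
                // Pooled connection: clear the identity so the next borrower cannot inherit it.
                clearSessionUser(c);
            }
        }
        return ids;
    }

    /** Step 1: hand the authenticated principal to Oracle as the session's client identifier. */
    static void setSessionUser(Connection c, String user) throws SQLException {
        try (CallableStatement cs = c.prepareCall("{call DBMS_SESSION.SET_IDENTIFIER(?)}")) {
            cs.setString(1, user);   // bound parameter: the name is data, never SQL text
            cs.execute();
        }
    }

    static void clearSessionUser(Connection c) throws SQLException {
        try (CallableStatement cs = c.prepareCall("{call DBMS_SESSION.CLEAR_IDENTIFIER}")) {
            cs.execute();
        }
    }
}
```

Two points a practitioner checks here: the identifier is set from the authenticated principal, because the policy function trusts it when building the predicate; and it is cleared before the connection returns to the pool, otherwise the next request on that connection would be filtered as the previous user.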
    33. Other areas
       - Spring Security
       - JAAS integration
       - JSP taglibs
       - JMS
       - Can you name any?
       - Goal: provide a unified, standardized way of applying fine-grained authorization across multiple applications
    34. eXternalized authorization
       - Simpler management: the authorization logic is externalized into XACML policies
       - You no longer need to write Java code; if the authorization logic changes, update the policies
       - Strive for configuration-based authorization, e.g. via interceptors (servlet filters, JAX-WS handlers)
       - Configure the handlers using the target framework's config files (e.g. web.xml)
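A servlet-filter interceptor of the kind slide 34 recommends, added as an example; it is not code from the deck or from Axiomatics. The `Pdp` interface and the `pdp` application-scope attribute are assumptions, and the web.xml fragment in the class comment is the only configuration the filter needs.

```java
package demo.authz.web; // hypothetical package for this added example

import java.io.IOException;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Minimal PDP contract (hypothetical); a real filter would send an XACML 3.0 request. */
interface Pdp { boolean permits(Map<String, String> request); }

/**
 * Configuration-based enforcement: no business code changes, only a web.xml entry:
 *
 *   <filter>
 *     <filter-name>xacml</filter-name>
 *     <filter-class>demo.authz.web.XacmlFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>xacml</filter-name>
 *     <url-pattern>/purchasing/*</url-pattern>
 *   </filter-mapping>
 */
public class XacmlFilter implements Filter {
    private Pdp pdp;

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        // Lookup is deployment-specific; an application-scope attribute is assumed here.
        pdp = (Pdp) cfg.getServletContext().getAttribute("pdp");
        if (pdp == null) throw new ServletException("no PDP configured; refusing to start open");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        if (pdp.permits(buildRequest(http))) {
            chain.doFilter(req, res);               // Permit: continue to the servlet or JSP
        } else {
            // Deny by default, including when the PDP is unreachable (permits() returns false).
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }

    /** Maps the HTTP call onto XACML subject / action / resource attributes. */
    static Map<String, String> buildRequest(HttpServletRequest http) {
        Map<String, String> r = new HashMap<>();
        Principal p = http.getUserPrincipal();      // set by container authentication (JAAS)
        r.put("subject-id", p == null ? "anonymous" : p.getName());
        r.put("action-id", http.getMethod().toLowerCase());
        // Use the container-decoded servlet path as the resource, not the raw request URI.
        r.put("resource-id", http.getServletPath());
        return r;
    }

    @Override
    public void destroy() { }
}
```

Changing which URLs are protected is then a web.xml edit and changing who may reach them is a policy edit; the filter class itself does not carry any rule.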
    35. eXternalized authorization saves time (chart): before, 80% business logic and 20% security; after, 95% business logic and 5% security
    36. Beyond Java: apply the same architectural approach and XACML policies to .NET, Perl, Python, Ruby, business apps, and more!
    37. The Axiomatics XACML Developers Website
       - Community for XACML developers
       - Technical blog
       - Download code samples
       - Understand policy modeling
       - XACML Reference Library (functions, data types...)
       - Download the ALFA plugin for Eclipse
    38. Upcoming events
       - Gartner IAM Summit, Los Angeles, Nov. 18th-20th
       - InfoSec Financial, London, Nov 19th and 20th
    39. Questions? Contact us at info@axiomatics.com. © 2013 Axiomatics AB
