Apply fine-grained authorization to Java MVC applications
N-tier applications can be challenging from a security perspective. Security policies impact the user interface as well as the business layer and even the data layer. Users should only be presented with relevant UIs and widgets based on their permissions. At the same time, the underlying business objects should also be protected. Externalizing authorization lets architects and developers move security policies out of the code into a common layer or authorization service. With the rise of the eXtensible Access Control Markup Language (XACML), a policy-based, multi-factor authorization language, it has become easy to define and apply rich authorization policies. Still, how do you efficiently ensure that one single policy can be applied across all your M-V-C layers?

In this webinar we will discuss:
- An end-to-end scenario
- Policies and enforcement strategies for UIs
- Business objects
- The data tier.

We will also explain how you apply XACML-driven authorization via:
- Java annotations and aspect-oriented programming
- SQL filtering
- Checks on the presentation tier.

Presentation Transcript

  • Webinar: Apply fine-grained authorization to Java MVC apps
  • Webinar: Apply fine-grained authorization to Java MVC apps (this webinar will start in:)
  • Guidelines: you are muted centrally; the webinar is recorded; slides are available for download; Q&A at the end.
  • Twitter: @axiomatics #XACML #MVC #Java
  • Speakers & Agenda. Today's speakers: Andreas Sjöholm, Saravana Kumar Sankaramoorthy, David Brossard. Agenda: What's fine-grained authorization? A note on XACML. Apply fine-grained authorization to an MVC app: presentation tier, business tier, data tier. Today's use case: Acme, a car retailer.
  • What is fine-grained authorization? Fine-grained & Externalized Authorization
  • Today's business challenge: businesses are more dynamic; the will/need to share is more important; provide better service / care; the amount of data is increasing; everything is electronic, from health records to book reviews; consuming patterns are evolving; consumers are going mobile.
  • Introducing eXternalized authorization (Gartner: "Externalized Authorization Management"): centralized; decoupled from your applications' business logic; policy-based; multi-factor & fine-grained; standardized: XACML. Who? What? When? Where? Why? How?
  • Any-Depth Authorization
  • Behold XACML! eXtensible Access Control Markup Language: an OASIS standard; the de facto standard for fine-grained access control; current version: 3.0. XACML defines a policy language, a request / response scheme, and an architecture.
  • Three key points of XACML: policy-based (use policies to describe and implement complex AuthZ); attribute-based (an attribute consists of an identifier, datatype, and value); technology-neutral (apply XACML to Java, .NET, and more).
  • More on eXternalized Authorization: check out the Axiomatics webinar. Speaker: Srijith Nair (@srijith). YouTube: http://www.youtube.com/watch?v=kH0ewXlIFHY SlideShare: http://www.slideshare.net/Axiomatics/protect-yourapplications-and-apis-with-externalized-authorization
  • Fine-grained authorization in the presentation tier
  • Challenge: users should only be presented with the relevant UI; for instance, controls should be enabled/disabled depending on user permissions; use fine-grained authorization to deliver the best UX possible.
  • Approach: use widget properties; use JSP tags; use templates; use obligations and advice to help the user (example: tell the user why they cannot approve a PO; example: implement a 2-factor authentication flow); use the Axiomatics Policy Server (enterprise authorization server).
  • Fine-grained authorization in the business tier: using annotations and aspect orientation
  • Challenge: security is seen as a hindrance; authorization code is often mixed with application code; authorization is often poorly implemented, if at all.
  • Approach: use filters and interceptors on APIs; use aspect-oriented programming (AOP) to inject authorization behavior into the business logic; use the Axiomatics Policy Server (enterprise authorization server).
  • Introducing Aspects. First there was Object Orientation (OO): static models. Aspect Oriented Programming makes OO dynamic: cross-cutting concerns; provides Advice at certain Points; non-intrusive to boilerplate code. XACML and AOP fit nicely together: let a PDP provide decisions to handle authorization concerns. AOP implementations: AspectJ (the one used here), Spring AOP.
  • Axiomatics XACML AOP: adds fine-grained authorization to Java code; supports legacy applications with minimal intrusion. Using it we can: invoke the PDP at various well-defined places; avoid touching source code; filter returned objects via obligations; let the UI adapt to the security context; attach to other frameworks to collect attributes (Spring...); auto-generate application-specific documentation to be used by policy authors (attribute ontologies) based on source code.
  • Fine-grained authorization in the data tier
  • Challenge: control access to data stored in databases; the data is not known a priori; traditional XACML does not scale to millions of records.
  • Approach: integrate with the database; parse the SQL statement; augment the SQL statement with a filter (WHERE clause); use the Axiomatics Data Access Filter (new in October 2013; delivers row-level data filtering for Oracle databases).
  • A Java MVC Demo: the "Car demo"
  • The use case: Acme Inc. is a used-car retailer; Acme Inc. buys and sells vehicles; Acme Inc. is a highly-distributed company with stores across the 50 states; Acme Inc. wants to make sure only the right employees buy and sell vehicles at the right price; Acme Inc. wants a smooth experience for employees and customers alike; Acme Inc. also wants to go mobile (offer mobile applications for its employees; deliver better value to their customers).
  • The architecture (diagram): a Java Web-App on Apache Tomcat with a presentation tier and a business tier; users authenticate (JAAS) against a user directory; data is retrieved via JPA.
  • Apply authorization to the Java architecture (diagram): the same architecture (JAAS authentication against the user directory, presentation tier, business tier, data retrieved via JPA, Java Web-App on Apache Tomcat) with Axiomatics and Oracle VPD added.
  • Sample authorization logic. Authorization requirements: users in purchasing can view the purchasing menu; users in purchasing can create purchase orders in their region; managers in purchasing can approve purchase orders up to their approval limit; policies about functions, data, and widgets... Attributes: User: role, department, approval limit, location. Resource: type, location, amount. Action: action-id (view, create, edit). Context: time of the day... Multi-factor authorization.
  • Structure your authorization (diagram): Purchasing: View; Create (same region); Approve (same region & approval limit).
  • Code deep-dive: the presentation tier. In this demo, we control the menu; the menu is written in Java and JavaScript using jQuery; let's write some JSP if/else to control which parts of the menu are rendered. Note: consider using JSF or a presentation framework; you can then use widget properties to enable/disable and show/hide the widgets.
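Added example (not the webinar's demo code, which the slides do not reproduce): instead of hard-coding JSP if/else blocks, the menu below asks a PDP for a view decision per entry and uses the advice that accompanies a deny to explain a disabled entry to the user, as the presentation-tier approach slide suggests. The Pdp interface, the DemoPdp policy, resource identifiers such as menu:purchasing and the two sample users are assumptions constructed here; a real deployment would replace DemoPdp with a client for the Axiomatics Policy Server. Records require Java 16 or later.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

// Added example (not the webinar's demo code): the menu asks a PDP which entries the
// current user may see instead of using JSP if/else blocks. Pdp and DemoPdp are
// stand-ins for the Axiomatics Policy Server; items, attribute names and users are
// constructed for this example.
public class MenuAuthorization {

    /** Outcome of one evaluation: the decision plus optional advice for the user. */
    public record Decision(boolean permit, String advice) {}

    /** Minimal policy decision point contract (an assumption, not a vendor API). */
    public interface Pdp {
        Decision decide(Map<String, String> subject, String resourceId, String actionId);
    }

    /** A menu entry bound to the resource and action it exposes. */
    public record MenuItem(String label, String resourceId, String actionId) {}

    /** Toy policy encoding the webinar's purchasing requirements (example only). */
    public static class DemoPdp implements Pdp {
        @Override
        public Decision decide(Map<String, String> subject, String resourceId, String actionId) {
            boolean inPurchasing = "purchasing".equals(subject.get("department"));
            boolean manager = "manager".equals(subject.get("role"));
            if (!"view".equals(actionId)) {
                return new Decision(false, "Only view decisions are modelled here");
            }
            switch (resourceId) {
                case "menu:purchasing":
                    return inPurchasing ? new Decision(true, null)
                            : new Decision(false, "Only the purchasing department can see this menu");
                case "menu:purchasing:approve":
                    return inPurchasing && manager ? new Decision(true, null)
                            : new Decision(false, "Approving purchase orders requires a purchasing manager");
                default:
                    return new Decision(false, null); // deny by default: no policy applies
            }
        }
    }

    /**
     * Builds the HTML list items for one user. Permitted items render normally; denied
     * items that carry advice render disabled with the advice as a tooltip (the
     * "tell the user why" pattern); denied items without advice are hidden entirely.
     */
    public static List<String> renderMenu(Pdp pdp, Map<String, String> subject, List<MenuItem> items) {
        List<String> html = new ArrayList<>();
        for (MenuItem item : items) {
            Decision d = pdp.decide(subject, item.resourceId(), item.actionId());
            if (d.permit()) {
                html.add("<li>" + escape(item.label()) + "</li>");
            } else if (d.advice() != null) {
                html.add("<li class=\"disabled\" title=\"" + escape(d.advice()) + "\">"
                        + escape(item.label()) + "</li>");
            }
        }
        return html;
    }

    /** Advice text comes from policy, not from the page template, so escape it before output. */
    static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;").replace("\"", "&quot;");
    }

    public static void main(String[] args) {
        List<MenuItem> menu = List.of(
                new MenuItem("Purchasing", "menu:purchasing", "view"),
                new MenuItem("Approve purchase orders", "menu:purchasing:approve", "view"),
                new MenuItem("Sales", "menu:sales", "view"));
        Pdp pdp = new DemoPdp();
        Map<String, String> clerk = Map.of("department", "purchasing", "role", "clerk");
        Map<String, String> manager = Map.of("department", "purchasing", "role", "manager");
        System.out.println("clerk:   " + renderMenu(pdp, clerk, menu));
        System.out.println("manager: " + renderMenu(pdp, manager, menu));
    }
}
```

In a JSP or JSF page the template would iterate over the list that renderMenu returns rather than embedding the policy in scriptlet conditions, so a change to who sees the purchasing menu is a policy change, not a template change. Hiding a widget is a usability measure only: the business-tier and data-tier checks still have to run for every request, since a client can submit the form the UI did not show.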
  • Code deep-dive: use AOP & annotations. Apply the @XacmlEnforcementPoint annotation:
        public interface VehicleService {
            @XacmlEnforcementPoint
            Order createPurchaseOrder();
        }
    Annotate the POJOs with @XacmlAttribute:
        class PurchaseOrder {
            @XacmlAttribute String identifier;
            @XacmlAttribute Double amount;
        }
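The following is an added example written for this page, not the Axiomatics XACML AOP library: a hand-written AspectJ aspect that implements the pattern the two AOP slides describe, with @XacmlEnforcementPoint methods consulting a PDP before they run and the @XacmlAttribute fields of their arguments collected into the request. The annotation definitions, the Pdp contract, SubjectContext, the location field added to PurchaseOrder and the VehicleServiceImpl class are assumptions made here; the aspect needs aspectjrt on the classpath and compile-time or load-time weaving to fire.

```java
import java.lang.annotation.*;
import java.lang.reflect.Field;
import java.util.*;
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.reflect.MethodSignature;

// Added example, not the Axiomatics XACML AOP library: an AspectJ aspect that makes
// @XacmlEnforcementPoint methods consult a PDP before running and turns the
// @XacmlAttribute fields of their arguments into request attributes. The annotation
// definitions, Pdp and SubjectContext are assumptions made for this example.

@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
@interface XacmlEnforcementPoint {
    String action() default ""; // action-id sent to the PDP; defaults to the method name
}

@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.FIELD)
@interface XacmlAttribute {
    String value() default ""; // attribute id; defaults to the field name
}

/** Minimal PDP contract: a flat attribute map in, permit or deny out. */
interface Pdp {
    boolean permit(Map<String, Object> request);
}

/** Attributes of the authenticated caller on this thread (filled in after JAAS login). */
final class SubjectContext {
    private static final ThreadLocal<Map<String, Object>> CURRENT = ThreadLocal.withInitial(HashMap::new);
    static Map<String, Object> current() { return CURRENT.get(); }
}

@Aspect
public class XacmlEnforcementAspect {
    static Pdp pdp; // wired at startup; a real deployment would call the Axiomatics PDP here

    // execution() only sees the annotation on the implementing method (Java does not inherit
    // method annotations from interfaces); to match an annotation placed on the interface
    // method, as on the slide, use a call() pointcut instead.
    @Around("execution(@XacmlEnforcementPoint * *(..))")
    public Object enforce(ProceedingJoinPoint pjp) throws Throwable {
        MethodSignature sig = (MethodSignature) pjp.getSignature();
        XacmlEnforcementPoint ep = sig.getMethod().getAnnotation(XacmlEnforcementPoint.class);
        if (!pdp.permit(buildRequest(ep, sig.getName(), pjp.getArgs()))) {
            throw new SecurityException("PDP denied " + sig.getName()); // deny by default
        }
        return pjp.proceed();
    }

    /** Collects subject, action and resource attributes for one invocation. */
    static Map<String, Object> buildRequest(XacmlEnforcementPoint ep, String method, Object[] args)
            throws IllegalAccessException {
        Map<String, Object> request = new HashMap<>();
        SubjectContext.current().forEach((k, v) -> request.put("subject." + k, v));
        request.put("action.action-id", ep.action().isEmpty() ? method : ep.action());
        for (Object arg : args) {
            if (arg == null) continue;
            for (Field f : arg.getClass().getDeclaredFields()) {
                XacmlAttribute a = f.getAnnotation(XacmlAttribute.class);
                if (a == null) continue;
                f.setAccessible(true);
                request.put("resource." + (a.value().isEmpty() ? f.getName() : a.value()), f.get(arg));
            }
        }
        return request;
    }

    // Stand-alone check of request building and policy; with weaving enabled, calling
    // VehicleServiceImpl.approvePurchaseOrder() goes through enforce() automatically.
    public static void main(String[] args) throws Exception {
        // Policy: purchasing managers may approve orders in their region up to their limit.
        pdp = r -> "purchasing".equals(r.get("subject.department"))
                && "manager".equals(r.get("subject.role"))
                && "approve".equals(r.get("action.action-id"))
                && Objects.equals(r.get("subject.location"), r.get("resource.location"))
                && (Double) r.get("resource.amount") <= (Double) r.get("subject.approval-limit");
        SubjectContext.current().putAll(Map.<String, Object>of(
                "department", "purchasing", "role", "manager", "location", "AZ", "approval-limit", 10000.0));
        XacmlEnforcementPoint ep = VehicleServiceImpl.class
                .getMethod("approvePurchaseOrder", PurchaseOrder.class).getAnnotation(XacmlEnforcementPoint.class);
        for (PurchaseOrder po : new PurchaseOrder[] {
                new PurchaseOrder("PO-1", 5000.0, "AZ"), new PurchaseOrder("PO-2", 50000.0, "AZ") }) {
            Map<String, Object> req = buildRequest(ep, "approvePurchaseOrder", new Object[] { po });
            System.out.println(po.identifier + " permit=" + pdp.permit(req));
        }
    }
}

/** The POJO from the slide, extended with the location attribute the policy needs. */
class PurchaseOrder {
    @XacmlAttribute String identifier;
    @XacmlAttribute Double amount;
    @XacmlAttribute String location;
    PurchaseOrder(String identifier, Double amount, String location) {
        this.identifier = identifier; this.amount = amount; this.location = location;
    }
}

class VehicleServiceImpl {
    @XacmlEnforcementPoint(action = "approve")
    public String approvePurchaseOrder(PurchaseOrder po) {
        return "approved " + po.identifier;
    }
}
```

Two points worth checking in any aspect of this shape: the pointcut must actually match the methods you think it does (annotations on interface methods are not inherited by implementations, so an execution() pointcut on the interface annotation silently enforces nothing), and a PDP error or a missing attribute must end in a deny, which is why enforce() only proceeds on an explicit permit.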
  • Code deep-dive: Oracle VPD integration. Configure the Java web app to pass down the client information; configure VPD to reach out to the Data Access Filter; VPD appends the produced WHERE clause to the original SQL statement. Flow (diagram): 1. View purchase orders (Java Web-App); 2. SELECT * FROM purchaseOrders (Oracle VPD); 3. WHERE location='AZ'.
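Added example, not the Axiomatics Data Access Filter or Oracle VPD: a small in-process Java filter that does what the slide's flow shows VPD doing, taking the application's SELECT statement and appending a policy-derived WHERE clause. It differs from the VPD flow in that attribute values are passed as JDBC bind parameters instead of being inlined into the predicate text, and it handles an existing WHERE clause and trailing ORDER BY / GROUP BY / LIMIT clauses. The Predicate and FilteredQuery types and the sample statements are constructed here, and the rewriting is regex-based rather than a real SQL parse.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

// Added example, not the Axiomatics Data Access Filter: appends policy-derived predicates
// to a SELECT as a WHERE clause, binding attribute values as parameters rather than
// splicing them into the SQL text. Types and sample statements are constructed here.
public final class RowLevelFilter {

    /** One policy-derived predicate: an SQL fragment with '?' placeholders and its bind values. */
    public record Predicate(String sql, List<Object> params) {}

    /** The rewritten statement and its bind values in placeholder order. */
    public record FilteredQuery(String sql, List<Object> params) {}

    private static final Pattern SELECT = Pattern.compile("^\\s*SELECT\\b", Pattern.CASE_INSENSITIVE);
    private static final Pattern WHERE = Pattern.compile("\\bWHERE\\b", Pattern.CASE_INSENSITIVE);
    // Clauses that must stay after the (augmented) WHERE clause.
    private static final Pattern TAIL = Pattern.compile(
            "\\b(GROUP\\s+BY|HAVING|ORDER\\s+BY|FETCH\\s+FIRST|LIMIT|FOR\\s+UPDATE)\\b",
            Pattern.CASE_INSENSITIVE);

    /**
     * Returns sql with every predicate AND-ed in. An existing WHERE condition is wrapped
     * in parentheses so an OR in the original query cannot escape the filter. Regex-based:
     * it assumes the first WHERE belongs to the outer query; derived tables in FROM need
     * a real SQL parser, which is what a database-side integration relies on.
     */
    public static FilteredQuery apply(String sql, List<Predicate> predicates) {
        if (!SELECT.matcher(sql).find() || sql.contains(";")) {
            throw new IllegalArgumentException("only single SELECT statements are filtered");
        }
        if (predicates.isEmpty()) {
            return new FilteredQuery(sql, List.of());
        }
        Matcher tail = TAIL.matcher(sql);
        int cut = tail.find() ? tail.start() : sql.length();
        String head = sql.substring(0, cut).trim(); // SELECT ... FROM ... [WHERE ...]
        String rest = sql.substring(cut).trim();    // ORDER BY ..., LIMIT ..., or empty

        String filter = predicates.stream().map(p -> "(" + p.sql() + ")")
                .collect(Collectors.joining(" AND "));
        List<Object> params = new ArrayList<>();
        predicates.forEach(p -> params.addAll(p.params()));

        StringBuilder out = new StringBuilder();
        Matcher where = WHERE.matcher(head);
        if (where.find()) {
            String existing = head.substring(where.end()).trim();
            out.append(head, 0, where.end()).append(" (").append(existing).append(") AND ").append(filter);
        } else {
            out.append(head).append(" WHERE ").append(filter);
        }
        if (!rest.isEmpty()) {
            out.append(' ').append(rest);
        }
        return new FilteredQuery(out.toString(), params);
    }

    public static void main(String[] args) {
        // Predicate a PDP would derive for a user whose location attribute is "AZ".
        List<Predicate> byRegion = List.of(new Predicate("location = ?", List.of("AZ")));
        System.out.println(apply("SELECT * FROM purchaseOrders", byRegion));
        System.out.println(apply(
                "SELECT id FROM purchaseOrders WHERE amount > 1000 OR status = 'draft' ORDER BY id",
                byRegion));
    }
}
```

The returned sql goes to a PreparedStatement and the params list is bound in order, which keeps the subject's location attribute out of the SQL text entirely; the slide's WHERE location='AZ' is the same predicate with the value inlined, which is acceptable inside VPD because the value comes from the session context rather than from user input. Parenthesising the original condition matters: without it, WHERE amount > 1000 OR status = 'draft' AND location = ? would apply the region filter to the second branch only.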
  • Other areas: Spring Security; JAAS integration; JSP taglibs; JMS; can you name any? Goal: provide a unified, standardized way of applying fine-grained authorization across multiple applications.
  • eXternalized Authorization: simpler management. The authorization logic is externalized into XACML policies; you no longer need to write Java code; if the authorization logic changes, update the policies. Strive for configuration-based authorization, e.g. via interceptors (servlet filters, JAX-WS handlers); configure the handlers using the target framework's config files (e.g. web.xml).
  • eXternalized Authorization saves time (chart). Before: 80% business logic, 20% security. After: 95% business logic, 5% security.
  • Beyond Java: apply the same architectural approach and XACML policies to .NET, Perl, Python, Ruby, business apps, and more!
  • The Axiomatics XACML Developers Website: community for XACML developers; technical blog; download code samples; understand policy modeling; XACML Reference Library (functions, data types...); download the ALFA plugin for Eclipse.
  • Upcoming events: Gartner IAM Summit, Los Angeles, Nov. 18th – 20th; InfoSec Financial, London, Nov 19th and 20th.
  • Questions? Contact us at info@axiomatics.com. © 2013 Axiomatics AB