CIS14: Baking Fine-Grained Authorization Into Your Apps and APIs using ALFA, REST, and JSON

Next-generation access control is undergoing a bit of an identity crisis. Some call it eXternalized Authorization Management, others Dynamic Access Control and still others just refer to it as Attribute Based Access Control (ABAC). Until now, XACML and ABAC have been the two pillars supporting next-gen AuthZ. Gartner predicts that 70% of enterprises will adopt ABAC by 2020.

  1. Why lasagna is better than spaghetti
     Building authorization into your apps, APIs, and DB using JSON, REST & ALFA
     © Axiomatics 2014 - @axiomatics
  2. Before we begin, a little draw
     Drop in your card at the Axiomatics booth for a chance to win a Bose bluetooth speaker
  3. A little history of pasta
     Meet Sally. And her precious one. And so lasagna kicked spaghetti out.
  4. Doesn't your code feel like spaghetti? (if/then/else mixology)
  5. A little history of access control
     Based on: Hilbert and Lopez, 2011
     [Chart: timeline 1986-2007 showing the rise of DAC, MAC, RBAC and ABAC as stored information grows from ~0.7% digital to ~93% digital; increasing access control challenges]
  6. What's Our Secret Ingredient?
     Attributes… Attributes… Attributes…
  7. Attribute-Based Access Control
     Who… What… Where… When… Why… How…
     Attributes can describe everything (not just who)
  8. The Secret Sauce? Policy-Based Access Control
     Centralized… Easy to audit… eXtensible… Standardized… Attribute-based…
  9. XACML – eXtensible Access Control Markup Language = ABAC + PBAC
  10. XACML supports Schrödinger's cat (Paul Madsen's)
  11. Bake in layers
     Authorization at the right place: Business tier… API tier… Data tier… Web app tier… Presentation tier…
  12. Bake once, enjoy everywhere
     Presentation Tier, API & WS Tier, Business Tier and Data Tier all call one eXternalized Authorization Service
  13. How does Chef Gebel take it to the next level?
     "I use ALFA, 100% XACML. I use JSON and REST too – easy on the developers."
  14. THE ALFA PLUGIN FOR ECLIPSE
     Authorization's KitchenAid
  15. What's ALFA
     •  Abbreviated Language for Authorization
     •  OASIS
        –  Axiomatics language donated to OASIS XACML
        –  In the process of standardization
     •  Goals
        –  Makes XACML policies easier to write
        –  Simplifies XACML structure
        –  Enhances possibilities
     •  Audience
        –  Aimed at developers initially
        –  Very popular with business analysts
  16. What's the ALFA plugin?
     •  Add-on to Eclipse, the popular IDE
     •  Lets you write ALFA easily
        –  Auto-complete
        –  Syntax checking
        –  Syntax coloring
     •  Converts ALFA into XACML 3.0 policies on the fly
     •  Lets you test your policies
     Available for free from Axiomatics
  17. An example: the insurance use case
     •  Authorization requirement
        –  A customer can view his/her own policies and the policies of a spouse that are not marked as private
     •  Identify the attributes
        –  User type; action; policy owner; policy private flag; spouse; object type; user identity
     •  Rework the rule
        –  A user with type==customer can do action==view on object of type==policy…
           •  if and only if policyOwner == userId or,
           •  if and only if policyPrivateFlag==false && policy.owner==user.spouse
     •  Implement in ALFA
  18. THE JSON PROFILE OF XACML
     Delicious & Healthy
  19. Objectives
     •  Lightweight notation
     •  Get rid of the verboseness of XML
     •  Easy to write
     •  Broader support for languages (JS, Python…)
     •  Remove the XACML / XML redundancy
     •  Infer certain things e.g. datatypes
  20. The JSON Profile - Basics
     •  The profile is a close mirror of the XML XACML request / response
     •  It is possible to omit information and use inference
        –  Reasonable defaults
        –  E.g. String is not specified.
     •  Default category names
        –  AccessSubject, Resource, Action, Environment
  21. Example in HTML/Javascript
        <script type="text/javascript">
        // Build a JSON-profile request object by hand: Request > category > Attribute[]
        var jsonRequest = new Object();
        jsonRequest.Request = new Object();
        jsonRequest.Request.AccessSubject = new Object();
        // Each attribute carries an AttributeId and a Value; DataType is inferred (string)
        var userId = new Object();
        userId.AttributeId = "userId";
        userId.Value = "John";
        var role = new Object();
        role.AttributeId = "role";
        role.Value = "manager";
        // jsonRequest.Request.AccessSubject.Attribute is the list of subject attributes
        jsonRequest.Request.AccessSubject.Attribute = [userId, role];
        </script>
  22. Size of a XACML request
     [Bar charts comparing the same request in XML vs JSON: word count (0-50 scale) and character count (0-1400 scale); JSON is smaller on both]
  23. THE REST PROFILE OF XACML
     The perfect way to serve your lasagna
  24. Why a "REST" profile?
     •  No standard transport protocol in XACML core
     •  Different implementations have different SOAP wrappings
     •  SOAP in itself is losing in popularity
     •  Provide easy means to send authorization request
  25. Posting the JSON Request in Javascript
        var xmlHttp = null;
        function authorize() {
          // The JSON-profile request is read as text from a textarea in the page
          var xacmlRequest = document.getElementById("xacmlrequest").value;
          var Url = "https://localhost:5443/axio/authorize";
          xmlHttp = new XMLHttpRequest();
          xmlHttp.onreadystatechange = ProcessRequest;
          xmlHttp.withCredentials = true;
          xmlHttp.open("POST", Url, false);
          xmlHttp.setRequestHeader("Accept", "application/xacml+json");
          xmlHttp.setRequestHeader("Content-Type", "application/xacml+json");
          // Demo PEP credentials (HTTP Basic); a real deployment keeps these out of browser code
          xmlHttp.setRequestHeader("Authorization", "Basic cGVwOnBhc3N3b3Jk");
          // Parse then re-serialize so the body is the JSON object itself, not a quoted string
          xmlHttp.send(JSON.stringify(JSON.parse(xacmlRequest)));
        }
        function ProcessRequest() {
          if (xmlHttp.readyState === 4 && xmlHttp.status === 200) {
            // JSON-profile response: {"Response":[{"Decision":"Permit"}]}
            var decision = JSON.parse(xmlHttp.responseText).Response[0].Decision;
            console.log("PDP decision: " + decision);
          }
        }
  26. And now, let's bake!
  27. Ok, so it's time to wrap up
  28. Forget spaghetti. Whip up lasagna! (Sorry Sergio Leone)
     REST + ALFA + JSON: a recipe for success
     Don't forget to pair the pasta with an elegant wine. Ask @ggebel, our head sommelier, for recommendations.
  29. Summary
     EAM – eXternalized Authorization Management: the act of cleanly separating business logic from authorization logic and maintaining each one independently
     ABAC – Attribute-based access control: an authorization model whereby parameters about the user, resource, action, and environment can be used to determine access
     PBAC – Policy-based access control: an authorization model which uses attributes combined together inside policies to define granted or denied access
     XACML – eXtensible Access Control Markup Language: the standard implementation of ABAC and PBAC, done by OASIS
  30. References
     •  REST profile of XACML
     •  JSON profile of XACML
     •  ALFA profile of XACML
     Available on the OASIS XACML TC website: oasis-open.org/committees/tc_home.php?wg_abbrev=xacml
  31. Thanks to everyone (grazie a tutti e tutte)
     David Brossard
     Axiomatics – the leaders in ABAC & PBAC
     @davidjbrossard, @axiomatics, http://developers.axiomatics.com
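The insurance rule from slide 17, evaluated against a request in the shape of the JSON profile from slides 20-21, as an added example that is not the deck's or Axiomatics' code. The attribute ids (userId, userType, spouse, actionId, objectType, policyOwner, policyPrivateFlag) and the tiny in-process decision function are assumptions for illustration; a real PEP would POST the request to a PDP as on slide 25.

```javascript
// Added example (not from the slides). Attribute ids below are assumed
// names for the insurance use case, not identifiers defined by XACML.

// Build a JSON-profile request using the profile's default category names.
function buildRequest(user, action, policy) {
  return { Request: {
    AccessSubject: { Attribute: [
      { AttributeId: "userId", Value: user.id },
      { AttributeId: "userType", Value: user.type },
      { AttributeId: "spouse", Value: user.spouse },
    ] },
    Action: { Attribute: [{ AttributeId: "actionId", Value: action }] },
    Resource: { Attribute: [
      { AttributeId: "objectType", Value: "policy" },
      { AttributeId: "policyOwner", Value: policy.owner },
      { AttributeId: "policyPrivateFlag", Value: policy.isPrivate },
    ] },
  } };
}

// Look up one attribute value in a category; undefined when absent.
function attr(category, id) {
  var list = (category && category.Attribute) || [];
  var hit = list.find(function (a) { return a.AttributeId === id; });
  return hit ? hit.Value : undefined;
}

// Toy PDP for the slide-17 rule: a customer may view a policy they own, or a
// spouse's policy that is not marked private. Anything else is denied.
function decide(req) {
  var s = req.Request.AccessSubject, r = req.Request.Resource;
  var act = req.Request.Action;
  var applies = attr(s, "userType") === "customer" &&
    attr(act, "actionId") === "view" && attr(r, "objectType") === "policy";
  if (!applies) return "NotApplicable";            // rule does not target this request
  var owner = attr(r, "policyOwner");
  if (owner === undefined) return "Indeterminate"; // required attribute is missing
  if (owner === attr(s, "userId")) return "Permit";
  var spouse = attr(s, "spouse");
  if (attr(r, "policyPrivateFlag") === false && spouse !== undefined &&
      owner === spouse) return "Permit";
  return "Deny";
}

// Wrap a decision in the JSON-profile response shape a PEP receives back.
function respond(decision) { return { Response: [{ Decision: decision }] }; }

// Constructed sample data: alice views her spouse bob's non-private policy.
var sampleUser = { id: "alice", type: "customer", spouse: "bob" };
console.log(respond(decide(buildRequest(sampleUser, "view", { owner: "bob", isPrivate: false }))));
```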
