David Brossard, profile picture
Uploaded byDavid Brossard
PPTX, PDF4,269 views

Why lasagna is better than spaghetti: baking authorization into your applications using ALFA, JSON, and REST - Cloud Identity Summit 2014

The document discusses the advantages of attribute-based and policy-based access control (ABAC and PBAC) over traditional models, using lasagna as a metaphor for structured authorization versus spaghetti-like code complexity. It introduces ALFA, a simplified language for writing XACML policies, and highlights the benefits of using JSON for a lightweight, user-friendly approach to authorization requests. It emphasizes the importance of externalizing authorization and provides practical examples of implementing these concepts with JSON and REST profiles.

Related topics:
Access Control Overview

Embed presentation

Downloaded 39 times
Why lasagna is better than spaghetti Building authorization into your apps, APIs, and DB using JSON, REST & ALFA © Axiomatics 2014 - @axiomatics
Before we begin, a little draw Drop in your card at the Axiomatics booth for a chance to win a Bose bluetooth speaker © Axiomatics 2014 - @axiomatics
A little history of pasta Meet Sally And her precious one And so lasagna kicked spaghetti out© Axiomatics 2014 - @axiomatics
Doesn’t your code feel like spaghetti? © Axiomatics 2014 - @axiomatics
A little history of access control Based on: Hilbert and Lopez, 2011 86 87 88 89 90 91 92 93 94 95 96 97 98 99 00 01 02 03 04 05 06 07 300 250 200 150 100 50 0 ~93% digital ~0,7% digital DAC MAC RBAC ABAC Increasing access control challenges © Axiomatics 2014 - @axiomatics
What’s Our Secret Ingredient? Attributes… Attributes… Attributes…
Attribute-Based Access Control Who… What… Where… When… Why… Attributes can describe everything (not just who) How…
The Secret Sauce? Policy-Based Access Control Centralized… Easy to audit… eXtensible…Standardized… Attribute-based…
XACML – eXtensible Access Control = + (ABAC) (PBAC)
XACML supports Schrodinger's cat Paul Madsen’s
Bake in layers © Axiomatics 2014 - @axiomatics Authorization at the right place Business tier…API tier… Data tier…Web app tier…Presentation tier…
Data Tier Bake once, enjoy everywhere Presentation Tier API & WS Tier Business Tier eXternalized Authorization Service
How does Chef Gebel take it to the next level? I use ALFA, 100% XACML I use JSON and REST too – easy on the developers
THE ALFA PLUGIN FOR ECLIPSE Authorization’s KitchenAid © Axiomatics 2014 - @axiomatics
What’s ALFA • Abbreviated Language for Authorization • OASIS – Axiomatics language donated to OASIS XACML – In the process of standardization • Goals – Makes XACML policies easier to write – Simplifies XACML structure – Enhances possibilities • Audience – Aimed at developers initially – Very popular with business analysts © Axiomatics 2014 - @axiomatics
What’s the ALFA plugin? • Add-on to Eclipse, the popular IDE • Lets you write ALFA easily – Auto-complete – Syntax checking – Syntax coloring • Converts ALFA into XACML 3.0 policies on the fly • Lets you test your policies © Axiomatics 2014 - @axiomatics
An example: the insurance use case • Authorization requirement – A customer can view his/her own policies and the policies of a spouse that are not marked as private • Identify the attributes – User type; action; policy owner; policy private flag; spouse; object type; user identity • Rework the rule – A user with type==customer can do action==view on object of type==policy… • if and only if policyOwner == userId or, • If and only if policyPrivateFlag==false && policy.owner==user.spouse • Implement in ALFA © Axiomatics 2014 - @axiomatics
THE JSON PROFILE OF XACML Delicious & Healthy © Axiomatics 2014 - @axiomatics
Objectives • Lightweight notation • Get rid of the verboseness of XML • Easy to write • Broader support for languages (JS, Python…) • Remove the XACML / XML redundancy • Infer certain things e.g. datatypes © Axiomatics 2014 - @axiomatics
The JSON Profile - Basics • The profile is a close mirror of the XML XACML request / response • It is possible to omit information and use inference – Reasonable defaults – E.g. String is not specified. • Default category names – AccessSubject, Resource, Action, Environment © Axiomatics 2014 - @axiomatics
Example in HTML/Javascript <script language="javascript"> var jsonRequest = new Object(); jsonRequest.Request = new Object(); jsonRequest.Request.AccessSubject = new Object(); // jsonRequest.Request.AccessSubject.Attribute var userId = new Object(); userId.AttributeId="userId"; userId.Value="John"; var role = new Object(); role.AttributeId="role"; role.Value="manager"; jsonRequest.Request.AccessSubject.Attribute = [userId,role]; </script> © Axiomatics 2014 - @axiomatics
Size of a XACML request © Axiomatics 2014 - @axiomatics 0 10 20 30 40 50 Word count XML JSON 0 200 400 600 800 1000 1200 1400 Char. Count XML JSON
THE REST PROFILE OF XACML The perfect way to serve your lasagna © Axiomatics 2014 - @axiomatics
Why a “REST” profile? • No standard transport protocol in XACML core • Different implementations have different SOAP wrappings • SOAP in itself is losing in popularity • Provide easy means to send authorization request © Axiomatics 2014 - @axiomatics
Posting the JSON Request in Javascript var xmlHttp = null; function authorize() { var xacmlRequest = document.getElementById( "xacmlrequest" ).value; var Url = "https://localhost:5443/axio/authorize"; xmlHttp = new XMLHttpRequest(); xmlHttp.onreadystatechange = ProcessRequest; xmlHttp.withCredentials = true; xmlHttp.open( "POST", Url, false ); xmlHttp.setRequestHeader("Accept","application/xacml+json"); xmlHttp.setRequestHeader("Content-Type","application/xacml+json"); xmlHttp.setRequestHeader("Authorization","Basic cGVwOnBhc3N3b3Jk"); xmlHttp.send( JSON.stringify(xacmlRequest) ); } © Axiomatics 2014 - @axiomatics
And now, let’s bake!
Ok, so it’s time to wrap up
Forget spaghetti. Whip up lasagna! © Axiomatics 2014 - @axiomatics (Sorry Sergio Leone) Don’t forget to pair the pasta with an elegant wine. Ask @ggebel, our head sommelier, for recommendations
Summary Acronym Name Description EAM eXternalized Authorization Management The act of cleanly separating business logic from authorization logic and maintaining each one independently ABAC Attribute-based access control An authorization model whereby parameters about the user, resource, action, and environment can be used to determine access PBAC Policy-based access control An authorization model which uses attributes combined together inside policies to define granted or denied access XACML eXtensible Access Control Markup Language The standard implementation of ABAC and PBAC – done by OASIS.
References • REST profile of XACML • JSON profile of XACML • ALFA profile of XACML Available on the OASIS XACML TC website oasis-open.org/committees/tc_home.php?wg_abbrev=xacml © Axiomatics 2014 - @axiomatics
Grazie a tutti i tutte David Brossard Axiomatics – the leaders in ABAC & PBAC @davidjbrossard @axiomatics http://developers.axiomatics.com © Axiomatics 2014 - @axiomatics

More Related Content

PDF
【BS12】Visual Studio 2022 40分一本勝負!
by日本マイクロソフト株式会社
 
PPTX
200.마이크로서비스에 적합한 오픈소스 WAS는 무엇?
byOpennaru, inc.
 
PPTX
Volley in android
byHimanshu Saini
 
PDF
Hello, ReactorKit 
bySuyeol Jeon
 
PDF
Using Postman to Automate API On-Boarding
byPostman
 
PPT
jQuery
byMohammed Arif
 
PDF
강성훈, 실버바인 대기열 서버 설계 리뷰, NDC2019
bydevCAT Studio, NEXON
 
PPTX
Ask the expert AEM Assets best practices 092016
byAdobeMarketingCloud
 
【BS12】Visual Studio 2022 40分一本勝負!
by日本マイクロソフト株式会社
 
200.마이크로서비스에 적합한 오픈소스 WAS는 무엇?
byOpennaru, inc.
 
Volley in android
byHimanshu Saini
 
Hello, ReactorKit 
bySuyeol Jeon
 
Using Postman to Automate API On-Boarding
byPostman
 
jQuery
byMohammed Arif
 
강성훈, 실버바인 대기열 서버 설계 리뷰, NDC2019
bydevCAT Studio, NEXON
 
Ask the expert AEM Assets best practices 092016
byAdobeMarketingCloud
 

What's hot

PPT
Jquery Giriş
byOğuzhan TAŞ Akademi
 
PDF
AWS 클라우드로 천만명 웹 서비스 확장하기 - 윤석찬 백승현 - AWS Summit 2016
byAmazon Web Services Korea
 
PDF
PyCon Korea 2018 - 파이썬으로 학생 들여다보기
byYungon Park
 
PDF
시작하자 단위테스트
byYongEun Choi
 
PDF
마이크로서비스를 위한 AWS 아키텍처 패턴 및 모범 사례 - AWS Summit Seoul 2017
byAmazon Web Services Korea
 
PDF
ASP.NET Core Interview Questions PDF By ScholarHat.pdf
byScholarhat
 
PDF
[IMQA] performance consulting
byIMQA
 
PDF
카오스 엔지니어링을 활용한 마이크로서비스 안정성 개선하기 - 정준우, AWS 솔루션즈 아키텍트:: AWS Summit Online Kor...
byAmazon Web Services Korea
 
PDF
도커의 기초 - 김상필 솔루션즈 아키텍트 :: AWS Container Day
byAmazon Web Services Korea
 
PDF
모바일 게임 테스트 자동화 (Appium 확장)
byJongwon Kim
 
PDF
Lambda@Edge를통한멀티리전기반글로벌트래픽길들이기::이상현::AWS Summit Seoul 2018
byAmazon Web Services Korea
 
PPTX
JavaScript Basic
byFinsa Nurpandi
 
PDF
Understanding Sling Models in AEM
byAccunity Software
 
PDF
Basics of Solr and Solr Integration with AEM6
byDEEPAK KHETAWAT
 
PDF
Use Symfony Messenger Component and CQRS!
byŽilvinas Kuusas
 
PPTX
Everything you need to know about sharing files in SharePoint & OneDrive - SP...
byDrew Madelung
 
PPTX
AEM Rich Text Editor (RTE) Deep Dive
byHanish Bansal
 
PPTX
Oak, the architecture of Apache Jackrabbit 3
byJukka Zitting
 
PPTX
Introduction to jmeter & how to view jmeter Test Result in Real-Time
byBugRaptors
 
PDF
Scouter와 influx db – grafana 연동 가이드
byJi-Woong Choi
 
Jquery Giriş
byOğuzhan TAŞ Akademi
 
AWS 클라우드로 천만명 웹 서비스 확장하기 - 윤석찬 백승현 - AWS Summit 2016
byAmazon Web Services Korea
 
PyCon Korea 2018 - 파이썬으로 학생 들여다보기
byYungon Park
 
시작하자 단위테스트
byYongEun Choi
 
마이크로서비스를 위한 AWS 아키텍처 패턴 및 모범 사례 - AWS Summit Seoul 2017
byAmazon Web Services Korea
 
ASP.NET Core Interview Questions PDF By ScholarHat.pdf
byScholarhat
 
[IMQA] performance consulting
byIMQA
 
카오스 엔지니어링을 활용한 마이크로서비스 안정성 개선하기 - 정준우, AWS 솔루션즈 아키텍트:: AWS Summit Online Kor...
byAmazon Web Services Korea
 
도커의 기초 - 김상필 솔루션즈 아키텍트 :: AWS Container Day
byAmazon Web Services Korea
 
모바일 게임 테스트 자동화 (Appium 확장)
byJongwon Kim
 
Lambda@Edge를통한멀티리전기반글로벌트래픽길들이기::이상현::AWS Summit Seoul 2018
byAmazon Web Services Korea
 
JavaScript Basic
byFinsa Nurpandi
 
Understanding Sling Models in AEM
byAccunity Software
 
Basics of Solr and Solr Integration with AEM6
byDEEPAK KHETAWAT
 
Use Symfony Messenger Component and CQRS!
byŽilvinas Kuusas
 
Everything you need to know about sharing files in SharePoint & OneDrive - SP...
byDrew Madelung
 
AEM Rich Text Editor (RTE) Deep Dive
byHanish Bansal
 
Oak, the architecture of Apache Jackrabbit 3
byJukka Zitting
 
Introduction to jmeter & how to view jmeter Test Result in Real-Time
byBugRaptors
 
Scouter와 influx db – grafana 연동 가이드
byJi-Woong Choi
 

Viewers also liked

PPTX
Authorization - it's not just about who you are
byDavid Brossard
 
PPTX
OWASP Chicago 2016 - What is Attribute Based Access Control (ABAC)?
byDavid Brossard
 
PPTX
XACML for Developers - Updates, New Tools, & Patterns for the Eager #IAM Deve...
byDavid Brossard
 
PPTX
Access Control Pitfalls v2
byJim Manico
 
PDF
CIS14: Baking Fine-Grained Authorization Into Your Apps and APIs using ALFA, ...
byCloudIDSummit
 
PDF
CIS 2015- Rethinking Your Authorization Strategy- Gerry Gebel
byCloudIDSummit
 
Authorization - it's not just about who you are
byDavid Brossard
 
OWASP Chicago 2016 - What is Attribute Based Access Control (ABAC)?
byDavid Brossard
 
XACML for Developers - Updates, New Tools, & Patterns for the Eager #IAM Deve...
byDavid Brossard
 
Access Control Pitfalls v2
byJim Manico
 
CIS14: Baking Fine-Grained Authorization Into Your Apps and APIs using ALFA, ...
byCloudIDSummit
 
CIS 2015- Rethinking Your Authorization Strategy- Gerry Gebel
byCloudIDSummit
 

Similar to Why lasagna is better than spaghetti: baking authorization into your applications using ALFA, JSON, and REST - Cloud Identity Summit 2014

PPTX
Policy enabling your services - using elastic dynamic authorization to contro...
byDavid Brossard
 
PDF
Uncovering XACML to solve real world business use cases
byWSO2
 
PDF
Axiomatics webinar 13 june 2013 shared
byFinn Frisch
 
PPTX
Updates from the OASIS XACML Technical Committee - Making Authorization Devel...
byDavid Brossard
 
PDF
Opa in the api management world
byRed Hat
 
PDF
The WSO2 Identity Server - An answer to your common XACML dilemmas
byWSO2
 
PPTX
OpenID AuthZEN ALFA PEP-PDP Prior Art
byDavid Brossard
 
PPTX
ABAC, ReBAC, Zanzibar, ALFA… How Should I Implement AuthZ in My APIs? by Dav...
byNordic APIs
 
PPTX
Top Ten Reasons Why Developers Don't Adopt ABAC
byForgeRock
 
PDF
Authorization The Missing Piece of the Puzzle
byNordic APIs
 
PPTX
Fine grained access control for cloud-based services using ABAC and XACML
byDavid Brossard
 
PPTX
Policies, Graphs or Relationships - A Modern Approach to Fine-Grained Authori...
byDavid Brossard
 
PPTX
Internet Identity Workshop IIW 2023 - Introduction to ALFA Authorization Lang...
byDavid Brossard
 
PPTX
EIC 2014 Oasis Workshop: Using XACML to implement Privacy by Design
byDavid Brossard
 
PDF
CIS14: The Very Latest in Authorization Standards
byCloudIDSummit
 
PDF
Twin Cities IAM Meet Up - May 2014 - The latest in authorization trends and s...
byggebel
 
PDF
The WSO2 Identity Server - An answer to your common XACML dilemmas
bysureshattanayake
 
PDF
The WSO2 Identity Server - An answer to your common XACML dilemmas
bysureshattanayake
 
PPTX
Lean and Mean – Authorization for kick-ass APIs (Jonas Markström)
byNordic APIs
 
PPTX
ABAC, ReBAC, Zanzibar, ALFA… How Should I Implement AuthZ in My APIs - Nordi...
byDavid Brossard
 
Policy enabling your services - using elastic dynamic authorization to contro...
byDavid Brossard
 
Uncovering XACML to solve real world business use cases
byWSO2
 
Axiomatics webinar 13 june 2013 shared
byFinn Frisch
 
Updates from the OASIS XACML Technical Committee - Making Authorization Devel...
byDavid Brossard
 
Opa in the api management world
byRed Hat
 
The WSO2 Identity Server - An answer to your common XACML dilemmas
byWSO2
 
OpenID AuthZEN ALFA PEP-PDP Prior Art
byDavid Brossard
 
ABAC, ReBAC, Zanzibar, ALFA… How Should I Implement AuthZ in My APIs? by Dav...
byNordic APIs
 
Top Ten Reasons Why Developers Don't Adopt ABAC
byForgeRock
 
Authorization The Missing Piece of the Puzzle
byNordic APIs
 
Fine grained access control for cloud-based services using ABAC and XACML
byDavid Brossard
 
Policies, Graphs or Relationships - A Modern Approach to Fine-Grained Authori...
byDavid Brossard
 
Internet Identity Workshop IIW 2023 - Introduction to ALFA Authorization Lang...
byDavid Brossard
 
EIC 2014 Oasis Workshop: Using XACML to implement Privacy by Design
byDavid Brossard
 
CIS14: The Very Latest in Authorization Standards
byCloudIDSummit
 
Twin Cities IAM Meet Up - May 2014 - The latest in authorization trends and s...
byggebel
 
The WSO2 Identity Server - An answer to your common XACML dilemmas
bysureshattanayake
 
The WSO2 Identity Server - An answer to your common XACML dilemmas
bysureshattanayake
 
Lean and Mean – Authorization for kick-ass APIs (Jonas Markström)
byNordic APIs
 
ABAC, ReBAC, Zanzibar, ALFA… How Should I Implement AuthZ in My APIs - Nordi...
byDavid Brossard
 

More from David Brossard

PPTX
The Holy Grail of IAM: Getting to Grips with Authorization
byDavid Brossard
 
PPTX
Unpacking Authorization Approaches: Policy as Code Versus Traditional Busines...
byDavid Brossard
 
PPTX
OASIS Workshop: Identity, Privacy, and Data Protection in the Cloud – What is...
byDavid Brossard
 
PPTX
XACML - Fight For Your Love
byDavid Brossard
 
PPTX
Navigating the Intersection: IAM and OWASP in the Cybersecurity Landscape (Id...
byDavid Brossard
 
PPTX
OpenID Foundation AuthZEN WG Update
byDavid Brossard
 
PPTX
Authenticate 2024: We know who you are, now… What can you do?
byDavid Brossard
 
PPTX
OpenID AuthZEN Interop Read Out - Authorization
byDavid Brossard
 
PDF
AuthZEN the OpenID Connect of Authorization
byDavid Brossard
 
PDF
AuthZEN The OpenID Connect of Authorization - Gartner IAM EMEA 2025
byDavid Brossard
 
PPTX
OpenID AuthZEN - Analyst Briefing July 2025
byDavid Brossard
 
PPTX
OpenID AuthZEN Overview - Gartner IAM 25
byDavid Brossard
 
PPTX
Don't Ask for Forgiveness, Ask for Permission
byDavid Brossard
 
PPTX
XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity ...
byDavid Brossard
 
PPTX
To the cloud and beyond: delivering policy-driven authorization for cloud app...
byDavid Brossard
 
The Holy Grail of IAM: Getting to Grips with Authorization
byDavid Brossard
 
Unpacking Authorization Approaches: Policy as Code Versus Traditional Busines...
byDavid Brossard
 
OASIS Workshop: Identity, Privacy, and Data Protection in the Cloud – What is...
byDavid Brossard
 
XACML - Fight For Your Love
byDavid Brossard
 
Navigating the Intersection: IAM and OWASP in the Cybersecurity Landscape (Id...
byDavid Brossard
 
OpenID Foundation AuthZEN WG Update
byDavid Brossard
 
Authenticate 2024: We know who you are, now… What can you do?
byDavid Brossard
 
OpenID AuthZEN Interop Read Out - Authorization
byDavid Brossard
 
AuthZEN the OpenID Connect of Authorization
byDavid Brossard
 
AuthZEN The OpenID Connect of Authorization - Gartner IAM EMEA 2025
byDavid Brossard
 
OpenID AuthZEN - Analyst Briefing July 2025
byDavid Brossard
 
OpenID AuthZEN Overview - Gartner IAM 25
byDavid Brossard
 
Don't Ask for Forgiveness, Ask for Permission
byDavid Brossard
 
XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity ...
byDavid Brossard
 
To the cloud and beyond: delivering policy-driven authorization for cloud app...
byDavid Brossard
 
In this document
Powered by AI

Introduction comparing lasagna to spaghetti. Building apps with JSON, REST & ALFA, emphasizing spaghetti code and a history of pasta.

Historical overview of access control models (DAC, MAC, RBAC, ABAC) with statistical data and the addition of attributes in policies.

Layered approach to authorization, introduction to ALFA for easier policy writing and application of attribute-based and policy-based controls.

Introduction of JSON and REST profiles to streamline XACML requests, emphasizing simplicity and reduced verboseness.

Wrap-up with focus on ABAC and PBAC models, summary of key terms, and providing references for further information.

Why lasagna is better than spaghetti: baking authorization into your applications using ALFA, JSON, and REST - Cloud Identity Summit 2014

  • 1.
    Why lasagna isbetter than spaghetti Building authorization into your apps, APIs, and DB using JSON, REST & ALFA © Axiomatics 2014 - @axiomatics
  • 2.
    Before we begin,a little draw Drop in your card at the Axiomatics booth for a chance to win a Bose bluetooth speaker © Axiomatics 2014 - @axiomatics
  • 3.
    A little historyof pasta Meet Sally And her precious one And so lasagna kicked spaghetti out© Axiomatics 2014 - @axiomatics
  • 4.
    Doesn’t your codefeel like spaghetti? © Axiomatics 2014 - @axiomatics
  • 5.
    A little historyof access control Based on: Hilbert and Lopez, 2011 86 87 88 89 90 91 92 93 94 95 96 97 98 99 00 01 02 03 04 05 06 07 300 250 200 150 100 50 0 ~93% digital ~0,7% digital DAC MAC RBAC ABAC Increasing access control challenges © Axiomatics 2014 - @axiomatics
  • 6.
    What’s Our SecretIngredient? Attributes… Attributes… Attributes…
  • 7.
    Attribute-Based Access Control Who…What… Where… When… Why… Attributes can describe everything (not just who) How…
  • 8.
    The Secret Sauce? Policy-BasedAccess Control Centralized… Easy to audit… eXtensible…Standardized… Attribute-based…
  • 9.
    XACML – eXtensibleAccess Control = + (ABAC) (PBAC)
  • 10.
  • 11.
    Bake in layers ©Axiomatics 2014 - @axiomatics Authorization at the right place Business tier…API tier… Data tier…Web app tier…Presentation tier…
  • 12.
    Data Tier Bake once,enjoy everywhere Presentation Tier API & WS Tier Business Tier eXternalized Authorization Service
  • 13.
    How does Chef Gebeltake it to the next level? I use ALFA, 100% XACML I use JSON and REST too – easy on the developers
  • 14.
    THE ALFA PLUGIN FOR ECLIPSE Authorization’sKitchenAid © Axiomatics 2014 - @axiomatics
  • 15.
    What’s ALFA • AbbreviatedLanguage for Authorization • OASIS – Axiomatics language donated to OASIS XACML – In the process of standardization • Goals – Makes XACML policies easier to write – Simplifies XACML structure – Enhances possibilities • Audience – Aimed at developers initially – Very popular with business analysts © Axiomatics 2014 - @axiomatics
  • 16.
    What’s the ALFAplugin? • Add-on to Eclipse, the popular IDE • Lets you write ALFA easily – Auto-complete – Syntax checking – Syntax coloring • Converts ALFA into XACML 3.0 policies on the fly • Lets you test your policies © Axiomatics 2014 - @axiomatics
  • 17.
    An example: theinsurance use case • Authorization requirement – A customer can view his/her own policies and the policies of a spouse that are not marked as private • Identify the attributes – User type; action; policy owner; policy private flag; spouse; object type; user identity • Rework the rule – A user with type==customer can do action==view on object of type==policy… • if and only if policyOwner == userId or, • If and only if policyPrivateFlag==false && policy.owner==user.spouse • Implement in ALFA © Axiomatics 2014 - @axiomatics
  • 18.
    THE JSON PROFILE OFXACML Delicious & Healthy © Axiomatics 2014 - @axiomatics
  • 19.
    Objectives • Lightweight notation •Get rid of the verboseness of XML • Easy to write • Broader support for languages (JS, Python…) • Remove the XACML / XML redundancy • Infer certain things e.g. datatypes © Axiomatics 2014 - @axiomatics
  • 20.
    The JSON Profile- Basics • The profile is a close mirror of the XML XACML request / response • It is possible to omit information and use inference – Reasonable defaults – E.g. String is not specified. • Default category names – AccessSubject, Resource, Action, Environment © Axiomatics 2014 - @axiomatics
  • 21.
    Example in HTML/Javascript <scriptlanguage="javascript"> var jsonRequest = new Object(); jsonRequest.Request = new Object(); jsonRequest.Request.AccessSubject = new Object(); // jsonRequest.Request.AccessSubject.Attribute var userId = new Object(); userId.AttributeId="userId"; userId.Value="John"; var role = new Object(); role.AttributeId="role"; role.Value="manager"; jsonRequest.Request.AccessSubject.Attribute = [userId,role]; </script> © Axiomatics 2014 - @axiomatics
  • 22.
    Size of aXACML request © Axiomatics 2014 - @axiomatics 0 10 20 30 40 50 Word count XML JSON 0 200 400 600 800 1000 1200 1400 Char. Count XML JSON
  • 23.
    THE REST PROFILEOF XACML The perfect way to serve your lasagna © Axiomatics 2014 - @axiomatics
  • 24.
    Why a “REST”profile? • No standard transport protocol in XACML core • Different implementations have different SOAP wrappings • SOAP in itself is losing in popularity • Provide easy means to send authorization request © Axiomatics 2014 - @axiomatics
  • 25.
    Posting the JSONRequest in Javascript var xmlHttp = null; function authorize() { var xacmlRequest = document.getElementById( "xacmlrequest" ).value; var Url = "https://localhost:5443/axio/authorize"; xmlHttp = new XMLHttpRequest(); xmlHttp.onreadystatechange = ProcessRequest; xmlHttp.withCredentials = true; xmlHttp.open( "POST", Url, false ); xmlHttp.setRequestHeader("Accept","application/xacml+json"); xmlHttp.setRequestHeader("Content-Type","application/xacml+json"); xmlHttp.setRequestHeader("Authorization","Basic cGVwOnBhc3N3b3Jk"); xmlHttp.send( JSON.stringify(xacmlRequest) ); } © Axiomatics 2014 - @axiomatics
  • 26.
  • 27.
  • 28.
    Forget spaghetti. Whipup lasagna! © Axiomatics 2014 - @axiomatics (Sorry Sergio Leone) Don’t forget to pair the pasta with an elegant wine. Ask @ggebel, our head sommelier, for recommendations
  • 29.
    Summary Acronym Name Description EAMeXternalized Authorization Management The act of cleanly separating business logic from authorization logic and maintaining each one independently ABAC Attribute-based access control An authorization model whereby parameters about the user, resource, action, and environment can be used to determine access PBAC Policy-based access control An authorization model which uses attributes combined together inside policies to define granted or denied access XACML eXtensible Access Control Markup Language The standard implementation of ABAC and PBAC – done by OASIS.
  • 30.
    References • REST profileof XACML • JSON profile of XACML • ALFA profile of XACML Available on the OASIS XACML TC website oasis-open.org/committees/tc_home.php?wg_abbrev=xacml © Axiomatics 2014 - @axiomatics
  • 31.
    Grazie a tuttii tutte David Brossard Axiomatics – the leaders in ABAC & PBAC @davidjbrossard @axiomatics http://developers.axiomatics.com © Axiomatics 2014 - @axiomatics