Fine-grained authorization with XACML

http://blog.facilelogin.com/

  1. Prabath Siriwardena – Software Architect, WSO2
  2. Michael Jordan, Ronaldo
  3. eXtensible Access Control Markup Language
  4. First Meeting – 21 May 2001
  5. Requirements from Healthcare, DRM, Registry, Financial, Online Web
  6. XACML 1.0 – OASIS Standard – 6 February 2003
  7. XACML 1.1 – Committee Specification – 7th August 2003
  8. XACML 2.0 – OASIS Standard – 1 February 2005
  9. XACML 3.0 – OASIS Standard – 10th Aug 2010
  10. Administrator → defines → Policy Administration Point
  11. Access → Policy Evaluation Point → Policy Decision Point
  12. UT

      ```xml
      <inSequence>
        <entitlementService remoteServiceUserName="prabath"
                            remoteServicePassword="********"
                            remoteServiceUrl="https://identity-server:9443/services"/>
      </inSequence>
      ```

  13. Kerberos

      ```xml
      <inSequence>
        <entitlementService callbackClass="org.wso2.carbon.identity.entitlement.mediator.KerberosEntitlementCallbackHandler"
                            remoteServiceUserName="prabath"
                            remoteServicePassword="********"
                            remoteServiceUrl="https://identity-server:9443/services"/>
      </inSequence>
      ```

  14. BasicAuth / RESTful

      ```xml
      <inSequence>
        <property name="xacml_use_rest" value="true" scope="axis2" type="STRING"/>
        <entitlementService remoteServiceUserName="prabath"
                            remoteServicePassword="********"
                            remoteServiceUrl="https://identity-server:9443/services"/>
      </inSequence>
      ```

  15. Sign

      ```xml
      <inSequence>
        <entitlementService callbackClass="org.wso2.carbon.identity.entitlement.mediator.X509EntitlementCallbackHandler"
                            remoteServiceUserName="prabath"
                            remoteServicePassword="********"
                            remoteServiceUrl="https://identity-server:9443/services"/>
      </inSequence>
      ```
  16. Custom (the callbackClass value must name the class exactly as declared below; the original slide spelled it `my.own.CustomEmtitlementCallbackhandler`, which would not load)

      ```xml
      <inSequence>
        <entitlementService callbackClass="my.own.CustomEntitlementCallbackHandler"
                            remoteServiceUserName="prabath"
                            remoteServicePassword="********"
                            remoteServiceUrl="https://identity-server:9443/services"/>
      </inSequence>
      ```

      ```java
      package my.own;

      import org.wso2.carbon.identity.entitlement.mediator.EntitlementCallbackHandler;

      // Custom callback handler plugged into the entitlement mediator via callbackClass
      public class CustomEntitlementCallbackHandler extends EntitlementCallbackHandler {
      }
      ```
  17. My PEP – XACML – http://blog.facilelogin.com/2010/11/net-client-web-app-authorization-with.html
  18. Policy Decision Point → Policy Information Point
  19. Policy Evaluation Point → Policy Decision Point → PIP Extension(s)
  20. PIPExtension

      ```java
      package org.wso2.carbon.identity.entitlement.pip;

      import com.sun.xacml.ctx.RequestCtx;

      /**
       * PIPExtensions will be fired for each and every XACML request - which will give a handle to the
       * incoming request.
       */
      public interface PIPExtension {

          /**
           * Gives a handle to the XACML request built. Can be used to carry out custom checks or updates
           * before sending to the PDP.
           *
           * @param request Incoming XACML request.
           */
          public void update(RequestCtx request);
      }
      ```
  21. Policy Decision Point → Policy Information Point → PIP Designator(s)
  22. PIPAttributeFinder

      ```java
      package org.wso2.carbon.identity.entitlement.pip;

      import java.util.Set;

      /**
       * To register a PIP attribute handler with the PDP against their supported attributes - you need to
       * implement this interface and add an entry to pip-config.xml file - which should be inside
       * [CARBON_HOME]/repository/conf
       */
      public interface PIPAttributeFinder {

          /**
           * Will be fired by CarbonAttributeFinder whenever it finds an attribute supported by this
           * module.
           *
           * @param subjectId Name of the subject the returned attributes should apply to.
           * @param resourceId The name of the resource the subject is trying to access.
           * @param attributeId The unique id of the required attribute.
           * @return Returns a <code>Set</code> of <code>String</code>s that represent the attribute values.
           * @throws Exception
           */
          public Set<String> getAttributeValues(String subjectId, String resourceId, String attributeId)
                  throws Exception;

          /**
           * Returns a <code>Set</code> of <code>String</code>s that represent the attributeIds handled by
           * this module, or null if this module doesn't handle any specific attributeIds. A return value
           * of null means that this module will not handle any attributes.
           */
          public Set<String> getSupportedAttributes();
      }
      ```
  23. Policy language model: `<PolicySet/>` → `<Policy/>` → `<Rule/>` → `<Target/>` (`<Subject/>`, `<Resource/>`, `<Action/>`, `<Environment/>`) and `<Condition/>`
  24. `<PolicySet/>` – allows PolicySet(s) or Policy(s) to be combined
  25. PolicyCombiningAlgorithm – set on the `<PolicySet/>`
  27. Policy Administration Point → Policy Store (holding the `<PolicySet/>`s)
  28. `<Target/>` – acts as an index to find out matching PolicySets
  33. `<Policy/>` – allows Rule(s) to be combined
  34. RuleCombiningAlgorithm – set on the `<Policy/>`
  39. Sample policy (conformance test IIA003)

      ```xml
      <Policy PolicyId="urn:oasis:names:tc:xacml:2.0:conformance-test:IIA003:policy"
              RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
        <Description>Policy for Conformance Test IIA003.</Description>
        <Target/>
        <Rule RuleId="urn:oasis:names:tc:xacml:2.0:conformance-test:IIA003:rule" Effect="Permit">
          <Description>
            A subject with a "bogus" attribute with a value of "Physician" can read or write
            Bart Simpson's medical record.
          </Description>
          <Target>
            <Subjects>
              <Subject>
                <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Physician</AttributeValue>
                  <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                                              DataType="http://www.w3.org/2001/XMLSchema#string"/>
                </SubjectMatch>
              </Subject>
            </Subjects>
          </Target>
        </Rule>
      </Policy>
      ```
  40. Data Types / Functions / Identifiers – Document Identifier: oasis-access_control-xacml-2.0-core-spec-os, Section 10
  41. `<Request/>` → `<Subject/>`, `<Resource/>`, `<Action/>`, `<Environment/>` – each carrying `<Attribute/>`s
  42. `<Response/>` → `<Result/>` → `<Decision/>`
  43. Conveying XACML Attributes in a SOAP Message – xacml-samlp:XACMLAuthzDecisionQuery, saml:Attribute
  44. XACML Assertions – XACMLAuthzAssertion, XACMLPrivacyAssertion
  45. Defines how to use SAML 2.0 to protect, store, transport, request, and respond with XACML schema instances and other information needed by an XACML implementation.
  46. Authorization decision carried in a SAML assertion

      ```xml
      <saml:Assertion Version="2.0" ID="9812368" IssueInstant="2006-05-31T13:20:00.000">
        <saml:Issuer>https://XACMLPDP.example.com</saml:Issuer>
        <saml:Statement xsi:type="xacml-saml:XACMLAuthzDecisionStatementType">
          <xacml-context:Response>
            <xacml-context:Result>
              <xacml-context:Decision>NotApplicable</xacml-context:Decision>
            </xacml-context:Result>
          </xacml-context:Response>
          <xacml-context:Request>
            ....
          </xacml-context:Request>
        </saml:Statement>
      </saml:Assertion>
      ```
  47. What is new in XACML 3.0:
      - Optimizations in XPATH
      - User-defined attribute categories
      - New TARGET matching criteria: `<AnyOf>`, `<AllOf>`
      - Multiple Decision Profile
      - New Obligation Expressions
      - Advice
      - Delegation
      - Enhancements to Policy Combining Algorithms
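Slides 18 to 42 describe the PDP's evaluation loop in pieces: a Target that indexes which policies apply, SubjectMatch functions such as string-equal, a RuleCombiningAlgorithm such as deny-overrides, a PIPAttributeFinder that supplies attributes the request did not carry, and a Response whose Decision is Permit, Deny or NotApplicable. The Python below is an added example written for this page; it is not code from the deck, from WSO2 or from any XACML library. It parses an XACML 2.0 policy modelled on the IIA003 sample (with constructed `urn:example:` attribute ids and a second Deny rule so that combining actually matters), resolves missing attributes from a constructed in-memory PIP, and implements only string-equal and the deny-overrides / permit-overrides algorithms; anything else raises rather than silently defaulting to Permit.

```python
"""Toy XACML 2.0 PDP: parse a policy, pull missing attributes from a PIP,
apply rule-combining, return a Decision. Added example, not WSO2 or XACML library code."""
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
DENY_OVERRIDES = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides"
PERMIT_OVERRIDES = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides"
XSD_STRING = "http://www.w3.org/2001/XMLSchema#string"

# Constructed policy modelled on the IIA003 slide: Permit for subjects whose role is
# Physician, Deny for suspended accounts. The urn:example: attribute ids are placeholders.
POLICY_XML = f"""<Policy xmlns="{NS}" PolicyId="urn:example:policy" RuleCombiningAlgId="{DENY_OVERRIDES}">
  <Target/>
  <Rule RuleId="urn:example:rule:permit-physician" Effect="Permit">
    <Target><Subjects><Subject>
      <SubjectMatch MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{XSD_STRING}">Physician</AttributeValue>
        <SubjectAttributeDesignator AttributeId="urn:example:attr:role" DataType="{XSD_STRING}"/>
      </SubjectMatch>
    </Subject></Subjects></Target>
  </Rule>
  <Rule RuleId="urn:example:rule:deny-suspended" Effect="Deny">
    <Target><Subjects><Subject>
      <SubjectMatch MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{XSD_STRING}">suspended</AttributeValue>
        <SubjectAttributeDesignator AttributeId="urn:example:attr:status" DataType="{XSD_STRING}"/>
      </SubjectMatch>
    </Subject></Subjects></Target>
  </Rule>
</Policy>"""

# Constructed in-memory PIP, standing in for a PIPAttributeFinder backed by a directory or DB.
PIP_STORE = {
    ("alice", "urn:example:attr:role"): {"Physician"},
    ("alice", "urn:example:attr:status"): {"active"},
    ("bob", "urn:example:attr:role"): {"Physician"},
    ("bob", "urn:example:attr:status"): {"suspended"},
}


def pip_attribute_values(subject_id, attribute_id):
    """Counterpart of PIPAttributeFinder.getAttributeValues for one subject attribute."""
    return PIP_STORE.get((subject_id, attribute_id), set())


def resolve(request, attribute_id):
    """Values carried in the request win; anything missing is fetched from the PIP."""
    if attribute_id in request:
        return set(request[attribute_id])
    subject = next(iter(request.get(SUBJECT_ID, ())), None)
    return pip_attribute_values(subject, attribute_id)


def q(tag):
    """Namespace-qualify an XACML policy element name for ElementTree lookups."""
    return f"{{{NS}}}{tag}"


def match_holds(match, request):
    """Evaluate one <SubjectMatch>; only string-equal is supported, anything else is an error."""
    if match.get("MatchId") != STRING_EQUAL:
        raise ValueError("unsupported MatchId: " + str(match.get("MatchId")))
    literal = match.find(q("AttributeValue")).text.strip()
    attribute_id = match.find(q("SubjectAttributeDesignator")).get("AttributeId")
    # string-equal holds if any value of the designated attribute equals the literal
    return literal in resolve(request, attribute_id)


def target_matches(target, request):
    """An absent or empty <Target> matches everything. <Subject> elements are OR-ed, the
    <SubjectMatch> elements inside one <Subject> are AND-ed (Resources/Actions not modelled)."""
    if target is None:
        return True
    subjects = target.find(q("Subjects"))
    if subjects is None:
        return True
    return any(all(match_holds(m, request) for m in s.findall(q("SubjectMatch")))
               for s in subjects.findall(q("Subject")))


def evaluate(policy_xml, request):
    """Return the Decision for `request`, a dict of attribute id -> set of string values."""
    policy = ET.fromstring(policy_xml)
    if not target_matches(policy.find(q("Target")), request):
        return "NotApplicable"
    effects = [r.get("Effect") for r in policy.findall(q("Rule"))
               if target_matches(r.find(q("Target")), request)]
    winner = {DENY_OVERRIDES: "Deny", PERMIT_OVERRIDES: "Permit"}.get(policy.get("RuleCombiningAlgId"))
    if winner is None:
        raise ValueError("unsupported RuleCombiningAlgId: " + str(policy.get("RuleCombiningAlgId")))
    if winner in effects:
        return winner
    return effects[0] if effects else "NotApplicable"  # only the other effect can remain


def demo():
    """Constructed requests: alice is a Physician, bob a suspended Physician, carol sends
    her role inline and has no PIP entry, so no rule applies to her."""
    requests = {"alice": {SUBJECT_ID: {"alice"}}, "bob": {SUBJECT_ID: {"bob"}},
                "carol": {SUBJECT_ID: {"carol"}, "urn:example:attr:role": {"Nurse"}}}
    return {who: evaluate(POLICY_XML, req) for who, req in requests.items()}


if __name__ == "__main__":
    for who, decision in demo().items():
        print(f"{who}: {decision}")
```

Running the block prints Permit for alice, Deny for bob and NotApplicable for carol. The PIP lookup is what turns bob's bare subject-id into the `suspended` status that the Deny rule needs, and swapping the policy's RuleCombiningAlgId to permit-overrides flips bob's decision to Permit, which is why the choice of combining algorithm deserves the same review as the rules themselves.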
