Uncovering XACML to solve real world business use cases

Transcript of "Uncovering XACML to solve real world business use cases"

1. Uncovering XACML to solve real world business use cases
   Asela Pathberiya, Associate Technical Lead

2. About WSO2
   o Global enterprise, founded in 2005 by acknowledged leaders in XML, web services technologies, standards and open source
   o Provides the only open source platform-as-a-service for private, public and hybrid cloud deployments
   o All WSO2 products are 100% open source and released under the Apache License Version 2.0
   o An active member of OASIS, Cloud Security Alliance, OSGi Alliance, AMQP Working Group, OpenID Foundation and W3C
   o Driven by innovation
     o Launched the first open source API Management solution in 2012
     o Launched App Factory in 2Q 2013
     o Launched Enterprise Store and the first open source Mobile solution in 4Q 2013

3. What WSO2 Delivers

4. What is in Today's Webinar
   o Introduction to Access Control & XACML
   o Advantages of XACML
   o Challenges with XACML
   o Business use cases implemented with XACML
     o Fine grained access control for SOAP/REST APIs
     o Building access control for web applications
     o Adding entitlement for enterprise data
     o Building a centralized entitlement system with existing legacy authorization data

5. Introduction

6. Access Control Concepts
   o Policy Based Access Control
   o Attribute Based Access Control
   o Role Based Access Control
   o Dynamic Access Control
   o Fine Grained Access Control
   o Externalized Access Control
   o Standardized Access Control
   o Location Based Access Control
   o Real Time Access Control

7. Access Control Concepts
   @#@^!(&%%@ We need to build an Externalized, Standardized, Policy based, Attribute based and Dynamic Authorization System... ASAP?

8. Access Control Concepts

9. Access Control Concepts
   DONE: X A C M L

10. XACML

11. What is XACML
   o XACML stands for eXtensible Access Control Markup Language
   o The standard is ratified by the OASIS standards organization
     o First meeting: 21st March 2001
     o XACML 1.0: OASIS Standard, 6 February 2003
     o XACML 2.0: OASIS Standard, 1 February 2005
     o XACML 3.0: OASIS Standard, 22 January 2013

12. XACML Core Specification
   o Standardized Policy Language
     o A standard way to write access control rules
   o Request/Response Protocol
     o A standard way to send authorization queries and to return authorization decisions
   o Reference Architecture
     o The standard components of an authorization system and how they integrate with each other
     o PDP - Policy Decision Point
     o PEP - Policy Enforcement Point
     o PIP - Policy Information Point
     o PAP - Policy Administration Point

13. XACML Core Specification

14. XACML Associated Profiles
   o Multiple Decision Profile
     o Sending multiple authorization queries in a single request and responding with multiple decisions
   o REST profile of XACML
     o A standard way to communicate between PDP and PEP
   o Request/Response Interface based on JSON and HTTP (Draft)
     o JSON based request and response messages
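To make slides 12 and 14 concrete, here is a toy in-process PDP added for this transcript (not WSO2's code and not the OASIS reference implementation). It evaluates a constructed two-rule ABAC policy with deny-overrides combining against requests shaped like the JSON profile's categories, and treats a list of Resource categories as a Multiple Decision request, which is also how a PEP can ask "which of these resources may Bob access?" in one round trip rather than one Boolean query each (slide 17). Attribute ids and the policy are assumptions for the example.

```python
"""Toy XACML-style PDP (added example; not WSO2's code or the OASIS reference).
Requests follow the shape of the JSON Request/Response profile (simplified):
each category holds an "Attribute" list of {AttributeId, Value}. A Resource
given as a list is treated as a Multiple Decision Profile request and answered
with one Result per resource. Policy and attribute names are constructed."""
from typing import Callable

# A rule is (Effect, condition over the flattened attribute dict); keys are
# (category, AttributeId) tuples.
Rule = tuple[str, Callable[[dict], bool]]
POLICY: list[Rule] = [
    # Rule 1: no deletes from outside the corporate network.
    ("Deny", lambda a: a.get(("Environment", "network")) == "external"
                       and a.get(("Action", "action-id")) == "delete"),
    # Rule 2: staff may act on resources owned by their own department.
    ("Permit", lambda a: a.get(("AccessSubject", "department")) is not None
                         and a.get(("AccessSubject", "department"))
                         == a.get(("Resource", "owner-department"))),
]

def category(**attrs) -> dict:
    """Build one request category, e.g. category(department="finance")."""
    return {"Attribute": [{"AttributeId": k, "Value": v} for k, v in attrs.items()]}

def flatten(request: dict) -> dict:
    """Collapse the per-category Attribute lists into one lookup dict."""
    out = {}
    for cat, body in request["Request"].items():
        for attr in body.get("Attribute", []):
            out[(cat, attr["AttributeId"])] = attr["Value"]
    return out

def evaluate(policy: list, attrs: dict) -> str:
    """Deny-overrides combining: any matching Deny beats any matching Permit."""
    effects = {effect for effect, cond in policy if cond(attrs)}
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"  # a PEP must treat this as a refusal, not a Permit

def decide(request: dict) -> dict:
    """PDP entry point: one Result per resource when Resource is a list."""
    req = request["Request"]
    if not isinstance(req.get("Resource"), list):
        return {"Response": [{"Decision": evaluate(POLICY, flatten(request))}]}
    results = []
    for res in req["Resource"]:
        single = {"Request": {**req, "Resource": res}}
        results.append({"Decision": evaluate(POLICY, flatten(single))})
    return {"Response": results}
```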
15. Advantages of XACML
   o Externalized
   o Standardized
   o Policy Based
   o Attribute Based
   o Fine Grained
   o Dynamic

16. Challenges with XACML
   o XACML is too complex
     o An XML language with a lot of syntax
     o Difficult to write and understand policies
   o Integrating the current authorization system with XACML
     o Converting existing authorization rules into XACML
     o Standard extension points to integrate

17. Challenges with XACML
   o Performance bottleneck
     o PDP - PEP communication
   o Boolean decision results
     o What are the resources that Bob can access?
   o Policy distribution
     o Large scale deployments

18. Use Cases

19. XACML for SOAP/REST Services
   o Access control for SOAP web services
     o Fine grained down to operation and message level
     o Filtering response messages

20. XACML for SOAP/REST Services
   o Access control for REST APIs
     o Fine grained down to resources and HTTP methods
     o Scope validation - OAuth 2.0

21. XACML Business Use Case - 1
   o Use Case
     o X.509 certificate based authentication
     o Authorization for web service operations based on the X.509 certificate's details such as CN, OU and O

22. XACML Business Use Case - 1
   o Key Challenges
     o Implementing a PEP to extract data from the X.509 certificate
     o Writing XACML policies
     o Managing and updating XACML policies efficiently
   o Solutions
     o X.509 authentication with WSO2 ESB
     o WSO2 ESB Entitlement Mediator as PEP
     o Policy editors in WSO2 Identity Server
     o Policy references
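The first key challenge on slide 22 is the PEP pulling CN, OU and O out of the certificate and turning them into subject attributes. The example below is added here and is not the Entitlement Mediator's code; it assumes the ESB has already authenticated the client certificate (chain validation is not the PEP's job) and that the PEP receives the Subject DN as an RFC 4514 string. The urn:example attribute ids are assumptions; the action-id is the standard XACML identifier. The parser splits only on unescaped commas, because a naive split would let a comma inside a certificate field read as an extra RDN and so as a second OU value.

```python
"""PEP-side attribute extraction for use case 1 (added example; not WSO2 code).
Assumes the transport layer (the ESB in the deck) has already validated the
client certificate chain, so the PEP only has to map Subject DN fields to XACML
subject attributes and build a JSON-profile-shaped request. Attribute ids
prefixed urn:example are constructed; action-id is the standard XACML one."""

def parse_dn(dn: str) -> dict:
    """Parse an RFC 4514 string DN such as 'CN=bob,OU=sales,O=Acme\\, Inc.'.

    Only unescaped commas separate RDNs, so a comma inside a certificate
    field cannot be read as a second RDN (e.g. a bogus extra OU). Multi-valued
    RDNs joined with '+' are not handled here.
    """
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    fields = {}
    for rdn in rdns:
        key, sep, value = rdn.partition("=")
        if sep:
            fields[key.strip().upper()] = value.strip()
    return fields

SUBJECT_ATTRS = {"CN": "urn:example:subject:cn",   # constructed ids
                 "OU": "urn:example:subject:ou",
                 "O": "urn:example:subject:o"}
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"

def build_request(subject_dn: str, operation: str) -> dict:
    """Turn the certificate subject plus the requested operation into a request."""
    fields = parse_dn(subject_dn)
    subject = [{"AttributeId": attr_id, "Value": fields[name]}
               for name, attr_id in SUBJECT_ATTRS.items() if name in fields]
    return {"Request": {
        "AccessSubject": {"Attribute": subject},
        "Action": {"Attribute": [{"AttributeId": ACTION_ID, "Value": operation}]},
    }}
```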
23. XACML Business Use Case - 1

24. XACML for Web Applications
   o The presentation layer differs depending on the authenticated user

25. XACML for Web Applications
   o Multiple Decision Profile
   o Hierarchical Resource Profile

26. XACML Business Use Case - 2
   o Use Case
     o Externalized authorization system for Liferay Portal
     o Authorized menu items, images and links are shown to authenticated users
     o ABAC using the existing OpenDJ user store
     o Reusing the authorization system for web service and API access control

27. XACML Business Use Case - 2

28. XACML Business Use Case - 2
   o Key Challenges
     o Implementing a PEP for Liferay Portal
     o Performance with XACML
     o Writing and managing XACML policies
   o Solutions
     o Liferay handler as PEP
     o Thrift protocol for improving PDP - PEP communication
     o Caching at PEP level
     o Custom built PAP with policy editor

29. XACML Business Use Case - 2

30. XACML for Data Entitlement
   o Filtering data access at the database level

31. XACML for Data Entitlement
   o Filtering data returned from the database

32. XACML for Data Entitlement
   o Modifying input parameters before data is retrieved

33. XACML Business Use Case - 3
   o Use Case
     o Access control for a web application
     o Authorized data must be filtered from a large number of database entries
   o Key Challenges
     o Performance of PEP-PDP communication
     o Performance of filtering data from a large number of database entries

34. XACML Business Use Case - 3
   o Solutions
     o De-centralized PDP
     o OSGi service level communication
     o Modifying SQL queries based on authorization decisions
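Slides 30 to 34 describe pushing the filter into the SQL query rather than fetching every row and asking the PDP about each one. The example below is added for this transcript and is not WSO2's code: the PDP is stubbed in-process (the deck's de-centralized, OSGi-level PDP), the permitted departments come back as an obligation on the Permit result (a convention assumed here), and the PEP narrows the query with bound parameters, so the decision data never gets concatenated into SQL. Anything other than a scoped Permit returns no rows.

```python
"""Data-entitlement PEP for use case 3 (added example; not WSO2's code).
Instead of fetching every row and asking the PDP about each one, the PEP asks
once, gets the departments the subject may read (modelled here as an
obligation on the Permit result, a constructed convention) and narrows the
SQL query with bound parameters before the rows leave the database."""
import sqlite3

FILTER_OBLIGATION = "urn:example:obligation:department-filter"  # constructed id

def open_demo_db() -> sqlite3.Connection:
    """Constructed sample table standing in for the large entity table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invoices (id INTEGER, department TEXT, amount REAL)")
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?)", [
        (1, "finance", 120.0), (2, "sales", 80.0),
        (3, "finance", 45.5), (4, "hr", 10.0)])
    return conn

def pdp_decide(subject: dict) -> dict:
    """Stand-in for the (in-process, OSGi-level) PDP call; constructed policy."""
    allowed = {"alice": ["finance", "sales"], "bob": ["hr"]}.get(subject["id"], [])
    if not allowed:
        return {"Decision": "Deny"}
    return {"Decision": "Permit",
            "Obligations": [{"Id": FILTER_OBLIGATION, "Values": allowed}]}

def fetch_invoices(conn: sqlite3.Connection, subject: dict) -> list:
    """PEP: enforce the decision by rewriting the query with bound parameters."""
    result = pdp_decide(subject)
    if result["Decision"] != "Permit":
        return []  # Deny, NotApplicable and Indeterminate all mean no rows
    scopes = [o for o in result.get("Obligations", []) if o["Id"] == FILTER_OBLIGATION]
    if not scopes:
        return []  # a Permit the PEP cannot scope is treated as unenforceable
    allowed = scopes[0]["Values"]
    placeholders = ",".join("?" * len(allowed))  # one '?' per department value
    sql = ("SELECT id, department, amount FROM invoices "
           f"WHERE department IN ({placeholders}) ORDER BY id")
    return conn.execute(sql, allowed).fetchall()
```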
35. XACML Business Use Case - 3

36. XACML for Centralized Entitlement
   o Multiple applications, each with its own legacy access control system

37. XACML for Centralized Entitlement
   o Centralized, externalized and standardized

38. XACML Business Use Case - 4
   o Use Case
     o Centralized management for access control
     o Retiring legacy authorization systems
     o Externalized and standardized approaches
     o Large scale deployment
   o Key Challenges
     o Integrating with legacy authorization data
     o Policy generation with existing data
     o Performance
     o Policy distribution
     o Auditing

39. XACML Business Use Case - 4
   o Solutions
     o Policy generation tools
     o Policy information points for integrations
     o Thrift protocol for improving PDP - PEP communication
     o Policy distribution patterns
     o Policy notifications
     o Policy reverse search for auditing

40. XACML Business Use Case - 4

41. XACML Business Use Case - 4

42. XACML Business Use Case - 4

43. Q & A

44. Contact us!