
Apply fine-grained authorization to Java MVC applications



N-tier applications can be challenging from a security perspective. Security policies affect the user interface as well as the business layer and even the data layer. Users should only be presented with the UIs and widgets relevant to their permissions, and at the same time the underlying business objects must be protected. Externalizing authorization lets architects and developers move security policies out of the code into a common layer or authorization service. With the rise of the eXtensible Access Control Markup Language (XACML), a policy-based, multi-factor authorization language, it has become easy to define and apply rich authorization policies. Still, how do you efficiently ensure that one single policy is applied across all your MVC layers?

In this webinar we will discuss:
- An end-to-end scenario
- Policies and enforcement strategies for UIs
- Business objects
- The data tier.

We will also explain how you apply XACML-driven authorization via:
- Java annotations and aspect-oriented programming
- SQL filtering
- Checks on the presentation tier.

Published in: Technology


  1. Webinar: Apply fine-grained authorization to Java MVC apps
  2. Webinar: Apply fine-grained authorization to Java MVC apps (this webinar will start in:)
  3. Guidelines
     - You are muted centrally
     - The webinar is recorded
     - Slides available for download
     - Q&A at the end
  4. Twitter: @axiomatics #XACML #MVC #Java
  5. Speakers & Agenda
     - Today's speakers: Andreas Sjöholm, Saravana Kumar Sankaramoorthy, David Brossard
     - What's fine-grained authorization?
     - A note on XACML
     - Apply fine-grained authorization to an MVC app: presentation tier, business tier, data tier
     - Today's use case: Acme, a car retailer
  6. What is fine-grained authorization? (section: Fine-grained & Externalized Authorization)
  7. Today's business challenge
     - Businesses are more dynamic
     - The will/need to share is more important
     - Provide better service / care
     - The amount of data is increasing
     - Everything is electronic, from health records to book reviews
     - Consuming patterns are evolving
     - Consumers are going mobile
  8. Introducing eXternalized authorization
     - Gartner: "Externalized Authorization Management"
     - Centralized
     - Decoupled from your applications' business logic
     - Policy-based
     - Multi-factor & fine-grained: Who? What? When? Where? Why? How?
     - Standardized: XACML
  9. Any-Depth Authorization
  10. Behold XACML!
      - eXtensible Access Control Markup Language
      - An OASIS standard
      - The de facto standard for fine-grained access control
      - Current version: 3.0
      - XACML defines a policy language, a request / response scheme, and an architecture
  11. Three key points of XACML
      - Policy-based: use policies to describe and implement complex AuthZ
      - Attribute-based: an attribute consists of an identifier, datatype, and value
      - Technology-neutral: apply XACML to Java, .NET, and more
  12. More on eXternalized Authorization
      - Check out the Axiomatics webinar by Srijith Nair (@srijith)
      - YouTube:
      - SlideShare:
  13. Fine-grained authorization in the presentation tier
  14. Challenge
      - Users should only be presented with the relevant UI
      - For instance, controls should be enabled/disabled depending on user permissions
      - Use fine-grained authorization to deliver the best UX possible
  15. Approach
      - Use widget properties
      - Use JSP tags
      - Use templates
      - Use obligations and advice to help the user
        - Example: tell the user why they cannot approve a PO
        - Example: implement a 2-factor authentication flow
      - Use the Axiomatics Policy Server (enterprise authorization server)
  16. Fine-grained authorization in the business tier: using annotations and aspect orientation
  17. Challenge
      - Security seen as a hindrance
      - Authorization code is often mixed with application code
      - Authorization is often poorly implemented, if at all
  18. Approach
      - Use filters and interceptors on APIs
      - Use aspect-oriented programming (AOP) to inject authorization behavior into the business logic
      - Use the Axiomatics Policy Server (enterprise authorization server)
  19. Introducing Aspects
      - First there was Object Orientation (OO): static models
      - Aspect Oriented Programming makes OO dynamic
        - Handles cross-cutting concerns
        - Provides advice at certain (join) points
        - Non-intrusive to boilerplate code
      - XACML and AOP fit nicely together: let a PDP provide the decisions that handle the authorization concern
      - AOP implementations: AspectJ (the one used here), Spring AOP
  20. Axiomatics XACML AOP
      - Adds fine-grained authorization to Java code
      - Supports legacy applications with minimal intrusion
      - Using it we can
        - Invoke the PDP at various well-defined places
        - Avoid touching source code
        - Filter returned objects via obligations
        - Let the UI adapt to the security context
        - Attach to other frameworks to collect attributes (Spring...)
        - Auto-generate application-specific documentation for policy authors (attribute ontologies) based on the source code
  21. Fine-grained authorization in the data tier
  22. Challenge
      - Control access to data stored in databases
      - The data is not known a priori
      - Traditional XACML (one PDP decision per record) does not scale to millions of records
  23. Approach
      - Integrate with the database
      - Parse the SQL statement
      - Augment the SQL statement with a filter (WHERE clause)
      - Use the Axiomatics Data Access Filter (new in October 2013): delivers row-level data filtering for Oracle databases
  24. A Java MVC Demo: the "Car demo"
  25. The use case
      - Acme Inc. is a used-car retailer
      - Acme Inc. buys and sells vehicles
      - Acme Inc. is a highly-distributed company with stores across the 50 states
      - Acme Inc. wants to make sure only the right employees buy and sell vehicles at the right price
      - Acme Inc. wants a smooth experience for employees and customers alike
      - Acme Inc. also wants to go mobile
        - Offer mobile applications for its employees
        - Deliver better value to their customers
  26. The architecture (diagram): a Java web app on Apache Tomcat; users authenticate via JAAS against a User Directory; the presentation tier calls the business tier, which retrieves data via JPA
  27. Apply authorization to the Java architecture (diagram): the same stack as slide 26, with Axiomatics enforcement added at each tier and Oracle VPD in front of the database
  28. Sample authorization logic
      - Authorization requirements
        - Users in purchasing can view the purchasing menu
        - Users in purchasing can create purchase orders in their region
        - Managers in purchasing can approve purchase orders up to their approval limit
      - Policies about functions, data, and widgets...
      - Attributes (multi-factor authorization)
        - User: role, department, approval limit, location
        - Resource: type, location, amount
        - Action: action-id (view, create, edit)
        - Context: time of the day...
  29. Structure your authorization (policy tree): Purchasing -> View; Create (same region); Approve (same region & approval limit)
  30. Code deep-dive: the presentation tier
      - In this demo, we control the menu
      - The menu is written in Java and JavaScript using jQuery
      - Let's write some JSP if/else to control which parts of the menu are rendered
      - Note: consider using JSF or a presentation framework; you can then use widget properties to enable/disable or show/hide the widgets
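Slide 15 suggests JSP tags rather than the if/else of slide 30, and slide 15 also suggests using advice to tell the user why a widget is unavailable. The tag handler below is an added example written for this page, not Axiomatics' code: it renders its body only when the PDP returns Permit, and on Deny exposes the advice string to the page. The `PolicyDecisionPoint` interface, the ServletContext attribute name "pdp", the session attribute "subject" and the tag name `authz:permit` are assumptions of this example; it targets the `javax.servlet.jsp` API (Tomcat 9) and Java 16+ for records.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.jsp.JspException;
import javax.servlet.jsp.PageContext;
import javax.servlet.jsp.tagext.SimpleTagSupport;

// Minimal PDP contract (assumed); a real deployment would send a XACML request to the Policy Server.
interface PolicyDecisionPoint { Decision evaluate(Map<String, Object> request); }
record Decision(boolean permit, String advice) {}   // advice: a reason to show the user on Deny

/**
 * <authz:permit resource="purchasing-menu" action="view"> ... </authz:permit>
 * renders its body only if the PDP returns Permit. Assumed wiring (this example's own):
 * the PDP is the ServletContext attribute "pdp" and the logged-in user's XACML attributes
 * (e.g. "subject.department") are a Map stored in the session attribute "subject".
 */
public class PermitTag extends SimpleTagSupport {
    private String resource;                  // resource.type, e.g. "purchasing-menu", "purchase-order"
    private String action;                    // action-id, e.g. "view", "approve"
    private String adviceVar = "authzAdvice"; // page-scope variable that receives the advice on Deny

    public void setResource(String resource) { this.resource = resource; }
    public void setAction(String action) { this.action = action; }
    public void setAdviceVar(String adviceVar) { this.adviceVar = adviceVar; }

    @Override
    public void doTag() throws JspException, IOException {
        PageContext pc = (PageContext) getJspContext();
        Object pdpObj = pc.getServletContext().getAttribute("pdp");
        Object subj = pc.getSession() == null ? null : pc.getSession().getAttribute("subject");
        if (!(pdpObj instanceof PolicyDecisionPoint) || !(subj instanceof Map)) {
            return;   // fail closed: no PDP or no authenticated subject means the widget is not rendered
        }
        @SuppressWarnings("unchecked")
        Map<String, Object> req = new HashMap<>((Map<String, Object>) subj);   // subject attributes
        req.put("resource.type", resource);                                     // resource attributes
        req.put("action-id", action);                                           // action attribute
        Decision d = ((PolicyDecisionPoint) pdpObj).evaluate(req);
        if (d.permit()) {
            if (getJspBody() != null) getJspBody().invoke(null);   // Permit: emit the protected markup
        } else if (d.advice() != null) {
            // Deny with advice: render nothing, but let the page explain why
            pc.setAttribute(adviceVar, d.advice(), PageContext.PAGE_SCOPE);
        }
    }
}
```

Declare the tag in a TLD (`<tag-class>PermitTag</tag-class>`, attributes `resource`, `action`, `adviceVar`), wrap each menu entry in `<authz:permit resource="purchasing-menu" action="view">`, and show the denial reason with `<c:out value="${authzAdvice}"/>` so that advice text is HTML-escaped before it reaches the browser. Hiding a menu entry is a usability measure only; the business-tier and data-tier enforcement still has to exist, because a user can request the URL behind a hidden widget directly.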
  31. Code deep-dive: use AOP & annotations
      - Apply the @XacmlEnforcementPoint annotation to the service method:

            public interface VehicleService {
                @XacmlEnforcementPoint
                Order createPurchaseOrder();
            }

      - Annotate the POJOs with @XacmlAttribute so their fields are sent to the PDP as attributes:

            class PurchaseOrder {
                @XacmlAttribute String identifier;
                @XacmlAttribute Double amount;
            }
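To show what the annotations on slide 31 and the aspect described on slides 19 and 20 do at run time, here is an added example, not Axiomatics' XACML AOP library: an AspectJ aspect that intercepts every execution of an `@XacmlEnforcementPoint` method, collects the `@XacmlAttribute` fields of the arguments into an attribute map, asks a PDP, and either proceeds or throws. The annotation names come from the slide; their attributes, the `PolicyDecisionPoint` interface and the `DemoPdp` that encodes slide 28's sample rules in Java (in a real deployment the rules live in XACML on the Policy Server) are assumptions of this example. It needs `aspectjrt` and `aspectjweaver` on the classpath and Java 16+.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Field;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import java.util.function.Supplier;
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;

// Annotation names follow slide 31; the attributes and everything else are this example's own.
@Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
@interface XacmlEnforcementPoint { String action(); }

@Retention(RetentionPolicy.RUNTIME) @Target(ElementType.FIELD)
@interface XacmlAttribute { String value(); }   // XACML attribute id, e.g. "resource.amount"

record Decision(boolean permit, String advice) {}   // advice: reason shown to the user on Deny
record Subject(String department, String role, String region, double approvalLimit) {}
interface PolicyDecisionPoint { Decision evaluate(Map<String, Object> request); }

class PurchaseOrder {
    @XacmlAttribute("resource.location") final String location;
    @XacmlAttribute("resource.amount")   final double amount;
    PurchaseOrder(String location, double amount) { this.location = location; this.amount = amount; }
}

/** Stand-in PDP: slide 28's sample rules written in Java instead of XACML, for illustration only. */
class DemoPdp implements PolicyDecisionPoint {
    public Decision evaluate(Map<String, Object> r) {
        if (!"purchasing".equals(r.get("subject.department"))) return new Decision(false, "purchasing staff only");
        boolean sameRegion = Objects.equals(r.get("subject.region"), r.get("resource.location"));
        switch (String.valueOf(r.get("action-id"))) {
            case "view":   return new Decision(true, null);
            case "create": return sameRegion ? new Decision(true, null)
                                             : new Decision(false, "orders may only be created in your own region");
            case "approve": {
                double limit = (Double) r.get("subject.approval-limit");
                double amount = (Double) r.get("resource.amount");
                if (!"manager".equals(r.get("subject.role")) || !sameRegion)
                    return new Decision(false, "only managers in the order's region may approve");
                return amount <= limit ? new Decision(true, null)
                                       : new Decision(false, "amount exceeds your approval limit of " + limit);
            }
            default: return new Decision(false, "no applicable policy");   // deny by default
        }
    }
}

/** Policy Enforcement Point as an aspect: wraps every execution of an @XacmlEnforcementPoint method. */
@Aspect
public class XacmlEnforcementAspect {
    // Set once at startup; with Spring AOP these would be injected into the aspect bean instead.
    static PolicyDecisionPoint pdp = new DemoPdp();
    static Supplier<Subject> currentSubject;   // e.g. resolved from the request's JAAS principal

    @Around("execution(* *(..)) && @annotation(ep)")
    public Object enforce(ProceedingJoinPoint pjp, XacmlEnforcementPoint ep) throws Throwable {
        Subject s = currentSubject.get();
        Map<String, Object> req = new HashMap<>();
        req.put("action-id", ep.action());
        req.put("subject.department", s.department());
        req.put("subject.role", s.role());
        req.put("subject.region", s.region());
        req.put("subject.approval-limit", s.approvalLimit());
        for (Object arg : pjp.getArgs()) collectAttributes(arg, req);   // @XacmlAttribute fields of each argument
        Decision d = pdp.evaluate(req);
        if (!d.permit()) throw new SecurityException("Denied " + ep.action() + ": " + d.advice());
        return pjp.proceed();   // Permit: run the business method unchanged
    }

    private static void collectAttributes(Object arg, Map<String, Object> req) throws IllegalAccessException {
        if (arg == null) return;
        for (Field f : arg.getClass().getDeclaredFields()) {
            XacmlAttribute a = f.getAnnotation(XacmlAttribute.class);
            if (a == null) continue;
            f.setAccessible(true);
            req.put(a.value(), f.get(arg));   // boxed value, e.g. Double for a double field
        }
    }
}

class VehicleService {
    @XacmlEnforcementPoint(action = "approve")
    public String approvePurchaseOrder(PurchaseOrder po) { return "approved " + po.location + " " + po.amount; }

    // Compile with ajc, or run with -javaagent:aspectjweaver.jar and an aop.xml, so the aspect is woven in.
    public static void main(String[] args) {
        XacmlEnforcementAspect.currentSubject = () -> new Subject("purchasing", "manager", "AZ", 10_000);
        VehicleService svc = new VehicleService();
        System.out.println(svc.approvePurchaseOrder(new PurchaseOrder("AZ", 5_000)));   // within limit: Permit
        try { svc.approvePurchaseOrder(new PurchaseOrder("AZ", 50_000)); }             // over limit: Deny
        catch (SecurityException e) { System.out.println(e.getMessage()); }
    }
}
```

The pointcut is restricted to `execution(...)` so that the advice runs once per invocation; `@annotation(ep)` alone would also match the call join point and the PDP would be asked twice. Because the aspect throws on Deny, a caller that swallows `SecurityException` would silently lose the denial, so keep that exception unchecked and let it propagate to the web tier's error handling.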
  32. Code deep-dive: Oracle VPD integration
      - Configure the Java web app to pass down the client information
      - Configure VPD to reach out to the Data Access Filter
      - VPD appends the produced WHERE clause to the original SQL statement
      - Flow: (1) the user views purchase orders in the Java web app; (2) the app issues SELECT * FROM purchaseOrders; (3) Oracle VPD appends WHERE location='AZ'
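Slides 23 and 32 describe the data-tier technique, augmenting the SQL with a WHERE clause derived from the user's attributes, but show only the result (`WHERE location='AZ'`). The class below is an added example, not the Axiomatics Data Access Filter or Oracle VPD: it derives the row filter from slide 28's rule "users in purchasing can view purchase orders in their region", wraps the application's SELECT as an inline view, and binds the region values as JDBC parameters instead of inlining literals. `RowFilter`, `Subject`, the alias `authz_view` and the rule itself are assumptions of this example; it goes beyond the slide by allowing a user with several regions (an IN list) and by returning a `1 = 0` filter for users with no access.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.Collections;
import java.util.List;

/** A WHERE fragment that uses only '?' placeholders, with its bind values kept separate. */
record RowFilter(String condition, List<Object> params) {
    static final RowFilter DENY_ALL = new RowFilter("1 = 0", List.of());   // matches no rows
}

record Subject(String department, List<String> regions) {}

public class DataAccessFilter {
    /** Stand-in for the PDP / Data Access Filter: purchasing staff see orders in their own region(s). */
    static RowFilter filterFor(Subject s) {
        if (!"purchasing".equals(s.department()) || s.regions().isEmpty()) return RowFilter.DENY_ALL;
        String marks = String.join(", ", Collections.nCopies(s.regions().size(), "?"));
        return new RowFilter("location IN (" + marks + ")", List.copyOf(s.regions()));
    }

    /** Wrap the application's SELECT as an inline view so the filter applies whatever WHERE/GROUP BY it has. */
    static String augment(String originalSelect, RowFilter f) {
        return "SELECT * FROM (" + originalSelect + ") authz_view WHERE " + f.condition();
    }

    /** The values travel as bind parameters; the filter never inlines a literal like 'AZ' into the SQL text. */
    static PreparedStatement prepare(Connection c, String originalSelect, Subject s) throws SQLException {
        RowFilter f = filterFor(s);
        PreparedStatement ps = c.prepareStatement(augment(originalSelect, f));
        for (int i = 0; i < f.params().size(); i++) ps.setObject(i + 1, f.params().get(i));
        return ps;
    }

    public static void main(String[] args) {
        String sql = "SELECT * FROM purchaseOrders";   // the statement the web app issues (slide 32, step 2)
        for (Subject s : List.of(new Subject("purchasing", List.of("AZ")),         // one region
                                 new Subject("purchasing", List.of("AZ", "NV")),   // two regions -> IN (?, ?)
                                 new Subject("sales", List.of("AZ")))) {          // not purchasing -> 1 = 0
            RowFilter f = filterFor(s);
            System.out.println(augment(sql, f) + "   params=" + f.params());
        }
    }
}
```

The inline-view wrapping avoids parsing the application's SQL, but it requires the filter column (`location`) to be among the selected columns, and an outer query without its own ORDER BY gives no ordering guarantee. This is also the reason the slide puts the filter inside Oracle VPD rather than in application code: a policy attached to the table applies to every statement that reaches it, including ones from code paths that skip the application's wrapper.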
  33. Other areas
      - Spring Security
      - JAAS integration
      - JSP taglibs
      - JMS
      - Can you name any?
      - Goal: provide a unified, standardized way of applying fine-grained authorization across multiple applications
  34. eXternalized Authorization
      - Simpler management: the authorization logic is externalized into XACML policies
      - You no longer need to write Java code for it; if the authorization logic changes, update the policies
      - Strive for configuration-based authorization, e.g. via interceptors (servlet filters, JAX-WS handlers)
      - Configure the handlers using the target framework's config files (e.g. web.xml)
  35. eXternalized Authorization saves time (chart): before, 80% of the effort goes to business logic and 20% to security; after, 95% business logic and 5% security
  36. Beyond Java: apply the same architectural approach and XACML policies to .NET, Perl, Python, Ruby, business apps, and more
  37. The Axiomatics XACML Developers Website
      - Community for XACML developers
      - Technical blog
      - Download code samples
      - Understand policy modeling
      - XACML Reference Library: functions, data types...
      - Download the ALFA plugin for Eclipse
  38. Upcoming events
      - Gartner IAM Summit, Los Angeles, Nov. 18th - 20th
      - InfoSec Financial, London, Nov 19th and 20th
  39. Questions? Contact us at © 2013 Axiomatics AB