CIS14: Baking Fine-Grained Authorization Into Your Apps and APIs using ALFA, REST, and JSON

Next-generation access control is undergoing a bit of an identity crisis. Some call it eXternalized Authorization Management, others Dynamic Access Control and still others just refer to it as Attribute Based Access Control (ABAC). Until now, XACML and ABAC have been the two pillars supporting next-gen AuthZ. Gartner predicts that 70% of enterprises will adopt ABAC by 2020.

  1. Why lasagna is better than spaghetti. Building authorization into your apps, APIs, and DB using JSON, REST & ALFA. © Axiomatics 2014 - @axiomatics
  2. Before we begin, a little draw. Drop in your card at the Axiomatics booth for a chance to win a Bose bluetooth speaker.
  3. A little history of pasta. Meet Sally. And her precious one. And so lasagna kicked spaghetti out.
  4. Doesn't your code feel like spaghetti? (if/then/else mixology)
  5. A little history of access control. [Chart based on Hilbert and Lopez, 2011: years 1986 to 2007 on the x-axis, 0 to 300 on the y-axis; stored information goes from ~0.7% digital to ~93% digital, with DAC, MAC, RBAC and ABAC marked along the timeline as access control challenges increase.]
  6. What's our secret ingredient? Attributes... Attributes... Attributes...
  7. Attribute-Based Access Control. Who... What... Where... When... Why... How... Attributes can describe everything (not just who).
  8. The secret sauce? Policy-Based Access Control. Centralized... Easy to audit... eXtensible... Standardized... Attribute-based...
  9. XACML (eXtensible Access Control Markup Language) = ABAC + PBAC
  10. XACML supports Schrödinger's cat (Paul Madsen's).
  11. Bake in layers: authorization at the right place. Presentation tier... Web app tier... Business tier... API tier... Data tier...
  12. Bake once, enjoy everywhere. Presentation Tier, API & WS Tier, Business Tier and Data Tier all call one eXternalized Authorization Service.
  13. How does Chef Gebel take it to the next level? "I use ALFA, 100% XACML. I use JSON and REST too, easy on the developers."
  14. THE ALFA PLUGIN FOR ECLIPSE: Authorization's KitchenAid
  15. What's ALFA
      • Abbreviated Language for Authorization
      • OASIS
        – Axiomatics language donated to OASIS XACML
        – In the process of standardization
      • Goals
        – Makes XACML policies easier to write
        – Simplifies XACML structure
        – Enhances possibilities
      • Audience
        – Aimed at developers initially
        – Very popular with business analysts
  16. What's the ALFA plugin?
      • Add-on to Eclipse, the popular IDE
      • Lets you write ALFA easily
        – Auto-complete
        – Syntax checking
        – Syntax coloring
      • Converts ALFA into XACML 3.0 policies on the fly
      • Lets you test your policies
      Available for free from Axiomatics.
  17. An example: the insurance use case
      • Authorization requirement
        – A customer can view his/her own policies and the policies of a spouse that are not marked as private
      • Identify the attributes
        – User type; action; policy owner; policy private flag; spouse; object type; user identity
      • Rework the rule
        – A user with type==customer can do action==view on object of type==policy...
          • if and only if policyOwner == userId or,
          • if and only if policyPrivateFlag==false && policy.owner==user.spouse
      • Implement in ALFA
  18. THE JSON PROFILE OF XACML: Delicious & Healthy
  19. Objectives
      • Lightweight notation
      • Get rid of the verboseness of XML
      • Easy to write
      • Broader support for languages (JS, Python...)
      • Remove the XACML / XML redundancy
      • Infer certain things, e.g. datatypes
  20. The JSON Profile - Basics
      • The profile is a close mirror of the XML XACML request / response
      • It is possible to omit information and use inference
        – Reasonable defaults
        – E.g. String is not specified.
      • Default category names
        – AccessSubject, Resource, Action, Environment
  21. Example in HTML/Javascript
      <script language="javascript">
        // Build a XACML JSON-profile request; AccessSubject is one of the default category names
        var jsonRequest = new Object();
        jsonRequest.Request = new Object();
        jsonRequest.Request.AccessSubject = new Object();
        // jsonRequest.Request.AccessSubject.Attribute holds the list of subject attributes
        var userId = new Object();
        userId.AttributeId = "userId";
        userId.Value = "John";       // no DataType given: the profile infers string
        var role = new Object();
        role.AttributeId = "role";
        role.Value = "manager";
        jsonRequest.Request.AccessSubject.Attribute = [userId, role];
      </script>
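The insurance rule from slide 17 expressed as a JSON-profile request in the style of slides 20 and 21, with a small mock evaluator that mirrors the rule. This is an added example, not code from the slides or from Axiomatics; the attribute ids and the mock PDP are assumptions standing in for a real policy engine.

```javascript
// Added example (not from the slides): the insurance rule from slide 17 encoded as a
// XACML JSON-profile request, evaluated by a mock PDP that mirrors the ALFA rule.
// Attribute ids are assumed names; a real deployment would send this to a PDP.

// Build a JSON-profile request with the default category names. DataType is
// omitted everywhere, so a PDP would infer string; the private flag is sent as
// the strings "true"/"false" to stay consistent with that inference.
function buildRequest(user, policy, action) {
  return {
    Request: {
      AccessSubject: { Attribute: [
        { AttributeId: "userId", Value: user.id },
        { AttributeId: "userType", Value: user.type },
        { AttributeId: "spouse", Value: user.spouse }
      ] },
      Resource: { Attribute: [
        { AttributeId: "objectType", Value: "policy" },
        { AttributeId: "policyOwner", Value: policy.owner },
        { AttributeId: "policyPrivateFlag", Value: String(policy.isPrivate) }
      ] },
      Action: { Attribute: [ { AttributeId: "action", Value: action } ] }
    }
  };
}

// Look up one attribute value in a category; a missing attribute yields undefined
// so the rule below falls through to Deny instead of throwing.
function attr(req, category, id) {
  const list = (req.Request[category] || {}).Attribute || [];
  const hit = list.find(a => a.AttributeId === id);
  return hit ? hit.Value : undefined;
}

// Mock PDP for the rule: a customer may view a policy if and only if
// policyOwner == userId, or policyPrivateFlag == false and policyOwner == spouse.
// Anything not matched explicitly is denied, so the evaluator fails closed.
function evaluate(req) {
  const inTarget = attr(req, "AccessSubject", "userType") === "customer" &&
                   attr(req, "Action", "action") === "view" &&
                   attr(req, "Resource", "objectType") === "policy";
  const owner = attr(req, "Resource", "policyOwner");
  const isOwner = owner !== undefined && owner === attr(req, "AccessSubject", "userId");
  const spouseOk = attr(req, "Resource", "policyPrivateFlag") === "false" &&
                   owner !== undefined && owner === attr(req, "AccessSubject", "spouse");
  const decision = inTarget && (isOwner || spouseOk) ? "Permit" : "Deny";
  return { Response: [ { Decision: decision } ] };
}
```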
  22. Size of a XACML request. [Chart: word count and character count of the same request in XML versus JSON; the word-count axis runs 0 to 50 and the character-count axis 0 to 1400.]
  23. THE REST PROFILE OF XACML: The perfect way to serve your lasagna
  24. Why a "REST" profile?
      • No standard transport protocol in XACML core
      • Different implementations have different SOAP wrappings
      • SOAP in itself is losing in popularity
      • Provide easy means to send authorization request
  25. Posting the JSON Request in Javascript
      var xmlHttp = null;
      function authorize() {
        // The textarea already holds the JSON-profile request as text, so it is sent as-is
        // (wrapping it in JSON.stringify would double-encode it as a JSON string)
        var xacmlRequest = document.getElementById("xacmlrequest").value;
        var Url = "https://localhost:5443/axio/authorize";
        xmlHttp = new XMLHttpRequest();
        xmlHttp.onreadystatechange = ProcessRequest;
        xmlHttp.withCredentials = true;
        xmlHttp.open("POST", Url, true);   // asynchronous; ProcessRequest handles the reply
        xmlHttp.setRequestHeader("Accept", "application/xacml+json");
        xmlHttp.setRequestHeader("Content-Type", "application/xacml+json");
        xmlHttp.setRequestHeader("Authorization", "Basic cGVwOnBhc3N3b3Jk");   // demo credential from the slide
        xmlHttp.send(xacmlRequest);
      }
      function ProcessRequest() {
        // Only act once the response is complete and the PDP answered 200
        if (xmlHttp.readyState === 4 && xmlHttp.status === 200) {
          var response = JSON.parse(xmlHttp.responseText);
          console.log(response.Response[0].Decision);
        }
      }
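A fail-closed wrapper around the REST-profile call shown above, added here as an example rather than taken from the slides. It assumes a fetch implementation (browser or Node 18+) and a PDP URL supplied by the caller; the media type is the application/xacml+json value from the slide.

```javascript
// Added example (not from the slides): a fail-closed wrapper around the REST profile
// call. Uses fetch (assumed available) and the application/xacml+json media type from
// the slide; the PDP URL and the Basic credential are passed in by the caller.

// Turn a PDP response body into a boolean. Only an explicit "Permit" grants access;
// Deny, NotApplicable, Indeterminate, an empty result list or malformed JSON all deny.
function isPermitted(bodyText) {
  let parsed;
  try { parsed = JSON.parse(bodyText); } catch (e) { return false; }
  const results = parsed && Array.isArray(parsed.Response) ? parsed.Response : [];
  return results.length > 0 && results.every(r => r.Decision === "Permit");
}

// fetch options for the REST profile: the request object is serialised exactly once,
// here, and the credential is a parameter rather than a literal in the page source.
function buildPostOptions(requestObj, basicCredential) {
  return {
    method: "POST",
    credentials: "include",
    headers: {
      "Accept": "application/xacml+json",
      "Content-Type": "application/xacml+json",
      "Authorization": "Basic " + basicCredential
    },
    body: JSON.stringify(requestObj)
  };
}

// Send the request and resolve to true only on HTTP 200 with a Permit decision;
// any transport, authentication or parsing failure resolves to false.
async function authorize(pdpUrl, requestObj, basicCredential) {
  const res = await fetch(pdpUrl, buildPostOptions(requestObj, basicCredential));
  if (res.status !== 200) return false;
  return isPermitted(await res.text());
}
```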
  26. And now, let's bake!
  27. Ok, so it's time to wrap up
  28. Forget spaghetti. Whip up lasagna! (Sorry Sergio Leone) REST + ALFA + JSON: a recipe for success. Don't forget to pair the pasta with an elegant wine. Ask @ggebel, our head sommelier, for recommendations.
  29. Summary
      • EAM (eXternalized Authorization Management): the act of cleanly separating business logic from authorization logic and maintaining each one independently
      • ABAC (Attribute-based access control): an authorization model whereby parameters about the user, resource, action, and environment can be used to determine access
      • PBAC (Policy-based access control): an authorization model which uses attributes combined together inside policies to define granted or denied access
      • XACML (eXtensible Access Control Markup Language): the standard implementation of ABAC and PBAC, done by OASIS
  30. References
      • REST profile of XACML
      • JSON profile of XACML
      • ALFA profile of XACML
      -> Available on the OASIS XACML TC website: oasis-open.org/committees/tc_home.php?wg_abbrev=xacml
  31. Thank you all. David Brossard, Axiomatics - the leaders in ABAC & PBAC. @davidjbrossard, @axiomatics, http://developers.axiomatics.com
