Successfully reported this slideshow.

Authorization - it's not just about who you are

7

Share

Sep. 12, 2013
7 likes 7,198 views
Upcoming SlideShare
XACML for Developers - Updates, New Tools, & Patterns for the Eager #IAM Deve...
XACML for Developers - Updates, New Tools, & Patterns for the Eager #IAM Deve...
Loading in …3
×
1 of 41
1 of 41

Authorization - it's not just about who you are

Sep. 12, 2013
7 likes 7,198 views

7

Share

Download to read offline

Technology

Worried about who's getting access to your app? Sprinkle in XACML and get access control that is both context-aware, externalized and dynamic.

Need to add more than basic access control to your application? Existing authorization frameworks including their pros and cons, but are typically quite limited. This talk will introduce XACML, the eXtensible Access Control Markup Language, an authorization standard from OASIS that defines fine-grained access control based on attributes. The XACML standard enables much more dynamic authorization that not only focuses on the user but also on resources, actions, and the context. XACML enables policy-based and attribute-based access control.

The talk with then look at how XACML can be used to apply authorization business rules to any Java application and even beyond (.NET, Ruby...). This is known as “any-breadth authorization”. XACML also enables consistent authorization across multiple layers (presentation tier; web tier; business tier; and data tier). It becomes possible to apply the same authorization logic in a JSF page as in a jdbc connection. This is also known as “any-depth authorization”

During the talk, we will look at live examples of applications using XACML. For instance, we will demonstrate the use of XACML and Java servlets, JAX-WS web services, and APIs as a whole. Attendees will also be able to write their own XACML policies, provided they download the ALFA plugin for Eclipse, an add-on for XACML policy authoring.

In January 2013, XACML 3.0 was approved as a formal standard and there are several implementations available (open-source, free, and commercial) for developers to get started. The talk will illustrate how developers can leverage XACML to quickly apply authorization to new and existing applications. After this session, you will easily be able to add standards-based authorization to your application - and simplify your life!

Worried about who's getting access to your app? Sprinkle in XACML and get access control that is both context-aware, externalized and dynamic.

Need to add more than basic access control to your application? Existing authorization frameworks including their pros and cons, but are typically quite limited. This talk will introduce XACML, the eXtensible Access Control Markup Language, an authorization standard from OASIS that defines fine-grained access control based on attributes. The XACML standard enables much more dynamic authorization that not only focuses on the user but also on resources, actions, and the context. XACML enables policy-based and attribute-based access control.

The talk with then look at how XACML can be used to apply authorization business rules to any Java application and even beyond (.NET, Ruby...). This is known as “any-breadth authorization”. XACML also enables consistent authorization across multiple layers (presentation tier; web tier; business tier; and data tier). It becomes possible to apply the same authorization logic in a JSF page as in a jdbc connection. This is also known as “any-depth authorization”

During the talk, we will look at live examples of applications using XACML. For instance, we will demonstrate the use of XACML and Java servlets, JAX-WS web services, and APIs as a whole. Attendees will also be able to write their own XACML policies, provided they download the ALFA plugin for Eclipse, an add-on for XACML policy authoring.

In January 2013, XACML 3.0 was approved as a formal standard and there are several implementations available (open-source, free, and commercial) for developers to get started. The talk will illustrate how developers can leverage XACML to quickly apply authorization to new and existing applications. After this session, you will easily be able to add standards-based authorization to your application - and simplify your life!

Technology

Recommended

More Related Content

Viewers also liked

Cloud design patterns - Federated Identity & Gatekeeper
Roger Chien
XML And Web Services Security Standards
guest68465b
Oracle Access Management - Customer presentation
Delivery Centric
CIS14: User-Managed Access
CloudIDSummit
Federated Identity Architectures Integrating With The Cloud
rsnarayanan
DevOps & Apps - Building and Operating Successful Mobile Apps
Apigee | Google Cloud
Getting Cloud Architecture Right the First Time Ver 2
David Linthicum
Deep-Dive: API Security in the Digital Age
Apigee | Google Cloud
Web Service Security
n|u - The Open Security Community
CIS 2015 User Managed Access - George Fletcher
CloudIDSummit
Oracle Access Manager Overview
guestf6dc99b
API Gateway - OFM Canberra October 2014
Joelith
Securing your Applications for the Cloud Age
Artur Alves

Similar to Authorization - it's not just about who you are

Axiomatics webinar 13 june 2013 shared
Finn Frisch
Attribute-Based Access Control in Symfony
Adam Elsodaney
Authorization The Missing Piece of the Puzzle
Nordic APIs
Identity Management for Web Application Developers
Prabath Siriwardena
SAP HANA Cloud – Virtual Bootcamp Securing SAP HANA Cloud Applications
SAP PartnerEdge program for Application Development
Securing the Unsecured: Using SSO and XACML to Protect Your Web Apps
WSO2
Dynamic Authorization & Policy Control for Docker Environments
Torin Sandall
Data Entitlement with WSO2 Enterprise Middleware Platform
WSO2
Zinro Eclipsecon 2011
Farooq Kamal
Presentation of Authzforce project, OWcon'19, June 12-13, 2019, Paris.
OW2
Getting Started with Security for your Oracle SOA Suite Integrations
Revelation Technologies
Open sso fisl9.0
Startup Cursos
Lunch Learn - WCF Security
Paul Senatillaka
Bp209
Ryan Baxter
Security As A Service
guest536dd0e
securing-portlets-with-spring-security.pdf
jcarrey
Jpa
vantinhkhuc
Oracle ADF Architecture TV - Design - Designing for Security
Chris Muir
L13: Scripting
medialeg gmbh
WSO2 Identity Server - Product Overview
WSO2

Featured

What to Upload to SlideShare
SlideShare
Be A Great Product Leader (Amplify, Oct 2019)
Adam Nash
Trillion Dollar Coach Book (Bill Campbell)
Eric Schmidt
APIdays Paris 2019 - Innovation @ scale, APIs as Digital Factories' New Machi...
apidays
A few thoughts on work life-balance
Wim Vanderbauwhede
Is vc still a thing final
Mark Suster
The GaryVee Content Model
Gary Vaynerchuk
Mammalian Brain Chemistry Explains Everything
Loretta Breuning, PhD
Blockchain + AI + Crypto Economics Are We Creating a Code Tsunami?
Dinis Guarda
The AI Rush
Jean-Baptiste Dumont
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
Carol Smith
10 facts about jobs in the future
Pew Research Center's Internet & American Life Project
Harry Surden - Artificial Intelligence and Law Overview
Harry Surden
Inside Google's Numbers in 2017
Rand Fishkin
Pinot: Realtime Distributed OLAP datastore
Kishore Gopalakrishna
How to Become a Thought Leader in Your Niche
Leslie Samuel
Visual Design with Data
Seth Familian
Designing Teams for Emerging Challenges
Aaron Irizarry
UX, ethnography and possibilities: for Libraries, Museums and Archives
Ned Potter
Winners and Losers - All the (Russian) President's Men
Ian Bremmer

Related Books

Free with a 14 day trial from Scribd

See all
Bezonomics: How Amazon Is Changing Our Lives and What the World's Best Companies Are Learning from It Brian Dumaine
(4/5)
Free
No Filter: The Inside Story of Instagram Sarah Frier
(4.5/5)
Free
Autonomy: The Quest to Build the Driverless Car—And How It Will Reshape Our World Lawrence D. Burns
(5/5)
Free
Talk to Me: How Voice Computing Will Transform the Way We Live, Work, and Think James Vlahos
(4/5)
Free
SAM: One Robot, a Dozen Engineers, and the Race to Revolutionize the Way We Build Jonathan Waldman
(5/5)
Free
From Gutenberg to Google: The History of Our Future Tom Wheeler
(3.5/5)
Free
The Future Is Faster Than You Think: How Converging Technologies Are Transforming Business, Industries, and Our Lives Peter H. Diamandis
(4.5/5)
Free
So You Want to Start a Podcast: Finding Your Voice, Telling Your Story, and Building a Community That Will Listen Kristen Meinzer
(3.5/5)
Free
Everybody Lies: Big Data, New Data, and What the Internet Can Tell Us About Who We Really Are Seth Stephens-Davidowitz
(4.5/5)
Free
Life After Google: The Fall of Big Data and the Rise of the Blockchain Economy George Gilder
(4/5)
Free
Future Presence: How Virtual Reality Is Changing Human Connection, Intimacy, and the Limits of Ordinary Life Peter Rubin
(4/5)
Free
Live Work Work Work Die: A Journey into the Savage Heart of Silicon Valley Corey Pein
(4.5/5)
Free
Carrying the Fire: 50th Anniversary Edition Michael Collins
(4.5/5)
Free
Ninety Percent of Everything: Inside Shipping, the Invisible Industry That Puts Clothes on Your Back, Gas in Your Car, and Food on Your Plate Rose George
(4/5)
Free
Island of the Lost: An Extraordinary Story of Survival at the Edge of the World Joan Druett
(4/5)
Free
The Basics of Bitcoins and Blockchains: An Introduction to Cryptocurrencies and the Technology that Powers Them (Cryptography, Derivatives Investments, Futures Trading, Digital Assets, NFT) Antony Lewis
(4/5)
Free

Related Audiobooks

Free with a 14 day trial from Scribd

See all
Dignity in a Digital Age: Making Tech Work for All of Us Ro Khanna
(4/5)
Free
After Steve: How Apple Became a Trillion-Dollar Company and Lost its Soul Tripp Mickle
(4.5/5)
Free
The Quiet Zone: Unraveling the Mystery of a Town Suspended in Silence Stephen Kurczy
(4.5/5)
Free
The Wires of War: Technology and the Global Struggle for Power Jacob Helberg
(4/5)
Free
System Error: Where Big Tech Went Wrong and How We Can Reboot Rob Reich
(4.5/5)
Free
If Then: How the Simulmatics Corporation Invented the Future Jill Lepore
(4.5/5)
Free
Liftoff: Elon Musk and the Desperate Early Days That Launched SpaceX Eric Berger
(5/5)
Free
The Science of Time Travel: The Secrets Behind Time Machines, Time Loops, Alternate Realities, and More! Elizabeth Howell
(3/5)
Free
A Brief History of Motion: From the Wheel, to the Car, to What Comes Next Tom Standage
(4/5)
Free
An Ugly Truth: Inside Facebook’s Battle for Domination Sheera Frenkel
(4.5/5)
Free
The Players Ball: A Genius, a Con Man, and the Secret History of the Internet's Rise David Kushner
(4.5/5)
Free
Bitcoin Billionaires: A True Story of Genius, Betrayal, and Redemption Ben Mezrich
(4.5/5)
Free
User Friendly: How the Hidden Rules of Design Are Changing the Way We Live, Work, and Play Cliff Kuang
(4.5/5)
Free
Lean Out: The Truth About Women, Power, and the Workplace Marissa Orr
(4.5/5)
Free
Blockchain: The Next Everything Stephen P. Williams
(4/5)
Free
Uncanny Valley: A Memoir Anna Wiener
(4/5)
Free

Authorization - it's not just about who you are

  1. 1. Authorization… It’s not just about who you are David Brossard, @davidjbrossard Product Manager Axiomatics AB Member of the OASIS XACML Technical Committee
  2. 2. Axiomatics 2 What’s authorization? “The authorization function determines whether a particular entity is authorized to perform a given activity, typically inherited from authentication when logging on to an application or service.”
  3. 3. 3 What happens when authorization isn’t done right? http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/ New York City Health & Hospitals Corporation Releases Electronic Health Records 1 700 000 Citi Exposes Details of 150,000 Individuals Who Went into Bankruptcy 150 000 6 000 000 Facebook’s Download Your Information releases too much information about your contacts
  4. 4. Axiomatics 4 Authorization is that necessary evil developers must do But I want to do app development Daddy… You will secure your app first my son…
  5. 5. Axiomatics 5 But we, developers, hate spending time on security 80% 20% Time spent developing an application Business logic Security * And no this isn’t PacMan
  6. 6. Axiomatics 6 So how do developers do it today? {nothing} {application frameworks} {home- grown}
  7. 7. 7 We tend to reinvent the wheel
  8. 8. Axiomatics 8 Examples of authorization frameworks (Java & Others) JAAS CanCan Apache Shiro Spring Security Rails AuthZ Microsoft Claims Slim for PHP
  9. 9. In the olden days, authorization was about Who?
  10. 10. Axiomatics 10 So how do you handle additional information? Context Location Relationship Classification Parent Delegation Guardian IP address Device Pattern Behavior Risk Clearance Employment Citizenship Time Intellectual PropertyExport Control
  11. 11. Authorization should really be about… When?What? How?Where?Who? Why? 11 Credits: all icons from the Noun Project | Invisible: Andrew Cameron, | Box: Martin Karachorov | Wrench: John O'Shea | Clock: Brandon Hopkins Attribute-based Access Control Welcome to…
  12. 12. Axiomatics 12 What’s an attribute? An identifier e.g. citizenship A datatype e.g. string A category / object it describes e.g. the user, the resource
  13. 13. An introduction to XACML Axiomatics
  14. 14. Axiomatics Behold XACML!  eXtensible Access Control Markup Language  An OASIS standard  The de facto standard for fine-grained access control  Current version: 3.0  XACML defines  A policy language  A request / response scheme  An architecture
  15. 15. 15 Three key points of XACML Policy-based Attribute-based Technology- neutral Apply XACML to Java, .NET, and more Use policies to describe and implement complex AuthZ An attribute consists of an identifier, datatype, a nd value
  16. 16. XACML Architecture Flow 16 Decide Policy Decision Point Manage Policy Administration Point Support Policy Information Point Policy Retrieval Point Enforce Policy Enforcement Point Access Document #123 Access Document #123 Can Alice access Document #123? Yes, Permit Load XACML policies Retrieve user role, clearance and document classification
  17. 17. 17 Any-depth Authorization
  18. 18. Anywhere Authorization 18
  19. 19.  3 structural elements  PolicySet  Policy  Rule  Root: either of PolicySet or Policy  PolicySets contain any number of PolicySets & Policies  Policies contain Rules  Rules contain an Effect: Permit / Deny  Combining Algorithms are used to resolve conflicts between rules Language Elements of XACML
  20. 20. Root Policy Set PolicySet Policy Rule Effect=Permit Rule Effect = Deny PolicySet Policy Rule Effect = Permit Sample XACML Policy
  21. 21. Language Structure: Russian dolls PolicySet, Policy & Rule can contain Targets Obligations Advice Rules can contain Conditions Policy Set Policy Rule Effect=Permit Target Target Target Obligation Obligation Obligation Condition
  22. 22. Axiomatics 22 The one question that matters in XACML Can Manager Alice approve Purchase Order 12367? Yes, she can!
  23. 23. • Subject User id = Alice Role = Manager • Action Action id = approve • Resource Resource type = Purchase Order PO #= 12367 • Environment Device Type = Laptop 23 Structure of a XACML Request / Response XACML Request XACML Response Can Manager Alice approve Purchase Order 12367? Yes, she can • Result Decision: Permit Status: ok The core XACML specification does not define any specific transport / communication protocol: -Developers can choose their own. -The SAML profile defines a binding to send requests/responses over SAML assertions
  24. 24. Sample Use Case Axiomatics
  25. 25. Axiomatics Sample Scenario – a CRM use case  A customer representative of a large financial organization needs to access customer data  The compliance manager, the application owner, and the chief security officer agree on certain “rules” No one can access data outside office hours Customer reps can view accounts in their region Our customers can blacklist some of our employees Customer reps cannot work on family accounts
  26. 26. XACML lets you define and group policies  Sample policies  No one can access data outside office hours  Customer reps can view accounts in their region  Customer reps cannot work on family accounts  Our customers can blacklist some of our employees  Note  XACML lets you define negative and positive rules  XACML can use any number of attributes  XACML can combine policies together and define conflict resolutions  Policies are usually generic but can also be user-specific
  27. 27. The example reworked  Overall policy: access customer record  DENY if time < 9am OR time > 5pm  DENY if employee.location!=customer.location  DENY if customer.id belongs to employee.family  ALLOW access
  28. 28. Implement the policies using ALFA  ALFA plugin for Eclipse  Add-on to the Eclipse IDE  Write XACML using a pseudo-code called ALFA – the Axiomatics Language for Authorization  Free download from www.axiomatics.com Hands-on demo
  29. 29. XACML for the Java Developer Axiomatics
  30. 30. 30 Use the same enforcement SDK across all your apps XACML Enforcement Point SDK
  31. 31. Axiomatics Example: use Java Servlet Filters  Protect Java web apps public class ServletPEP implements javax.servlet.Filter{ @Override public void destroy() { // TODO Auto-generated method stub } @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { } @Override public void init(FilterConfig arg0) throws ServletException { } }
  32. 32. Example: use JAX-WS interceptors  Protect Java web services  Can be applied inbound and outbound  Inspect the payload of the messages  Also applicable to JAX-RS services /* * (non-Javadoc) * * @see javax.xml.ws.handler.Handler#handleMessage(javax.xml.ws.handler. * MessageContext) */ public boolean handleMessage(SOAPMessageContext context) { }
  33. 33. Example: use AOP – annotations  Example: a Student Management Service  Create, grade, and delete students  Apply the @XacmlEnforcementPoint annotation  Annotate the POJOs with @XacmlAttribute public interface StudentService { @XacmlEnforcementPoint Student createStudent(); } class Student { @XacmlAttribute String name; @XacmlAttribute Integer age; }
  34. 34. Other areas  Spring Security  JAAS integration  JSP taglibs  JMS  Can you name any?  Goal: provide a unified, standardized way of applying fine-grained authorization across multiple applications
  35. 35. XACML simplifies authorization management  The authorization logic is externalized into XACML policies  You no longer need to write Java code  If the authorization logic changes, update the policies  Strive for configuration-based authorization  E.g. via interceptors (servlet filters, JAX-WS handlers)  Configure the handlers using the target framework’s config files (e.g. web.xml)
  36. 36. XACML saves you time 80% 20% Before Business logic Security 95% 5% After Business logic Security
  37. 37. Beyond Java  Apply the same architectural approach and XACML policies to  .NET  Perl  Python  Ruby  Business apps  And more!
  38. 38. A few parting words
  39. 39. 39 Just a spoonful of XACML makes… Consolidated authorization Enhanced security Business enabler Compliance Expose data and APIs to new customers Write once, Enforce everywhere Consistent authorization enforcement Implement legal frameworks
  40. 40. Axiomatics Do you want to chip in?  OASIS XACML TC https://www.oasis-open.org/committees/xacml/  Online resources http://www.xacml.eu
  41. 41. Questions?

Editor's Notes

  • Once upon a time, access control was about who you were. What mattered was your identity or perhaps your role or group.But today, access control should be more about what you represent, what you want to do, what you want to access, for which purpose, when, where, how, and why…Credits:Invisible: Andrew Cameron, from The Noun ProjectBox: Martin Karachorov, Wrench: John O&apos;Sheaclock: Brandon Hopkins
  • Policy Enforcement PointIn the XACML architecture, the PEP is the component in charge of intercepting business messages and protecting targeted resources by requesting an access control decision from a policy decision point and enforcing that decision. PEPs can embrace many different form factors depending on the type of resource being protected.Policy Decision PointThe PDP sits at the very core of the XACML architecture. It implements the XACML standard and evaluation logic. Its purpose is to evaluate access control requests coming in from the PEP against the XACML policies read from the PRP. The PDP then returns a decision – either of Permit, Deny, Not Applicable, or Indeterminate.Policy Retrieval PointThe PRP is one of the components that support the PDP in its evaluation process. Its only purpose is to act as a persistence layer for XACML policies. It can therefore take many forms such as a database, a file, or a web service call to a remote repository.Policy Information PointXACML is a policy-based language which uses attributes to express rules &amp; conditions. Attributes are bits of information about a subject, resource, action, or context describing an access control situation. Examples of attributes are a user id, a role, a resource URI, a document classification, the time of the day, etc… In its evaluation process, the PDP may need to retrieve additional attributes. It turns to PIPs where attributes are stored. Examples of PIPs include corporate user directories (LDAP…), databases, UDDIs… The PDP may for instance ask the PIP to look up the role of a given user.Policy Administration PointThe PAP’s purpose is to provide a management interface administrators can use to author policies and control their lifecycle.
  • Need to clarify the location constrain. Permit is assuming that Alice location == 12367 location

    • ×