Authorization - it's not just about who you are

David Brossard, Chief Technology Officer at Axiomatics
Authorization…
It’s not just about who you are
David Brossard, @davidjbrossard
Product Manager Axiomatics AB
Member of the OASIS XACML Technical Committee
What’s authorization?
“The authorization function determines whether a particular entity is authorized to perform a given activity, typically inherited from authentication when logging on to an application or service.”
What happens when authorization isn’t done right?
• New York City Health & Hospitals Corporation releases electronic health records (1,700,000)
• Citi exposes details of 150,000 individuals who went into bankruptcy (150,000)
• Facebook’s Download Your Information releases too much information about your contacts (6,000,000)
Sources: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html and http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Authorization is that necessary evil developers must do
“But I want to do app development, Daddy…”
“You will secure your app first, my son…”
But we, developers, hate spending time on security
Time spent developing an application: 80% business logic, 20% security
* And no, this isn’t Pac-Man
So how do developers do it today?
{nothing} | {application frameworks} | {home-grown}
We tend to reinvent the wheel
Examples of authorization frameworks (Java & Others)
JAAS
CanCan
Apache Shiro
Spring Security
Rails AuthZ
Microsoft Claims
Slim for PHP
In the olden days, authorization was about
Who?
So how do you handle additional information?
Context, location, relationship, classification, parent, delegation, guardian, IP address, device, pattern, behavior, risk, clearance, employment, citizenship, time, intellectual property, export control
Authorization should really be about…
Who? What? When? Where? How? Why?
Credits: all icons from the Noun Project | Invisible: Andrew Cameron | Box: Martin Karachorov | Wrench: John O'Shea | Clock: Brandon Hopkins
Welcome to… Attribute-based Access Control
What’s an attribute?
• An identifier, e.g. citizenship
• A datatype, e.g. string
• A category / object it describes, e.g. the user, the resource
An introduction to XACML
Behold XACML!
• eXtensible Access Control Markup Language
• An OASIS standard
• The de facto standard for fine-grained access control
• Current version: 3.0
• XACML defines
  • A policy language
  • A request / response scheme
  • An architecture
Three key points of XACML
• Policy-based: use policies to describe and implement complex AuthZ
• Attribute-based: an attribute consists of an identifier, a datatype, and a value
• Technology-neutral: apply XACML to Java, .NET, and more
XACML Architecture Flow
• Enforce: Policy Enforcement Point (PEP)
• Decide: Policy Decision Point (PDP)
• Manage: Policy Administration Point (PAP)
• Support: Policy Information Point (PIP), Policy Retrieval Point (PRP)
Flow for “Alice accesses Document #123”:
1. Alice’s request to access Document #123 hits the PEP.
2. The PEP asks the PDP: “Can Alice access Document #123?”
3. The PDP loads the XACML policies (from the PRP) and retrieves Alice’s role and clearance and the document’s classification (from the PIP).
4. The PDP answers “Yes, Permit” and the PEP lets the access to Document #123 through.
Any-depth Authorization
Anywhere Authorization
• 3 structural elements
  • PolicySet
  • Policy
  • Rule
• Root: either a PolicySet or a Policy
• PolicySets contain any number of PolicySets & Policies
• Policies contain Rules
• Rules contain an Effect: Permit / Deny
• Combining Algorithms are used to resolve conflicts between rules (and between the Policies and PolicySets inside a PolicySet)
Language Elements of XACML
Root PolicySet
  PolicySet
    Policy
      Rule (Effect = Permit)
      Rule (Effect = Deny)
  PolicySet
    Policy
      Rule (Effect = Permit)
Sample XACML Policy
Language Structure: Russian dolls
• PolicySet, Policy & Rule can contain Targets, Obligations and Advice
• Rules can contain Conditions
Example nesting: a PolicySet (Target, Obligation) containing a Policy (Target, Obligation) containing a Rule with Effect = Permit (Target, Obligation, Condition)
The one question that matters in XACML
Can Manager Alice approve Purchase Order 12367? Yes, she can!
• Subject: User id = Alice, Role = Manager
• Action: Action id = approve
• Resource: Resource type = Purchase Order, PO # = 12367
• Environment: Device Type = Laptop
Structure of a XACML Request / Response
XACML Request: Can Manager Alice approve Purchase Order 12367?
XACML Response: Yes, she can
• Result
  Decision: Permit
  Status: ok
The core XACML specification does not define any specific transport / communication protocol:
- Developers can choose their own.
- The SAML profile defines a binding to send requests/responses over SAML assertions.
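What the PEP and the PDP actually exchange, as an added example (this is not code from the slides or from Axiomatics): a XACML 3.0 XML request for the slide's question, built with the standard category, attribute and status identifiers from the XACML 3.0 core specification and RBAC profile, parsed on the PDP side into attribute bags, answered with a Response element, and read back by the PEP. The PDP here is a stub with one hard-coded rule, "device-type" is a made-up attribute id (XACML accepts any URI or string), and the request content is the slide's (Alice, Manager, approve, PO 12367). The PEP-side reader applies the check the slide's "Decision / Status" pair implies: only a Permit with an ok status is enforced as Permit; NotApplicable, Indeterminate, a non-ok status or an unparseable answer is enforced as Deny.

```python
"""XACML 3.0 request/response on the wire (added example, not from the slides).
The category, attribute and status URIs are the standard identifiers from the
XACML 3.0 core specification and RBAC profile; the PDP is a stub that knows
only the slide's question, "Can Manager Alice approve Purchase Order 12367?"."""
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
STRING = "http://www.w3.org/2001/XMLSchema#string"
STATUS_OK = "urn:oasis:names:tc:xacml:1.0:status:ok"
CATEGORY = {
    "subject": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
    "action": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
    "resource": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
    "environment": "urn:oasis:names:tc:xacml:3.0:attribute-category:environment",
}
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ET.register_namespace("", XACML)  # serialize with a default xmlns instead of an ns0: prefix


def q(tag: str) -> str:
    """Namespace-qualify a XACML element name for ElementTree."""
    return f"{{{XACML}}}{tag}"


def build_request(attrs: dict) -> bytes:
    """PEP side: attrs maps category name -> {attribute id: value}; returns the Request XML."""
    req = ET.Element(q("Request"), ReturnPolicyIdList="false", CombinedDecision="false")
    for category, bag in attrs.items():
        holder = ET.SubElement(req, q("Attributes"), Category=CATEGORY[category])
        for attr_id, value in bag.items():
            attr = ET.SubElement(holder, q("Attribute"), AttributeId=attr_id, IncludeInResult="false")
            ET.SubElement(attr, q("AttributeValue"), DataType=STRING).text = value
    return ET.tostring(req)


def parse_request(xml: bytes) -> dict:
    """PDP side: {category name: {attribute id: [values]}}; an attribute is a bag, hence the list."""
    by_uri = {uri: name for name, uri in CATEGORY.items()}
    out = {}
    for holder in ET.fromstring(xml).findall(q("Attributes")):
        bag = out.setdefault(by_uri[holder.get("Category")], {})
        for attr in holder.findall(q("Attribute")):
            values = [v.text for v in attr.findall(q("AttributeValue"))]
            bag.setdefault(attr.get("AttributeId"), []).extend(values)
    return out


def toy_pdp(req: dict) -> str:
    """Stub PDP for the slide's single rule: managers may approve purchase orders."""
    if "approve" not in req.get("action", {}).get(ACTION_ID, []):
        return "NotApplicable"                     # no policy covers this action
    return "Permit" if "Manager" in req.get("subject", {}).get(ROLE, []) else "Deny"


def build_response(decision: str) -> bytes:
    """PDP side: one Result carrying the decision and an ok status."""
    resp = ET.Element(q("Response"))
    result = ET.SubElement(resp, q("Result"))
    ET.SubElement(result, q("Decision")).text = decision
    ET.SubElement(ET.SubElement(result, q("Status")), q("StatusCode"), Value=STATUS_OK)
    return ET.tostring(resp)


def parse_decision(xml: bytes) -> str:
    """PEP side: anything other than a Permit with an ok status is enforced as Deny."""
    root = ET.fromstring(xml)
    decision = root.findtext(f"{q('Result')}/{q('Decision')}")
    status = root.find(f"{q('Result')}/{q('Status')}/{q('StatusCode')}")
    if decision == "Permit" and status is not None and status.get("Value") == STATUS_OK:
        return "Permit"
    return "Deny"


def ask(attrs: dict) -> str:
    """Full round trip: the PEP builds the XML, the PDP parses and decides, the PEP reads the answer."""
    wire_request = build_request(attrs)
    wire_response = build_response(toy_pdp(parse_request(wire_request)))
    return parse_decision(wire_response)


# The slide's request; "device-type" is a made-up attribute id (any URI or string is allowed).
ALICE = {"subject": {SUBJECT_ID: "Alice", ROLE: "Manager"},
         "action": {ACTION_ID: "approve"},
         "resource": {RESOURCE_ID: "12367"},
         "environment": {"device-type": "Laptop"}}
```

`ask(ALICE)` returns "Permit"; the same request with Role = Clerk returns "Deny", and a request for an action the stub has no rule for yields NotApplicable from the PDP, which `parse_decision` turns into Deny at the PEP. The transport around these two documents (HTTP, SAML, a message queue) is the part the core specification leaves to you.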
Sample Use Case
Sample Scenario – a CRM use case
• A customer representative of a large financial organization needs to access customer data
• The compliance manager, the application owner, and the chief security officer agree on certain “rules”:
  • No one can access data outside office hours
  • Customer reps can view accounts in their region
  • Our customers can blacklist some of our employees
  • Customer reps cannot work on family accounts
XACML lets you define and group policies
• Sample policies
  • No one can access data outside office hours
  • Customer reps can view accounts in their region
  • Customer reps cannot work on family accounts
  • Our customers can blacklist some of our employees
• Note
  • XACML lets you define negative and positive rules
  • XACML can use any number of attributes
  • XACML can combine policies together and define conflict resolutions
  • Policies are usually generic but can also be user-specific
The example reworked
• Overall policy: access customer record
  • DENY if time < 9am OR time > 5pm
  • DENY if employee.location != customer.location
  • DENY if customer.id belongs to employee.family
  • ALLOW access
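The reworked policy above, together with the PEP / PDP / PIP flow from the architecture slide and the combining algorithms from the language slides, modeled in Python as an added example (this is not code from the slides or from Axiomatics; the XACML semantics are technology-neutral and the deck itself lists Python among the target languages). Everything in it is constructed: the employee and customer tables stand in for the CRM database behind the PIP, the rule and policy ids are made up, and deny-overrides is simplified to the ordering Deny > Indeterminate > Permit. It also includes the customer-blacklist rule from the sample policies list, which the reworked list leaves out, and shows two things a practitioner wants to see: a deny-biased PEP (NotApplicable, Indeterminate and an obligation the PEP cannot fulfil all become a deny) and the authoring trap of listing the ALLOW rule first under first-applicable.

```python
"""Tiny XACML-style PDP and PEP for the CRM scenario (added example, not Axiomatics code)."""
from dataclasses import dataclass
from typing import Callable

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"

# Constructed sample data standing in for the CRM database that the PIP queries.
EMPLOYEES = {
    "alice": {"role": "customer-rep", "location": "EU", "family": {"c300"}},
    "bob":   {"role": "customer-rep", "location": "US", "family": set()},
}
CUSTOMERS = {
    "c100": {"location": "EU", "blacklist": set()},
    "c200": {"location": "US", "blacklist": {"bob"}},  # this customer blacklisted Bob
    "c300": {"location": "EU", "blacklist": set()},    # a member of Alice's family
}


def pip(category: str, attr: str, req: dict):
    """Policy Information Point: resolve an attribute the PEP did not send (KeyError if unknown)."""
    if category == "subject":
        return EMPLOYEES[req["subject"]["subject-id"]][attr]
    return CUSTOMERS[req["resource"]["resource-id"]][attr]


@dataclass
class Rule:
    rule_id: str
    effect: str                          # Permit or Deny
    condition: Callable[[dict], bool]    # the rule applies when this holds
    obligations: tuple = ()              # obligation ids the PEP must fulfil

    def evaluate(self, req: dict) -> str:
        try:
            return self.effect if self.condition(req) else NOT_APPLICABLE
        except KeyError:                 # missing attribute: neither Permit nor Deny
            return INDETERMINATE


def deny_overrides(decisions):
    """Simplified deny-overrides: Deny beats everything, Indeterminate beats Permit."""
    for wanted in (DENY, INDETERMINATE, PERMIT):
        if wanted in decisions:
            return wanted
    return NOT_APPLICABLE


def first_applicable(decisions):
    """The first rule that yields a decision wins, so rule order matters."""
    return next((d for d in decisions if d != NOT_APPLICABLE), NOT_APPLICABLE)


@dataclass
class Policy:
    policy_id: str
    rules: list
    combine: Callable = deny_overrides
    target: Callable[[dict], bool] = lambda req: True   # which requests this policy covers

    def evaluate(self, req: dict):
        """Return (decision, obligations of the rules that produced that decision)."""
        if not self.target(req):
            return NOT_APPLICABLE, ()
        decisions = [r.evaluate(req) for r in self.rules]
        decision = self.combine(decisions)
        obligations = tuple(o for r, d in zip(self.rules, decisions)
                            if d == decision for o in r.obligations)
        return decision, obligations


# The slide's rules: deny outside office hours, out of region, on family accounts and
# when the customer blacklisted the rep; otherwise customer reps may view (and get logged).
CRM_RULES = [
    Rule("office-hours", DENY, lambda r: not 9 <= r["environment"]["hour"] < 17),
    Rule("own-region", DENY, lambda r: pip("subject", "location", r) != pip("resource", "location", r)),
    Rule("family-account", DENY, lambda r: r["resource"]["resource-id"] in pip("subject", "family", r)),
    Rule("customer-blacklist", DENY, lambda r: r["subject"]["subject-id"] in pip("resource", "blacklist", r)),
    Rule("reps-may-view", PERMIT, lambda r: pip("subject", "role", r) == "customer-rep",
         obligations=("audit-log",)),
]
CRM_POLICY = Policy("crm-customer-record", CRM_RULES, deny_overrides,
                    target=lambda r: r["action"]["action-id"] == "view")
# Authoring trap: the same rules under first-applicable with the Permit rule listed first.
MISORDERED = Policy("crm-misordered", [CRM_RULES[-1]] + CRM_RULES[:-1], first_applicable,
                    target=CRM_POLICY.target)


def request(subject_id: str, action: str, customer_id: str, hour: int) -> dict:
    """What the PEP sends: one attribute bag per XACML category."""
    return {"subject": {"subject-id": subject_id}, "action": {"action-id": action},
            "resource": {"resource-id": customer_id}, "environment": {"hour": hour}}


def decide(policy: Policy, subject_id: str, action: str, customer_id: str, hour: int) -> str:
    return policy.evaluate(request(subject_id, action, customer_id, hour))[0]


def pep_allows(policy: Policy, req: dict, handlers: dict) -> bool:
    """Deny-biased PEP: only Permit with every obligation fulfilled lets the call through."""
    decision, obligations = policy.evaluate(req)
    if decision != PERMIT or any(o not in handlers for o in obligations):
        return False                     # NotApplicable, Indeterminate or unfulfillable obligation: deny
    for o in obligations:
        handlers[o](req)
    return True
```

`decide(CRM_POLICY, "alice", "view", "c100", 10)` is Permit and carries the audit-log obligation; the same request at 18:00, on customer c200 (other region) or on c300 (family) is Deny; an unknown employee gives Indeterminate because the PIP cannot resolve her attributes, and a "delete" action falls outside the policy's target and gives NotApplicable. `pep_allows` turns every one of those non-Permit results, and a Permit whose obligation has no handler, into a refusal. `MISORDERED` returns Permit for the after-hours request: the slide's rule list is safe under deny-overrides whatever the order, but under first-applicable it is only safe because ALLOW comes last.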
Implement the policies using ALFA
• ALFA plugin for Eclipse
  • Add-on to the Eclipse IDE
  • Write XACML using a pseudo-code called ALFA – the Axiomatics Language for Authorization
  • Free download from www.axiomatics.com
Hands-on demo
XACML for the Java Developer
Use the same enforcement SDK across all your apps
XACML Enforcement Point SDK
Example: use Java Servlet Filters
• Protect Java web apps
import java.io.IOException;
import java.util.function.Predicate;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ServletPEP implements Filter {
    // Stand-in for the XACML PDP client (true = Permit); deny-biased until init() wires a real one
    private Predicate<HttpServletRequest> pdp = req -> false;
    @Override
    public void init(FilterConfig config) throws ServletException {
        // Build the PDP client from the filter's init-params in web.xml (endpoint, credentials)
    }
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        // Subject = req.getRemoteUser(), action = req.getMethod(), resource = req.getRequestURI()
        if (pdp.test(req)) {
            chain.doFilter(request, response); // Permit: let the call reach the servlet
        } else {
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN); // anything else: deny
        }
    }
    @Override
    public void destroy() { }
}
Example: use JAX-WS interceptors
• Protect Java web services
• Can be applied inbound and outbound
• Inspect the payload of the messages
• Also applicable to JAX-RS services
import java.util.Set;
import javax.xml.namespace.QName;
import javax.xml.ws.ProtocolException;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.handler.soap.*;
public class XacmlSoapHandler implements SOAPHandler<SOAPMessageContext> {
    // Called for every SOAP message on the endpoint; inbound calls are authorized, responses pass through
    public boolean handleMessage(SOAPMessageContext context) {
        if ((Boolean) context.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY)) return true;
        // Build the XACML request from context.getMessage() (operation, payload, caller) and ask the PDP;
        // a ProtocolException becomes a SOAP fault for the caller instead of dispatching the call
        if (!permit(context)) throw new ProtocolException("Deny");
        return true;
    }
    private boolean permit(SOAPMessageContext context) { return false; } // deny-biased stub until the PDP client is wired in
    public Set<QName> getHeaders() { return null; }
    public boolean handleFault(SOAPMessageContext context) { return true; }
    public void close(MessageContext context) { }
}
Example: use AOP – annotations
• Example: a Student Management Service
  • Create, grade, and delete students
• Apply the @XacmlEnforcementPoint annotation (from the enforcement point SDK) to the methods to protect
• Annotate the POJOs with @XacmlAttribute to mark the fields the PEP sends as attributes
public interface StudentService {
    @XacmlEnforcementPoint          // every call is intercepted and sent to the PDP
    Student createStudent();
}

class Student {
    @XacmlAttribute                 // exposed to the PDP as an attribute of the resource
    String name;
    @XacmlAttribute
    Integer age;
}
Other areas
• Spring Security
• JAAS integration
• JSP taglibs
• JMS
• Can you name any?
• Goal: provide a unified, standardized way of applying fine-grained authorization across multiple applications
XACML simplifies authorization management
• The authorization logic is externalized into XACML policies
• You no longer need to write the authorization logic in Java code
• If the authorization logic changes, update the policies
• Strive for configuration-based authorization
  • E.g. via interceptors (servlet filters, JAX-WS handlers)
  • Configure the handlers using the target framework’s config files (e.g. web.xml)
XACML saves you time
Before: 80% business logic, 20% security
After: 95% business logic, 5% security
Beyond Java
• Apply the same architectural approach and XACML policies to
  • .NET
  • Perl
  • Python
  • Ruby
  • Business apps
  • And more!
A few parting words
Just a spoonful of XACML makes…
• Consolidated authorization: consistent authorization enforcement
• Enhanced security: write once, enforce everywhere
• Business enabler: expose data and APIs to new customers
• Compliance: implement legal frameworks
Do you want to chip in?
• OASIS XACML TC: https://www.oasis-open.org/committees/xacml/
• Online resources: http://www.xacml.eu
Questions?
1 of 41

Recommended

DSO-LG 2021 Reboot: Policy As Code (Anders Eknert) by
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)Michael Man
448 views32 slides
Building secure applications with keycloak by
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak Abhishek Koserwal
7.9K views20 slides
Introduction to OpenID Connect by
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect Nat Sakimura
18.3K views86 slides
Authorization and Authentication in Microservice Environments by
Authorization and Authentication in Microservice EnvironmentsAuthorization and Authentication in Microservice Environments
Authorization and Authentication in Microservice EnvironmentsLeanIX GmbH
48.5K views47 slides
Spring Security by
Spring SecuritySpring Security
Spring SecurityKnoldus Inc.
632 views24 slides
Secure your app with keycloak by
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloakGuy Marom
865 views48 slides

More Related Content

What's hot

Keycloak SSO basics by
Keycloak SSO basicsKeycloak SSO basics
Keycloak SSO basicsJuan Vicente Herrera Ruiz de Alejo
286 views88 slides
“How to Secure Your Applications With a Keycloak? by
“How to Secure Your Applications With a Keycloak?“How to Secure Your Applications With a Keycloak?
“How to Secure Your Applications With a Keycloak?GlobalLogic Ukraine
239 views17 slides
OpenID Connect: An Overview by
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An OverviewPat Patterson
13.2K views17 slides
Nomad + Flatcar: a harmonious marriage of lightweights by
Nomad + Flatcar: a harmonious marriage of lightweightsNomad + Flatcar: a harmonious marriage of lightweights
Nomad + Flatcar: a harmonious marriage of lightweightsIago López Galeiras
326 views28 slides
OAuth 2.0 and OpenId Connect by
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectSaran Doraiswamy
3K views39 slides
Draft: building secure applications with keycloak (oidc/jwt) by
Draft: building secure applications with keycloak (oidc/jwt)Draft: building secure applications with keycloak (oidc/jwt)
Draft: building secure applications with keycloak (oidc/jwt)Abhishek Koserwal
1.3K views8 slides

What's hot(20)

“How to Secure Your Applications With a Keycloak? by GlobalLogic Ukraine
“How to Secure Your Applications With a Keycloak?“How to Secure Your Applications With a Keycloak?
“How to Secure Your Applications With a Keycloak?
OpenID Connect: An Overview by Pat Patterson
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An Overview
Pat Patterson13.2K views
Nomad + Flatcar: a harmonious marriage of lightweights by Iago López Galeiras
Nomad + Flatcar: a harmonious marriage of lightweightsNomad + Flatcar: a harmonious marriage of lightweights
Nomad + Flatcar: a harmonious marriage of lightweights
Draft: building secure applications with keycloak (oidc/jwt) by Abhishek Koserwal
Draft: building secure applications with keycloak (oidc/jwt)Draft: building secure applications with keycloak (oidc/jwt)
Draft: building secure applications with keycloak (oidc/jwt)
Abhishek Koserwal1.3K views
Keycloak for Science Gateways - SGCI Technology Sampler Webinar by marcuschristie
Keycloak for Science Gateways - SGCI Technology Sampler WebinarKeycloak for Science Gateways - SGCI Technology Sampler Webinar
Keycloak for Science Gateways - SGCI Technology Sampler Webinar
marcuschristie356 views
Deploying WSO2 API Manager in Production-Grade Kubernetes by WSO2
Deploying WSO2 API Manager in Production-Grade KubernetesDeploying WSO2 API Manager in Production-Grade Kubernetes
Deploying WSO2 API Manager in Production-Grade Kubernetes
WSO21.3K views
Identity management and single sign on - how much flexibility by Ryan Dawson
Identity management and single sign on - how much flexibilityIdentity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibility
Ryan Dawson855 views
Spring Framework - Data Access by Dzmitry Naskou
Spring Framework - Data AccessSpring Framework - Data Access
Spring Framework - Data Access
Dzmitry Naskou4.3K views
Architecting for Success: Designing Secure GCP Landing Zone for Enterprises by Bhuvaneswari Subramani
Architecting for Success: Designing Secure GCP Landing Zone for EnterprisesArchitecting for Success: Designing Secure GCP Landing Zone for Enterprises
Architecting for Success: Designing Secure GCP Landing Zone for Enterprises
APIConnect Security Best Practice by Shiu-Fun Poon
APIConnect Security Best PracticeAPIConnect Security Best Practice
APIConnect Security Best Practice
Shiu-Fun Poon645 views
How to create a User Defined Policy with IBM APIc (v10) by Shiu-Fun Poon
How to create a User Defined Policy with IBM APIc (v10)How to create a User Defined Policy with IBM APIc (v10)
How to create a User Defined Policy with IBM APIc (v10)
Shiu-Fun Poon687 views
Designing APIs with OpenAPI Spec by Adam Paxton
Designing APIs with OpenAPI SpecDesigning APIs with OpenAPI Spec
Designing APIs with OpenAPI Spec
Adam Paxton6K views
Kafka Security 101 and Real-World Tips by confluent
Kafka Security 101 and Real-World Tips Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips
confluent6.6K views
Secure Spring Boot Microservices with Keycloak by Red Hat Developers
Secure Spring Boot Microservices with KeycloakSecure Spring Boot Microservices with Keycloak
Secure Spring Boot Microservices with Keycloak
Red Hat Developers5.8K views
Securing and Hacking LINE OA Integration by Pichaya Morimoto
Securing and Hacking LINE OA IntegrationSecuring and Hacking LINE OA Integration
Securing and Hacking LINE OA Integration
Pichaya Morimoto1.4K views

Viewers also liked

XACML for Developers - Updates, New Tools, & Patterns for the Eager #IAM Deve... by
XACML for Developers - Updates, New Tools, & Patterns for the Eager #IAM Deve...XACML for Developers - Updates, New Tools, & Patterns for the Eager #IAM Deve...
XACML for Developers - Updates, New Tools, & Patterns for the Eager #IAM Deve...David Brossard
9.4K views40 slides
OWASP Chicago 2016 - What is Attribute Based Access Control (ABAC)? by
OWASP Chicago 2016 - What is Attribute Based Access Control (ABAC)?OWASP Chicago 2016 - What is Attribute Based Access Control (ABAC)?
OWASP Chicago 2016 - What is Attribute Based Access Control (ABAC)?David Brossard
2.6K views58 slides
RBAC & ABAC: гибридное решение для управления правами доступа by
RBAC & ABAC: гибридное решение для управления правами доступаRBAC & ABAC: гибридное решение для управления правами доступа
RBAC & ABAC: гибридное решение для управления правами доступаCUSTIS
1.6K views17 slides
XACML - Fight For Your Love by
XACML - Fight For Your LoveXACML - Fight For Your Love
XACML - Fight For Your LoveDavid Brossard
1.7K views21 slides
OASIS Workshop: Identity, Privacy, and Data Protection in the Cloud – What is... by
OASIS Workshop: Identity, Privacy, and Data Protection in the Cloud – What is...OASIS Workshop: Identity, Privacy, and Data Protection in the Cloud – What is...
OASIS Workshop: Identity, Privacy, and Data Protection in the Cloud – What is...David Brossard
1.5K views28 slides
Uncovering XACML to solve real world business use cases by
Uncovering XACML to solve real world business use cases Uncovering XACML to solve real world business use cases
Uncovering XACML to solve real world business use cases WSO2
4.5K views44 slides

Viewers also liked(18)

XACML for Developers - Updates, New Tools, & Patterns for the Eager #IAM Deve... by David Brossard
XACML for Developers - Updates, New Tools, & Patterns for the Eager #IAM Deve...XACML for Developers - Updates, New Tools, & Patterns for the Eager #IAM Deve...
XACML for Developers - Updates, New Tools, & Patterns for the Eager #IAM Deve...
David Brossard9.4K views
OWASP Chicago 2016 - What is Attribute Based Access Control (ABAC)? by David Brossard
OWASP Chicago 2016 - What is Attribute Based Access Control (ABAC)?OWASP Chicago 2016 - What is Attribute Based Access Control (ABAC)?
OWASP Chicago 2016 - What is Attribute Based Access Control (ABAC)?
David Brossard2.6K views
RBAC & ABAC: гибридное решение для управления правами доступа by CUSTIS
RBAC & ABAC: гибридное решение для управления правами доступаRBAC & ABAC: гибридное решение для управления правами доступа
RBAC & ABAC: гибридное решение для управления правами доступа
CUSTIS1.6K views
XACML - Fight For Your Love by David Brossard
XACML - Fight For Your LoveXACML - Fight For Your Love
XACML - Fight For Your Love
David Brossard1.7K views
OASIS Workshop: Identity, Privacy, and Data Protection in the Cloud – What is... by David Brossard
OASIS Workshop: Identity, Privacy, and Data Protection in the Cloud – What is...OASIS Workshop: Identity, Privacy, and Data Protection in the Cloud – What is...
OASIS Workshop: Identity, Privacy, and Data Protection in the Cloud – What is...
David Brossard1.5K views
Uncovering XACML to solve real world business use cases by WSO2
Uncovering XACML to solve real world business use cases Uncovering XACML to solve real world business use cases
Uncovering XACML to solve real world business use cases
WSO24.5K views
EIC 2014 Oasis Workshop: Using XACML to implement Privacy by Design by David Brossard
EIC 2014   Oasis Workshop: Using XACML to implement Privacy by DesignEIC 2014   Oasis Workshop: Using XACML to implement Privacy by Design
EIC 2014 Oasis Workshop: Using XACML to implement Privacy by Design
David Brossard2.2K views
Fine grained access control for cloud-based services using ABAC and XACML by David Brossard
Fine grained access control for cloud-based services using ABAC and XACMLFine grained access control for cloud-based services using ABAC and XACML
Fine grained access control for cloud-based services using ABAC and XACML
David Brossard2.8K views
Why lasagna is better than spaghetti: baking authorization into your applicat... by David Brossard
Why lasagna is better than spaghetti: baking authorization into your applicat...Why lasagna is better than spaghetti: baking authorization into your applicat...
Why lasagna is better than spaghetti: baking authorization into your applicat...
David Brossard4.2K views
Vpd Virtual Private Database By Saurabh by guestd83b546
Vpd   Virtual Private Database By SaurabhVpd   Virtual Private Database By Saurabh
Vpd Virtual Private Database By Saurabh
guestd83b5462.7K views
IDM and Automated Security Entitlement Systems by SRI Infotech
IDM and Automated Security Entitlement SystemsIDM and Automated Security Entitlement Systems
IDM and Automated Security Entitlement Systems
SRI Infotech2.2K views
Protect Sensitive Data: Implementing Fine-Grained Access Control in Oracle by Nelson Calero
Protect Sensitive Data: Implementing Fine-Grained Access Control in OracleProtect Sensitive Data: Implementing Fine-Grained Access Control in Oracle
Protect Sensitive Data: Implementing Fine-Grained Access Control in Oracle
Nelson Calero1.4K views
XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity ... by David Brossard
XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity ...XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity ...
XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity ...
David Brossard3.1K views
Профессиональная разработка в суровом Enterprise by Alexander Granin
Профессиональная разработка в суровом EnterpriseПрофессиональная разработка в суровом Enterprise
Профессиональная разработка в суровом Enterprise
Alexander Granin1.1K views
Real-Time Distributed and Reactive Systems with Apache Kafka and Apache Accumulo by Joe Stein
Real-Time Distributed and Reactive Systems with Apache Kafka and Apache AccumuloReal-Time Distributed and Reactive Systems with Apache Kafka and Apache Accumulo
Real-Time Distributed and Reactive Systems with Apache Kafka and Apache Accumulo
Joe Stein3.1K views
Real time Analytics with Apache Kafka and Apache Spark by Rahul Jain
Real time Analytics with Apache Kafka and Apache SparkReal time Analytics with Apache Kafka and Apache Spark
Real time Analytics with Apache Kafka and Apache Spark
Rahul Jain84K views
SANS Institute Product Review: Oracle Entitlements Server by OracleIDM
SANS Institute Product Review: Oracle Entitlements ServerSANS Institute Product Review: Oracle Entitlements Server
SANS Institute Product Review: Oracle Entitlements Server
OracleIDM2.1K views

Similar to Authorization - it's not just about who you are

Axiomatics webinar 13 june 2013 shared by
Axiomatics webinar 13 june 2013   sharedAxiomatics webinar 13 june 2013   shared
Axiomatics webinar 13 june 2013 sharedFinn Frisch
420 views43 slides
Twin Cities IAM Meet Up - May 2014 - The latest in authorization trends and s... by
Twin Cities IAM Meet Up - May 2014 - The latest in authorization trends and s...Twin Cities IAM Meet Up - May 2014 - The latest in authorization trends and s...
Twin Cities IAM Meet Up - May 2014 - The latest in authorization trends and s...ggebel
283 views36 slides
Updates from the OASIS XACML Technical Committee - Making Authorization Devel... by
Updates from the OASIS XACML Technical Committee - Making Authorization Devel...Updates from the OASIS XACML Technical Committee - Making Authorization Devel...
Updates from the OASIS XACML Technical Committee - Making Authorization Devel...David Brossard
356 views27 slides
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6 by
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6Kenneth Peeples
3.5K views44 slides
project on Agile approach by
project on Agile approachproject on Agile approach
project on Agile approachPrachi desai
127 views6 slides
The WSO2 Identity Server - An answer to your common XACML dilemmas by
The WSO2 Identity Server - An answer to your common XACML dilemmasThe WSO2 Identity Server - An answer to your common XACML dilemmas
The WSO2 Identity Server - An answer to your common XACML dilemmassureshattanayake
977 views56 slides

Similar to Authorization - it's not just about who you are(20)

Axiomatics webinar 13 june 2013 shared by Finn Frisch
Axiomatics webinar 13 june 2013   sharedAxiomatics webinar 13 june 2013   shared
Axiomatics webinar 13 june 2013 shared
Finn Frisch420 views
Twin Cities IAM Meet Up - May 2014 - The latest in authorization trends and s... by ggebel
Twin Cities IAM Meet Up - May 2014 - The latest in authorization trends and s...Twin Cities IAM Meet Up - May 2014 - The latest in authorization trends and s...
Twin Cities IAM Meet Up - May 2014 - The latest in authorization trends and s...
ggebel283 views
Updates from the OASIS XACML Technical Committee - Making Authorization Devel... by David Brossard
Updates from the OASIS XACML Technical Committee - Making Authorization Devel...Updates from the OASIS XACML Technical Committee - Making Authorization Devel...
Updates from the OASIS XACML Technical Committee - Making Authorization Devel...
David Brossard356 views
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6 by Kenneth Peeples
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Kenneth Peeples3.5K views
project on Agile approach by Prachi desai
project on Agile approachproject on Agile approach
project on Agile approach
Prachi desai127 views
The WSO2 Identity Server - An answer to your common XACML dilemmas by sureshattanayake
The WSO2 Identity Server - An answer to your common XACML dilemmasThe WSO2 Identity Server - An answer to your common XACML dilemmas
The WSO2 Identity Server - An answer to your common XACML dilemmas
sureshattanayake977 views
The WSO2 Identity Server - An answer to your common XACML dilemmas by sureshattanayake
The WSO2 Identity Server - An answer to your common XACML dilemmasThe WSO2 Identity Server - An answer to your common XACML dilemmas
The WSO2 Identity Server - An answer to your common XACML dilemmas
sureshattanayake835 views
The WSO2 Identity Server - An answer to your common XACML dilemmas by WSO2
The WSO2 Identity Server - An answer to your common XACML dilemmas The WSO2 Identity Server - An answer to your common XACML dilemmas
The WSO2 Identity Server - An answer to your common XACML dilemmas
WSO24.8K views
IRJET- A Review On - Controlchain: Access Control using Blockchain by IRJET Journal
IRJET- A Review On - Controlchain: Access Control using BlockchainIRJET- A Review On - Controlchain: Access Control using Blockchain
IRJET- A Review On - Controlchain: Access Control using Blockchain
IRJET Journal21 views
Application Security in the Cloud - Best Practices by RightScale
Application Security in the Cloud - Best PracticesApplication Security in the Cloud - Best Practices
Application Security in the Cloud - Best Practices
RightScale407 views
Authorization The Missing Piece of the Puzzle by Nordic APIs
Authorization The Missing Piece of the PuzzleAuthorization The Missing Piece of the Puzzle
Authorization The Missing Piece of the Puzzle
Nordic APIs1.8K views
Enterprise Library 3.0 Policy Injection Applicatoin Block by mcgurk
Enterprise Library 3.0 Policy Injection Applicatoin BlockEnterprise Library 3.0 Policy Injection Applicatoin Block
Enterprise Library 3.0 Policy Injection Applicatoin Block
mcgurk1.1K views
Automating Compliance Defense in the Cloud - September 2016 Webinar Series by Amazon Web Services
Automating Compliance Defense in the Cloud - September 2016 Webinar SeriesAutomating Compliance Defense in the Cloud - September 2016 Webinar Series
Automating Compliance Defense in the Cloud - September 2016 Webinar Series
Amazon Web Services3.3K views
Design patterns fast track by Binu Bhasuran
Design patterns fast trackDesign patterns fast track
Design patterns fast track
Binu Bhasuran114 views
Interview Questions For Microsoft Dynamics CRM by Kumari Warsha Goel
Interview Questions For Microsoft Dynamics CRMInterview Questions For Microsoft Dynamics CRM
Interview Questions For Microsoft Dynamics CRM
Kumari Warsha Goel43.3K views
Best Practices for Managing Security Operations in AWS - AWS July 2016 Webina... by Amazon Web Services
Best Practices for Managing Security Operations in AWS - AWS July 2016 Webina...Best Practices for Managing Security Operations in AWS - AWS July 2016 Webina...
Best Practices for Managing Security Operations in AWS - AWS July 2016 Webina...
Amazon Web Services6.2K views
How LogMeIn Automates Governance and Empowers Developers at Scale (SEC302) - ... by Amazon Web Services
How LogMeIn Automates Governance and Empowers Developers at Scale (SEC302) - ...How LogMeIn Automates Governance and Empowers Developers at Scale (SEC302) - ...
How LogMeIn Automates Governance and Empowers Developers at Scale (SEC302) - ...

Recently uploaded

Serverless computing with Google Cloud (2023-24) by
Serverless computing with Google Cloud (2023-24)Serverless computing with Google Cloud (2023-24)
Serverless computing with Google Cloud (2023-24)wesley chun
11 views33 slides
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N... by
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...James Anderson
92 views32 slides
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f... by
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...TrustArc
11 views29 slides
Data Integrity for Banking and Financial Services by
Data Integrity for Banking and Financial ServicesData Integrity for Banking and Financial Services
Data Integrity for Banking and Financial ServicesPrecisely
25 views26 slides
20231123_Camunda Meetup Vienna.pdf by
20231123_Camunda Meetup Vienna.pdf20231123_Camunda Meetup Vienna.pdf
20231123_Camunda Meetup Vienna.pdfPhactum Softwareentwicklung GmbH
41 views73 slides
Five Things You SHOULD Know About Postman by
Five Things You SHOULD Know About PostmanFive Things You SHOULD Know About Postman
Five Things You SHOULD Know About PostmanPostman
36 views43 slides

Recently uploaded(20)

Serverless computing with Google Cloud (2023-24) by wesley chun
Serverless computing with Google Cloud (2023-24)Serverless computing with Google Cloud (2023-24)
Serverless computing with Google Cloud (2023-24)
wesley chun11 views
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N... by James Anderson
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...
James Anderson92 views
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f... by TrustArc
Authorization - it's not just about who you are

  • 1. Authorization… It’s not just about who you are David Brossard, @davidjbrossard Product Manager Axiomatics AB Member of the OASIS XACML Technical Committee
  • 2. Axiomatics 2 What’s authorization? “The authorization function determines whether a particular entity is authorized to perform a given activity, typically inherited from authentication when logging on to an application or service.”
  • 3. What happens when authorization isn’t done right?
      ◦ New York City Health & Hospitals Corporation Releases Electronic Health Records: 1 700 000
      ◦ Citi Exposes Details of 150,000 Individuals Who Went into Bankruptcy: 150 000
      ◦ Facebook’s Download Your Information releases too much information about your contacts: 6 000 000
      Sources: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html and http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
  • 4. Axiomatics 4 Authorization is that necessary evil developers must do But I want to do app development Daddy… You will secure your app first my son…
  • 5. But we, developers, hate spending time on security. Time spent developing an application: 80% business logic, 20% security. (* And no, this isn’t PacMan)
  • 6. So how do developers do it today? {nothing} {application frameworks} {home-grown}
  • 7. 7 We tend to reinvent the wheel
  • 8. Examples of authorization frameworks (Java & others)
      ◦ JAAS
      ◦ CanCan
      ◦ Apache Shiro
      ◦ Spring Security
      ◦ Rails AuthZ
      ◦ Microsoft Claims
      ◦ Slim for PHP
  • 9. In the olden days, authorization was about Who?
  • 10. So how do you handle additional information? Context, Location, Relationship, Classification, Parent, Delegation, Guardian, IP address, Device, Pattern, Behavior, Risk, Clearance, Employment, Citizenship, Time, Intellectual Property, Export Control
  • 11. Authorization should really be about… When? What? How? Where? Who? Why? Welcome to… Attribute-based Access Control. Credits: all icons from the Noun Project | Invisible: Andrew Cameron | Box: Martin Karachorov | Wrench: John O'Shea | Clock: Brandon Hopkins
  • 12. What’s an attribute?
      ◦ An identifier, e.g. citizenship
      ◦ A datatype, e.g. string
      ◦ A category / object it describes, e.g. the user, the resource
  • 13. An introduction to XACML Axiomatics
  • 14. Behold XACML!
      ◦ eXtensible Access Control Markup Language
      ◦ An OASIS standard
      ◦ The de facto standard for fine-grained access control
      ◦ Current version: 3.0
      ◦ XACML defines a policy language, a request / response scheme, and an architecture
  • 15. Three key points of XACML
      ◦ Policy-based: use policies to describe and implement complex AuthZ
      ◦ Attribute-based: an attribute consists of an identifier, datatype, and value
      ◦ Technology-neutral: apply XACML to Java, .NET, and more
  • 16. XACML Architecture Flow
      ◦ Enforce: Policy Enforcement Point. It intercepts “Access Document #123”, asks the PDP “Can Alice access Document #123?” and receives “Yes, Permit”
      ◦ Decide: Policy Decision Point
      ◦ Manage: Policy Administration Point
      ◦ Support: Policy Information Point (retrieve user role, clearance and document classification) and Policy Retrieval Point (load XACML policies)
  • 19. Language Elements of XACML
      ◦ 3 structural elements: PolicySet, Policy, Rule
      ◦ Root: either of PolicySet or Policy
      ◦ PolicySets contain any number of PolicySets & Policies
      ◦ Policies contain Rules
      ◦ Rules contain an Effect: Permit / Deny
      ◦ Combining Algorithms are used to resolve conflicts between rules
  • 20. Sample XACML Policy
      ◦ Root PolicySet
          ◦ PolicySet
              ◦ Policy
                  ◦ Rule, Effect = Permit
                  ◦ Rule, Effect = Deny
          ◦ PolicySet
              ◦ Policy
                  ◦ Rule, Effect = Permit
  • 21. Language Structure: Russian dolls
      ◦ PolicySet, Policy & Rule can contain Targets, Obligations, Advice
      ◦ Rules can contain Conditions
      ◦ Diagram: a PolicySet (with a Target and an Obligation) contains a Policy (with a Target and an Obligation), which contains a Rule with Effect=Permit (with a Target, an Obligation and a Condition)
  • 22. Axiomatics 22 The one question that matters in XACML Can Manager Alice approve Purchase Order 12367? Yes, she can!
  • 23. Structure of a XACML Request / Response
      ◦ XACML Request: Can Manager Alice approve Purchase Order 12367?
          ◦ Subject: User id = Alice, Role = Manager
          ◦ Action: Action id = approve
          ◦ Resource: Resource type = Purchase Order, PO # = 12367
          ◦ Environment: Device Type = Laptop
      ◦ XACML Response: Yes, she can
          ◦ Result: Decision: Permit, Status: ok
      ◦ The core XACML specification does not define any specific transport / communication protocol: developers can choose their own, and the SAML profile defines a binding to send requests/responses over SAML assertions
  • 25. Sample Scenario – a CRM use case
      ◦ A customer representative of a large financial organization needs to access customer data
      ◦ The compliance manager, the application owner, and the chief security officer agree on certain “rules”:
          ◦ No one can access data outside office hours
          ◦ Customer reps can view accounts in their region
          ◦ Our customers can blacklist some of our employees
          ◦ Customer reps cannot work on family accounts
  • 26. XACML lets you define and group policies
      ◦ Sample policies:
          ◦ No one can access data outside office hours
          ◦ Customer reps can view accounts in their region
          ◦ Customer reps cannot work on family accounts
          ◦ Our customers can blacklist some of our employees
      ◦ Note:
          ◦ XACML lets you define negative and positive rules
          ◦ XACML can use any number of attributes
          ◦ XACML can combine policies together and define conflict resolutions
          ◦ Policies are usually generic but can also be user-specific
  • 27. The example reworked
      ◦ Overall policy: access customer record
          ◦ DENY if time < 9am OR time > 5pm
          ◦ DENY if employee.location != customer.location
          ◦ DENY if customer.id belongs to employee.family
          ◦ ALLOW access
  • 28. Implement the policies using ALFA
      ◦ ALFA plugin for Eclipse: an add-on to the Eclipse IDE
      ◦ Write XACML using a pseudo-code called ALFA – the Axiomatics Language for Authorization
      ◦ Free download from www.axiomatics.com
      ◦ Hands-on demo
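Slides 19 to 23 describe the PolicySet / Policy / Rule structure, targets, conditions and combining algorithms; slide 16 and speaker note 2 describe the PDP turning to a PIP for attributes the request did not carry; slides 25 to 27 give the CRM rules. The following is an added example written for this page, not Axiomatics code and not a conforming XACML engine: a small Python PDP that implements those elements and evaluates the slide 27 policy together with the slide 26 blacklist rule under a deny-overrides root. The attribute ids (`customer-location`, `family`, `blacklist`), the `DIRECTORY` and `CRM_DB` dictionaries used as PIP sources, and the users alice, bob and carol are all assumptions made for the example. It goes beyond slide 27 by also showing what the PDP returns when an attribute cannot be resolved (Indeterminate) and when no policy matches (NotApplicable).

```python
"""Mini attribute-based PDP in the spirit of XACML 3.0 (PolicySet / Policy / Rule, targets,
conditions, combining algorithms, PIP lookups). Constructed example for this page: it is not
Axiomatics code and not a conforming XACML implementation."""
from typing import Callable, Dict, Iterable, Optional

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"
Request = Dict[str, Dict[str, object]]                 # the four attribute categories of slide 23
Pip = Callable[[str, str, Request], Optional[object]]  # resolves attributes the request lacks


class MissingAttribute(Exception):
    """Neither the request nor the PIP could supply an attribute."""


class Context:
    """Evaluation context: the request plus an optional PIP (slide 16, speaker note 2)."""
    def __init__(self, request: Request, pip: Optional[Pip] = None):
        self.request = {cat: dict(attrs) for cat, attrs in request.items()}
        self.pip = pip

    def get(self, category: str, attr_id: str) -> object:
        attrs = self.request.setdefault(category, {})
        if attr_id not in attrs and self.pip is not None:
            value = self.pip(category, attr_id, self.request)
            if value is not None:
                attrs[attr_id] = value          # cache so later rules reuse the lookup
        if attr_id not in attrs:
            raise MissingAttribute(f"{category}.{attr_id}")
        return attrs[attr_id]


def combine(algorithm: str, decisions: Iterable[str]) -> str:
    """Simplified combining algorithms (the spec's extended Indeterminate sub-types are collapsed)."""
    if algorithm == "first-applicable":
        for d in decisions:                     # lazy: stops at the first applicable child
            if d != NOT_APPLICABLE:
                return d
        return NOT_APPLICABLE
    seen = set(decisions)
    wins, other = (DENY, PERMIT) if algorithm == "deny-overrides" else (PERMIT, DENY)
    if wins in seen:
        return wins
    if INDETERMINATE in seen:
        return INDETERMINATE                    # a failed lookup never silently becomes the other effect
    return other if other in seen else NOT_APPLICABLE


class Rule:
    def __init__(self, effect: str, target=None, condition=None):
        self.effect, self.target, self.condition = effect, target, condition

    def evaluate(self, ctx: Context) -> str:
        try:
            if (self.target and not self.target(ctx)) or (self.condition and not self.condition(ctx)):
                return NOT_APPLICABLE
            return self.effect
        except MissingAttribute:
            return INDETERMINATE


class Policy:
    """A Policy (children are Rules) or a PolicySet (children are Policies / PolicySets)."""
    def __init__(self, algorithm: str, children: list, target=None):
        self.algorithm, self.children, self.target = algorithm, children, target

    def evaluate(self, ctx: Context) -> str:
        try:
            if self.target and not self.target(ctx):
                return NOT_APPLICABLE
        except MissingAttribute:
            return INDETERMINATE
        return combine(self.algorithm, (c.evaluate(ctx) for c in self.children))


# Slide 27 as a first-applicable policy (rule order matters) and the blacklist rule of slide 26,
# grouped under a deny-overrides root PolicySet so the blacklist beats the CRM policy's Permit.
crm_policy = Policy("first-applicable", target=lambda c: c.get("resource", "type") == "customer-record"
                    and c.get("action", "id") == "view", children=[
    Rule(DENY, condition=lambda c: not 9 <= c.get("environment", "hour") < 17),   # outside office hours
    Rule(DENY, condition=lambda c: c.get("subject", "location") != c.get("resource", "customer-location")),
    Rule(DENY, condition=lambda c: c.get("resource", "customer-id") in c.get("subject", "family")),
    Rule(PERMIT),                                                                 # ALLOW access
])
blacklist_policy = Policy("deny-overrides", children=[
    Rule(DENY, condition=lambda c: c.get("subject", "id") in c.get("resource", "blacklist"))])
root = Policy("deny-overrides", children=[crm_policy, blacklist_policy])

# Constructed PIP sources (assumed for the example): a user directory and the CRM database.
DIRECTORY = {"alice": {"location": "EU", "family": {"C-77"}}, "carol": {"family": set()}}
CRM_DB = {"C-42": {"customer-location": "EU", "blacklist": {"bob"}},
          "C-77": {"customer-location": "EU", "blacklist": set()}}


def pip(category: str, attr_id: str, request: Request) -> Optional[object]:
    if category == "subject":
        return DIRECTORY.get(request["subject"].get("id"), {}).get(attr_id)
    if category == "resource":
        return CRM_DB.get(request["resource"].get("customer-id"), {}).get(attr_id)


def decide(subject_id: str, customer_id: str, hour: int, action: str = "view") -> str:
    """Build the request a PEP would send (slide 23 shape) and return the PDP decision."""
    request = {"subject": {"id": subject_id}, "action": {"id": action},
               "resource": {"type": "customer-record", "customer-id": customer_id},
               "environment": {"hour": hour}}
    return root.evaluate(Context(request, pip))
```

Two points the slides leave implicit show up when running `decide`: with deny-overrides at the root, a customer's blacklist entry wins over the CRM policy's final ALLOW, and a lookup that fails (carol has no location in the directory) yields Indeterminate rather than being treated as a match or a miss. A PEP must treat both Indeterminate and NotApplicable as "do not proceed", since only an explicit Permit means the policies positively allowed the access.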
  • 29. XACML for the Java Developer Axiomatics
  • 30. 30 Use the same enforcement SDK across all your apps XACML Enforcement Point SDK
  • 31. Example: use Java Servlet Filters
      ◦ Protect Java web apps

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

// A servlet filter sees every request before the application does, which makes it a natural PEP
public class ServletPEP implements Filter {

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // Read the PDP location and attribute mappings from the filter's init-params (web.xml)
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        // PEP logic goes here: build the XACML request from the HTTP request, ask the PDP,
        // and only pass the call down the chain on a Permit decision
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // Release the PDP client
    }
}
```
  • 32. Example: use JAX-WS interceptors
      ◦ Protect Java web services
      ◦ Can be applied inbound and outbound
      ◦ Inspect the payload of the messages
      ◦ Also applicable to JAX-RS services

```java
import javax.xml.ws.handler.soap.SOAPMessageContext;

// Fragment of a javax.xml.ws.handler.soap.SOAPHandler<SOAPMessageContext> implementation
/*
 * (non-Javadoc)
 *
 * @see javax.xml.ws.handler.Handler#handleMessage(javax.xml.ws.handler.MessageContext)
 */
@Override
public boolean handleMessage(SOAPMessageContext context) {
    // Called for inbound and outbound messages alike; MessageContext.MESSAGE_OUTBOUND_PROPERTY
    // tells which. Inspect the SOAP payload, build the XACML request, ask the PDP, and
    // return true to let the message continue or false to stop it.
    return true;
}
```
  • 33. Example: use AOP – annotations
      ◦ Example: a Student Management Service that can create, grade, and delete students
      ◦ Apply the @XacmlEnforcementPoint annotation
      ◦ Annotate the POJOs with @XacmlAttribute

```java
// Service methods marked as enforcement points are intercepted by the AOP-based PEP
public interface StudentService {
    @XacmlEnforcementPoint
    Student createStudent();
}

// Annotated fields of the POJO become attributes of the XACML request
class Student {
    @XacmlAttribute String name;
    @XacmlAttribute Integer age;
}
```
  • 34. Other areas
      ◦ Spring Security
      ◦ JAAS integration
      ◦ JSP taglibs
      ◦ JMS
      ◦ Can you name any?
      ◦ Goal: provide a unified, standardized way of applying fine-grained authorization across multiple applications
  • 35. XACML simplifies authorization management
      ◦ The authorization logic is externalized into XACML policies
      ◦ You no longer need to write Java code: if the authorization logic changes, update the policies
      ◦ Strive for configuration-based authorization, e.g. via interceptors (servlet filters, JAX-WS handlers)
      ◦ Configure the handlers using the target framework’s config files (e.g. web.xml)
  • 36. XACML saves you time. Before: 80% business logic, 20% security. After: 95% business logic, 5% security.
  • 37. Beyond Java: apply the same architectural approach and XACML policies to .NET, Perl, Python, Ruby, business apps, and more!
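Slides 30 to 37 make one architectural point: the PEP is an interceptor wired once into the application stack (a servlet filter, a JAX-WS handler), and the application itself carries no authorization code. The following is an added example for this page, written in Python because slide 37 lists it among the targets of the same approach; it is not Axiomatics' SDK. It implements that interceptor as WSGI middleware, the Python counterpart of the slide 31 servlet filter. The PDP is any callable that takes a request dict in the four-category shape of slide 23 and returns a decision string; `stub_pdp`, the URL-to-resource mapping in `build_request`, and the constructed `environ` values are assumptions made for the example.

```python
"""A PEP as WSGI middleware: the Python counterpart of the servlet-filter PEP on slide 31,
wired once into the stack instead of being written into each handler. Constructed example
for this page, not Axiomatics' SDK; stub_pdp stands in for a real PDP."""
from typing import Callable, Dict, Iterable, Optional, Tuple

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"
Request = Dict[str, Dict[str, object]]
Pdp = Callable[[Request], str]


def build_request(environ: dict) -> Request:
    """Map the HTTP request onto the four XACML attribute categories (assumed URL layout:
    /<resource type>/<resource id>)."""
    parts = [p for p in environ.get("PATH_INFO", "/").split("/") if p]
    verbs = {"GET": "view", "POST": "create", "PUT": "update", "DELETE": "delete"}
    return {
        "subject": {"id": environ.get("REMOTE_USER")},          # set earlier by authentication
        "action": {"id": verbs.get(environ.get("REQUEST_METHOD", ""), "other")},
        "resource": {"type": parts[0] if parts else "", "id": parts[1] if len(parts) > 1 else None},
        "environment": {"remote-addr": environ.get("REMOTE_ADDR")},
    }


class PepMiddleware:
    """Intercepts every request, asks the PDP, and enforces the decision."""

    def __init__(self, app, pdp: Pdp):
        self.app, self.pdp = app, pdp

    def __call__(self, environ, start_response) -> Iterable[bytes]:
        decision = self.pdp(build_request(environ))
        if decision != PERMIT:
            # Fail closed: Deny, NotApplicable and Indeterminate all block the call.
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [f"denied: {decision}".encode()]
        return self.app(environ, start_response)


def stub_pdp(request: Request) -> str:
    """Stand-in PDP (constructed): authenticated users may view purchase orders, nothing else
    is covered by a policy."""
    if not request["subject"]["id"]:
        return INDETERMINATE                  # subject attributes unavailable
    if request["resource"]["type"] != "purchase-orders":
        return NOT_APPLICABLE                 # no policy covers this resource
    return PERMIT if request["action"]["id"] == "view" else DENY


def business_app(environ, start_response) -> Iterable[bytes]:
    """The protected application: it contains no authorization code at all."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"purchase order details"]


def call(app, method: str, path: str, user: Optional[str] = None) -> Tuple[str, str]:
    """Drive a WSGI app in-process with a constructed environ; returns (status, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    environ = {"REQUEST_METHOD": method, "PATH_INFO": path,
               "REMOTE_USER": user, "REMOTE_ADDR": "10.0.0.5"}
    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode()


# Wired once, like a filter mapping in web.xml; swapping the PDP or its policies needs no app change.
protected_app = PepMiddleware(business_app, stub_pdp)
```

The design choice worth noticing is the single comparison against `PERMIT`: the middleware never reasons about why the PDP declined, so a missing subject (Indeterminate) or a resource no policy mentions (NotApplicable) is refused exactly like an explicit Deny, and new resource types stay closed until a policy is written for them.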
  • 38. A few parting words
  • 39. Just a spoonful of XACML makes…
      ◦ Consolidated authorization: write once, enforce everywhere
      ◦ Enhanced security: consistent authorization enforcement
      ◦ Business enabler: expose data and APIs to new customers
      ◦ Compliance: implement legal frameworks
  • 40. Do you want to chip in?
      ◦ OASIS XACML TC: https://www.oasis-open.org/committees/xacml/
      ◦ Online resources: http://www.xacml.eu

Editor's Notes

  1. Once upon a time, access control was about who you were. What mattered was your identity or perhaps your role or group. But today, access control should be more about what you represent, what you want to do, what you want to access, for which purpose, when, where, how, and why… Credits: Invisible: Andrew Cameron, from The Noun Project; Box: Martin Karachorov; Wrench: John O'Shea; Clock: Brandon Hopkins
  2. Policy Enforcement Point: In the XACML architecture, the PEP is the component in charge of intercepting business messages and protecting targeted resources by requesting an access control decision from a policy decision point and enforcing that decision. PEPs can embrace many different form factors depending on the type of resource being protected.
     Policy Decision Point: The PDP sits at the very core of the XACML architecture. It implements the XACML standard and evaluation logic. Its purpose is to evaluate access control requests coming in from the PEP against the XACML policies read from the PRP. The PDP then returns a decision – either of Permit, Deny, Not Applicable, or Indeterminate.
     Policy Retrieval Point: The PRP is one of the components that support the PDP in its evaluation process. Its only purpose is to act as a persistence layer for XACML policies. It can therefore take many forms such as a database, a file, or a web service call to a remote repository.
     Policy Information Point: XACML is a policy-based language which uses attributes to express rules & conditions. Attributes are bits of information about a subject, resource, action, or context describing an access control situation. Examples of attributes are a user id, a role, a resource URI, a document classification, the time of the day, etc… In its evaluation process, the PDP may need to retrieve additional attributes. It turns to PIPs where attributes are stored. Examples of PIPs include corporate user directories (LDAP…), databases, UDDIs… The PDP may for instance ask the PIP to look up the role of a given user.
     Policy Administration Point: The PAP’s purpose is to provide a management interface administrators can use to author policies and control their lifecycle.
  3. Need to clarify the location constraint. Permit assumes that Alice’s location == 12367’s location.