Why lasagna is better than spaghetti: baking authorization into your applications using ALFA, JSON, and REST - Cloud Identity Summit 2014

David Brossard, Chief Technology Officer at Axiomatics
Why lasagna is better than spaghetti
Building authorization into your apps,
APIs, and DB using JSON, REST & ALFA
© Axiomatics 2014 - @axiomatics
Before we begin, a little draw
Drop in your card at the Axiomatics booth for a
chance to win a Bose bluetooth speaker
A little history of pasta
Meet Sally. And her precious one. And so lasagna kicked spaghetti out.
Doesn’t your code feel like spaghetti?
A little history of access control
Based on: Hilbert and Lopez, 2011
[Chart: growth of stored information from 1986 to 2007 (0–300 scale), from ~0.7% digital to ~93% digital; access control models DAC, MAC, RBAC and ABAC appear in turn along the timeline, marking increasing access control challenges]
What’s Our Secret Ingredient?
Attributes…
Attributes…
Attributes…
Attribute-Based Access Control
Who… What… Where… When… Why… How…
Attributes can describe everything (not just who)
The Secret Sauce?
Policy-Based Access Control
Centralized…
Easy to audit…
eXtensible… Standardized…
Attribute-based…
XACML – eXtensible Access Control Markup Language = ABAC + PBAC
XACML supports Schrödinger’s cat (Paul Madsen’s)
Bake in layers
Authorization at the right place
Business tier… API tier… Data tier… Web app tier… Presentation tier…
Data Tier
Bake once, enjoy everywhere
Presentation Tier
API & WS Tier
Business Tier
eXternalized
Authorization
Service
How does Chef Gebel take it to the next level?
I use ALFA, 100% XACML.
I use JSON and REST too – easy on the developers.
THE ALFA
PLUGIN FOR
ECLIPSE
Authorization’s KitchenAid
What’s ALFA
• Abbreviated Language for Authorization
• OASIS
– Axiomatics language donated to OASIS XACML
– In the process of standardization
• Goals
– Makes XACML policies easier to write
– Simplifies XACML structure
– Enhances possibilities
• Audience
– Aimed at developers initially
– Very popular with business analysts
What’s the ALFA plugin?
• Add-on to Eclipse, the popular IDE
• Lets you write ALFA easily
– Auto-complete
– Syntax checking
– Syntax coloring
• Converts ALFA into XACML 3.0 policies on the fly
• Lets you test your policies
An example: the insurance use case
• Authorization requirement
– A customer can view his/her own policies and the policies of a spouse
that are not marked as private
• Identify the attributes
– User type; action; policy owner; policy private flag; spouse; object
type; user identity
• Rework the rule
– A user with type==customer can do action==view on an object of
type==policy…
• if and only if policyOwner == userId, or
• policyPrivateFlag==false && policy.owner==user.spouse
• Implement in ALFA
THE JSON PROFILE
OF XACML
Delicious & Healthy
Objectives
• Lightweight notation
• Get rid of the verboseness of XML
• Easy to write
• Broader support for languages (JS, Python…)
• Remove the XACML / XML redundancy
• Infer certain things e.g. datatypes
The JSON Profile - Basics
• The profile is a close mirror of the XML XACML
request / response
• It is possible to omit information and rely on
inference
– Reasonable defaults
– E.g. a string value need not carry a DataType
• Default category names
– AccessSubject, Resource, Action, Environment
Example in HTML/Javascript
<script language="javascript">
var jsonRequest = new Object();
jsonRequest.Request = new Object();
jsonRequest.Request.AccessSubject = new Object();
// jsonRequest.Request.AccessSubject.Attribute
var userId = new Object();
userId.AttributeId="userId";
userId.Value="John";
var role = new Object();
role.AttributeId="role";
role.Value="manager";
jsonRequest.Request.AccessSubject.Attribute = [userId,role];
</script>
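The two slides above (the insurance use case and the JSON profile basics) can be tied together in one runnable piece. The block below is an added example, not code from the slides or from Axiomatics: it builds a request in the JSON profile's Request → category → Attribute shape for the insurance rule, leaving DataType out where the profile's string default applies, and then evaluates the slide's rule against that request with a small local evaluator. The attribute ids (userId, userType, spouse, actionId, objectType, policyOwner, policyPrivateFlag) are assumed names for the attributes the slide lists, and the evaluator is illustrative only; it is not a XACML PDP.

```javascript
// Added example (not from the slides): build a JSON-profile XACML request for the
// insurance use case and evaluate the slide's rule against it with a small local
// evaluator. The attribute ids (userId, userType, spouse, actionId, objectType,
// policyOwner, policyPrivateFlag) are assumed names for the attributes the slide
// lists; the evaluator is illustrative and is not a XACML PDP.

// Request -> category -> Attribute[] is the JSON profile's shape. DataType is
// left out where the profile's default (string) applies and stated only for the
// boolean flag. Attributes whose value is unknown are omitted from the request.
function buildInsuranceRequest(user, action, policy) {
  const present = (attrs) => attrs.filter((a) => a.Value !== undefined);
  return {
    Request: {
      AccessSubject: {
        Attribute: present([
          { AttributeId: "userId", Value: user.id },
          { AttributeId: "userType", Value: user.type },
          { AttributeId: "spouse", Value: user.spouse },
        ]),
      },
      Action: { Attribute: [{ AttributeId: "actionId", Value: action }] },
      Resource: {
        Attribute: present([
          { AttributeId: "objectType", Value: "policy" },
          { AttributeId: "policyOwner", Value: policy.owner },
          { AttributeId: "policyPrivateFlag", Value: policy.isPrivate, DataType: "boolean" },
        ]),
      },
    },
  };
}

// Look up a single attribute value in a category; undefined when absent.
function attr(request, category, id) {
  const cat = request.Request[category];
  if (!cat || !Array.isArray(cat.Attribute)) return undefined;
  const found = cat.Attribute.find((a) => a.AttributeId === id);
  return found ? found.Value : undefined;
}

// The rule from the slide:
//   target : userType == customer, actionId == view, objectType == policy
//   permit : policyOwner == userId
//   permit : policyPrivateFlag == false && policyOwner == spouse
//   else   : deny
// Returns a response in the JSON profile's shape (Response is an array of results).
function evaluateInsuranceRule(request) {
  const inTarget =
    attr(request, "AccessSubject", "userType") === "customer" &&
    attr(request, "Action", "actionId") === "view" &&
    attr(request, "Resource", "objectType") === "policy";
  if (!inTarget) return { Response: [{ Decision: "NotApplicable" }] };

  const userId = attr(request, "AccessSubject", "userId");
  const spouse = attr(request, "AccessSubject", "spouse");
  const owner = attr(request, "Resource", "policyOwner");
  const isPrivate = attr(request, "Resource", "policyPrivateFlag");

  // A missing owner, user id or flag must not be read as "public": fail closed.
  if (userId === undefined || owner === undefined || typeof isPrivate !== "boolean") {
    return { Response: [{ Decision: "Indeterminate" }] };
  }

  const ownPolicy = owner === userId;
  const spousePolicy = isPrivate === false && spouse !== undefined && owner === spouse;
  return { Response: [{ Decision: ownPolicy || spousePolicy ? "Permit" : "Deny" }] };
}

// Decision string for a (user, action, policy) triple.
function decide(user, action, policy) {
  return evaluateInsuranceRule(buildInsuranceRequest(user, action, policy)).Response[0].Decision;
}

// Constructed sample data for the demo.
const alice = { id: "alice", type: "customer", spouse: "bob" };
const broker = { id: "carol", type: "broker" };
const alicesPolicy = { owner: "alice", isPrivate: true };
const bobsPublicPolicy = { owner: "bob", isPrivate: false };
const bobsPrivatePolicy = { owner: "bob", isPrivate: true };

console.log(decide(alice, "view", alicesPolicy));      // Permit (own policy, private or not)
console.log(decide(alice, "view", bobsPublicPolicy));  // Permit (spouse's non-private policy)
console.log(decide(alice, "view", bobsPrivatePolicy)); // Deny (spouse's private policy)
console.log(decide(broker, "view", bobsPublicPolicy)); // NotApplicable (not a customer)
```

The point worth noticing is the Indeterminate branch: when the private flag or the owner is missing from the request, the evaluator refuses to decide rather than treating the policy as public. A real PDP behaves the same way when a condition cannot be evaluated, which is why a PEP should treat anything other than Permit as a denial.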
Size of a XACML request
[Chart: two bar charts comparing the same XACML request in XML and JSON: word count (0–50 axis) and character count (0–1400 axis)]
THE REST PROFILE OF XACML
The perfect way to serve your lasagna
Why a “REST” profile?
• No standard transport protocol in XACML core
• Different implementations have different
SOAP wrappings
• SOAP in itself is losing in popularity
• Provide easy means to send authorization
request
Posting the JSON Request in Javascript
var xmlHttp = null;
function ProcessRequest() {
// Called on every state change; act only once the response is complete
if (xmlHttp.readyState === 4) {
if (xmlHttp.status === 200) {
var response = JSON.parse(xmlHttp.responseText);
console.log("Decision: " + response.Response[0].Decision);
} else {
console.log("Authorization request failed: HTTP " + xmlHttp.status);
}
}
}
function authorize() {
// The textarea already holds JSON text; parse it here so a malformed request fails
// early and the object is encoded once (stringifying the raw string would double-encode it)
var xacmlRequest = JSON.parse(document.getElementById( "xacmlrequest" ).value);
var Url = "https://localhost:5443/axio/authorize";
xmlHttp = new XMLHttpRequest();
xmlHttp.onreadystatechange = ProcessRequest;
xmlHttp.withCredentials = true;
xmlHttp.open( "POST", Url, true ); // asynchronous; ProcessRequest handles the reply
xmlHttp.setRequestHeader("Accept","application/xacml+json");
xmlHttp.setRequestHeader("Content-Type","application/xacml+json");
xmlHttp.setRequestHeader("Authorization","Basic cGVwOnBhc3N3b3Jk"); // demo PEP credentials from the slide
xmlHttp.send( JSON.stringify(xacmlRequest) );
}
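The same POST written as a fetch-based PEP client, as an added example that is not part of the slides or of any Axiomatics code. It keeps the slide's endpoint URL and media type, but the PEP credentials and the stand-in PDP that answers the request are constructed for the demo so the block runs offline. Two things it adds to the slide's snippet: the request is encoded exactly once, and every response that is not a single explicit Permit is reduced to Deny, so the PEP fails closed on Deny, NotApplicable, Indeterminate, HTTP errors and malformed bodies.

```javascript
// Added example (not from the slides): a fetch-based client for the REST profile
// endpoint. The endpoint URL is the slide's; the PEP credentials and the fake PDP
// are constructed for the demo. Credentials belong in configuration, not in source.

const AUTHORIZE_URL = "https://localhost:5443/axio/authorize";

// Build the fetch options for a JSON-profile request. The request must be the
// object, not a JSON string: stringifying a string a second time sends a
// quoted blob the PDP cannot parse.
function buildAuthorizeOptions(jsonRequest, credentials) {
  if (typeof jsonRequest !== "object" || jsonRequest === null) {
    throw new TypeError("pass the request object, not a pre-encoded string");
  }
  const headers = {
    Accept: "application/xacml+json",
    "Content-Type": "application/xacml+json",
  };
  if (credentials) {
    // HTTP Basic: base64("user:password"); btoa in browsers and recent Node, Buffer otherwise.
    const raw = `${credentials.user}:${credentials.password}`;
    const encoded = typeof btoa === "function" ? btoa(raw) : Buffer.from(raw).toString("base64");
    headers.Authorization = `Basic ${encoded}`;
  }
  return { method: "POST", headers, credentials: "include", body: JSON.stringify(jsonRequest) };
}

// Reduce a JSON-profile response to Permit or Deny. The profile's Response is an
// array of results; anything other than a single explicit Permit (Deny,
// NotApplicable, Indeterminate, a malformed body) is treated as Deny, so the
// PEP fails closed.
function decisionFrom(responseBody) {
  const results = responseBody && Array.isArray(responseBody.Response) ? responseBody.Response : [];
  if (results.length !== 1) return "Deny"; // multi-decision responses not handled here
  return results[0] && results[0].Decision === "Permit" ? "Permit" : "Deny";
}

// POST the request; network or HTTP errors also resolve to Deny.
async function authorize(jsonRequest, credentials, fetchImpl = fetch) {
  try {
    const res = await fetchImpl(AUTHORIZE_URL, buildAuthorizeOptions(jsonRequest, credentials));
    if (!res.ok) return "Deny";
    return decisionFrom(await res.json());
  } catch (err) {
    return "Deny";
  }
}

// Constructed request mirroring the slide's userId/role example.
const sampleRequest = {
  Request: {
    AccessSubject: {
      Attribute: [
        { AttributeId: "userId", Value: "John" },
        { AttributeId: "role", Value: "manager" },
      ],
    },
    Action: { Attribute: [{ AttributeId: "actionId", Value: "view" }] },
    Resource: { Attribute: [{ AttributeId: "resourceId", Value: "report-42" }] },
  },
};

// Stand-in for fetch that answers like a PDP (permit managers), so this runs offline.
function fakePdpFetch(url, options) {
  const body = JSON.parse(options.body);
  const role = body.Request.AccessSubject.Attribute.find((a) => a.AttributeId === "role");
  const decision = role && role.Value === "manager" ? "Permit" : "Deny";
  return Promise.resolve({
    ok: true,
    json: () => Promise.resolve({ Response: [{ Decision: decision }] }),
  });
}

authorize(sampleRequest, { user: "pep", password: "demo-secret" }, fakePdpFetch)
  .then((d) => console.log("decision:", d)); // decision: Permit
```

To talk to a real PDP, drop the third argument so the global fetch is used; the Authorization header is then whatever the PEP account is, ideally loaded from configuration or a secret store rather than embedded in a page that ships to browsers.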
And now, let’s bake!
Ok, so it’s time to wrap up
Forget spaghetti. Whip up lasagna!
(Sorry Sergio Leone)
Don’t forget to pair the pasta with an elegant wine. Ask @ggebel, our head sommelier, for recommendations.
Summary
EAM – eXternalized Authorization Management: the act of cleanly separating business logic from authorization logic and maintaining each one independently.
ABAC – Attribute-based access control: an authorization model whereby parameters about the user, resource, action, and environment can be used to determine access.
PBAC – Policy-based access control: an authorization model which uses attributes combined together inside policies to define granted or denied access.
XACML – eXtensible Access Control Markup Language: the standard implementation of ABAC and PBAC, done by OASIS.
References
• REST profile of XACML
• JSON profile of XACML
• ALFA profile of XACML
Available on the OASIS XACML TC website
oasis-open.org/committees/tc_home.php?wg_abbrev=xacml
Thank you all
David Brossard
Axiomatics – the leaders in ABAC & PBAC
@davidjbrossard
@axiomatics
http://developers.axiomatics.com