
Why lasagna is better than spaghetti: baking authorization into your applications using ALFA, JSON, and REST - Cloud Identity Summit 2014


Next-generation access control is undergoing a bit of an identity crisis. Some call it eXternalized Authorization Management, others Dynamic Access Control and still others just refer to it as Attribute Based Access Control (ABAC). Until now, XACML and ABAC have been the two pillars supporting next-gen AuthZ. Gartner predicts that 70% of enterprises will adopt ABAC by 2020.
With ALFA, REST, and JSON, even the most complex authorization scenarios become extremely simple to implement. It's haute cuisine made simple. In this session, we will go hands-on with examples, live demos, coding, and delicious samples.


  1. Why lasagna is better than spaghetti: building authorization into your apps, APIs, and DB using JSON, REST & ALFA. © Axiomatics 2014 - @axiomatics
  2. Before we begin, a little prize draw: drop your card at the Axiomatics booth for a chance to win a Bose Bluetooth speaker.
  3. A little history of pasta. Meet Sally, and her precious one. And so lasagna kicked spaghetti out.
  4. Doesn’t your code feel like spaghetti?
  5. A little history of access control. [Chart, based on Hilbert and López, 2011: the world’s stored information by year from 1986 to 2007, going from about 0.7% digital to about 93% digital, with the access control models DAC, MAC, RBAC and ABAC arriving in turn as access control challenges increased.]
  6. What’s our secret ingredient? Attributes… Attributes… Attributes…
  7. Attribute-Based Access Control: Who… What… Where… When… Why… How… Attributes can describe everything (not just who).
  8. The secret sauce? Policy-Based Access Control: centralized, standardized, attribute-based, eXtensible, easy to audit.
  9. XACML – eXtensible Access Control Markup Language = ABAC + PBAC
  10. XACML supports Paul Madsen’s Schrödinger’s cat.
  11. Bake in layers: authorization at the right place. Presentation tier… Web app tier… Business tier… API tier… Data tier…
  12. Bake once, enjoy everywhere: the presentation tier, API & WS tier, business tier and data tier all call one eXternalized Authorization Service.
  13. How does Chef Gebel take it to the next level? “I use ALFA, 100% XACML. I use JSON and REST too – easy on the developers.”
  14. THE ALFA PLUGIN FOR ECLIPSE – Authorization’s KitchenAid
  15. What’s ALFA?
      • Abbreviated Language for Authorization
      • OASIS
        – Axiomatics language donated to the OASIS XACML TC
        – In the process of standardization
      • Goals
        – Makes XACML policies easier to write
        – Simplifies XACML structure
        – Enhances possibilities
      • Audience
        – Aimed at developers initially
        – Very popular with business analysts
  16. What’s the ALFA plugin?
      • Add-on to Eclipse, the popular IDE
      • Lets you write ALFA easily
        – Auto-complete
        – Syntax checking
        – Syntax coloring
      • Converts ALFA into XACML 3.0 policies on the fly
      • Lets you test your policies
  17. An example: the insurance use case
      • Authorization requirement
        – A customer can view his/her own policies and the policies of a spouse that are not marked as private
      • Identify the attributes
        – User type; action; policy owner; policy private flag; spouse; object type; user identity
      • Rework the rule
        – A user with userType == customer can do action == view on an object with objectType == policy if and only if
          • policyOwner == userId, or
          • policyPrivateFlag == false and policyOwner == spouse
      • Implement in ALFA
  18. THE JSON PROFILE OF XACML – Delicious & Healthy
  19. Objectives
      • Lightweight notation
      • Get rid of the verbosity of XML
      • Easy to write
      • Broader support for languages (JS, Python…)
      • Remove the XACML / XML redundancy
      • Infer certain things, e.g. data types
  20. The JSON Profile – Basics
      • The profile is a close mirror of the XML XACML request / response
      • It is possible to omit information and use inference
        – Reasonable defaults
        – E.g. an attribute with no DataType is treated as a string
      • Default category names
        – AccessSubject, Resource, Action, Environment
  21. Example in HTML/JavaScript
      <script>
        // Build a request in the JSON Profile of XACML: two attributes in the
        // default AccessSubject category. DataType is omitted, so the PDP
        // infers string (slide 20).
        var jsonRequest = {
          Request: {
            AccessSubject: {
              Attribute: [
                { AttributeId: "userId", Value: "John" },
                { AttributeId: "role", Value: "manager" }
              ]
            }
          }
        };
      </script>
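The request format of slides 20 and 21 and the insurance rule of slide 17 meet in a policy decision point. The block below is an added example written for this page; it is not code from the deck or from Axiomatics. It is a small in-process evaluator that accepts a JSON-profile request (default category names, DataType inference when the field is omitted, Attribute and Value given either as a single item or as an array), applies the slide-17 rule and returns a JSON-profile response. The attribute identifiers (userId, userType, spouse, actionId, objectType, policyOwner, policyPrivate) and the sample users are assumptions; a real deployment would post the same request over the REST profile to a PDP rather than call evaluate() directly.

```javascript
// Added example, not from the deck or from Axiomatics' products: a tiny
// in-process evaluator that reads requests written in the JSON Profile of
// XACML and applies the insurance rule of slide 17. Attribute identifiers
// (userId, userType, spouse, actionId, objectType, policyOwner, policyPrivate)
// are assumed; the slides name the attributes but not their ids.

var XS = "http://www.w3.org/2001/XMLSchema#";

// A category holds one Attribute object or an array of them; normalise to an array.
function attributesOf(request, category) {
  var cat = request.Request && request.Request[category];
  if (!cat || !cat.Attribute) return [];
  return Array.isArray(cat.Attribute) ? cat.Attribute : [cat.Attribute];
}

// When DataType is omitted the profile lets the PDP infer it from the JSON
// type: string -> xs:string, boolean -> xs:boolean, number -> integer or double.
function inferDataType(value) {
  if (typeof value === "boolean") return XS + "boolean";
  if (typeof value === "number") return XS + (Number.isInteger(value) ? "integer" : "double");
  return XS + "string";
}

// Collect the bag of typed values for one attribute id in one category.
// XACML attributes are bags, so the result is always an array (possibly empty).
function bag(request, category, attributeId) {
  var out = [];
  attributesOf(request, category).forEach(function (a) {
    if (a.AttributeId !== attributeId) return;
    var values = Array.isArray(a.Value) ? a.Value : [a.Value];
    values.forEach(function (v) {
      var dataType = a.DataType || inferDataType(v);
      // Tolerate booleans sent as strings once the client has declared xs:boolean.
      if (dataType === XS + "boolean" && typeof v === "string") v = (v === "true");
      out.push({ value: v, dataType: dataType });
    });
  });
  return out;
}

function bagHas(b, value) {
  return b.some(function (x) { return x.value === value; });
}

// Slide-17 rule. Target: userType == customer, action == view, objectType == policy;
// requests outside the target are NotApplicable. Inside the target the customer is
// permitted iff the policy is his/her own, or belongs to the spouse and carries an
// explicit policyPrivate == false. A missing flag therefore fails closed (Deny).
function evaluate(request) {
  var userType = bag(request, "AccessSubject", "userType");
  var userId = bag(request, "AccessSubject", "userId");
  var spouse = bag(request, "AccessSubject", "spouse");
  var action = bag(request, "Action", "actionId");
  var objectType = bag(request, "Resource", "objectType");
  var owner = bag(request, "Resource", "policyOwner");
  var isPrivate = bag(request, "Resource", "policyPrivate");

  var inTarget = bagHas(userType, "customer") && bagHas(action, "view") && bagHas(objectType, "policy");
  if (!inTarget) return { Response: [{ Decision: "NotApplicable" }] };

  var ownPolicy = userId.some(function (u) { return bagHas(owner, u.value); });
  var spousePublic = bagHas(isPrivate, false) &&
    spouse.some(function (s) { return bagHas(owner, s.value); });
  return { Response: [{ Decision: (ownPolicy || spousePublic) ? "Permit" : "Deny" }] };
}

// Build a request in the JSON profile using the default category names.
// DataType is deliberately left out so the PDP infers it (slide 20).
function buildRequest(subject, action, resource) {
  function toAttributes(obj) {
    return Object.keys(obj).map(function (k) { return { AttributeId: k, Value: obj[k] }; });
  }
  return {
    Request: {
      AccessSubject: { Attribute: toAttributes(subject) },
      Action: { Attribute: toAttributes(action) },
      Resource: { Attribute: toAttributes(resource) }
    }
  };
}

// Constructed sample requests (made-up users and policies).
var alice = { userId: "alice", userType: "customer", spouse: "bob" };
var viewOwn = buildRequest(alice, { actionId: "view" }, { objectType: "policy", policyOwner: "alice", policyPrivate: false });
var viewSpousePrivate = buildRequest(alice, { actionId: "view" }, { objectType: "policy", policyOwner: "bob", policyPrivate: true });

console.log(JSON.stringify(evaluate(viewOwn)));            // {"Response":[{"Decision":"Permit"}]}
console.log(JSON.stringify(evaluate(viewSpousePrivate)));  // {"Response":[{"Decision":"Deny"}]}
```

The spouse path requires an explicit policyPrivate == false, as the slide states it; if the flag is missing from the request the decision is Deny, not Permit, which is the direction an authorization default should fail. Requests for another action or object type fall outside the target and come back NotApplicable, leaving room for other policies in a real policy set to decide them.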
  22. Size of a XACML request. [Two bar charts comparing the same request encoded in XML and in JSON: word count (scale 0–50) and character count (scale 0–1400).]
  23. THE REST PROFILE OF XACML – The perfect way to serve your lasagna
  24. Why a “REST” profile?
      • No standard transport protocol in XACML core
      • Different implementations have different SOAP wrappings
      • SOAP in itself is losing popularity
      • Provide an easy means to send authorization requests
  25. Posting the JSON request in JavaScript
      var xmlHttp = null;

      // Runs on every state change; act once the reply is in.
      function ProcessRequest() {
        if (xmlHttp.readyState === 4 && xmlHttp.status === 200) {
          var response = JSON.parse(xmlHttp.responseText);
          // JSON profile response: Response is an array of results, each with a
          // Decision of Permit, Deny, NotApplicable or Indeterminate.
          console.log(response.Response[0].Decision);
        }
      }

      function authorize() {
        // The textarea holds the request as text; parse it so a malformed request
        // fails here rather than at the PDP, and so that stringify() below sends
        // an object rather than a double-encoded string.
        var xacmlRequest = JSON.parse(document.getElementById("xacmlrequest").value);
        var Url = "https://localhost:5443/axio/authorize";
        xmlHttp = new XMLHttpRequest();
        xmlHttp.onreadystatechange = ProcessRequest;
        xmlHttp.withCredentials = true;
        xmlHttp.open("POST", Url, true); // asynchronous; ProcessRequest handles the reply
        xmlHttp.setRequestHeader("Accept", "application/xacml+json");
        xmlHttp.setRequestHeader("Content-Type", "application/xacml+json");
        // Demo PEP credential from the slide. Anything embedded in browser script is
        // readable by every user, so in production the PEP call belongs server-side.
        xmlHttp.setRequestHeader("Authorization", "Basic cGVwOnBhc3N3b3Jk");
        xmlHttp.send(JSON.stringify(xacmlRequest));
      }
  26. And now, let’s bake!
  27. OK, so it’s time to wrap up.
  28. Forget spaghetti. Whip up lasagna! (Sorry, Sergio Leone.) Don’t forget to pair the pasta with an elegant wine. Ask @ggebel, our head sommelier, for recommendations.
  29. Summary
      EAM – eXternalized Authorization Management: the act of cleanly separating business logic from authorization logic and maintaining each one independently.
      ABAC – Attribute-based access control: an authorization model whereby parameters about the user, resource, action and environment can be used to determine access.
      PBAC – Policy-based access control: an authorization model which uses attributes combined together inside policies to define granted or denied access.
      XACML – eXtensible Access Control Markup Language: the OASIS standard that expresses ABAC and PBAC as policies, requests and responses.
  30. References
      • REST profile of XACML
      • JSON profile of XACML
      • ALFA profile of XACML
      Available on the OASIS XACML TC website: oasis-open.org/committees/tc_home.php?wg_abbrev=xacml
  31. Thank you all. David Brossard, Axiomatics – the leaders in ABAC & PBAC. @davidjbrossard @axiomatics http://developers.axiomatics.com
