Updates from the OASIS XACML Technical Committee - Making Authorization Developer-Friendly using ALFA, REST, and JSON
In this 20-minute presentation, David Brossard of the OASIS XACML TC and Axiomatics shows how XACML can be used to address fine-grained authorization, attribute-based access control, and policy-based access control using the REST, JSON, and ALFA profiles of XACML, making authorization easy to create and consume.
This presentation was initially delivered at Oxford University in 2019.

Slide transcript
© Axiomatics 2019 - All Rights Reserved

Slide 1
Easy Authorization with REST, JSON, and ALFA
Updates from the OASIS XACML Technical Committee
September 10th, University of Oxford
David Brossard, OASIS XACML TC Member, IDPro Founding Member, @davidjbrossard

Slide 2: What is XACML?
⁃ Founded in 2001 – https://www.oasis-open.org/committees/xacml/
⁃ eXtensible Access Control Markup Language
⁃ Members include Oracle, US Government, Axiomatics, IBM, Thales and others
⁃ Statement of purpose (from the first email on the mailing list):
  ⁃ To define a core schema and corresponding namespace for the expression of authorization policies in XML against objects that are themselves identified in XML.
  ⁃ The schema will be capable of representing the functionality of most policy representation mechanisms available at the time of adoption.
  ⁃ It is also intended that the schema be extensible in order to address that functionality not included, custom application requirements, or features not yet envisioned.

Slide 3: The challenge?
⁃ You’ve been tasked with developing a new application
  ⁃ Micro-service, API, SPA... You name it
⁃ There are many non-functional requirements
  ⁃ Authentication
  ⁃ Logging
  ⁃ Authorization
⁃ Authorization ties together business logic and security
⁃ How can you achieve scalable, future-proof authorization?
  ⁃ Something you don’t have to rewrite all the time?

Slide 4: You could…
⁃ Think really hard and design your own model
⁃ Use RBAC
⁃ Hard-code the authorization logic within your app
Slide 6: Or you could…
⁃ Decouple your app code from your authorization logic
  ⁃ Focus on your app
  ⁃ Make it spiffy!
⁃ Implement your authorization requirements as policies & attributes
⁃ Integrate your app(s) with an externalized authorization service
Aloha XACML

Slide 7: XACML is the de-facto standard for ABAC
⁃ Attribute-Based Access Control
⁃ Also known as Policy-Based Access Control
⁃ Context-aware, dynamic, externalized
Who? What? When? Where? Why? How?

Slide 8: XACML with respect to other standards
⁃ XACML is not
  ⁃ SAML – identity federation
  ⁃ OAuth – access delegation
  ⁃ OpenID – authentication
  ⁃ UMA – user-managed access & consent management
⁃ XACML can collaborate with any of these standards to deliver better authorization

Slide 9: What does XACML define?
⁃ Reference Architecture
⁃ Policy Language
⁃ Request / Response Scheme

Slide 10: The XACML Reference Architecture
(diagram; components labelled Enforce, Decide, Manage)

Slide 11: The XACML Reference Architecture Flow
1. View record #123
2. Can Alice view record #123?
3. Evaluate policies
4. Retrieve additional attributes
5. Permit, Alice can view record #123
6. View record #123

Slide 12: XACML Uses Attributes
⁃ Key-value pairs
  ⁃ Key: Department
  ⁃ Value: Engineering
⁃ Multi-valued
⁃ Grouped into different categories
⁃ Different data types
⁃ Unique identifier
  ⁃ Name and namespace

Slide 13: Did someone say XML?

Slide 14: Don’t get me wrong, I <love>XML</love>

Slide 15
ALFA (abbreviated language for authorization)
JSON (JavaScript Object Notation)
REST (we all know what that means)

Slide 16: Bringing XACML to Developers
REST
⁃ A standard means to POST authorization requests to the PDP
⁃ Faster (than SOAP)
⁃ Easier to integrate with
JSON
⁃ Lightweight representation of a XACML request & response
⁃ 80% smaller than XML
⁃ Easier to integrate with
ALFA
⁃ Abbreviated Language For Authorization
⁃ Developer-friendly
⁃ Easier to read and write (than XML)
Slide 17: The REST Profile of XACML
⁃ Provide an easy means to send an authorization request
  ⁃ Just POST an authorization request
⁃ Provide a standard transport protocol in XACML
  ⁃ Current implementations use proprietary bindings, e.g. SOAP
  ⁃ SOAP itself has lost popularity
⁃ Integrate with more environments, languages, and SaaS
Slide 18: POSTing a Request in Javascript

    var xmlHttp = null;
    function authorize() {
        // The JSON-profile XACML request is read from a form field on the page
        var xacmlRequest = document.getElementById("xacmlrequest").value;
        // Create an HTTP request to the PDP
        var Url = "https://localhost:5443/axio/authorize";
        xmlHttp = new XMLHttpRequest();
        xmlHttp.onreadystatechange = ProcessRequest;
        // Choose to authenticate the call and use POST
        xmlHttp.withCredentials = true;
        xmlHttp.open("POST", Url, false);
        // Set the content type and the username/password
        xmlHttp.setRequestHeader("Accept", "application/xacml+json");
        xmlHttp.setRequestHeader("Content-Type", "application/xacml+json");
        // Demo credential only: the Basic token decodes to pep:password. A PEP's credential
        // to the PDP must never ship in browser-delivered code; keep the PEP server-side.
        xmlHttp.setRequestHeader("Authorization", "Basic cGVwOnBhc3N3b3Jk");
        xmlHttp.send(xacmlRequest);
    }
    // Handler referenced above but not shown on the slide; this minimal version reads the reply
    function ProcessRequest() {
        if (xmlHttp.readyState === 4) {
            console.log(xmlHttp.status, xmlHttp.responseText);
        }
    }
Slide 19: The JSON Profile of XACML – Building a JSON request in Javascript

    // Add an attribute and its value
    function createAttribute(identifier, value) {
        var attr = new Object();
        attr.AttributeId = identifier;
        attr.Value = value;
        return attr;
    }

    function generateXACMLRequest() {
        // 1. Create empty request: a new Request object holding a new AccessSubject attribute category
        var jsonRequest = new Object();
        jsonRequest.Request = new Object();
        jsonRequest.Request.AccessSubject = new Object();
        jsonRequest.Request.AccessSubject.Attribute = [];
        // 2. Add attributes
        jsonRequest.Request.AccessSubject.Attribute.push(createAttribute("com.acme.user.employeeId", "Alice"));
        // 3. Return request
        return jsonRequest;
    }
Slide 20: Sample JSON/XACML Request & Response

Request:

    {
      "Request": {
        "ReturnPolicyIdList": true,
        "AccessSubject": {
          "Attribute": [
            { "AttributeId": "axiomatics.demo.user.userId", "Value": "Alice" }
          ]
        },
        "Resource": {
          "Attribute": [
            { "AttributeId": "axiomatics.demo.record.recordId", "Value": "123" },
            { "AttributeId": "axiomatics.demo.resourceType", "Value": "record" }
          ]
        },
        "Action": {
          "Attribute": [
            { "AttributeId": "axiomatics.demo.actionId", "Value": "view" }
          ]
        }
      }
    }

Response:

    {
      "Response": [
        { "Decision": "Deny" }
      ]
    }
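The request on slide 20 built in code, plus the part the slides leave out: what a PEP does with the answer. This is an added example and not code from the presentation or from Axiomatics; the attribute identifiers are the ones on slide 20, while the helper names, the injected fetch implementation and the sample responses are assumptions. The XACML rule it encodes is that a PEP grants access only on an unambiguous Permit whose obligations it can discharge; Deny, NotApplicable, Indeterminate, a malformed body or an unexpected result count all fail closed.

```javascript
// Added example, not from the slides: build the slide-20 request in code and
// interpret the PDP's JSON response the way a PEP must (fail closed).
// Attribute identifiers are the ones on slide 20; the helper names, the
// injected fetch implementation and the sample responses below are assumptions.

// One attribute entry. DataType is optional in the JSON profile (string is the
// default), so it is only emitted when the caller supplies one.
function attribute(id, value, dataType) {
  const a = { AttributeId: id, Value: value };
  if (dataType) a.DataType = dataType;
  return a;
}

// Assemble a single-decision request with the three categories used on slide 20.
function buildRequest({ userId, recordId, action }) {
  return {
    Request: {
      ReturnPolicyIdList: true,
      AccessSubject: { Attribute: [attribute("axiomatics.demo.user.userId", userId)] },
      Resource: {
        Attribute: [
          attribute("axiomatics.demo.record.recordId", recordId),
          attribute("axiomatics.demo.resourceType", "record"),
        ],
      },
      Action: { Attribute: [attribute("axiomatics.demo.actionId", action)] },
    },
  };
}

// Interpret a parsed response. Only an unambiguous Permit whose obligations the
// PEP can discharge counts; Deny, NotApplicable, Indeterminate, a malformed
// body, or an unexpected number of results all mean "no access".
function isPermitted(response, knownObligations = new Set()) {
  const results = response && Array.isArray(response.Response) ? response.Response : null;
  if (!results || results.length !== 1) return false; // one request sent, one result expected
  const result = results[0];
  if (result.Decision !== "Permit") return false;
  for (const ob of result.Obligations || []) {
    // XACML: a PEP that cannot discharge an obligation attached to a Permit must deny.
    if (!knownObligations.has(ob.Id)) return false;
  }
  return true;
}

// Transport per the REST profile: POST the request with the xacml+json media
// type. `fetchImpl` is injected so the logic can be exercised without a PDP; the
// PEP-to-PDP credential stays on the server, never in browser-delivered code.
async function authorize(pdpUrl, request, credentials, fetchImpl = fetch) {
  const res = await fetchImpl(pdpUrl, {
    method: "POST",
    headers: {
      "Content-Type": "application/xacml+json",
      Accept: "application/xacml+json",
      Authorization: credentials,
    },
    body: JSON.stringify(request),
  });
  if (!res.ok) return false; // transport or authentication failure is not a Permit
  return isPermitted(await res.json());
}

// Constructed sample responses, shaped as a PDP would return them.
const sampleResponses = {
  permit: { Response: [{ Decision: "Permit" }] },
  deny: { Response: [{ Decision: "Deny" }] },
  indeterminate: {
    Response: [{
      Decision: "Indeterminate",
      Status: { StatusCode: { Value: "urn:oasis:names:tc:xacml:1.0:status:missing-attribute" } },
    }],
  },
  permitWithObligation: { Response: [{ Decision: "Permit", Obligations: [{ Id: "urn:example:log-access" }] }] },
  malformed: { Decision: "Permit" },
};
```

Usage: `authorize("https://pdp.example.org/authorize", buildRequest({ userId: "Alice", recordId: "123", action: "view" }), "Basic ...")` returns a promise resolving to `true` only for a Permit the PEP can honour. Pass the obligation identifiers your PEP actually implements as the second argument of `isPermitted`; anything the PDP attaches that is not in that set turns the Permit into a deny, which is what the XACML specification requires.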
Slide 21: The ALFA Profile of XACML
⁃ Simplified C#-like language
⁃ Easy on the developer
  ⁃ Uses namespaces to organize policies
  ⁃ Easy to scale up to hundreds of policies
  ⁃ Easy to add comments
⁃ All the main keywords of XACML are in ALFA
  ⁃ PolicySet, Policy, Rule, Combining Algorithms
  ⁃ Target, Condition
  ⁃ Obligation, Advice
⁃ More on Wikipedia and StackOverflow
Slides 22–26: An example ALFA policy

    /* Medical Record policies */
    policyset medicalRecords {
        target clause objectType == "medical record"
        apply firstApplicable

        /* Physician access */
        policy physiciansAccessMedicalRecords {
            target clause user.role == "physician"
            apply denyUnlessPermit

            /* A primary physician can read a patient's medical record */
            rule readMedicalRecord {
                target clause action == "read"
                condition primaryPhysician == requestorId
                permit
            }
        }
    }

The same policy is walked through element by element on slides 22 to 26:
⁃ Same structural elements as XACML: PolicySet, Policy, Rule
⁃ Combining algorithms help resolve conflicts between policies and rules. Choose from: firstApplicable, denyOverrides, permitOverrides, denyUnlessPermit, …
⁃ Use targets to define the scope of the policy set / policy / rule
⁃ Use conditions for advanced matching and relationship checks
⁃ Lastly, we have the effect. Choose from: Permit, Deny
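To see what the combining algorithms on slide 23 actually do to the slide 22 policy, here is a miniature evaluator that models that policy set as plain objects and runs constructed requests through it. This is an added example, not the presentation's code nor any vendor's PDP; the attribute names (objectType, user.role, action, primaryPhysician, requestorId) come from the slide, everything else is an assumption, and the Indeterminate{D}/{P}/{DP} distinctions of XACML 3.0 are collapsed into a single Indeterminate. The point worth noticing is how denyUnlessPermit turns a missing attribute or a non-matching rule into a Deny, while firstApplicable at the policy-set level lets a non-physician fall through as NotApplicable.

```javascript
// Added example, not from the slides: a minimal evaluator for the medicalRecords
// ALFA policy on slide 22, with the combining algorithms named on slide 23.
// Attribute names are the slide's; all other names are assumptions made here.
// Simplification: XACML 3.0's Indeterminate{D}/{P}/{DP} flavours are one value.

const PERMIT = "Permit", DENY = "Deny", NA = "NotApplicable", IND = "Indeterminate";

// Combining algorithms over an ordered list of child decisions.
const combiners = {
  firstApplicable(decisions) {
    for (const d of decisions) if (d !== NA) return d; // Permit, Deny or Indeterminate stops the scan
    return NA;
  },
  denyOverrides(decisions) {
    if (decisions.includes(DENY)) return DENY;
    if (decisions.includes(IND)) return IND;
    return decisions.includes(PERMIT) ? PERMIT : NA;
  },
  permitOverrides(decisions) {
    if (decisions.includes(PERMIT)) return PERMIT;
    if (decisions.includes(IND)) return IND;
    return decisions.includes(DENY) ? DENY : NA;
  },
  denyUnlessPermit(decisions) {
    return decisions.includes(PERMIT) ? PERMIT : DENY; // never NotApplicable or Indeterminate: fails closed
  },
};

// Fetch an attribute from the request; absence is an evaluation error, never a
// silent match (in plain JS, undefined === undefined would otherwise be true).
function attr(req, name) {
  if (req[name] === undefined) throw new Error("missing attribute " + name);
  return req[name];
}

// A target is an AND of equality clauses; a missing attribute simply fails to match.
function targetMatches(target, req) {
  return Object.entries(target).every(([name, value]) => req[name] === value);
}

function evaluateRule(rule, req) {
  if (!targetMatches(rule.target, req)) return NA;
  try {
    return rule.condition(req) ? rule.effect : NA;
  } catch (e) {
    return IND; // condition could not be evaluated
  }
}

// Policies and policy sets share one shape: target, combining algorithm, children.
function evaluateNode(node, req) {
  if (!targetMatches(node.target, req)) return NA;
  const decisions = node.children.map(child =>
    child.effect ? evaluateRule(child, req) : evaluateNode(child, req));
  return combiners[node.apply](decisions);
}

// Slide 22's policy set transcribed into the object model above.
const medicalRecords = {
  target: { objectType: "medical record" },
  apply: "firstApplicable",
  children: [
    { // policy physiciansAccessMedicalRecords
      target: { "user.role": "physician" },
      apply: "denyUnlessPermit",
      children: [
        { // rule readMedicalRecord
          target: { action: "read" },
          condition: req => attr(req, "primaryPhysician") === attr(req, "requestorId"),
          effect: PERMIT,
        },
      ],
    },
  ],
};

function decide(req) { return evaluateNode(medicalRecords, req); }

// Constructed requests covering the cases a PEP has to tell apart.
const alicePrimary = { objectType: "medical record", "user.role": "physician", action: "read",
                       requestorId: "alice", primaryPhysician: "alice" };
const bobNotPrimary = { ...alicePrimary, requestorId: "bob" };
const carolNurse = { ...alicePrimary, "user.role": "nurse" };
```

Run `decide(alicePrimary)` for Permit, `decide(bobNotPrimary)` for Deny (the rule is NotApplicable, and denyUnlessPermit converts that to Deny) and `decide(carolNurse)` for NotApplicable (the physician policy's target does not match, and firstApplicable over a single NotApplicable child stays NotApplicable). The choice of combining algorithm is therefore a security decision: a policy set ending in NotApplicable leaves the final answer to the PEP, which must treat it as a deny.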
Slide 27: Live Demo