Axiomatics webinar 13 June 2013 (shared)


These are the presentation slides from the Axiomatics webinar on June 13. A recording of the webinar with audio can be viewed at


  1. Webinar: Preparing your applications for externalized authorization
  2. Twitter: @axiomatics, @srijith, #XACML
  3. Agenda
     - Axiomatics in brief
     - Common authorization patterns - background
     - Externalizing authorization
     - XACML
     - APS Developer Edition – introduction and demo
     - Questions and answer session
  4. Axiomatics in brief
     - Focus area: externalized authorization; the XACML standard
     - Company background: R&D since 2000; Axiomatics founded in 2006
     - OASIS XACML Technical Committee: member since 2005; editorial responsibilities
     - Products implementing XACML 2.0 and 3.0; the largest deployments world-wide
  5. Today's webinar – drivers
     - APS Developer Edition: non-production use
     - Aimed at reducing the lead time to use XACML
     - Enabling devs. to easily use XACML in their apps
     - Interested? Contact sales@axiomatics.com
     - More Editions to follow – stay tuned
     - Srijith Nair – Axiomatics Developer Relations
  6. Preparing your applications for externalized authorization – Srijith Nair, June 13, 2013 (© 2013, Axiomatics AB)
  7. In the olden days, authorization was about: Who?
  8. Authorization should really be about… Who? What? When? Where? Why? How?
  9. Authorization approaches
     - Access Control List (ACL): resource centric; permissions attached to objects; specifies which subject has access
     - Role-Based Access Control (RBAC): user centric; widely adopted; well understood; industry standard around it; simple. But…
     - Diagram: User → Role(s) → Permission(s) (Role 1 and Role 2 each mapped to a set of permissions)
  10. Problem with RBAC?
     - Static, predefined, inflexible
     - Does not extend beyond the user
     - Doesn't scale: role explosion
     - Difficult to define fine-grained access control rules
     - How would one implement the rule: "Doctors should be able to view the records of patients assigned to their unit and edit the records of those patients with whom they have a care relationship"
     - Where's the role? Doctor. What's a patient? A record? A care relationship?
  11. Pull out the highlighter
     - What if we were not limited to roles?
     - "Doctors should be able to view the records of patients assigned to their unit and edit the records of those patients with whom they have a care relationship"
     - It is all about Attributes, Attributes, Attributes!
  12. Attribute-based access control
     - Attributes are sets of labels or properties; they describe all aspects of entities that must be considered for authorization purposes
     - Attribute-Based Access Control (ABAC) uses attributes as building blocks in a structured language used to define access control rules and to describe access requests
  13. ABAC vs. RBAC
     - Role-Based Access Control: User → Role → Permissions; static & pre-defined (Role 1, Role 2 mapped to permissions)
     - Attribute-Based Access Control: User + Action + Resource + Context; attributes; policies; dynamic & adaptive
  14. Declarative vs. programmatic AuthZ
     - Declarative: security roles and constraints are added to the deployment descriptor of the application (e.g. in J2EE, web constraints are added to web.xml, EJB constraints to ejb-jar.xml); configured during the assembly stage, enforced by the security runtime; usually relies on roles
     - Programmatic: enforcement of AuthZ is written in the code; gives app developers more control; the JACC interface can be used to make calls to external AuthZ providers
  15. Future-proofing authorization
     - External from applications
     - Standards-compliant authorization service
     - Fine-grained, context-aware attribute-based access control
     - Externalized AuthZ
  16. Externalizing authorization
  17. Need for externalizing AuthZ
     - Consider distributed or multi-tiered apps; consider SOA and Cloud services
     - AuthZ needs to be done at several tiers and places
     - Move similar, often-used AuthZ code to its own layer
     - Some progress, but: different programming patterns; frameworks providing coarse-grained AuthZ; fine-grained AuthZ still in code
  18. A multitude of authorization frameworks: CanCan, Microsoft Claims, SalesForce PermissionSet, Spring Security, Rails AuthZ, Python Fedora, Flask-Auth, Slim for PHP
  19. What's with native authorization frameworks?
     - Cons: they are specific to their language; they are not standards-based; their capabilities are at times limited; they require subject matter expertise; they are expensive
     - Pros: it's the right step towards fine-grained authorization; it's the right step towards externalizing authorization
  20. Enter XACML
  21. What is XACML?
     - eXtensible Access Control Markup Language
     - Prominent ABAC system
     - OASIS standard: v3.0 approved in January 2013; v1.0 approved in 2003 (10 years ago!)
     - XACML is expressed as a specification document
     - Provides profiles for developers: JSON, REST
  22. What does XACML contain? Reference architecture; policy language; request/response protocol
  23. The XACML architecture
     - Manage: Policy Administration Point
     - Decide: Policy Decision Point
     - Support: Policy Information Point, Policy Retrieval Point
     - Enforce: Policy Enforcement Point
  24. XACML architecture flow (Decide: PDP; Manage: PAP; Support: PIP, PRP; Enforce: PEP)
     - A user asks to access Document #123; the PEP asks the PDP: "Can Alice access Document #123?"
     - The PDP loads the XACML policies and retrieves the user role, clearance and document classification
     - The PDP answers "Yes, Permit" and the PEP lets the access to Document #123 through
  25. What does XACML contain? Reference architecture; policy language; request/response protocol
  26. Language elements of XACML
     - 3 structural elements: PolicySet, Policy, Rule
     - Root: either a PolicySet or a Policy
     - PolicySets contain any number of PolicySets & Policies
     - Policies contain Rules
     - Rules contain an Effect: Permit / Deny
     - Combining algorithms for Rules and Policies
  27. Sample XACML policy (tree): Root PolicySet → PolicySet → Policy → Rule (Effect = Permit), Rule (Effect = Deny); Root PolicySet → PolicySet → Policy → Rule (Effect = Permit)
  28. Language structure: Russian dolls
     - PolicySet, Policy & Rule can contain Targets, Obligations and Advice
     - Rules can contain Conditions
     - Diagram: PolicySet → Policy → Rule (Effect = Permit), each with a Target and an Obligation; the Rule also carries a Condition
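The "doctor" rule from slides 10 and 11 written as the PolicySet / Policy / Rule structure of slides 26 to 28, as an added Python example that is not from the deck or from Axiomatics' products. The attribute names, the sample patient data, the PIP lookup, the extra Deny rule and the simplified combining algorithms are all assumptions made for this illustration:

```python
# Constructed stand-in for a Policy Information Point: record -> unit and care team.
RECORDS = {"rec-1": {"unit": "cardiology", "care_team": {"alice"}},
           "rec-2": {"unit": "oncology", "care_team": {"bob"}}}
def pip(resource_id):
    """PIP lookup; an unknown record raises KeyError (a failed attribute retrieval)."""
    return RECORDS[resource_id]

def rule(effect, target, condition=lambda req: True):
    """XACML Rule: Target selects applicable requests, Condition refines, Effect is the result.
    A failed attribute lookup yields Indeterminate rather than a silent Permit or Deny."""
    def evaluate(req):
        if not target(req):
            return "NotApplicable"
        try:
            return effect if condition(req) else "NotApplicable"
        except KeyError:
            return "Indeterminate"
    return evaluate

def combine(algorithm, children):
    """Policy or PolicySet node. Simplified deny-overrides / permit-overrides:
    the XACML 3.0 Indeterminate{D}/{P}/{DP} bookkeeping is deliberately left out."""
    order = {"deny-overrides": ("Deny", "Indeterminate", "Permit"),
             "permit-overrides": ("Permit", "Indeterminate", "Deny")}[algorithm]
    def evaluate(req):
        results = {child(req) for child in children}
        return next((r for r in order if r in results), "NotApplicable")
    return evaluate
is_doctor = lambda req: req["role"] == "doctor"
# "view the records of patients assigned to their unit"
view_own_unit = rule("Permit",
    target=lambda req: is_doctor(req) and req["action"] == "view",
    condition=lambda req: pip(req["resource-id"])["unit"] == req["unit"])
# "edit the records of those patients with whom they have a care relationship"
edit_care_relationship = rule("Permit",
    target=lambda req: is_doctor(req) and req["action"] == "edit",
    condition=lambda req: req["subject-id"] in pip(req["resource-id"])["care_team"])
# Constructed Deny rule (not on the slide) so deny-overrides has something to override with.
no_edit_outside_unit = rule("Deny",
    target=lambda req: req["action"] == "edit",
    condition=lambda req: pip(req["resource-id"])["unit"] != req["unit"])

doctor_policy = combine("deny-overrides", [view_own_unit, edit_care_relationship, no_edit_outside_unit])
root_policyset = combine("deny-overrides", [doctor_policy])  # Root: a PolicySet holding one Policy

def decide(subject_id, role, unit, action, resource_id):
    """Evaluate one request made of attributes only: no role-to-permission table anywhere."""
    return root_policyset({"subject-id": subject_id, "role": role, "unit": unit,
                           "action": action, "resource-id": resource_id})
```

A deny-biased PEP treats the NotApplicable and Indeterminate outcomes as a refusal, which is why the missing-record case is surfaced as Indeterminate instead of being swallowed.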
  29. What does XACML contain? Reference architecture; policy language; request/response protocol
  30. Request and response
     - It's all about Attributes! ABAC
     - Represented in XML: XACML policies, XACML request, XACML response
     - Attribute categories: Subject, Action, Resource, Environment
  31. XACML and the PEP (Req/Resp): Enforce, Stop, Analyze, Forward – ESAF
  32. Stop the message: the form factor (S)
     - What are you protecting? What architecture? What framework?
     - J2EE? Web app server → Servlet filter; Web services → JAX-WS
     - Enterprise Service Bus? Apache ServiceMix → Interceptors
     - IIS? → ISAPI filter
     - XML gateway? → Custom vendor assertion
  33. Analyze the message: extract attributes (A)
     - Map from 'native attributes' to XACML attributes
     - Two types of attributes:
       - Attributes in the message: message headers (SOAPAction, HTTP method, target URI, …); message payload (transaction amount)
       - Attributes in the environment / framework: time of the day
  34. Extract attributes – example (via the HTTPServlet object)
     The incoming HTTP request:

        POST /login.jsp HTTP/1.1
        Host: www.mysite.com
        User-Agent: Mozilla/4.0
        Content-Length: 27
        Content-Type: application/x-www-form-urlencoded

        userid=joe

     The XACML request built from it (action = HTTP method, resource = target URI, subject = form user; the DataType is the XML Schema string type, which the slide's extraction had left empty):

        <?xml version="1.0" encoding="UTF-8"?>
        <xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false"
            xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
          <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
            <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
              <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">POST</xacml-ctx:AttributeValue>
            </xacml-ctx:Attribute>
          </xacml-ctx:Attributes>
          <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
            <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="true">
              <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">login.jsp</xacml-ctx:AttributeValue>
            </xacml-ctx:Attribute>
          </xacml-ctx:Attributes>
          <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"></xacml-ctx:Attributes>
          <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
            <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="true">
              <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">joe</xacml-ctx:AttributeValue>
            </xacml-ctx:Attribute>
          </xacml-ctx:Attributes>
        </xacml-ctx:Request>

  35. Forward the access control request to the PDP (F)
     - How is the PDP exposed? In-process? RMI? JSON? SOAP? …
     - Create a XACML request and insert it inside the right "transporter":
       - Java XACML request object passed to the API method
       - Java XACML request object serialized using RMI
       - JSON payload sent as an HTTP(S) request
       - XML XACML request inside a SOAP message sent as an HTTP request
       - …
  36. Enforce: receive the PDP decision and act (E)
     - Permit / Deny / Not Applicable / Indeterminate
     - Check the bias
     - Apply obligations & advice: log the access in the central log repository; send a notification email; filter some data out of the response
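The Stop / Analyze / Forward / Enforce steps of slides 31 to 36 carried through for the HTTP request on slide 34, as an added Python example that is not from the deck or from the Axiomatics PEP SDK. The stub PDP, its obligation identifier and the handler table are constructed here; the XACML category and attribute identifiers are the standard ones shown on slide 34:

```python
import xml.etree.ElementTree as ET
NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
STRING = "http://www.w3.org/2001/XMLSchema#string"
CATS = {"subject": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
        "action": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
        "resource": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"}
IDS = {"subject": "urn:oasis:names:tc:xacml:1.0:subject:subject-id",
       "action": "urn:oasis:names:tc:xacml:1.0:action:action-id",
       "resource": "urn:oasis:names:tc:xacml:1.0:resource:resource-id"}
SAMPLE_HTTP = ("POST /login.jsp HTTP/1.1\nHost: www.mysite.com\n"  # constructed: the slide 34 request
               "Content-Type: application/x-www-form-urlencoded\n\nuserid=joe")
HANDLERS = {"urn:example:obligation:log-access": lambda: "logged"}  # obligations this hypothetical PEP can discharge

def analyze(raw_http):
    """Stop + Analyze: pull the native attributes (method, URI, form user) out of the message."""
    head, _, body = raw_http.partition("\n\n")
    method, path, _ = head.splitlines()[0].split(" ", 2)
    form = dict(kv.split("=", 1) for kv in body.strip().split("&") if "=" in kv)
    return {"subject": form.get("userid", ""), "action": method, "resource": path.lstrip("/")}

def build_request(attrs):
    """Map native attributes to a XACML 3.0 Request using the standard category/attribute ids."""
    ET.register_namespace("xacml-ctx", NS)
    req = ET.Element(f"{{{NS}}}Request", ReturnPolicyIdList="true", CombinedDecision="false")
    for cat in ("action", "resource", "subject"):
        block = ET.SubElement(req, f"{{{NS}}}Attributes", Category=CATS[cat])
        attr = ET.SubElement(block, f"{{{NS}}}Attribute", AttributeId=IDS[cat], IncludeInResult="true")
        ET.SubElement(attr, f"{{{NS}}}AttributeValue", DataType=STRING).text = attrs[cat]
    return ET.tostring(req, encoding="unicode")

def stub_pdp(xml_request):
    """Forward: stand-in for the transport (in-process, RMI, JSON, SOAP). Constructed: Permit for 'joe'."""
    root = ET.fromstring(xml_request)
    vals = {a.get("AttributeId"): a.find(f"{{{NS}}}AttributeValue").text
            for a in root.iter(f"{{{NS}}}Attribute")}
    if vals.get(IDS["subject"]) == "joe":
        return "Permit", ["urn:example:obligation:log-access"]
    return "NotApplicable", []

def enforce(decision, obligations, deny_biased=True):
    """Enforce: a deny-biased PEP grants only on Permit, a permit-biased one refuses only on Deny,
    so NotApplicable/Indeterminate fall to the bias; an obligation the PEP cannot discharge means no access."""
    granted = decision == "Permit" if deny_biased else decision != "Deny"
    if not granted or any(ob not in HANDLERS for ob in obligations):
        return False, []
    return True, [HANDLERS[ob]() for ob in obligations]

def pep(raw_http, pdp=stub_pdp, deny_biased=True):
    """Full ESAF round trip for one HTTP message: (access granted?, obligation results)."""
    decision, obligations = pdp(build_request(analyze(raw_http)))
    return enforce(decision, obligations, deny_biased)
```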
  37. APS Developer Edition
  38. What is APS Developer Edition?
     "(…) is an aggregate product that aims to simplify the process of working with Axiomatics products. It is primarily intended for developers and is designed to enable a quick and easy setup of the APS environment. The Developer Edition contains the standard releases of APS and other Axiomatics software of relevance to developers in a complete, self-contained and easy-to-install package."
     - For non-production use only
  39. What it contains
     - APS components: ASM, PDP, PAP
     - PEP SDK for Java and ALFA packages
     - Sample demo application and XACML policy
     - Sample Eclipse projects for: JSP demo application, JSP PEP, Java PEP, ALFA, PAP workspace
     - Single Tomcat for ASM, PDP and the demo application
     - Simplified initialization and management scripts
  40. What it does not contain
     - APS Developer Edition does not include: Eclipse distribution; Java distribution; APS Developer Resources; anything else not mentioned on the previous slide
  41. Quick Start Guide
  42. Demo
  43. Questions? Contact us