Industrial Strength Access Control for Spring Applications
By Dario Amiri
@darioamiri
What is ACS?
• Access Control Service
• Fine-grained access control for RESTful APIs
• Available on github
  o master branch for stable releases
  o develop branch for cutting edge features
• Apache license version 2
• Spring Boot project
• Extensions available for Spring Security integration
Why ACS?
Limitations of OAuth 2.0
• Scope-based privileges are too coarse-grained
• Scopes are tightly coupled to access token
• Logout/login required for privilege changes to take effect
• Not tuned for making access control decisions per resource request
Architectural concerns
• Need for a consistent and reusable solution decoupled from application
• Need for a consistent way to define access control policies
• Need for a sharable and distributed privilege store
Example Use Case
[Figure: subjects, actions and resources. Subject tom@ge.com issues GET on /assets/21 under /sites/san-ramon, where he is an analyst, and GET on /assets/33 under /sites/cincy-oh.]
tom@ge.com is an analyst, with all associated privileges, when he operates on assets at the San Ramon site but not when he operates on assets at the Cincinnati site.
Components
Attribute Based Access Control (ABAC)
• Attribute store for
  o Subjects: entities that do things
  o Resources: entities that have things done to them
• Policy store
  o How subject and resource attributes combine to determine privileges
• Policy evaluation
  o Given a subject, an action, and a resource, determine whether the operation is allowed
What are attributes?
• A key value pair
• Asserted by a trusted entity
• Useful for making authorization decisions
What are attributes?
• tom@ge.com is an analyst
• tom@ge.com is a member of the research group
[Figure: subject with identifier tom@ge.com and attributes]
  subject identifier: tom@ge.com
  attributes: role: analyst, group: researchers
What are attributes?
• The asset with id 1234 is located at the San Ramon site
• The asset with id 1234 belongs to users in the research group
[Figure: resource with identifier /assets/1234 and attributes]
  resource identifier: /assets/1234
  attributes: site: san-ramon, group: researchers
Breaking down policy evaluation
• Client sends a request for authorization
  o Can a subject perform an action on a resource?
  o Java library support today - route service tomorrow
• ACS performs
  o Attribute discovery
  o Policy evaluation
• Client receives
  o Authorization decision (permit | deny)
  o Discovered attributes
[Figure: authorization request flow]
authorization request: subject tom@ge.com, resource /assets/1234, action GET
attribute discovery (AttributeStore):
  tom@ge.com: role: analyst, group: researchers
  /assets/1234: site: san-ramon, group: researchers
policy evaluation: policy condition subject.and(resource).haveSame('group')
authorization response: decision (PERMIT | DENY) plus the discovered attributes
decision for this request: permit
Implementing RBAC with ACS
Hierarchical attributes
• Define attributes for roles, groups, etc.
• Users can inherit attributes from these
  o E.g. Create a “role-analyst” subject and assign it attributes
  o E.g. Have the “tom@ge.com” subject inherit attributes from “role-analyst”
Subject attribute inheritance example
[Figure: subject hierarchy org-ge, group-research, role-analyst, tom@ge.com, with tom@ge.com inheriting from the others]
  org-ge: org: ge, tenancy-id: 11235
  group-research: group: research, app: apm
  role-analyst: role: analyst, report: asset-performance
  tom@ge.com: no attributes of its own
Effective attributes of tom@ge.com: org: ge, tenancy-id: 11235, group: research, app: apm, role: analyst, report: asset-performance
Resource attribute inheritance example
[Figure: resource hierarchy /sites/01 → /sites/01/assets/21 → /sites/01/assets/21/reports/72]
  /sites/01: org: ge, site: san-ramon
  /sites/01/assets/21: group: research
  /sites/01/assets/21/reports/72: report: asset-performance
Effective attributes of /sites/01/assets/21/reports/72: org: ge, site: san-ramon, group: research, report: asset-performance
Dynamic roles
Subject roles depend on the resource accessed
• Child subject conditionally inherits parent attributes
• User X inherits attribute from role Y when accessing resource Z
  o tom@ge.com is an analyst for the “san-ramon” site
  o tom@ge.com is not an analyst for other sites
• Subject attributes are scoped by resource attributes
Scoped attribute inheritance (permit)
[Figure: the subject hierarchy with tom@ge.com's inheritance from role-analyst scoped to site: san-ramon, evaluated against the /sites/01 resource hierarchy]
Subjects:
  org-ge: org: ge, tenancy-id: 11235
  group-research: group: research, app: apm
  role-analyst: role: analyst, report: asset-performance (inherited by tom@ge.com only in scope site: san-ramon)
  tom@ge.com discovered attributes: org: ge, tenancy-id: 11235, group: research, app: apm, role: analyst, report: asset-performance
Resources:
  /sites/01: org: ge, site: san-ramon
  /sites/01/assets/21: group: research
  /sites/01/assets/21/reports/72: report: asset-performance
  /sites/01/assets/21/reports/72 discovered attributes: org: ge, site: san-ramon, group: research, report: asset-performance
Allow user access to asset performance report if
• The asset belongs to the user’s group
• The user is an analyst for the San Ramon site
Result: permit (the resource is at san-ramon, so the scoped inheritance applies and both conditions hold)
Scoped attribute inheritance (deny)
[Figure: the same subject hierarchy, with tom@ge.com's inheritance from role-analyst scoped to site: san-ramon, evaluated against the /sites/02 resource hierarchy]
Subjects:
  org-ge: org: ge, tenancy-id: 11235
  group-research: group: research, app: apm
  role-analyst: role: analyst, report: asset-performance (inherited by tom@ge.com only in scope site: san-ramon)
  tom@ge.com discovered attributes: org: ge, tenancy-id: 11235, group: research, app: apm
Resources:
  /sites/02: org: ge, site: cincy-oh
  /sites/02/assets/33: group: research
  /sites/02/assets/33/reports/51: report: asset-performance
  /sites/02/assets/33/reports/51 discovered attributes: org: ge, site: cincy-oh, group: research, report: asset-performance
Allow user access to asset performance report if
• The asset belongs to the user’s group
• The user is an analyst for the San Ramon site
Result: deny (the resource is at cincy-oh, so the scoped inheritance does not apply and tom@ge.com has no analyst role for this request)
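An added example, not code from the ACS project, that models the attribute discovery and policy evaluation walked through above, including the permit and deny cases for tom@ge.com: the subject and resource stores, the scoped parent link, the policy condition and the evaluation loop are all constructed for this illustration, and attributes are simplified to one value per key.

```python
"""Model of ACS-style attribute discovery and policy evaluation.

Added example, not ACS project code. Identifiers and attributes are
constructed from the slides; attributes are simplified to one value per key.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Attrs = Dict[str, str]
Scope = Optional[Tuple[str, str]]  # (key, value) the accessed resource must carry


@dataclass
class Entity:
    """A subject or resource: own attributes plus (parent, scope) links.
    scope None = unconditional inheritance; otherwise the parent is inherited
    only when the accessed resource carries that attribute."""
    attributes: Attrs = field(default_factory=dict)
    parents: List[Tuple[str, Scope]] = field(default_factory=list)


# Subject hierarchy from the "Scoped attribute inheritance" slides (constructed).
SUBJECTS: Dict[str, Entity] = {
    "org-ge": Entity({"org": "ge", "tenancy-id": "11235"}),
    "group-research": Entity({"group": "research", "app": "apm"}, [("org-ge", None)]),
    "role-analyst": Entity({"role": "analyst", "report": "asset-performance"},
                           [("group-research", None)]),
    # tom is in the research group everywhere, but an analyst only at san-ramon
    "tom@ge.com": Entity({}, [("group-research", None),
                              ("role-analyst", ("site", "san-ramon"))]),
}

# Resource hierarchies for the permit (san-ramon) and deny (cincy-oh) cases.
RESOURCES: Dict[str, Entity] = {
    "/sites/01": Entity({"org": "ge", "site": "san-ramon"}),
    "/sites/01/assets/21": Entity({"group": "research"}, [("/sites/01", None)]),
    "/sites/01/assets/21/reports/72": Entity({"report": "asset-performance"},
                                             [("/sites/01/assets/21", None)]),
    "/sites/02": Entity({"org": "ge", "site": "cincy-oh"}),
    "/sites/02/assets/33": Entity({"group": "research"}, [("/sites/02", None)]),
    "/sites/02/assets/33/reports/51": Entity({"report": "asset-performance"},
                                             [("/sites/02/assets/33", None)]),
}


def discover(store: Dict[str, Entity], entity_id: str,
             resource_attrs: Optional[Attrs] = None) -> Attrs:
    """Attribute discovery: own attributes plus everything inherited up the
    parent chain. A scoped link is followed only if resource_attrs carries
    the scope pair; that is what makes subject roles dynamic."""
    found: Attrs = {}
    seen = set()  # cycle guard for a mis-configured hierarchy

    def walk(eid: str) -> None:
        if eid in seen or eid not in store:
            return
        seen.add(eid)
        for key, value in store[eid].attributes.items():
            found.setdefault(key, value)  # nearer definitions win over inherited
        for parent_id, scope in store[eid].parents:
            if scope is None or (resource_attrs or {}).get(scope[0]) == scope[1]:
                walk(parent_id)

    walk(entity_id)
    return found


@dataclass
class Policy:
    name: str
    action: str
    condition: Callable[[Attrs, Attrs], bool]


def asset_report_condition(subject: Attrs, resource: Attrs) -> bool:
    """Slide policy: the asset belongs to the user's group and the user is an
    analyst for the site. The site part needs no clause: role=analyst only
    survives discovery when the scoped inheritance matched the resource."""
    return (resource.get("report") == "asset-performance"
            and subject.get("group") == resource.get("group")  # haveSame('group')
            and subject.get("role") == "analyst")


POLICIES = [Policy("asset-performance-report", "GET", asset_report_condition)]


def evaluate(subject_id: str, action: str, resource_id: str,
             policies: List[Policy]) -> Tuple[str, Attrs, Attrs]:
    """Authorization request -> (decision, subject attrs, resource attrs).
    Resources are discovered first because they scope subject inheritance;
    default is DENY, the first policy with matching action+condition PERMITs."""
    resource_attrs = discover(RESOURCES, resource_id)
    subject_attrs = discover(SUBJECTS, subject_id, resource_attrs)
    for policy in policies:
        if policy.action == action and policy.condition(subject_attrs, resource_attrs):
            return "PERMIT", subject_attrs, resource_attrs
    return "DENY", subject_attrs, resource_attrs
```

Calling evaluate("tom@ge.com", "GET", "/sites/01/assets/21/reports/72", POLICIES) returns PERMIT with role: analyst among the discovered subject attributes, while the same call for /sites/02/assets/33/reports/51 returns DENY because the scoped link to role-analyst is not followed for a cincy-oh resource. An unknown subject or a non-GET action also falls through to the default DENY.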
Technology stack
[Figure: stack diagram with runtime and platform layers]
Components shown: Java, Spring Boot, Spring MVC, Spring Security, Spring Data, Titan DB, Apache TinkerPop, Apache Cassandra, PostgreSQL, Cloud Foundry, UAA
Resources
• Demo
• Documentation
Learn More. Stay Connected.
amiri@ge.com
@darioamiri
@springcentral
spring.io/blog
@pivotal
pivotal.io/blog
@pivotalcf
http://engineering.pivotal.io

Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Aggregage
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
KAMESHS29
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
Kumud Singh
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
James Anderson
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
DianaGray10
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
Adtran
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 

Recently uploaded (20)

Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
 
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 

Industrial Strength Access Control for Spring Applications

8. What are attributes?
• The asset with id 1234 is located at the San Ramon site
• The asset with id 1234 belongs to users in the research group
resource /assets/1234 (identifier) carries the attributes site: san-ramon, group: researchers
9. Breaking down policy evaluation
• Client sends a request for authorization
  • Can a subject perform an action on a resource?
  • Java library support today; route service tomorrow
• ACS performs
  • Attribute discovery
  • Policy evaluation
• Client receives
  • Authorization decision (permit | deny)
  • Discovered attributes
10. Policy evaluation flow (diagram)
authorization request: subject tom@ge.com, action GET, resource /assets/1234
  → attribute discovery
  → policy evaluation
authorization response: decision PERMIT | DENY, plus the discovered attributes
  tom@ge.com: role: analyst, group: researchers
  /assets/1234: site: san-ramon, group: researchers

11. Policy evaluation flow with the attribute store and a policy condition (diagram)
authorization request: tom@ge.com GET /assets/1234
  → attribute discovery against the AttributeStore
      tom@ge.com: role: analyst, group: researchers
      /assets/1234: site: san-ramon, group: researchers
  → policy condition: subject.and(resource).haveSame(‘group’)
authorization response: permit, plus the discovered attributes
12. Implementing RBAC with ACS
Hierarchical attributes
• Define attributes for roles, groups, etc.
• Users can inherit attributes from these
  o E.g. create a “role-analyst” subject and assign it attributes
  o E.g. have the “tom@ge.com” subject inherit attributes from “role-analyst”
13. Subject attribute inheritance example
Parent subjects and the attributes assigned to each:
  org-ge: org: ge, tenancy-id: 11235
  group-research: group: research, app: apm
  role-analyst: role: analyst, report: asset-performance
tom@ge.com inherits from org-ge, group-research and role-analyst, so its effective attributes are:
  org: ge, tenancy-id: 11235, group: research, app: apm, role: analyst, report: asset-performance
14. Resource attribute inheritance example
Resource hierarchy and the attributes assigned at each level:
  /sites/01: org: ge, site: san-ramon
  /sites/01/assets/21: group: research
  /sites/01/assets/21/reports/72: report: asset-performance
Each resource inherits from its parent, so /sites/01/assets/21/reports/72 has the effective attributes:
  org: ge, site: san-ramon, group: research, report: asset-performance
15. Dynamic roles
Subject roles depend on the resource accessed
• Child subject conditionally inherits parent attributes
• User X inherits attributes from role Y when accessing resource Z
  o tom@ge.com is an analyst for the “san-ramon” site
  o tom@ge.com is not an analyst for other sites
• Subject attributes are scoped by resource attributes
16. Scoped attribute inheritance (permit)
Subject side: tom@ge.com inherits from org-ge (org: ge, tenancy-id: 11235), from group-research (group: research, app: apm) and, scoped to site: san-ramon, from role-analyst (role: analyst, report: asset-performance).
Resource side: /sites/01 (org: ge, site: san-ramon) → /sites/01/assets/21 (group: research) → /sites/01/assets/21/reports/72 (report: asset-performance); effective attributes: org: ge, site: san-ramon, group: research, report: asset-performance.
The resource carries site: san-ramon, so the scope is satisfied and tom@ge.com’s effective attributes are: org: ge, tenancy-id: 11235, group: research, app: apm, role: analyst, report: asset-performance.
Allow user access to asset performance report if
• The asset belongs to the user’s group
• The user is an analyst for the San Ramon site
Result: permit

17. Scoped attribute inheritance (deny)
Subject side: as on slide 16; the inheritance from role-analyst is still scoped to site: san-ramon.
Resource side: /sites/02 (org: ge, site: cincy-oh) → /sites/02/assets/33 (group: research) → /sites/02/assets/33/reports/51 (report: asset-performance); effective attributes: org: ge, site: cincy-oh, group: research, report: asset-performance.
The resource carries site: cincy-oh, so the scope is not satisfied and tom@ge.com’s effective attributes are only: org: ge, tenancy-id: 11235, group: research, app: apm (no role: analyst).
Allow user access to asset performance report if
• The asset belongs to the user’s group
• The user is an analyst for the San Ramon site
Result: deny
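The evaluation flow of slides 9 to 11 and the attribute inheritance of slides 12 to 17, carried through in one runnable model. This is an added example, not code from ACS or from the talk: the class and function names, the default deny when no policy applies, the cycle guard, and the exact scope rule (a scoped parent contributes only when every scope attribute is present on the resource under evaluation) are assumptions of this model, and the sample subjects, resources and policy are constructed from the slide diagrams.

```python
# Added example: a stand-alone model of ACS-style attribute discovery and policy
# evaluation. Not ACS code; the names below are illustrative, not ACS identifiers.
from dataclasses import dataclass, field
from typing import Callable

AttrSet = frozenset[tuple[str, str]]   # {(name, value), ...}

@dataclass
class Parent:
    identifier: str
    scopes: dict = field(default_factory=dict)  # inherit only if all on resource

@dataclass
class Entity:
    identifier: str
    attributes: dict = field(default_factory=dict)
    parents: list = field(default_factory=list)

@dataclass
class Policy:
    action: str
    target: tuple                                  # resource must carry this
    condition: Callable[[AttrSet, AttrSet], bool]  # (subject, resource) -> bool
    effect: str = "PERMIT"

def have_same(name: str, subject: AttrSet, resource: AttrSet) -> bool:
    """Model of the slide's subject.and(resource).haveSame('group') condition."""
    return bool({v for n, v in subject if n == name}
                & {v for n, v in resource if n == name})

class AttributeStore:
    def __init__(self, subjects, resources):
        self.subjects = {s.identifier: s for s in subjects}
        self.resources = {r.identifier: r for r in resources}

    def _resolve(self, table, ident, scope_source: AttrSet, seen: set) -> AttrSet:
        # Own attributes plus eligible parents'; `seen` breaks cycles (assumed).
        if ident in seen or ident not in table:
            return frozenset()                     # unknown entity: nothing
        seen.add(ident)
        entity = table[ident]
        result = set(entity.attributes.items())
        for parent in entity.parents:
            if not set(parent.scopes.items()) <= scope_source:
                continue                           # dynamic role: out of scope
            result |= self._resolve(table, parent.identifier, scope_source, seen)
        return frozenset(result)

    def resource_attributes(self, ident) -> AttrSet:
        return self._resolve(self.resources, ident, frozenset(), set())

    def subject_attributes(self, ident, resource: AttrSet) -> AttrSet:
        # Resource attributes are discovered first; they scope the subject's parents.
        return self._resolve(self.subjects, ident, resource, set())

def evaluate(store, policies, subject_id, action, resource_id) -> dict:
    """Request -> attribute discovery -> policy evaluation -> response.
    First applicable policy wins; none applicable means DENY (assumed)."""
    resource = store.resource_attributes(resource_id)
    subject = store.subject_attributes(subject_id, resource)
    decision = "DENY"
    for p in policies:
        if p.action == action and p.target in resource and p.condition(subject, resource):
            decision = p.effect
            break
    return {"decision": decision, "subject": sorted(subject), "resource": sorted(resource)}

def build_store() -> AttributeStore:
    """Constructed sample data mirroring slides 13 to 17."""
    subjects = [
        Entity("org-ge", {"org": "ge", "tenancy-id": "11235"}),
        Entity("group-research", {"group": "research", "app": "apm"}),
        Entity("role-analyst", {"role": "analyst", "report": "asset-performance"}),
        Entity("tom@ge.com", parents=[
            Parent("org-ge"), Parent("group-research"),
            # Tom is an analyst only for resources at the San Ramon site.
            Parent("role-analyst", {"site": "san-ramon"})]),
    ]
    resources = [
        Entity("/sites/01", {"org": "ge", "site": "san-ramon"}),
        Entity("/sites/01/assets/21", {"group": "research"}, [Parent("/sites/01")]),
        Entity("/sites/01/assets/21/reports/72", {"report": "asset-performance"},
               [Parent("/sites/01/assets/21")]),
        Entity("/sites/02", {"org": "ge", "site": "cincy-oh"}),
        Entity("/sites/02/assets/33", {"group": "research"}, [Parent("/sites/02")]),
        Entity("/sites/02/assets/33/reports/51", {"report": "asset-performance"},
               [Parent("/sites/02/assets/33")]),
    ]
    return AttributeStore(subjects, resources)

# Slide 16's rule: permit the report if the asset belongs to the user's group and
# the user is an analyst, which the scoped parent grants only at San Ramon.
REPORT_POLICIES = [Policy("GET", ("report", "asset-performance"),
                          lambda s, r: have_same("group", s, r) and ("role", "analyst") in s)]

if __name__ == "__main__":
    for path in ("/sites/01/assets/21/reports/72", "/sites/02/assets/33/reports/51"):
        print(path, evaluate(build_store(), REPORT_POLICIES, "tom@ge.com", "GET", path))
```

Run as a script it prints PERMIT for the San Ramon report and DENY for the Cincinnati one: the policy text is identical in both cases, and the difference comes entirely from attribute discovery, which never yields role: analyst for tom@ge.com against a cincy-oh resource. Because discovery runs on every request rather than being baked into a token, changing tom's parents in the store takes effect on the next evaluation, which is the point made against OAuth scopes on slide 3. The order of discovery matters: the resource's attributes must be resolved before the subject's, since they are what the subject's scoped parents are checked against.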
18. Technology stack
• Runtime: Java, Spring Boot, Spring MVC, Spring Security, Spring Data, Apache TinkerPop, Titan DB, Apache Cassandra, PostgreSQL
• Platform: Cloud Foundry, UAA
20. Learn More. Stay Connected.
amiri@ge.com, @darioamiri
@springcentral, spring.io/blog
@pivotal, pivotal.io/blog
@pivotalcf, http://engineering.pivotal.io

Editor's Notes

  1. Now I’m going to switch to the subject of ACS and why it exists… 03m00s
  2. ACS was designed to address the access control limitations of OAuth. It is essentially a comprehensive solution for building a RESTful API that supports Attribute Based Access Control… In order to do this it is… 01m00s
  3. But what exactly are attributes? 00m30s
  4. The concept is best explained by example… 01m00s
  5. Attributes can also apply to resources… 01m00s
  6. But how do we make the access control decision??? 01m00s
  7. Here’s a diagram to help visualize the process… 02m00s
  8. Let’s delve into the ACS side of things… 02m00s
  9. The above example I just presented is pretty basic. ACS can satisfy much more complicated use cases… 01m30s
  10. Very useful to manage complex systems of user attributes… 01m00s
  11. Resources can also inherit attributes… 01m00s
  12. Subject privileges can also depend on what user the subject is trying to access. 02m00s
  13. 01m00s
  14. 01m00s
  15. 02m00s