Access control patterns


  1. Access Control Patterns & Practices with WSO2 Middleware. Prabath Siriwardena
  2. About Me
     • Director of Security Architecture at WSO2
     • Leads WSO2 Identity Server – an open source identity and entitlement management product.
     • Apache Axis2/Rampart committer / PMC
     • A member of OASIS Identity Metasystem Interoperability (IMI) TC, OASIS eXtensible Access Control Markup Language (XACML) TC and OASIS Security Services (SAML) TC.
     • Twitter: @prabath
     • Email:
     • Blog: http://
     • LinkedIn: http://
  3. Discretionary Access Control (DAC) vs. Mandatory Access Control (MAC)
  4. With Discretionary Access Control, the user can be the owner of the data and, at his discretion, can transfer the rights to another user.
  5. With Mandatory Access Control, only designated users are allowed to grant rights, and users cannot transfer them.
  6. All WSO2 Carbon based products are based on Mandatory Access Control.
  7. A Group is a collection of Users, while a Role is a collection of permissions.
  8. Authorization Table vs. Access Control Lists vs. Capabilities
  9. An Authorization Table is a three-column table with subject, action and resource.
  10. With Access Control Lists, each resource is associated with a list indicating, for each subject, the actions that the subject can exercise on the resource.
  11. With Capabilities, each subject has an associated list, called a capability list, indicating, for each resource, the accesses that the user is allowed to exercise on the resource.
  12. Access Control Lists are resource driven, while capabilities are subject driven.
  13. With policy based access control we can have authorization policies with fine granularity.
  14. Capabilities and Access Control Lists can be dynamically derived from policies.
  15. XACML is the de facto standard for policy based access control.
  16. XACML provides a reference architecture, a request/response protocol and a policy language.
  17. XACML Reference Architecture (diagram). Components: Policy Administration Point (PAP), Policy Decision Point (PDP), Policy Store, Policy Enforcement Point (PEP), Policy Information Point (PIP).
  18. XACML with Capabilities (WS-Trust) (diagram). Components: Client Application, WSO2 Identity Server (STS), WSO2 Identity Server (XACML PDP), WSO2 Application Server (SOAP Service). Labelled flows: SAML token request; XACML Request (Hierarchical Resource Profile) and XACML Response; SAML token with Authentication and Authorization Assertions (Capabilities); SAML token with Authentication and Authorization Assertion + Service Request.
  19. XACML with Capabilities (WS-Trust) (diagram). Components: Browser, WSO2 Identity Server (SAML2 IdP), WSO2 Identity Server (XACML PDP), WSO2 Application Server (Web Application). Labelled flows: Unauthenticated Request; Browser Redirect with SAML Request; XACML Request (Hierarchical Resource Profile) and XACML Response; SAML token with Authentication and Authorization Assertion (Capabilities).
  20. Role Based Access Control (diagram). Components: Client Application, WSO2 ESB (Policy Enforcement Point, RBAC), WSO2 Application Server (SOAP Service). Labelled flow: Service Request + Credentials.
  21. WSO2 ESB as the XACML PEP (SOAP and REST) (diagram). Components: Client Application, WSO2 ESB (Policy Enforcement Point), WSO2 Identity Server (XACML PDP), WSO2 Application Server (SOAP Service). Labelled flows: Service Request + Credentials; XACML Request; XACML Response.
  22. XACML PEP as a Servlet Filter (diagram). Components: Client Application, WSO2 Application Server (XACML Servlet Filter), WSO2 Identity Server (XACML PDP). Labelled flows: Service Request + Credentials; XACML Request; XACML Response.
  23. OAuth + XACML (diagram). Components: Client Application, API Gateway, WSO2 Identity Server (OAuth Authorization Server), WSO2 Identity Server (XACML PDP). Labelled flows: Access Token; Validate(); XACML Request; XACML Response.
  24. Authorization with External IdPs (Role Mapping) (diagram). Components: External SAML2 IdP (Salesforce), WSO2 Identity Server (mapping IdP Groups to Web App roles), WSO2 Application Server (Web Application). Labelled flows: Unauthenticated Request; Browser Redirect with SAML Request; SAML token with Authentication and Attribute Assertions with IdP groups.
  25. XACML Multiple Decisions and Application Specific Roles (diagram). Components: Liferay Portal, WSO2 Identity Server (XACML PDP). Labelled flows: Login; XACML Request; XACML Response.
  26. lean . enterprise . middleware
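Slides 9 to 14 contrast the authorization table, the resource-driven ACL and the subject-driven capability list, and state that the latter two can be derived dynamically from a policy. The following Python example is added here and is not from the presentation or from WSO2: it builds a constructed authorization table from roles-as-permission-sets (slide 7), derives both views from it, and then materialises the same ACL by evaluating a policy function over the subject/action/resource space. All users, roles, resources and function names are constructed for illustration.

```python
from collections import defaultdict
from itertools import product

# Constructed sample data, not taken from the slides: a Role is a collection
# of permissions (slide 7), each permission being an (action, resource) pair.
ROLE_PERMISSIONS = {
    "admin": {("read", "/orders"), ("write", "/orders"), ("read", "/invoices")},
    "viewer": {("read", "/orders")},
}
USER_ROLES = {"alice": {"admin"}, "bob": {"viewer"}}


def authorization_table(user_roles=USER_ROLES, role_perms=ROLE_PERMISSIONS):
    """Three-column table of (subject, action, resource) rows (slide 9)."""
    rows = {(user, action, resource)
            for user, roles in user_roles.items()
            for role in roles
            for action, resource in role_perms[role]}
    return sorted(rows)


def acl_from_table(table):
    """Resource-driven view: resource -> subject -> actions (slide 10)."""
    acl = defaultdict(lambda: defaultdict(set))
    for subject, action, resource in table:
        acl[resource][subject].add(action)
    return {r: {s: frozenset(a) for s, a in subs.items()} for r, subs in acl.items()}


def capabilities_from_table(table):
    """Subject-driven view: subject -> resource -> actions (slide 11)."""
    caps = defaultdict(lambda: defaultdict(set))
    for subject, action, resource in table:
        caps[subject][resource].add(action)
    return {s: {r: frozenset(a) for r, a in res.items()} for s, res in caps.items()}


def policy_decision(subject, action, resource,
                    user_roles=USER_ROLES, role_perms=ROLE_PERMISSIONS):
    """Policy-based check (slide 13): Permit only if one of the subject's
    roles grants (action, resource); unknown subjects are denied by default."""
    return any((action, resource) in role_perms[role]
               for role in user_roles.get(subject, ()))


def acl_from_policy(subjects, actions, resources, decide=policy_decision):
    """Slide 14: materialise an ACL by evaluating the policy over every
    (subject, action, resource) combination instead of storing the rows."""
    permitted = [(s, a, r) for s, a, r in product(subjects, actions, resources)
                 if decide(s, a, r)]
    return acl_from_table(permitted)
```

Because the ACL and the capability list are both projections of the same permitted rows, a change to the policy (for example adding a permission to a role) is reflected in both views the next time they are derived, which is the point slide 14 makes.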