Uncovering XACML to solve real world business use cases
Asela Pathberiya
Associate Technical Lead
About WSO2
๏ Global enterprise, founded in 2005 by acknowledged leaders in XML, web services technologies, standards and open source
๏ Provides only open source platform-as-a-service for private, public and hybrid cloud deployments
๏ All WSO2 products are 100% open source and released under the Apache License Version 2.0.
๏ Is an Active Member of OASIS, Cloud Security Alliance, OSGi Alliance, AMQP Working Group, OpenID Foundation and W3C.
๏ Driven by Innovation
๏ Launched first open source API Management solution in 2012
๏ Launched App Factory in 2Q 2013
๏ Launched Enterprise Store and first open source Mobile solution in 4Q 2013
What WSO2 Delivers
What is in Today’s Webinar
o Introduction to Access Control & XACML
o Advantages of XACML
o Challenges with XACML
o Business use cases implemented with XACML
o Fine Grained access control for SOAP/REST APIs
o Building access control for Web applications
o Adding entitlement for enterprise data
o Building centralized entitlement system with existing legacy authorization data
Introduction
Access Control Concepts
Policy Based Access Control
Attribute Based Access Control
Role Based Access Control
Dynamic Access Control
Fine Grained Access Control
Externalized Access Control
Standardized Access Control
Location Based Access Control
Real Time Access Control
Access Control Concepts
@#@^!(&%%@
We need to build an Externalized, Standardized, Policy based, Attribute based and Dynamic Authorization System….. ASAP?
Access Control Concepts
DONE
XACML
What is XACML
o XACML stands for eXtensible Access Control Markup Language
o The standard is ratified by the OASIS standards organization
First meeting: 21 March 2001
XACML 1.0 - OASIS Standard – 6 February 2003
XACML 2.0 – OASIS Standard – 1 February 2005
XACML 3.0 – OASIS Standard – 22 January 2013
XACML Core Specification
o Standardized Policy Language
o Standard way to write access control rules.
o Request/Response Protocol
o Standard way to send authorization requests and to return authorization decisions.
o Reference Architecture
o Standard components of an authorization system and how they integrate with each other.
o PDP - Policy Decision Point
o PEP - Policy Enforcement Point
o PIP - Policy Information Point
o PAP - Policy Administration Point
XACML Core Specification
XACML Associated Profiles
o Multiple Decision Profile
o Sending multiple authorization queries in a single request & responding back with multiple decisions.
o REST profile of XACML
o Standard way to communicate between PDP & PEP.
o Request / Response Interface based on JSON and HTTP (Draft)
o JSON based request & response messages.
Advantages of XACML
o Externalized
o Standardized
o Policy Based
o Attribute Based
o Fine Grained
o Dynamic
Challenges with XACML
o XACML is too complex
o XML language with a lot of syntax
o Difficult to write & understand policies
o Integrating current authorization system with XACML
o Converting existing authorization rules into XACML
o Standard extension points for integration
Challenges with XACML
o Performance Bottleneck
o PDP - PEP communication
o Boolean decision results
o What are the resources that Bob can access?
o Policy Distribution
o Large scale deployments
Use Cases
XACML for SOAP/REST Services
o Access Control for SOAP Web Service
o Fine Grained into Operational & Message level
o Filtering response messages
XACML for SOAP/REST Services
o Access Control for REST APIs
o Fine Grained into Resources & HTTP Methods
o Scope validation - OAuth 2.0
XACML Business Use Case - 1
o Use Case
o X.509 Certificate based Authentication
o Authorization for Web Service operations based on X.509 Certificate’s details such as CN, OU and O.
XACML Business Use Case - 1
o Key Challenges
o Implementing PEP to extract data from X.509 Certificate
o Writing XACML policies
o Managing and Updating XACML policies efficiently
o Solutions
o X.509 authentication with WSO2ESB
o WSO2ESB Entitlement Mediator as PEP
o Policy Editors in WSO2 Identity Server
o Policy References
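The PEP/PDP exchange for this use case, as an added example that is not WSO2 code or code from the original slides: the PEP turns the client certificate's CN, OU and O into an XACML JSON-profile request, and a minimal deny-unless-permit PDP evaluates it. The subject DN string, the SOAP operation name, the policy rules and the `urn:example:x509:*` attribute ids are constructed assumptions.

```python
"""Added example (not WSO2 code): a PEP that maps X.509 subject fields to an
XACML JSON-profile request, and a minimal deny-unless-permit PDP for it.
The subject DN string, operation name and policy rules are constructed here."""

XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
# Hypothetical attribute ids for the certificate's OU and O fields.
X509_OU = "urn:example:x509:ou"
X509_O = "urn:example:x509:o"


def parse_dn(dn):
    """Split a subject DN such as 'CN=bob,OU=Finance,O=Example' into a dict."""
    parts = (p.split("=", 1) for p in dn.split(","))  # constructed DNs only, no escaping
    return {k.strip(): v.strip() for k, v in parts}


def build_request(subject_dn, operation):
    """PEP side: certificate fields plus the SOAP operation become the request."""
    dn = parse_dn(subject_dn)
    subject = [{"AttributeId": SUBJECT_ID, "Value": dn.get("CN", "")}]
    for field, attr_id in (("OU", X509_OU), ("O", X509_O)):
        if field in dn:  # absent fields are simply omitted; the PDP must cope
            subject.append({"AttributeId": attr_id, "Value": dn[field], "DataType": XS_STRING})
    return {"Request": {
        "AccessSubject": {"Attribute": subject},
        "Action": {"Attribute": [{"AttributeId": ACTION_ID, "Value": operation}]},
    }}


# Constructed policy: every listed attribute must match for a rule to fire.
POLICY = [
    {"effect": "Permit", "match": {ACTION_ID: "getQuote", X509_OU: "Finance", X509_O: "Example Corp"}},
    {"effect": "Permit", "match": {ACTION_ID: "getQuote", X509_OU: "Audit", X509_O: "Example Corp"}},
]


def evaluate(request):
    """Tiny PDP: deny-unless-permit, so a missing attribute can never yield Permit."""
    attrs = {}
    for category in request["Request"].values():
        for a in category["Attribute"]:
            attrs[a["AttributeId"]] = a["Value"]
    for rule in POLICY:
        if rule["effect"] == "Permit" and all(attrs.get(k) == v for k, v in rule["match"].items()):
            return {"Response": [{"Decision": "Permit"}]}
    return {"Response": [{"Decision": "Deny"}]}


def authorize(subject_dn, operation):
    return evaluate(build_request(subject_dn, operation))["Response"][0]["Decision"]
```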
XACML Business Use Case - 1
XACML for Web Applications
o Presentation layer differs according to the authenticated user
XACML for Web Applications
o Multiple Decision Profile
o Hierarchical Resource Profile
XACML Business Use Case - 2
o Use Case
o Externalized Authorization system for Liferay Portal
o Authorized menu items, images and links are shown for authenticated users
o ABAC using the existing OpenDJ user store
o Reusing Authorization system for Web Service & API access control
XACML Business Use Case - 2
o Key Challenges
o Implementing PEP for Liferay Portal
o Performance with XACML
o Writing & Managing XACML policies
o Solutions
o Liferay handler as PEP
o Thrift Protocol for improving PDP - PEP communication
o Caching at PEP level
o Custom built PAP with Policy Editor
XACML Business Use Case - 2
XACML for Data Entitlement
o Filter data access in database level
XACML for Data Entitlement
o Filtering data returned from the database
XACML for Data Entitlement
o Modifying input parameters before data is retrieved
XACML Business Use Case - 3
o Use Case
o Access Control for Web Application
o Authorized data must be filtered from large number of database entries
o Key Challenges
o Performance of PEP-PDP communication
o Performance of filtering data from large database entries
XACML Business Use Case - 3
o Solutions
o De-Centralized PDP
o OSGI Service level communication
o Modifying SQL queries based on authorization decisions
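How a PEP can act on the decision before the data is retrieved, as an added example (not WSO2 code or code from the slides): the PDP's Permit carries an obligation naming a row filter, and the PEP rewrites the SQL with an allow-listed column and a bound parameter instead of fetching every row and filtering afterwards. The PDP response, the `urn:example:*` obligation and attribute ids, and the in-memory `orders` table are constructed assumptions.

```python
"""Added example (not WSO2 code): applying a PDP decision to a SQL query so that
only authorized rows come back. The PDP response, table and rows are constructed;
the obligation id and its attribute ids are hypothetical."""
import sqlite3

OBLIGATION_FILTER = "urn:example:obligation:row-filter"
FILTER_COLUMN = "urn:example:filter:column"
FILTER_VALUE = "urn:example:filter:value"
# Only these columns may be named by a filter; anything else is rejected outright.
FILTERABLE_COLUMNS = {"region", "owner"}


def constrained_query(base_sql, response):
    """Return (sql, params) for the query the PEP may actually run, or None."""
    result = response["Response"][0]
    if result["Decision"] != "Permit":
        return None
    clauses, params = [], []
    for ob in result.get("Obligations", []):
        if ob["Id"] != OBLIGATION_FILTER:
            return None  # an obligation the PEP does not understand blocks access
        assigned = {a["AttributeId"]: a["Value"] for a in ob["AttributeAssignment"]}
        column = assigned[FILTER_COLUMN]
        if column not in FILTERABLE_COLUMNS:
            return None  # never splice an unvetted identifier into SQL
        clauses.append(f"{column} = ?")  # column is allow-listed, value is bound
        params.append(assigned[FILTER_VALUE])
    if not clauses:
        return base_sql, []
    return f"SELECT * FROM ({base_sql}) WHERE " + " AND ".join(clauses), params


def fetch_orders(response):
    """Run the constrained query against a constructed in-memory table; return ids."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER, region TEXT, owner TEXT, amount INTEGER)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", [
        (1, "EU", "bob", 100), (2, "US", "alice", 250), (3, "EU", "alice", 75)])
    plan = constrained_query("SELECT id, region, owner, amount FROM orders", response)
    if plan is None:
        return []
    sql, params = plan
    return [row[0] for row in db.execute(sql, params)]


# Constructed PDP response: Permit, but only rows from the EU region.
PERMIT_EU_ONLY = {"Response": [{"Decision": "Permit", "Obligations": [{
    "Id": OBLIGATION_FILTER,
    "AttributeAssignment": [{"AttributeId": FILTER_COLUMN, "Value": "region"},
                            {"AttributeId": FILTER_VALUE, "Value": "EU"}]}]}]}
```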
XACML Business Use Case - 3
XACML for Centralized Entitlement
o Multiple Applications with their own legacy Access Control Systems
XACML for Centralized Entitlement
o Centralized Externalized and Standardized
XACML Business Use Case - 4
o Use Case
o Centralized management for access control
o Get rid of legacy authorization systems
o Externalized and Standardized approaches
o Large scale deployment
o Key Challenges
o Integrating with legacy authorization data
o Policy generation with existing data
o Performance
o Policy distribution
o Auditing
XACML Business Use Case - 4
o Solutions
o Policy generation tools
o Policy information points for integrations
o Thrift Protocol for improving PDP - PEP communication
o Policy distribution patterns
o Policy notifications
o Policy reverse search for auditing
XACML Business Use Case - 4
Q & A