Uncovering XACML to solve real world business use cases Asela Pathberiya Associate Technical Lead
Transcript
Page 1: Uncovering XACML to solve real world business use cases

Uncovering XACML to solve real world business use cases

Asela Pathberiya

Associate Technical Lead

Page 2: Uncovering XACML to solve real world business use cases

About WSO2

๏ Global enterprise, founded in 2005 by acknowledged leaders in XML, web services technologies, standards and open source

๏ Provides the only open source platform-as-a-service for private, public and hybrid cloud deployments

๏ All WSO2 products are 100% open source and released under the Apache License Version 2.0.

๏ Is an Active Member of OASIS, Cloud Security Alliance, OSGi Alliance, AMQP Working Group, OpenID Foundation and W3C.

๏ Driven by Innovation

๏ Launched first open source API Management solution in 2012

๏ Launched App Factory in 2Q 2013

๏ Launched Enterprise Store and first open source Mobile solution in 4Q 2013

Page 3: Uncovering XACML to solve real world business use cases

What WSO2 Delivers

Page 4: Uncovering XACML to solve real world business use cases

What is in Today’s Webinar

o Introduction to Access Control & XACML

o Advantages of XACML

o Challenges with XACML

o Business use cases implemented with XACML

o Fine Grained access control for SOAP/REST APIs

o Building access control for Web applications

o Adding entitlement for enterprise data

o Building centralized entitlement system with existing legacy authorization data

Page 5: Uncovering XACML to solve real world business use cases

Introduction

Page 6: Uncovering XACML to solve real world business use cases

Access Control Concepts

Policy Based Access Control

Attribute Based Access Control

Role Based Access Control

Dynamic Access Control

Fine Grained Access Control

Externalized Access Control

Standardized Access Control

Location Based Access Control

Real Time Access Control

Page 7: Uncovering XACML to solve real world business use cases

Access Control Concepts

@#@^!(&%%@

We need to build an Externalized, Standardized, Policy based, Attribute based and Dynamic Authorization System….. ASAP?

Page 8: Uncovering XACML to solve real world business use cases

Access Control Concepts

Page 9: Uncovering XACML to solve real world business use cases

Access Control Concepts

DONE

X A C M L

Page 10: Uncovering XACML to solve real world business use cases

XACML

Page 11: Uncovering XACML to solve real world business use cases

What is XACML

o XACML stands for eXtensible Access Control Markup Language

o The standard is ratified by the OASIS standards organization

First meeting: 21st March 2001

XACML 1.0 - OASIS Standard – 6 February 2003

XACML 2.0 – OASIS Standard – 1 February 2005

XACML 3.0 – OASIS Standard – 22 January 2013

Page 12: Uncovering XACML to solve real world business use cases

XACML Core Specification

o Standardized Policy Language

o Standard way to write access control rules.

o Request/Response Protocol

o Standard way to send authorization requests and to return authorization decisions.

o Reference Architecture

o Standard components of an authorization system and how they integrate with each other.

o PDP - Policy Decision Point

o PEP - Policy Enforcement Point

o PIP - Policy Information Point

o PAP - Policy Administration Point

Page 13: Uncovering XACML to solve real world business use cases

XACML Core Specification

Page 14: Uncovering XACML to solve real world business use cases

XACML Associated Profiles

o Multiple Decision Profile

o Sending multiple authorization queries in a single request & responding back with multiple decisions.

o REST profile of XACML

o Standard way to communicate between PDP & PEP.

o Request / Response Interface based on JSON and HTTP (Draft)

o JSON based request & response messages.

Page 15: Uncovering XACML to solve real world business use cases

Advantages of XACML

o Externalized

o Standardized

o Policy Based

o Attribute Based

o Fine Grained

o Dynamic

Page 16: Uncovering XACML to solve real world business use cases

Challenges with XACML

o XACML is too complex

o XML language with a lot of syntax

o Difficult to write & understand policies

o Integrating current authorization system with XACML

o Converting existing authorization rules into XACML

o Standard extension point to integrate

Page 17: Uncovering XACML to solve real world business use cases

Challenges with XACML

o Performance Bottleneck

o PDP - PEP communication

o Boolean decision results

o What are the resources that Bob can access?

o Policy Distribution

o Large scale deployments

Page 18: Uncovering XACML to solve real world business use cases

Use Cases

Page 19: Uncovering XACML to solve real world business use cases

XACML for SOAP/REST Services

o Access Control for SOAP Web Services

o Fine Grained into Operation & Message level

o Filtering response messages

Page 20: Uncovering XACML to solve real world business use cases

XACML for SOAP/REST Services

o Access Control for REST APIs

o Fine Grained into Resources & HTTP Methods

o Scope validation - OAuth 2.0

Page 21: Uncovering XACML to solve real world business use cases

XACML Business Use Case - 1

o Use Case

o X.509 Certificate based Authentication

o Authorization for Web Service operations based on X.509 Certificate’s details such as CN, OU and O.

Page 22: Uncovering XACML to solve real world business use cases

XACML Business Use Case - 1

o Key Challenges

o Implementing PEP to extract data from X.509 Certificate

o Writing XACML policies

o Managing and Updating XACML policies efficiently

o Solutions

o X.509 authentication with WSO2ESB

o WSO2ESB Entitlement Mediator as PEP

o Policy Editors in WSO2 Identity Server

o Policy References
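A constructed end-to-end sketch of this use case, added here as an illustration and not WSO2's own code: the PEP extracts CN, OU and O from the certificate subject DN, builds a request in the shape of the XACML JSON profile, and a toy deny-overrides PDP evaluates two constructed rules. The attribute ids for OU and O, the service and operation names, and the rules themselves are assumptions.

```python
"""Minimal PEP -> PDP round trip for X.509 attribute based authorization (constructed)."""
import json

# Attribute ids from the XACML core spec for subject, resource and action identifiers.
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
# Hypothetical attribute ids for the certificate fields the PEP extracts.
CERT_OU = "urn:example:cert:ou"
CERT_O = "urn:example:cert:o"

def parse_subject_dn(dn):
    """Split a comma separated subject DN into RDN parts (no escaping support)."""
    return {k.strip(): v.strip() for k, v in (p.split("=", 1) for p in dn.split(","))}

def build_request(subject_dn, service, operation):
    """PEP side: turn certificate details into a JSON-profile style XACML request."""
    rdn = parse_subject_dn(subject_dn)
    return {"Request": {
        "AccessSubject": {"Attribute": [
            {"AttributeId": SUBJECT_ID, "Value": rdn.get("CN", "")},
            {"AttributeId": CERT_OU, "Value": rdn.get("OU", "")},
            {"AttributeId": CERT_O, "Value": rdn.get("O", "")}]},
        "Resource": {"Attribute": [{"AttributeId": RESOURCE_ID, "Value": service}]},
        "Action": {"Attribute": [{"AttributeId": ACTION_ID, "Value": operation}]}}}

def _attr(req, category, attr_id):
    """Look up one attribute value in a request category; None when absent."""
    for a in req["Request"][category]["Attribute"]:
        if a["AttributeId"] == attr_id:
            return a["Value"]
    return None

# Constructed policy: (target predicate, effect) pairs, combined with deny-overrides.
POLICY = [
    (lambda r: _attr(r, "Resource", RESOURCE_ID) == "OrderService"
               and _attr(r, "AccessSubject", CERT_O) != "Acme", "Deny"),
    (lambda r: _attr(r, "Resource", RESOURCE_ID) == "OrderService"
               and _attr(r, "Action", ACTION_ID) == "placeOrder"
               and _attr(r, "AccessSubject", CERT_OU) == "Sales", "Permit"),
]

def evaluate(req):
    """PDP side: any matching Deny wins; Permit if only permits match; else NotApplicable."""
    decision = "NotApplicable"
    for target, effect in POLICY:
        if target(req):
            if effect == "Deny":
                return {"Response": [{"Decision": "Deny"}]}
            decision = "Permit"
    return {"Response": [{"Decision": decision}]}

def decide(subject_dn, service, operation):
    """Serialize the request as JSON (the wire form), evaluate it and return the decision."""
    wire = json.dumps(build_request(subject_dn, service, operation))
    return evaluate(json.loads(wire))["Response"][0]["Decision"]
```

A real PEP must treat anything other than Permit (NotApplicable, Indeterminate) as a denial, which is why the Finance subject in the test below is refused even though no rule names it.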

Page 23: Uncovering XACML to solve real world business use cases

XACML Business Use Case - 1

Page 24: Uncovering XACML to solve real world business use cases

XACML for Web Applications

o Presentation layer differs depending on the authenticated User

Page 25: Uncovering XACML to solve real world business use cases

XACML for Web Applications

o Multiple Decision Profile

o Hierarchical Resource Profile

Page 26: Uncovering XACML to solve real world business use cases

XACML Business Use Case - 2

o Use Case

o Externalized Authorization system for Liferay Portal

o Authorized menu items, images and links are shown for authenticated users

o ABAC using the existing OpenDJ user store

o Reusing Authorization system for Web Service & API access control

Page 27: Uncovering XACML to solve real world business use cases

XACML Business Use Case - 2

Page 28: Uncovering XACML to solve real world business use cases

XACML Business Use Case - 2

o Key Challenges

o Implementing PEP for Liferay Portal

o Performance with XACML

o Writing & Managing XACML policies

o Solutions

o Liferay handler as PEP

o Thrift Protocol for improving PDP - PEP communication

o Caching at PEP level

o Custom built PAP with Policy Editor

Page 29: Uncovering XACML to solve real world business use cases

XACML Business Use Case - 2

Page 30: Uncovering XACML to solve real world business use cases

XACML for Data Entitlement

o Filtering data access at the database level

Page 31: Uncovering XACML to solve real world business use cases

XACML for Data Entitlement

o Filtering data returned from the database

Page 32: Uncovering XACML to solve real world business use cases

XACML for Data Entitlement

o Modifying input parameters before data is retrieved

Page 33: Uncovering XACML to solve real world business use cases

XACML Business Use Case - 3

o Use Case

o Access Control for Web Application

o Authorized data must be filtered from a large number of database entries

o Key Challenges

o Performance of PEP-PDP communication

o Performance of filtering data from large database entries

Page 34: Uncovering XACML to solve real world business use cases

XACML Business Use Case - 3

o Solutions

o De-Centralized PDP

o OSGi service level communication

o Modifying SQL queries based on authorization decisions

Page 35: Uncovering XACML to solve real world business use cases

XACML Business Use Case - 3

Page 36: Uncovering XACML to solve real world business use cases

XACML for Centralized Entitlement

o Multiple Applications with their own legacy Access Control Systems

Page 37: Uncovering XACML to solve real world business use cases

XACML for Centralized Entitlement

o Centralized, Externalized and Standardized

Page 38: Uncovering XACML to solve real world business use cases

XACML Business Use Case - 4

o Use Case

o Centralized management for access control

o Get rid of legacy authorization systems

o Externalized and Standardized approaches

o Large scale deployment

o Key Challenges

o Integrating with legacy authorization data

o Policy generation with existing data

o Performance

o Policy distribution

o Auditing

Page 39: Uncovering XACML to solve real world business use cases

XACML Business Use Case - 4

o Solutions

o Policy generation tools

o Policy information points for integrations

o Thrift Protocol for improving PDP - PEP communication

o Policy distribution patterns

o Policy notifications

o Policy reverse search for auditing

Page 40: Uncovering XACML to solve real world business use cases

XACML Business Use Case - 4

Page 41: Uncovering XACML to solve real world business use cases

XACML Business Use Case - 4

Page 42: Uncovering XACML to solve real world business use cases

XACML Business Use Case - 4

Page 43: Uncovering XACML to solve real world business use cases

Q & A