An answer to your common XACML dilemmas
Asela Pathberiya
Senior Software Engineer
WSO2
Founded in 2005 by acknowledged leaders in XML, Web Services technologies and standards, and open source
Producing an entire middleware platform, 100% open source under the Apache license
Business model is to sell comprehensive support and maintenance for our products
Venture funded by Intel Capital and Quest Software
Global corporation with offices in the USA, UK and Sri Lanka; 150+ employees and growing
What are we going to cover
What is XACML?
Why is XACML important for your organization?
What are the disadvantages of XACML?
How can WSO2 Identity Server help you to overcome those disadvantages?
ETag Group
ETag Group is a trading company that was established in 2001.
Application System
ETag Group deployed its first Application System in 2005.
Authentication
Application System included an authentication mechanism
Authentication
Some functions and data in the Application System must not be accessible to all employees in the company.
Therefore authentication alone is not enough!
Authorization
ETag Group wanted to build authorization logic for its Application System.
Role Based Access Control (RBAC)
A set of people who share the same privileges is placed in a role, and permissions are assigned to that role.
Role Based Access Control (RBAC)
Growth of ETag Group
Effect of company growth:
The number of Application Systems increased.
For each Application System, authorization logic needed to be implemented.
Authorization logic became more complex.
Authorization logic needed to be updated frequently.
Maintaining authorization logic became a tricky task.
Meeting
Decided to implement a new authorization system
ETag Common Authorization System (ECAS)
Denis was asked to lead the “ECAS” project.
The “ECAS” project must fulfill the following six requirements, as decided in the board meeting.
Externalized
The authorization system is not bound to an application. Each application must be able to query a single authorization system for all of its authorization queries.
Policy based
Authorization logic can be modified frequently without any source code changes.
Standardized
Even business managers and external people must be familiar with the technology used to design it.
Attribute Based
“X resource can be accessed by users who are from the etag.com domain and whose age is not less than 18 years”
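The requirement above, written out as an XACML 3.0 policy. This is an added example, not a slide from the talk or code from WSO2. The AttributeIds for the subject's domain and age (under http://etag.com/attributes/) and the resource-id value `resource-x` are assumed, since the slide does not name them; the standard XACML function and category identifiers are real.

```xml
<!-- Added example (not from the slides): XACML 3.0 policy for
     "X resource can be accessed by users from etag.com whose age is not less than 18".
     AttributeIds under http://etag.com/attributes/ and the value "resource-x" are assumed. -->
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="urn:etag:policy:resource-x"
        Version="1.0"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
  <Description>
    Resource X is readable only by users from the etag.com domain who are at least 18.
    deny-unless-permit: anything the Permit rule does not cover (including a request with a
    missing or malformed attribute) is answered Deny, never NotApplicable or Indeterminate.
  </Description>

  <!-- Target: this policy applies only to requests whose resource-id is resource-x -->
  <Target>
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">resource-x</AttributeValue>
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                               AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                               DataType="http://www.w3.org/2001/XMLSchema#string"
                               MustBePresent="false"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>

  <!-- The attribute-based part: both conditions must hold for a Permit -->
  <Rule RuleId="permit-etag-adults" Effect="Permit">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
        <!-- the subject's domain bag (assumed AttributeId) contains "etag.com" -->
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">etag.com</AttributeValue>
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                               AttributeId="http://etag.com/attributes/domain"
                               DataType="http://www.w3.org/2001/XMLSchema#string"
                               MustBePresent="true"/>
        </Apply>
        <!-- the subject's age (assumed AttributeId) is greater than or equal to 18 -->
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than-or-equal">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                                 AttributeId="http://etag.com/attributes/age"
                                 DataType="http://www.w3.org/2001/XMLSchema#integer"
                                 MustBePresent="true"/>
          </Apply>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">18</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
</Policy>
```

Two choices matter for safety here. `MustBePresent="true"` on the subject attributes makes a request without a domain or age evaluate to Indeterminate rather than silently false, and `deny-unless-permit` then maps that Indeterminate to Deny, so the PEP never has to guess what to do with an unusual decision. Neither attribute is hard-coded per user: the policy stays the same as users come and go, which is the point of the attribute-based requirement.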
Fine-grained
The fine granularity must be achieved without defining a large number of static combinations in source code or a database.
Real Time
“Can user Bob transfer X amount from current account Y between 9.00am and 4.00pm?”
Authorization Solution
Externalized
Policy based
Standardized
Attribute based
Fine-grained
Dynamic
XACML
XACML stands for eXtensible Access Control Markup Language.
A standard ratified by the OASIS standards organization
First meeting: 21 March 2001
XACML 1.0 – OASIS Standard – 6 February 2003
XACML 1.1 – Committee Specification – 7 August 2003
XACML 2.0 – OASIS Standard – 1 February 2005
XACML 3.0 – OASIS Standard – 10 August 2010
Policy language implemented using XML
Externalization is provided by the XACML reference architecture
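What externalization looks like on the wire: in the XACML reference architecture the application's Policy Enforcement Point (PEP) sends a request context to the Policy Decision Point (PDP) and acts on the returned decision, so the application holds no authorization logic of its own. Below is an added example of that exchange for the "Can Bob transfer from current account Y?" question; it is not from the slides or from WSO2. The attribute ids under http://etag.com/attributes/, the account id `account-y` and the amount are assumed, and the `Permit` shown assumes the PDP holds a policy permitting transfers on current accounts during business hours and that the request arrives inside that window.

```xml
<!-- Added example (not from the slides): the XACML 3.0 request a PEP sends to the PDP.
     Attribute ids under http://etag.com/attributes/, "account-y" and the amount are assumed. -->
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
         ReturnPolicyIdList="false"
         CombinedDecision="false">
  <!-- who is asking -->
  <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">bob</AttributeValue>
    </Attribute>
  </Attributes>
  <!-- on what -->
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">account-y</AttributeValue>
    </Attribute>
    <Attribute AttributeId="http://etag.com/attributes/account-type" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">current-account</AttributeValue>
    </Attribute>
  </Attributes>
  <!-- doing what -->
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">transfer</AttributeValue>
    </Attribute>
    <Attribute AttributeId="http://etag.com/attributes/amount" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">500</AttributeValue>
    </Attribute>
  </Attributes>
  <!-- No environment Attributes: the PDP's context handler supplies current-time itself,
       so the PEP cannot influence a time-based decision by sending its own clock value. -->
</Request>

<!-- The PDP's answer, a separate message. The PEP branches only on <Decision>:
     Permit, Deny, NotApplicable or Indeterminate. -->
<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <Result>
    <Decision>Permit</Decision>
    <Status>
      <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
    </Status>
  </Result>
</Response>
```

A PEP should treat anything other than `Permit` as a refusal, including `NotApplicable` (no policy matched) and `Indeterminate` (the PDP could not decide, for instance because a required attribute was missing); collapsing those into "allow" is the classic integration mistake when moving from in-application checks to an external PDP.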
Attribute Based Access Control (ABAC)
Fine-grained authorization
Fine-grained authorization with a higher level of abstraction, by means of policy sets, policies and rules.
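The three levels of abstraction in one added example (not from the slides or WSO2): a policy set that groups two policies, each of which holds its own rules, under a policy combining algorithm. The two PolicyIds are assumed names for policies stored in the PDP; the PDP resolves the references from its own policy store.

```xml
<!-- Added example (not from the slides): a XACML 3.0 PolicySet grouping two policies.
     The referenced PolicyIds are assumed to exist in the PDP's policy store. -->
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
           PolicySetId="urn:etag:policyset:ecas"
           Version="1.0"
           PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides">
  <Description>
    Top-level set for the ECAS deployment. deny-overrides: if any applicable policy says Deny,
    the whole set says Deny; policies whose Target does not match a request (NotApplicable)
    do not influence the result.
  </Description>

  <!-- An empty Target means the set applies to every request; each policy narrows itself -->
  <Target/>

  <!-- Policy level: each referenced policy owns a Target plus one or more Rules -->
  <PolicyIdReference>urn:etag:policy:resource-x</PolicyIdReference>
  <PolicyIdReference>urn:etag:policy:current-account-transfer</PolicyIdReference>
</PolicySet>
```

Granularity comes from the rules inside each policy, while the set level is where an organization expresses precedence (here, any Deny wins), so adding a new application's policy means adding one more reference rather than touching the existing ones.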
Real time evaluation
XACML Implementation for ECAS
Denis was really happy, as he had found the solution for all the requirements.
Denis decided to start implementing an XACML-based authorization system for the ECAS project.
Meeting
“Denis, it is hard to implement an XACML solution from scratch.”
“It is better to find an existing implementation and plug it into the ECAS project.”
Meeting
“We need a closer look at XACML... Let's have a review of it.”
Disadvantages
Performance of an XACML-based authorization system would be lower than that of the existing system
Complexity of defining and managing XACML policies
How to integrate current authorization logic into the new system as XACML policies
How to provide a standard interface to communicate with the PDP
Whether the PDP would be able to handle a large number of policies (10000 - 100000)
How to achieve reliability and high availability
Can XACML solutions support "What are the resources that Bob can access?"
XACML Implementations
An Open source XACML Implementation
"Open source XACML solution, WSO2 Identity Server. Just download it and run the PDP without any configuration. How fast is that? I do not want to write mail asking for evaluation copies."
"I can just write a simple XACML policy and try this out... Nice web-based UI."
WSO2 Identity Server
Performance bottleneck
Performance would be lower than that of traditional authorization systems.
It is a trade-off for the advantages offered. But the WSO2 Identity Server team has identified this performance bottleneck and provided a solution that overcomes it to a great extent:
Caching technologies
Thrift protocol for PDP – PEP communication
Caching
Load Test Figures
Environment
Intel(R) Xeon(R) CPU X3440 @ 2.53GHz processor, 4 GB RAM, OS - Debian 6.0 (64bit), with a single instance of Identity Server
[-Xms1024m -Xmx2024m -XX:MaxPermSize=1024m]
Policy Complexity
L1: 10 rules per policy, each rule dealing with 1 attribute
L2: 100 rules per policy, each rule dealing with more than 10 attributes
Requests
One million XACML requests.
XACML requests are randomly retrieved from a pool of 10 000 different requests.
Resources
http://people.wso2.com/~asela/xacml_load_test/
Load Test Result - Caching
Load Test Result - Thrift
Complexity of defining and managing XACML policies
A web-based UI serves as the PAP for defining and managing XACML policies.
XACML Policy Editors
Two policy editors: Basic and Advanced.
Integrating current authorization logics
Standard interface for PDP and PAP
All PDP and PAP functionality has been exposed as web services.
Handling large number of policies
Policy distribution
On-demand policy loading
Reliability and High Availability
PDP clustering
Listing entitled resources for user
What we discussed today
Identified XACML as a standard way of implementing authorization
How XACML answers the authorization requirements of your organization
What are the negative points of XACML
How WSO2 Identity Server has provided an answer for them
References
www.oasis-open.org/committees/xacml
http://xacmlinfo.com/
http://blog.facilelogin.com
Q and A
Customers
WSO2 Engagement Model
QuickStart
Development Support
Development Services
Production Support
Turnkey Solutions
WSO2 Mobile Services Solution
WSO2 FIX Gateway Solution
WSO2 SAP Gateway Solution