axiomatics webinar 13 june 2013

Webinar: Preparing your applications for externalized authorization

Upload: axiomatics-ab

Posted on 15-Jan-2015


DESCRIPTION

Presentation slides from Axiomatics webinar June 13, 2013.

TRANSCRIPT

Page 1: Axiomatics webinar 13 june 2013

Webinar: Preparing your applications for externalized authorization

Page 2: Twitter

@axiomatics, @srijith, #XACML

Page 3: Agenda

- Axiomatics in brief
- Common authorization patterns - background
- Externalizing authorization
- XACML
- APS Developer Edition – introduction and demo
- Questions and answers session

Page 4: Axiomatics in brief

- Focus area: externalized authorization, the XACML standard
- Company background: R&D since 2000; Axiomatics founded in 2006
- OASIS XACML Technical Committee: member since 2005, editorial responsibilities
- Products implementing XACML 2.0 and 3.0; the largest deployments world-wide

Page 5: Today’s webinar – drivers

- APS Developer Edition
  - Non-production use
  - Aimed at reducing the lead time to use XACML
  - Enabling developers to easily use XACML in their apps
  - Interested? Contact [email protected]
- More editions to follow – stay tuned
- Srijith Nair – Axiomatics Developer Relations

Page 6: Preparing your applications for externalized authorization

© 2013, Axiomatics AB

Srijith Nair, June 13, 2013

Page 7: In the olden days, authorization was about…

Who?

Page 8: Authorization should really be about…

When? What? How? Where? Who? Why?

Page 9: Authorization approaches

Access Control List (ACL)
- Resource centric
- Permissions attached to objects
- Specifies which subject has access

Role-Based Access Control (RBAC)
- User centric
- Widely adopted, well understood
- Industry standard around it
- Simple, but…

(Diagram: User -> Role(s) -> Permission(s); Role 1 and Role 2 are each mapped to a set of permissions P)

Page 10: Problem with RBAC?

- Static, predefined, inflexible
- Does not extend beyond the user
- Doesn’t scale: role explosion
- Difficult to define fine-grained access control rules

How would one implement the rule: “Doctors should be able to view the records of patients assigned to their unit and edit the records of those patients with whom they have a care relationship”?

Where’s the role? Doctor. What’s a patient? A record? A care relationship?

Page 11: Pull out the highlighter

What if we were not limited to roles?

“Doctors should be able to view the records of patients assigned to their unit and edit the records of those patients with whom they have a care relationship”

It is all about attributes, attributes, attributes!

Page 12: Attribute-based access control

Attributes
- Are sets of labels or properties
- Describe all aspects of entities that must be considered for authorization purposes

Attribute-Based Access Control (ABAC) uses attributes as building blocks in a structured language used to define access control rules and to describe access requests

Page 13: ABAC vs. RBAC

Role-Based Access Control
- User -> Role -> Permissions
- Static & pre-defined
(Diagram: Role 1 and Role 2 each mapped to a set of permissions P)

Attribute-Based Access Control
- User + Action + Resource + Context -> Attributes -> Policies
- Dynamic & adaptive
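The doctor rule from slides 10 and 11, written against attributes, as an added example (this is not code from the slides or from Axiomatics). The data model, the attribute names and the sample doctors and patients are assumptions made for the example. The role-only check beside it shows why RBAC cannot express the rule: the patient record is not even an input to the decision.

```python
"""Added example (not from the Axiomatics slides): the slide's doctor rule
expressed over subject, action and resource attributes, next to a role-only
check. Data model, attribute names and sample users/patients are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    user_id: str
    roles: frozenset          # e.g. {"doctor"}
    unit: str                 # ward / department the user works in


@dataclass(frozen=True)
class PatientRecord:
    patient_id: str
    unit: str                 # unit the patient is assigned to
    care_team: frozenset      # user_ids that have a care relationship with the patient


# --- RBAC: the decision can only look at the role ---------------------------
ROLE_PERMISSIONS = {"doctor": {"view", "edit"}, "nurse": {"view"}}


def rbac_allows(subject: Subject, action: str) -> bool:
    """Role-only check. The record is not a parameter: RBAC cannot tell one
    patient's record from another's, so every doctor may edit every record."""
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in subject.roles)


# --- ABAC: subject + action + resource attributes in one rule ---------------
def abac_allows(subject: Subject, action: str, record: PatientRecord) -> bool:
    """The slide's rule:
    view -> the requester is a doctor AND the patient is assigned to the requester's unit
    edit -> the requester is a doctor AND the requester is on the patient's care team
    Anything else is not permitted (deny by default)."""
    if "doctor" not in subject.roles:
        return False
    if action == "view":
        return record.unit == subject.unit
    if action == "edit":
        return subject.user_id in record.care_team
    return False


def compare(subject: Subject, action: str, record: PatientRecord):
    """(rbac_decision, abac_decision) for the same access request."""
    return rbac_allows(subject, action), abac_allows(subject, action, record)


# Constructed sample data for a stand-alone run.
DR_ALICE = Subject("alice", frozenset({"doctor"}), unit="cardiology")
DR_BOB = Subject("bob", frozenset({"doctor"}), unit="oncology")
NURSE_CAROL = Subject("carol", frozenset({"nurse"}), unit="cardiology")
PATIENT_1 = PatientRecord("p1", unit="cardiology", care_team=frozenset({"alice"}))
PATIENT_2 = PatientRecord("p2", unit="cardiology", care_team=frozenset({"bob"}))
PATIENT_3 = PatientRecord("p3", unit="oncology", care_team=frozenset({"bob"}))

if __name__ == "__main__":
    for subj in (DR_ALICE, DR_BOB, NURSE_CAROL):
        for rec in (PATIENT_1, PATIENT_2, PATIENT_3):
            for act in ("view", "edit"):
                print(subj.user_id, act, rec.patient_id, compare(subj, act, rec))
```

Every row where the two decisions differ is a case the role alone gets wrong: Alice may view any cardiology record but may only edit the one she is on the care team for, and Bob, who is on a cardiology patient's care team, may edit that record without being allowed to view the rest of the unit.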

Page 14: Declarative vs. programmatic AuthZ

Declarative
- Security roles and constraints are added to the deployment descriptor of the application (e.g. in J2EE, web constraints go into web.xml, EJB constraints into ejb-jar.xml)
- Configured during the assembly stage, enforced by the security runtime
- Usually relies on roles

Programmatic
- Enforcement of AuthZ is written in the code
- Gives app developers more control

The JACC (Java Authorization Contract for Containers) interface can be used to make calls to external AuthZ providers

Page 15: Future-proofing authorization

(Diagram: Externalized AuthZ at the centre, with its properties around it)
- External from applications
- Standards-compliant
- Authorization service
- Fine-grained, context-aware
- Attribute-based access control

Page 16: Externalizing authorization

Page 17: Need for externalizing AuthZ

- Consider distributed or multi-tiered apps; consider SOA and cloud services
- AuthZ needs to be done at several tiers and places
- Move similar, often-used AuthZ code to its own layer
- Some progress, but:
  - Different programming patterns
  - Frameworks providing coarse-grained AuthZ
  - Fine-grained AuthZ still in code

Page 18: A multitude of authorization frameworks

- CanCan
- Microsoft Claims
- SalesForce PermissionSet
- Spring Security
- Rails AuthZ
- Python Fedora
- Flask-Auth
- Slim for PHP

Page 19: What’s with native authorization frameworks?

Cons
- They are specific to their language
- They are not standards-based
- Their capabilities are at times limited
- They require subject matter expertise
- They are expensive

Pros
- It’s the right step towards fine-grained authorization
- It’s the right step towards externalizing authorization

Page 20: Enter XACML

Page 21: What is XACML?

- eXtensible Access Control Markup Language
- Prominent ABAC system
- OASIS standard
  - V 1.0 approved in 2003 (10 years ago!)
  - V 3.0 approved in January 2013
- XACML is expressed as a specification document
- Provides profiles for developers: JSON, REST
- http://www.oasis-open.org/committees/xacml/

Page 22: What does XACML contain?

XACML
- Reference architecture
- Policy language
- Request / response protocol

Page 23: The XACML architecture

- Manage: Policy Administration Point (PAP)
- Decide: Policy Decision Point (PDP)
- Support: Policy Information Point (PIP), Policy Retrieval Point (PRP)
- Enforce: Policy Enforcement Point (PEP)

Page 24: XACML architecture flow

(Diagram; the flow is reconstructed from its labels)
1. The user asks the application to access Document #123.
2. The PEP (Enforce) intercepts the request and asks the PDP (Decide): “Can Alice access Document #123?”
3. The PDP loads the XACML policies (Manage: Policy Administration Point; Support: Policy Retrieval Point).
4. The PDP retrieves the user’s role and clearance and the document’s classification (Support: Policy Information Point).
5. The PDP answers “Yes, Permit”, and the PEP lets the access to Document #123 through.

Page 25: What does XACML contain?

XACML: reference architecture, policy language, request / response protocol

Page 26: Language elements of XACML

Three structural elements: PolicySet, Policy, Rule
- Root: either a PolicySet or a Policy
- PolicySets contain any number of PolicySets and Policies
- Policies contain Rules
- Rules contain an Effect: Permit / Deny
- Combining algorithms for Rules and Policies

Page 27: Sample XACML policy

(Diagram: policy tree; the nesting is reconstructed from the labels)
Root PolicySet
  PolicySet
    Policy
      Rule, Effect = Permit
      Rule, Effect = Deny
  PolicySet
    Policy
      Rule, Effect = Permit

Page 28: Language structure: Russian dolls

- PolicySet, Policy & Rule can contain Targets, Obligations and Advice
- Rules can additionally contain Conditions

(Diagram: PolicySet > Policy > Rule (Effect = Permit); each of the three carries a Target and an Obligation, and the Rule also carries a Condition)
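An added example (not code from the slides or from Axiomatics) of the structure described on slides 26 to 28: a small in-process model of PolicySet, Policy and Rule with Targets, Conditions, Effects and Obligations, plus two of the standard combining algorithms (deny-overrides and first-applicable), so that one can see how the tree turns a request into Permit, Deny, NotApplicable or Indeterminate. It goes a little beyond the slides in showing the Indeterminate case (an attribute the policy needs is missing) and how obligations propagate up the tree. The scenario mirrors slide 24 (Alice, Document #123, clearance vs. classification); the attribute names, values and obligation names are assumptions, and the combining algorithms are simplified: the three Indeterminate flavours of XACML 3.0 (D, P, DP) are collapsed into one.

```python
"""Added example (not from the Axiomatics slides): PolicySet / Policy / Rule with
Targets, Conditions, Effects and Obligations, plus two standard combining
algorithms, evaluated in-process. Scenario after slide 24 (Alice, Document #123,
clearance vs. classification); attribute and obligation names are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"
Request = Dict[str, str]            # flat attribute map, e.g. {"subject.role": "employee"}
Predicate = Callable[[Request], bool]
Outcome = Tuple[str, List[str]]     # (decision, obligations to fulfil)


def _target(target: Optional[Predicate], req: Request) -> str:
    """No Target matches everything. A Target that references an absent
    attribute is an error (Indeterminate), not a silent non-match."""
    if target is None:
        return "match"
    try:
        return "match" if target(req) else "nomatch"
    except KeyError:
        return "indeterminate"


# Combining algorithms, simplified against XACML 3.0: the Indeterminate flavours
# (D, P, DP) are collapsed into one, and every child is evaluated before combining.
def deny_overrides(results: List[str]) -> str:
    for verdict in (DENY, INDETERMINATE, PERMIT):
        if verdict in results:
            return verdict
    return NOT_APPLICABLE


def first_applicable(results: List[str]) -> str:
    for verdict in results:         # the first Permit, Deny or Indeterminate ends the scan
        if verdict != NOT_APPLICABLE:
            return verdict
    return NOT_APPLICABLE


@dataclass
class Rule:
    effect: str                                   # PERMIT or DENY
    target: Optional[Predicate] = None
    condition: Optional[Predicate] = None         # only Rules carry Conditions
    obligations: List[str] = field(default_factory=list)

    def evaluate(self, req: Request) -> Outcome:
        m = _target(self.target, req)
        if m != "match":
            return (NOT_APPLICABLE if m == "nomatch" else INDETERMINATE), []
        try:
            if self.condition is not None and not self.condition(req):
                return NOT_APPLICABLE, []
        except KeyError:                          # absent attribute or unknown value
            return INDETERMINATE, []
        return self.effect, list(self.obligations)


@dataclass
class Policy:
    """Serves as Policy (children are Rules) and as PolicySet (children are
    Policies / PolicySets): a Target, a combining algorithm and Obligations
    keyed by the decision they are attached to (FulfillOn)."""
    children: list
    combine: Callable[[List[str]], str] = deny_overrides
    target: Optional[Predicate] = None
    obligations: Dict[str, List[str]] = field(default_factory=dict)

    def evaluate(self, req: Request) -> Outcome:
        m = _target(self.target, req)
        if m != "match":
            return (NOT_APPLICABLE if m == "nomatch" else INDETERMINATE), []
        outcomes = [child.evaluate(req) for child in self.children]
        decision = self.combine([d for d, _ in outcomes])
        # Obligations propagate only from children that agreed with the final decision.
        collected = [o for d, obs in outcomes if d == decision for o in obs]
        return decision, collected + self.obligations.get(decision, [])


CLEARANCE = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

# Constructed tree: root PolicySet (deny-overrides) -> document Policy (deny-overrides) -> Rules.
ROOT = Policy(
    target=lambda r: r["resource.type"] == "document",
    obligations={PERMIT: ["log-access-centrally"]},
    children=[Policy(children=[
        Rule(DENY, obligations=["log-clearance-violation"],
             condition=lambda r: CLEARANCE[r["subject.clearance"]]
             < CLEARANCE[r["resource.classification"]]),
        Rule(PERMIT, target=lambda r: r["action.id"] == "read",
             condition=lambda r: r["subject.role"] in ("employee", "manager")),
        Rule(PERMIT, target=lambda r: r["action.id"] == "write",
             condition=lambda r: r["subject.role"] == "manager"),
    ])],
)


def decide(req: Request) -> Outcome:
    """The PDP's answer for one request: (decision, obligations)."""
    return ROOT.evaluate(req)


ALICE_READS_123 = {"subject.id": "alice", "subject.role": "employee", "subject.clearance": "confidential",
                   "resource.id": "123", "resource.type": "document", "resource.classification": "internal",
                   "action.id": "read"}        # constructed request after slide 24

if __name__ == "__main__":
    print(decide(ALICE_READS_123))           # ('Permit', ['log-access-centrally'])
```

Two things worth noting for a PEP author: a request outside every Target (here, anything that is not a document) comes back NotApplicable rather than Deny, and a request for which the PDP could not evaluate a Condition (here, a document with no classification attribute) comes back Indeterminate even though a Permit rule matched, because deny-overrides ranks an error above a Permit. Neither result should be treated as a grant.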

Page 29: What does XACML contain?

XACML: reference architecture, policy language, request / response protocol

Page 30: Request and response

- It’s all about attributes! (ABAC)
- Represented in XML

(Diagram: a XACML Request carries Subject, Action, Resource and Environment attributes; the XACML Policies are written over the same four categories of attributes; the PDP’s answer is a XACML Response)

Page 31: XACML and the PEP

The PEP’s four steps around the request/response exchange with the PDP:
- Stop (S) the message
- Analyze (A) the message and extract attributes
- Forward (F) the access control request to the PDP
- Enforce (E) the decision that comes back

Page 32: Stop the message: the form factor (S)

What are you protecting? What architecture? What framework?
- J2EE? Web app server: servlet filter; web services: JAX-WS
- Enterprise Service Bus? Apache ServiceMix: interceptors
- IIS? ISAPI filter
- XML gateway? Custom vendor assertion

Page 33: Analyze the message: extract attributes (A)

Map from ‘native attributes’ to XACML attributes. Two types of attributes:
- Attributes in the message
  - Message headers: SOAPAction, HTTP method, target URI…
  - Message payload: transaction amount
- Attributes in the environment / framework: time of the day

Page 34: Extract attributes - example

Incoming HTTP request, read via the HttpServletRequest object in a servlet filter:

    POST /login.jsp HTTP/1.1
    Host: www.mysite.com
    User-Agent: Mozilla/4.0
    Content-Length: 27
    Content-Type: application/x-www-form-urlencoded

    userid=joe

Resulting XACML 3.0 request (HTTP method -> action-id, path -> resource-id, userid -> subject-id; the environment category is left empty):

    <?xml version="1.0" encoding="UTF-8"?>
    <xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false"
        xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
      <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
        <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
          <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">POST</xacml-ctx:AttributeValue>
        </xacml-ctx:Attribute>
      </xacml-ctx:Attributes>
      <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
        <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="true">
          <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">login.jsp</xacml-ctx:AttributeValue>
        </xacml-ctx:Attribute>
      </xacml-ctx:Attributes>
      <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment">
      </xacml-ctx:Attributes>
      <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
        <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="true">
          <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">joe</xacml-ctx:AttributeValue>
        </xacml-ctx:Attribute>
      </xacml-ctx:Attributes>
    </xacml-ctx:Request>

Note that in this example the subject-id is taken from the userid form parameter of a login POST, i.e. from a value the client supplies. A deployed PEP should take subject attributes from the authenticated principal (for a servlet, HttpServletRequest.getUserPrincipal() or the container’s security context), never from request parameters the caller controls; otherwise the caller chooses the subject the policy is evaluated for.

Page 35: Forward the access control request to the PDP (F)

How is the PDP exposed? In-process? RMI? JSON? SOAP? …

Create a XACML request and insert it inside the right “transporter”:
- Java XACML request object, passed to the API method (in-process)
- Java XACML request object, serialized over RMI
- JSON payload, sent as an HTTP(S) request
- XML XACML request inside a SOAP message, sent as an HTTP request
- …

Page 36: Enforce: receive the PDP decision and act (E)

- The decision is one of Permit / Deny / NotApplicable / Indeterminate
- Check the bias: a deny-biased PEP grants access only on Permit, and only if it understands and can discharge the obligations attached to it; NotApplicable and Indeterminate are treated as Deny. A permit-biased PEP denies only on Deny.
- Apply obligations & advice, for example:
  - Log the access in the central log repository
  - Send a notification email
  - Filter out some data from the response
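The four PEP steps of slides 31 to 36 carried through end to end, as an added example (not code from the slides, from the APS PEP SDK or from Axiomatics). It builds the same kind of XACML 3.0 request as slide 34 from an HTTP request, forwards it through a pluggable transport, parses the response and enforces it deny-biased with obligation handling. The HTTP request, the fake_pdp transport and the obligation identifier are constructed for the example; the XACML namespace, categories and attribute identifiers are the standard ones. One deliberate difference from slide 34: the subject-id comes from the authenticated user the container hands in, not from the userid form field.

```python
"""Added example (not from the Axiomatics slides or the APS PEP SDK): the PEP
steps STOP, ANALYZE, FORWARD, ENFORCE around a real XACML 3.0 XML request and
response. The HTTP request, fake_pdp and LOG_OBLIGATION are constructed;
namespace, categories and attribute ids are the standard XACML ones."""
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Tuple

NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
XS_TIME = "http://www.w3.org/2001/XMLSchema#time"
CAT_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
CAT_ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
CAT_RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
CAT_ENV = "urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
ID_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ID_ACTION = "urn:oasis:names:tc:xacml:1.0:action:action-id"
ID_RESOURCE = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ID_TIME = "urn:oasis:names:tc:xacml:1.0:environment:current-time"
LOG_OBLIGATION = "urn:example:obligation:log-access"    # assumed obligation id, not a standard one

Attributes = Dict[str, List[Tuple[str, str, str]]]      # category -> [(id, datatype, value)]


def stop(raw_http: str) -> Dict[str, object]:
    """STOP: intercept the message (a servlet filter's job) and parse the
    request line, headers and form body."""
    head, _, body = raw_http.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _ = request_line.split(" ", 2)
    headers = {k.strip().lower(): v.strip() for k, v in (line.split(":", 1) for line in header_lines)}
    form = dict(pair.split("=", 1) for pair in body.split("&") if "=" in pair)
    return {"method": method, "path": path.lstrip("/"), "headers": headers, "form": form}


def analyze(parsed: Dict[str, object], authenticated_user: str, now: str) -> Attributes:
    """ANALYZE: map native attributes onto XACML categories. The subject is the
    authenticated principal from the container, never the userid form field,
    which the client chooses."""
    return {
        CAT_SUBJECT: [(ID_SUBJECT, XS_STRING, authenticated_user)],
        CAT_ACTION: [(ID_ACTION, XS_STRING, parsed["method"])],
        CAT_RESOURCE: [(ID_RESOURCE, XS_STRING, parsed["path"])],
        CAT_ENV: [(ID_TIME, XS_TIME, now)],            # environment attribute: time of day
    }


def build_request(attrs: Attributes) -> bytes:
    """Serialise the categories into an XACML 3.0 <Request> document."""
    ET.register_namespace("xacml-ctx", NS)
    req = ET.Element(f"{{{NS}}}Request", ReturnPolicyIdList="true", CombinedDecision="false")
    for category, items in attrs.items():
        block = ET.SubElement(req, f"{{{NS}}}Attributes", Category=category)
        for attr_id, datatype, value in items:
            attr = ET.SubElement(block, f"{{{NS}}}Attribute", AttributeId=attr_id, IncludeInResult="true")
            ET.SubElement(attr, f"{{{NS}}}AttributeValue", DataType=datatype).text = value
    return ET.tostring(req, encoding="utf-8", xml_declaration=True)


def parse_response(response_xml: bytes) -> Tuple[str, List[str]]:
    """Pull the Decision and the ObligationIds out of an XACML 3.0 <Response>."""
    result = ET.fromstring(response_xml).find(f"{{{NS}}}Result")
    decision = result.findtext(f"{{{NS}}}Decision")
    return decision, [o.get("ObligationId") for o in result.iter(f"{{{NS}}}Obligation")]


def enforce(decision: str, obligations: List[str], handlers: Dict[str, Callable[[], None]]) -> bool:
    """ENFORCE, deny-biased: only an explicit Permit grants access, and only if
    the PEP understands every obligation attached to it; NotApplicable and
    Indeterminate are treated as Deny."""
    if decision == "Permit" and any(ob not in handlers for ob in obligations):
        return False                    # cannot discharge an obligation -> deny
    for ob in obligations:
        if ob in handlers:
            handlers[ob]()              # e.g. write to the central log, send a notification
    return decision == "Permit"


def pep(raw_http, authenticated_user, now, transport, handlers):
    """Run the four steps; `transport` is the FORWARD step (in-process call,
    RMI, JSON over HTTPS or SOAP in a real deployment)."""
    parsed = stop(raw_http)
    xacml_request = build_request(analyze(parsed, authenticated_user, now))
    decision, obligations = parse_response(transport(xacml_request))
    return enforce(decision, obligations, handlers), decision, obligations


# --- constructed inputs for a stand-alone run (after slide 34) ----------------
SAMPLE_HTTP = ("POST /login.jsp HTTP/1.1\r\nHost: www.mysite.com\r\n"
               "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 10\r\n\r\nuserid=joe")


def fake_pdp(request_xml: bytes) -> bytes:
    """Constructed stand-in for the PDP transport: reads the subject-id back out
    of the request and answers with a canned XACML 3.0 Response."""
    root = ET.fromstring(request_xml)
    subject = next(a.findtext(f"{{{NS}}}AttributeValue") for a in root.iter(f"{{{NS}}}Attribute")
                   if a.get("AttributeId") == ID_SUBJECT)
    decision = {"joe": "Permit", "mallory": "Deny"}.get(subject, "NotApplicable")
    obligations = (f'<Obligations><Obligation ObligationId="{LOG_OBLIGATION}"/></Obligations>'
                   if decision == "Permit" else "")
    return f'<Response xmlns="{NS}"><Result><Decision>{decision}</Decision>{obligations}</Result></Response>'.encode()


if __name__ == "__main__":
    print(pep(SAMPLE_HTTP, "joe", "09:30:00", fake_pdp, {LOG_OBLIGATION: lambda: None}))
```

The deny-biased rule in enforce() is the one a PEP should default to: NotApplicable usually means no policy covered the request and Indeterminate means the PDP hit an error (a missing attribute, an unreachable PIP), and neither should open the door. The same function also turns a Permit into a denial when the PDP attaches an obligation the PEP has no handler for, which is the contract XACML places on obligations.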

Page 37: APS Developer Edition

Page 38: What is APS Developer Edition?

“(…) is an aggregate product that aims to simplify the process of working with Axiomatics products. It is primarily intended for developers and is designed to enable a quick and easy setup of the APS environment. The Developer Edition contains the standard releases of APS and other Axiomatics software of relevance to developers in a complete, self-contained and easy-to-install package.”

For non-production use only

Page 39: What it contains

- APS components: ASM, PDP, PAP
- PEP SDK for Java and ALFA packages
- Sample demo application and XACML policy
- Sample Eclipse projects for: JSP demo application, JSP PEP, Java PEP, ALFA
- PAP workspace
- Single Tomcat for ASM, PDP and demo application
- Simplified initialization and management scripts

Page 40: What it does not contain

APS Developer Edition does not include:
- Eclipse distribution
- Java distribution
- APS Developer Resources
- Anything else not mentioned on the previous slide

Page 41: Quick Start Guide

Page 42: Demo

Page 43: Questions?

Contact us at [email protected]