access control patterns & practices with wso2 middleware
Page 1
Access Control Patterns & Practices with WSO2 Middleware
Prabath Siriwardena
Page 2
About Me
• Director of Security Architecture at WSO2
• Leads WSO2 Identity Server – an open source identity and entitlement management product.
• Apache Axis2/Rampart committer / PMC
• A member of OASIS Identity Metasystem Interoperability (IMI) TC, OASIS eXtensible Access Control Markup Language (XACML) TC and OASIS Security Services (SAML) TC.
• Twitter: @prabath
• Email: [email protected]
• Blog: http://blog.facilelogin.com
• LinkedIn: http://www.linkedin.com/in/prabathsiriwardena
Page 3
Discretionary Access Control (DAC) vs. Mandatory Access Control (MAC)
Page 4
With Discretionary Access Control, the user can be the owner of the data and, at his discretion, can transfer the rights to another user.
Page 5
With Mandatory Access Control, only designated users are allowed to grant rights, and users cannot transfer them.
Page 6
All WSO2 Carbon based products are based on Mandatory Access Control.
Page 7
A Group is a collection of Users, while a Role is a collection of permissions.
Page 8
Authorization Table vs. Access Control Lists vs. Capabilities
Page 9
An Authorization Table is a three-column table with subject, action and resource.
Page 10
With Access Control Lists, each resource is associated with a list indicating, for each subject, the actions that the subject can exercise on the resource.
Page 11
With Capabilities, each subject has an associated list, called a capability list, indicating, for each resource, the accesses that the user is allowed to exercise on the resource.
Page 12
Access Control Lists are resource driven, while capabilities are subject driven.
Page 13
With policy based access control we can have authorization policies with a fine granularity.
Page 14
Capabilities and Access Control Lists can be dynamically derived from policies.
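The three representations from the preceding slides (authorization table, ACL, capability list) derived from one small policy set, as an added example that is not part of the original deck: decide() plays the Policy Decision Point role over attribute-based rules with deny-overrides combining (modelled on XACML, not taken from the slides), and the users, resources and rules are constructed.

```python
"""Policy-based access control: attribute-based rules evaluated by decide()
(the PDP role), with the authorization table, ACL and capability views derived
from the rules rather than stored.  Users, resources and rules are constructed."""
from itertools import product

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"
# Subject attributes (what a Policy Information Point would supply).
USERS = {
    "alice": {"role": "manager", "dept": "finance"},
    "bob":   {"role": "clerk",   "dept": "finance"},
    "carol": {"role": "clerk",   "dept": "sales"},
}
RESOURCES = ["/finance/ledger", "/finance/reports", "/sales/leads"]
ACTIONS = ["read", "write"]
# A rule is (effect, resource prefix, actions, required subject attributes).
POLICY = [
    (DENY,   "/",         {"write"},         {"role": "clerk"}),  # clerks never write
    (PERMIT, "/finance/", {"read", "write"}, {"dept": "finance"}),
    (PERMIT, "/sales/",   {"read"},          {"dept": "sales"}),
]

def rule_matches(rule, subject, action, resource):
    """A rule's target applies when prefix, action and every attribute match."""
    effect, prefix, actions, attrs = rule
    return (resource.startswith(prefix) and action in actions
            and all(USERS[subject].get(k) == v for k, v in attrs.items()))

def decide(subject, action, resource, policy=POLICY):
    """PDP: deny-overrides over the rules whose targets match the request."""
    effects = {r[0] for r in policy if rule_matches(r, subject, action, resource)}
    if DENY in effects:
        return DENY
    return PERMIT if PERMIT in effects else NOT_APPLICABLE

def authorization_table(policy=POLICY):
    """Three-column table (subject, action, resource) of permitted accesses."""
    return {(s, a, r) for s, a, r in product(USERS, ACTIONS, RESOURCES)
            if decide(s, a, r, policy) == PERMIT}

def acl(policy=POLICY):
    """Resource-driven view: resource -> {subject: set(actions)}."""
    view = {r: {} for r in RESOURCES}
    for s, a, r in authorization_table(policy):
        view[r].setdefault(s, set()).add(a)
    return view

def capabilities(policy=POLICY):
    """Subject-driven view: subject -> {resource: set(actions)}."""
    view = {s: {} for s in USERS}
    for s, a, r in authorization_table(policy):
        view[s].setdefault(r, set()).add(a)
    return view
```

Changing a rule in POLICY changes every derived view at once, which is the point of the slide: the ACL and capability list are projections of the policy, not separately maintained state.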
Page 15
XACML is the de facto standard for policy based access control.
Page 16
XACML provides a reference architecture, a request/response protocol and a policy language.
Page 17
XACML Reference Architecture
• Policy Enforcement Point (PEP)
• Policy Information Point (PIP)
• Policy Administration Point (PAP)
• Policy Decision Point (PDP)
• Policy Store
Page 18
XACML with Capabilities (WS-Trust) Hierarchical Resource Profile
Diagram components: Client Application, WSO2 Identity Server (STS), WSO2 Identity Server (XACML PDP), WSO2 Application Server (SOAP Service).
Diagram messages: SAML token request; SAML token with Authentication and Authorization Assertions (Capabilities); XACML Request / XACML Response; SAML token with Authentication and Authorization Assertion + Service Request.
Page 19
XACML with Capabilities (WS-Trust) Hierarchical Resource Profile
Diagram components: WSO2 Application Server (Web Application), WSO2 Identity Server (SAML2 IdP), WSO2 Identity Server (XACML PDP).
Diagram messages: Unauthenticated Request; Browser Redirect with SAML Request; SAML token with Authentication and Authorization Assertion (Capabilities); XACML Request / XACML Response.
Page 20
RBAC (Role Based Access Control)
Diagram components: Client Application, WSO2 ESB (Policy Enforcement Point), WSO2 Application Server (SOAP Service).
Diagram messages: Service Request + Credentials.
Page 21
WSO2 ESB as the XACML PEP (SOAP and REST)
Diagram components: Client Application, WSO2 ESB (Policy Enforcement Point), WSO2 Identity Server (XACML PDP), WSO2 Application Server (SOAP Service).
Diagram messages: Service Request + Credentials; XACML Request / XACML Response.
Page 22
XACML PEP as a Servlet Filter
Diagram components: Client Application, WSO2 Application Server (with an XACML Servlet Filter), WSO2 Identity Server (XACML PDP).
Diagram messages: Service Request + Credentials; XACML Request / XACML Response.
Page 23
OAuth + XACML
Diagram components: Client Application, API Gateway, WSO2 Identity Server (OAuth Authorization Server), WSO2 Identity Server (XACML PDP).
Diagram messages: Access Token; Validate(); XACML Request / XACML Response.
Page 24
Authorization with External IdPs (Role Mapping)
Diagram components: WSO2 Application Server (Web Application), External SAML2 IdP (Salesforce), WSO2 Identity Server (mapping IdP Groups to Web App roles).
Diagram messages: Unauthenticated Request; Browser Redirect with SAML Request; SAML token with Authentication and Attribute Assertions with IdP groups.
Page 25
XACML Multiple Decisions and Application Specific Roles
Diagram components: Liferay Portal, WSO2 Identity Server (XACML PDP).
Diagram messages: Login; XACML Request; XACML Response.
Page 26
lean . enterprise . middleware