CIS14: Baking Fine-Grained Authorization Into Your Apps and APIs using ALFA, REST, and JSON


Posted on 18-May-2015


DESCRIPTION

Next-generation access control is undergoing a bit of an identity crisis. Some call it eXternalized Authorization Management, others Dynamic Access Control and still others just refer to it as Attribute Based Access Control (ABAC). Until now, XACML and ABAC have been the two pillars supporting next-gen AuthZ. Gartner predicts that 70% of enterprises will adopt ABAC by 2020.

TRANSCRIPT

1. Why lasagna is better than spaghetti. Building authorization into your apps, APIs, and DB using JSON, REST & ALFA. Axiomatics 2014 - @axiomatics

2. Before we begin, a little draw. Drop in your card at the Axiomatics booth for a chance to win a Bose bluetooth speaker.

3. A little history of pasta. Meet Sally. And her precious one. And so lasagna kicked spaghetti out.

4. Doesn't your code feel like spaghetti? (if/then/else mixology)

5. A little history of access control. Based on: Hilbert and Lopez, 2011. [Chart: the access control models DAC, MAC, RBAC and ABAC plotted against the years 1986-2007, from ~0.7% digital to ~93% digital, labelled "Increasing access control challenges".]

6. What's our secret ingredient? Attributes, attributes, attributes.

7. Attribute-Based Access Control: who, what, where, when, why, how. Attributes can describe everything (not just who).

8. The secret sauce? Policy-Based Access Control: centralized, easy to audit, eXtensible, standardized, attribute-based.

9. XACML (eXtensible Access Control) = ABAC + PBAC.

10. XACML supports Schrodinger's cat (Paul Madsen's).

11. Bake in layers: authorization at the right place. Presentation tier, web app tier, business tier, API tier, data tier.

12. Bake once, enjoy everywhere: Presentation Tier, API & WS Tier, Business Tier and Data Tier, all served by one eXternalized Authorization Service.

13. How does Chef Gebel take it to the next level? "I use ALFA, 100% XACML." "I use JSON and REST too, easy on the developers."

14. The ALFA plugin for Eclipse: authorization's KitchenAid.

15. What's ALFA? Abbreviated Language for Authorization. OASIS: an Axiomatics language donated to OASIS XACML, in the process of standardization. Goals: makes XACML policies easier to write; simplifies XACML structure; enhances possibilities. Audience: aimed at developers initially; very popular with business analysts.

16. What's the ALFA plugin? An add-on to Eclipse, the popular IDE. Lets you write ALFA easily: auto-complete, syntax checking, syntax coloring. Converts ALFA into XACML 3.0 policies on the fly. Lets you test your policies. Available for free from Axiomatics.

17. An example: the insurance use case. Authorization requirement: a customer can view his/her own policies and the policies of a spouse that are not marked as private. Identify the attributes: user type; action; policy owner; policy private flag; spouse; object type; user identity. Rework the rule: a user with type == customer can do action == view on object of type == policy if and only if policyOwner == userId or, if and only if policyPrivateFlag == false && policy.owner == user.spouse. Implement in ALFA.

18. The JSON Profile of XACML: delicious & healthy.

19. Objectives: lightweight notation; get rid of the verboseness of XML; easy to write; broader support for languages (JS, Python); remove the XACML/XML redundancy; infer certain things, e.g. datatypes.

20. The JSON Profile - basics. The profile is a close mirror of the XML XACML request/response. It is possible to omit information and use inference, with reasonable defaults (e.g. String need not be specified). Default category names: AccessSubject, Resource, Action, Environment.

21. Example in HTML/Javascript.

22. Size of a XACML request. [Chart: word count, XML vs JSON (scale 0-50), and character count, XML vs JSON (scale 0-1400).]

23. The REST Profile of XACML: the perfect way to serve your lasagna.

24. Why a REST profile? No standard transport protocol in XACML core. Different implementations have different SOAP wrappings. SOAP in itself is losing in popularity. Provide an easy means to send an authorization request.

25. Posting the JSON request in Javascript:

    var xmlHttp = null;

    // Called on every readyState change; handle the PDP response once it is complete.
    function ProcessRequest() {
      if (xmlHttp.readyState === 4) {
        console.log("PDP response:", xmlHttp.status, xmlHttp.responseText);
      }
    }

    function authorize() {
      // The textarea already holds the JSON-profile request as text, so it is
      // sent as-is; JSON.stringify on this string would wrap it in quotes.
      var xacmlRequest = document.getElementById("xacmlrequest").value;
      var Url = "https://localhost:5443/axio/authorize";
      xmlHttp = new XMLHttpRequest();
      xmlHttp.onreadystatechange = ProcessRequest;
      xmlHttp.withCredentials = true;
      xmlHttp.open("POST", Url, false); // synchronous, as on the slide
      xmlHttp.setRequestHeader("Accept", "application/xacml+json");
      xmlHttp.setRequestHeader("Content-Type", "application/xacml+json");
      xmlHttp.setRequestHeader("Authorization", "Basic cGVwOnBhc3N3b3Jk"); // demo credentials from the slide
      xmlHttp.send(xacmlRequest);
    }

26. And now, let's bake!

27. Ok, so it's time to wrap up.

28. Forget spaghetti. Whip up lasagna! (Sorry Sergio Leone.) REST + ALFA + JSON: a recipe for success. Don't forget to pair the pasta with an elegant wine. Ask @ggebel, our head sommelier, for recommendations.

29. Summary.
EAM (eXternalized Authorization Management): the act of cleanly separating business logic from authorization logic and maintaining each one independently.
ABAC (Attribute-based access control): an authorization model whereby parameters about the user, resource, action, and environment can be used to determine access.
PBAC (Policy-based access control): an authorization model which uses a
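As an added example (not code from the slides or from Axiomatics), the insurance rule of slide 17 evaluated over a request shaped like the JSON Profile of XACML described on slides 20 and 25, so the decision behaviour can be checked before the request is posted to a real PDP. The attribute ids (user.id, user.type, policy.owner, ...) and the toy evaluator are assumptions.

```javascript
// Added example, not from the slides: the slide-17 insurance rule evaluated
// over a request shaped like the JSON Profile of XACML (slides 20 and 25).
// Attribute ids (user.id, user.type, ...) and the evaluator itself are assumptions.

// Build a constructed request. Datatypes are omitted where the profile's
// default (string) applies; the private flag is passed as a JSON boolean.
function buildRequest(userId, userType, spouse, policyOwner, policyPrivate, action) {
  return {
    Request: {
      AccessSubject: { Attribute: [
        { AttributeId: "user.id", Value: userId },
        { AttributeId: "user.type", Value: userType },
        { AttributeId: "user.spouse", Value: spouse },
      ] },
      Action: { Attribute: [{ AttributeId: "action-id", Value: action }] },
      Resource: { Attribute: [
        { AttributeId: "object.type", Value: "policy" },
        { AttributeId: "policy.owner", Value: policyOwner },
        { AttributeId: "policy.privateFlag", Value: policyPrivate, DataType: "boolean" },
      ] },
    },
  };
}

// Read one attribute value from a category; undefined when it is absent.
function attr(request, category, id) {
  var list = (request.Request[category] || {}).Attribute || [];
  var hit = list.find(function (a) { return a.AttributeId === id; });
  return hit ? hit.Value : undefined;
}

// Slide-17 rule: a customer may view a policy they own, or a spouse's policy
// that is not marked private. Requests outside the rule's target get
// NotApplicable; matching requests that satisfy neither condition get Deny.
function evaluate(request) {
  var inTarget =
    attr(request, "AccessSubject", "user.type") === "customer" &&
    attr(request, "Action", "action-id") === "view" &&
    attr(request, "Resource", "object.type") === "policy";
  if (!inTarget) return { Response: [{ Decision: "NotApplicable" }] };
  var userId = attr(request, "AccessSubject", "user.id");
  var spouse = attr(request, "AccessSubject", "user.spouse");
  var owner = attr(request, "Resource", "policy.owner");
  var isPrivate = attr(request, "Resource", "policy.privateFlag") === true;
  // Missing identities never match: an absent owner must not equal an absent spouse.
  var ownPolicy = userId !== undefined && owner === userId;
  var spousePolicy = spouse !== undefined && owner === spouse && !isPrivate;
  return { Response: [{ Decision: ownPolicy || spousePolicy ? "Permit" : "Deny" }] };
}
```

A PEP should grant access only on an exact Permit and treat Deny, NotApplicable and Indeterminate alike.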