CIS14: Baking Fine-Grained Authorization Into Your Apps and APIs using ALFA, REST, and JSON
Why lasagna is better than spaghetti
Building authorization into your apps, APIs, and DB using JSON, REST & ALFA
© Axiomatics 2014 - @axiomatics
Before we begin, a little draw
Drop in your card at the Axiomatics booth for a chance to win a Bose bluetooth speaker
A little history of pasta
Meet Sally, and her precious one. And so lasagna kicked spaghetti out.
Doesn’t your code feel like spaghetti?
(if/then/else mixology)
A little history of access control
[Chart, based on Hilbert and Lopez, 2011: information storage from 1986 to 2007 (y-axis 0 to 300), going from ~0.7% digital to ~93% digital; DAC, MAC, RBAC and ABAC mark increasing access control challenges over the same period]
What’s Our Secret Ingredient?
Attributes… Attributes… Attributes…
Attribute-Based Access Control
Who… What… Where… When… Why… How…
Attributes can describe everything (not just who)
The Secret Sauce?
Policy-Based Access Control
Centralized… Easy to audit… eXtensible… Standardized… Attribute-based…
XACML (eXtensible Access Control Markup Language) = ABAC + PBAC
XACML supports Schrödinger's cat (Paul Madsen’s)
Bake in layers
Authorization at the right place: Business tier… API tier… Data tier… Web app tier… Presentation tier…
[Diagram: Presentation Tier, API & WS Tier, Business Tier and Data Tier all calling one eXternalized Authorization Service]
Bake once, enjoy everywhere
How does Chef Gebel take it to the next level?
I use ALFA, 100% XACML
I use JSON and REST too – easy on the developers
THE ALFA PLUGIN FOR ECLIPSE
Authorization’s KitchenAid
What’s ALFA
• Abbreviated Language for Authorization
• OASIS
  – Axiomatics language donated to OASIS XACML
  – In the process of standardization
• Goals
  – Makes XACML policies easier to write
  – Simplifies XACML structure
  – Enhances possibilities
• Audience
  – Aimed at developers initially
  – Very popular with business analysts
What’s the ALFA plugin?
• Add-on to Eclipse, the popular IDE
• Lets you write ALFA easily
  – Auto-complete
  – Syntax checking
  – Syntax coloring
• Converts ALFA into XACML 3.0 policies on the fly
• Lets you test your policies
• Available for free from Axiomatics
An example: the insurance use case
• Authorization requirement
  – A customer can view his/her own policies and the policies of a spouse that are not marked as private
• Identify the attributes
  – User type; action; policy owner; policy private flag; spouse; object type; user identity
• Rework the rule
  – A user with type==customer can do action==view on object of type==policy…
    • if and only if policyOwner == userId, or
    • if and only if policyPrivateFlag==false && policy.owner==user.spouse
• Implement in ALFA
THE JSON PROFILE OF XACML
Delicious & Healthy
Objectives
• Lightweight notation
• Get rid of the verboseness of XML
• Easy to write
• Broader support for languages (JS, Python…)
• Remove the XACML / XML redundancy
• Infer certain things, e.g. datatypes
The JSON Profile - Basics
• The profile is a close mirror of the XML XACML request / response
• It is possible to omit information and use inference
  – Reasonable defaults
  – E.g. the datatype can be omitted for string attributes
• Default category names
  – AccessSubject, Resource, Action, Environment
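As an added example (not from the slides), the insurance use case from the earlier slide expressed as a JSON Profile request, with a minimal evaluator for its two rules; the attribute ids (userId, userType, spouse, actionId, objectType, policyOwner, policyPrivate) are assumed names, not identifiers defined by the profile.

```javascript
// Added example, not from the slides: the insurance use case as a JSON
// Profile of XACML request plus a minimal evaluator for its two rules.
// Attribute ids below are assumed names, not ones defined by the standard.

// Build a request with the profile's default category names
// (AccessSubject, Action, Resource). DataType is left out where the PDP can
// infer it (strings); the boolean flag carries an explicit DataType.
function buildRequest(user, action, policy) {
  const attrs = (list) => list.filter((a) => a.Value !== undefined);
  return {
    Request: {
      AccessSubject: { Attribute: attrs([
        { AttributeId: "userId", Value: user.id },
        { AttributeId: "userType", Value: user.type },
        { AttributeId: "spouse", Value: user.spouse },   // dropped if unmarried
      ]) },
      Action: { Attribute: [{ AttributeId: "actionId", Value: action }] },
      Resource: { Attribute: [
        { AttributeId: "objectType", Value: "policy" },
        { AttributeId: "policyOwner", Value: policy.owner },
        { AttributeId: "policyPrivate", Value: policy.isPrivate,
          DataType: "http://www.w3.org/2001/XMLSchema#boolean" },
      ] },
    },
  };
}

// Return one attribute's value from a category, or undefined if absent.
function attr(request, category, id) {
  const cat = request.Request[category];
  const hit = ((cat && cat.Attribute) || []).find((a) => a.AttributeId === id);
  return hit ? hit.Value : undefined;
}

// Target: customer + view + policy. Rules: own policy, or the spouse's
// non-private policy. Returns a JSON Profile response object.
function evaluate(request) {
  const inTarget = attr(request, "AccessSubject", "userType") === "customer"
    && attr(request, "Action", "actionId") === "view"
    && attr(request, "Resource", "objectType") === "policy";
  if (!inTarget) return { Response: [{ Decision: "NotApplicable" }] };
  const userId = attr(request, "AccessSubject", "userId");
  const spouse = attr(request, "AccessSubject", "spouse");
  const owner = attr(request, "Resource", "policyOwner");
  const isPrivate = attr(request, "Resource", "policyPrivate") === true;
  const ownPolicy = owner !== undefined && owner === userId;
  const spousePolicy = spouse !== undefined && owner === spouse && !isPrivate;
  const decision = ownPolicy || spousePolicy ? "Permit" : "Deny";
  return { Response: [{ Decision: decision }] };
}
```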
Example in HTML/Javascript
<script type="text/javascript">
  // Build a JSON Profile request: one AccessSubject category holding two
  // attributes. DataType is omitted, so the PDP infers string.
  var jsonRequest = new Object();
  jsonRequest.Request = new Object();
  jsonRequest.Request.AccessSubject = new Object();
  // jsonRequest.Request.AccessSubject.Attribute is an array of attributes
  var userId = new Object();
  userId.AttributeId = "userId";
  userId.Value = "John";
  var role = new Object();
  role.AttributeId = "role";
  role.Value = "manager";
  jsonRequest.Request.AccessSubject.Attribute = [userId, role];
</script>
Size of a XACML request
[Charts comparing the same XACML request in XML and in JSON: word count (y-axis 0 to 50) and character count (y-axis 0 to 1400)]
THE REST PROFILE OF XACML
The perfect way to serve your lasagna
Why a “REST” profile?
• No standard transport protocol in XACML core
• Different implementations have different SOAP wrappings
• SOAP in itself is losing in popularity
• Provide easy means to send authorization requests
Posting the JSON Request in Javascript
var xmlHttp = null;
function authorize() {
  // The textarea holds the request as JSON text; parse it so a malformed
  // request fails here rather than at the PDP, then serialize it once.
  var xacmlRequest = JSON.parse(document.getElementById("xacmlrequest").value);
  var Url = "https://localhost:5443/axio/authorize";
  xmlHttp = new XMLHttpRequest();
  xmlHttp.onreadystatechange = ProcessRequest;
  xmlHttp.withCredentials = true;
  xmlHttp.open("POST", Url, true);   // asynchronous; ProcessRequest reads the reply
  xmlHttp.setRequestHeader("Accept", "application/xacml+json");
  xmlHttp.setRequestHeader("Content-Type", "application/xacml+json");
  // Demo Basic credential from the slide; anything placed here is visible to every user of the page
  xmlHttp.setRequestHeader("Authorization", "Basic cGVwOnBhc3N3b3Jk");
  xmlHttp.send(JSON.stringify(xacmlRequest));
}
// Response handler: the JSON Profile response carries an array of decisions
function ProcessRequest() {
  if (xmlHttp.readyState === 4 && xmlHttp.status === 200) {
    var response = JSON.parse(xmlHttp.responseText);
    console.log(response.Response[0].Decision); // Permit, Deny, NotApplicable or Indeterminate
  }
}
And now, let’s bake!
Ok, so it’s time to wrap up
Forget spaghetti. Whip up lasagna!
(Sorry Sergio Leone)
REST + ALFA + JSON
A recipe for success
Don’t forget to pair the pasta with an elegant wine. Ask @ggebel, our head sommelier, for recommendations
Summary
EAM (eXternalized Authorization Management): The act of cleanly separating business logic from authorization logic and maintaining each one independently
ABAC (Attribute-based access control): An authorization model whereby parameters about the user, resource, action, and environment can be used to determine access
PBAC (Policy-based access control): An authorization model which uses attributes combined together inside policies to define granted or denied access
XACML (eXtensible Access Control Markup Language): The standard implementation of ABAC and PBAC, done by OASIS
References
• REST profile of XACML
• JSON profile of XACML
• ALFA profile of XACML
→ Available on the OASIS XACML TC website: oasis-open.org/committees/tc_home.php?wg_abbrev=xacml
Thank you all
David Brossard, Axiomatics – the leaders in ABAC & PBAC
@davidjbrossard @axiomatics http://developers.axiomatics.com