fine-grained authorization with xacml
DESCRIPTION
Fine-grained authorization with XACMLhttp://blog.facilelogin.com/TRANSCRIPT
Prabath Siriwardena – Software Architect, WSO2
Ronaldo Michael Jordan
eXtensible Access Control Markup Language
First Meeting – 21 May 2001
Requirements from Healthcare, DRM, Registry, Financial, Online Web
XACML 1.0 - OASIS Standard – 6 February 2003
XACML 1.1 – Committee Specification – 7th August 2003
XACML 2.0 – OASIS Standard – 1 February 2005
XACML 3.0 – OASIS Standard – 10th Aug 2010
Policy Administration
Point
Administrator
Defines
Policy Evaluation
Point
Access
Policy Decision Point
<inSequence> <entitlementService remoteServicePassword=“********" remoteServiceUrl="https://identity-server:9443/services" remoteServiceUserName="prabath"/> </inSequence>
UT
UT
<inSequence> <entitlementService
callbackClass=“org.wso2.carbon.identity.entitlement.mediator. KerberosEntitlementCallbackHandler” remoteServicePassword=“********" remoteServiceUrl="https://identity-server:9443/services" remoteServiceUserName="prabath” /> </inSequence>
Kerberos
Kerberos
<inSequence> <property name="xacml_use_rest" value=”true" scope=”axis2" type="STRING"/> <entitlementService remoteServicePassword=“********" remoteServiceUrl="https://identity-server:9443/services" remoteServiceUserName="prabath” /> </inSequence> BasicAuth/
RESTful
BasicAuth/RESTful
<inSequence> <entitlementService
callbackClass=“org.wso2.carbon.identity.entitlement.mediator. X509EntitlementCallbackHandler” remoteServicePassword=“********" remoteServiceUrl="https://identity-server:9443/services" remoteServiceUserName="prabath” /> </inSequence>
Sign
Sign
<inSequence> <entitlementService
callbackClass=“my.own.CustomEmtitlementCallbackhandler” remoteServicePassword=“********" remoteServiceUrl="https://identity-server:9443/services" remoteServiceUserName="prabath” /> </inSequence> Custom
Custom
package my.own; import org.wso2.carbon.identity.entitlement.mediator.EntitlementCallbackHandler; public class CustomEntitlementCallbackHandler extends EntitlementCallbackHandler { }
My PEP
XACML
http://blog.facilelogin.com/2010/11/net-client-web-app-authorization-with.html
Policy Decision Point
Policy Information
Point
Policy Decision Point
PIP Extension
(s)
Policy Evaluation
Point
package org.wso2.carbon.identity.entitlement.pip; import com.sun.xacml.ctx.RequestCtx; /** * PIPExtensions will be fired for each and every XACML request -‐ which will give a handle to the * incoming request. * */ public interface PIPExtension { /** * Gives a handle to the XACML request built. Can be used to carry out custom checks or updates * before sending to the PDP. * * @param request * Incoming XACML request. */ public void update(RequestCtx request); }
Policy Information
Point
PIP Designator
(s)
Policy Decision Point
package org.wso2.carbon.identity.entitlement.pip; import java.util.Set; /** * To register a PIP attribute handler with the PDP against their supported attributes -‐ you need to * implement this interface and add an entry to pip-‐config.xml file -‐ which should be inside * [CARBON_HOME]\repository\conf */ public interface PIPAttributeFinder { /** * Will be fired by CarbonAttributeFinder whenever it finds an attribute supported by this * module. * * @param subjectId Name of the subject the returned attributes should apply to. * @param resourceId The name of the resource the subject is trying to access. * @param attributeId The unique id of the required attribute. * @return Returns a <code>Set</code> of <code>String</code>s that represent the attribute values. * @throws Exception */ public Set<String> getAttributeValues(String subjectId, String resourceId, String attributeId) throws Exception; /** * Returns a <code>Set</code> of <code>String</code>s that represent the attributeIds handled by * this module, or null if this module doesn't handle any specific attributeIds. A return value * of null means that this module will not handle any attributes. */ public Set<String> getSupportedAttributes(); }
<PolicySet/>
<Policy/>
<Rule/>
<Target/>
<Subject/> <Resource/> <Action/>
<Environment/> <Condition/>
<PolicySet/>
<Policy/>
<Rule/>
<Target/>
<Subject/> <Resource/> <Action/>
<Environment/> <Condition/>
Allows PolicySet(s) or Policy(s) to be combined
<PolicySet/>
<Policy/>
<Rule/>
<Target/>
<Subject/> <Resource/> <Action/>
<Environment/> <Condition/>
PolicyCombiningAlgorithm
<PolicySet/>
<Policy/>
<Rule/>
<Target/>
<Subject/> <Resource/> <Action/>
<Environment/> <Condition/>
PolicyCombiningAlgorithm
Policy Administration
Point
Policy Store
<PolicySet/>
<PolicySet/>
<PolicySet/>
<PolicySet/>
<PolicySet/>
<Policy/>
<Rule/>
<Target/>
<Subject/> <Resource/> <Action/>
<Environment/> <Condition/>
Acts as an index to find out matching PolicySets
<PolicySet/>
<Policy/>
<Rule/>
<Target/>
<Subject/> <Resource/> <Action/>
<Environment/> <Condition/>
<PolicySet/>
<Policy/>
<Rule/>
<Target/>
<Subject/> <Resource/> <Action/>
<Environment/> <Condition/>
<PolicySet/>
<Policy/>
<Rule/>
<Target/>
<Subject/> <Resource/> <Action/>
<Environment/> <Condition/>
<PolicySet/>
<Policy/>
<Rule/>
<Target/>
<Subject/> <Resource/> <Action/>
<Environment/> <Condition/>
<PolicySet/>
<Policy/>
<Rule/>
<Target/>
<Subject/> <Resource/> <Action/>
<Environment/> <Condition/>
Allows Rule(s) be combined
<PolicySet/>
<Policy/>
<Rule/>
<Target/>
<Subject/> <Resource/> <Action/>
<Environment/> <Condition/>
RuleCombiningAlgorithm
<PolicySet/>
<Policy/>
<Rule/>
<Target/>
<Subject/> <Resource/> <Action/>
<Environment/> <Condition/>
<PolicySet/>
<Policy/>
<Rule/>
<Target/>
<Subject/> <Resource/> <Action/>
<Environment/> <Condition/>
<PolicySet/>
<Policy/>
<Rule/>
<Target/>
<Subject/> <Resource/> <Action/>
<Environment/> <Condition/>
<PolicySet/>
<Policy/>
<Rule/>
<Target/>
<Subject/> <Resource/> <Action/>
<Environment/> <Condition/>
<Policy PolicyId="urn:oasis:names:tc:xacml:2.0:conformance-test:IIA003:policy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides"> <Description> Policy for Conformance Test IIA003.</Description> <Target/> <Rule RuleId="urn:oasis:names:tc:xacml:2.0:conformance-test:IIA003:rule" Effect="Permit"> <Description> A subject with a "bogus" attribute with a value of "Physician" can read or write Bart Simpson's medical record. </Description> <Target> <Subjects> <Subject> <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
Physician </AttributeValue> <SubjectAttributeDesignator AttributeId=“urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </SubjectMatch> </Subject> </Subjects> </Target> </Rule> </Policy>
Data Types / Functions / Identifiers
Document Identifier: oasis-‐access_control-‐xacml-‐2.0-‐core-‐spec-‐os Section : 10
<Request/>
<Subject/>
<Resource/>
<Environment/>
<Action/>
<Attribute/>
<Response/>
<Result/>
<Decision/>
Conveying XACML Attributes in a SOAP Message
xacml-samlp:XACMLAuthzDecisionQuery
saml:Attribute
XACML Assertions
XACMLAuthzAssertion
XACMLPrivacyAssertion
Defines how to use SAML 2.0 to protect, store, transport, request, and respond with XACML schema instances and other
information needed by an XACML implementation.
<saml:Assertion Version="2.0" ID="9812368” IssueInstant="2006-05-31T13:20:00.000"> <saml:Issuer>https://XACMLPDP.example.com</saml:Issuer> <saml:Statement xsi:type="xacml-saml:XACMLAuthzDecisionStatementType"> <xacml-context:Response> <xacml-context:Result> <xacml-context:Decision> NotApplicable </xacml-context:Decision> </xacml-context:Result> </xacml-context:Response> <xacml-context:Request> .... </xacml-context:Request> </saml:Statement> </saml:Assertion>
Optimizations in XPATH
User-defined attribute categories
New TARGET matching criteria : <AnyOf> <AllOf>
New Obligation Expressions
Advice
Delegation
Multiple Decision Profile
Enhancements to Policy Combining Algorithms
