cis14: baking fine-grained authorization into your apps and apis using alfa, rest, and json

Why lasagna is better than spaghetti

Building authoriza/on into your apps, APIs, and DB using JSON, REST & ALFA

© Axioma/cs 2014 -‐ @axioma/cs

Before we begin, a liPle draw

Drop in your card at the Axioma/cs booth for a chance to win a Bose bluetooth speaker


A liPle history of pasta

Meet Sally And her precious one And so lasagna kicked spaghe6 out © Axioma/cs 2014 -‐ @axioma/cs

Doesn’t your code feel like spagheS?


(if/then/else mixology)

A liPle history of access control

Based on: Hilbert and Lopez, 2011

86 87 88 89 90 91 92 93 94 95 96 97 98 99 00 01 02 03 04 05 06 07

300

250

200

150

100

50

0

~93% digital

~0,7% digital

DAC

MAC

RBAC

ABAC Increasing access control challenges


What’s Our Secret Ingredient?

APributes… APributes… APributes…

APribute-‐Based Access Control

Who… What… Where… When… Why…

APributes can describe everything (not just who)

How…

The Secret Sauce?

Policy-‐Based Access Control

Centralized… Easy to audit…

eXtensible… Standardized… APribute-‐based…

XACML – eXtensible Access Control

= +

(ABAC) (PBAC)

XACML supports

Schrodinger's cat Paul Madsen’s

Bake in layers


Authoriza/on at the right place Business /er… API /er… Data /er… Web app /er… Presenta/on /er…

Data Tier

Bake once, enjoy everywhere

PresentaJon Tier

API & WS Tier

Business Tier eXternalized AuthorizaJon

Service

How does Chef Gebel take it to the next level?

I use ALFA, 100% XACML

I use JSON and REST too – easy on the developers

THE ALFA PLUGIN FOR ECLIPSE

Authoriza/on’s KitchenAid


What’s ALFA •  Abbreviated Language for Authoriza/on •  OASIS

–  Axioma/cs language donated to OASIS XACML –  In the process of standardiza/on

•  Goals –  Makes XACML policies easier to write –  Simplifies XACML structure –  Enhances possibili/es

•  Audience –  Aimed at developers ini/ally –  Very popular with business analysts


What’s the ALFA plugin? •  Add-‐on to Eclipse, the popular IDE •  Lets you write ALFA easily

– Auto-‐complete –  Syntax checking –  Syntax coloring

•  Converts ALFA into XACML 3.0 policies on the fly •  Lets you test your policies


Available for free from Axioma/cs

An example: the insurance use case •  Authoriza/on requirement

–  A customer can view his/her own policies and the policies of a spouse that are not marked as private

•  Iden/fy the aPributes –  User type; ac/on; policy owner; policy private flag; spouse; object

type; user iden/ty •  Rework the rule

–  A user with type==customer can do ac/on==view on object of type==policy…

•  if and only if policyOwner == userId or, •  If and only if policyPrivateFlag==false && policy.owner==user.spouse

•  Implement in ALFA © Axioma/cs 2014 -‐ @axioma/cs

THE JSON PROFILE OF XACML

Delicious & Healthy


Objec/ves •  Lightweight nota/on •  Get rid of the verboseness of XML •  Easy to write •  Broader support for languages (JS, Python…) •  Remove the XACML / XML redundancy •  Infer certain things e.g. datatypes


The JSON Profile -‐ Basics •  The profile is a close mirror of the XML XACML request / response

•  It is possible to omit informa/on and use inference –  Reasonable defaults –  E.g. String is not specified.

•  Default category names – AccessSubject, Resource, Ac/on, Environment


Example in HTML/Javascript <script language="javascript">

var jsonRequest = new Object(); jsonRequest.Request = new Object(); jsonRequest.Request.AccessSubject = new Object(); // jsonRequest.Request.AccessSubject.Attribute var userId = new Object(); userId.AttributeId="userId"; userId.Value="John"; var role = new Object(); role.AttributeId="role"; role.Value="manager"; jsonRequest.Request.AccessSubject.Attribute = [userId,role];

</script> © Axioma/cs 2014 -‐ @axioma/cs

Size of a XACML request


0

10

20

30

40

50

Word count

XML

JSON

0

200

400

600

800

1000

1200

1400

Char. Count

XML

JSON

THE REST PROFILE OF XACML The perfect way to serve your lasagna


Why a “REST” profile? •  No standard transport protocol in XACML core •  Different implementa/ons have different SOAP wrappings

•  SOAP in itself is losing in popularity •  Provide easy means to send authoriza/on request


Pos/ng the JSON Request in Javascript var xmlHttp = null; function authorize() {

var xacmlRequest = document.getElementById( "xacmlrequest" ).value;

var Url = "https://localhost:5443/axio/authorize"; xmlHttp = new XMLHttpRequest(); xmlHttp.onreadystatechange = ProcessRequest; xmlHttp.withCredentials = true; xmlHttp.open( "POST", Url, false ); xmlHttp.setRequestHeader("Accept","application/xacml+json"); xmlHttp.setRequestHeader("Content-Type","application/xacml+json"); xmlHttp.setRequestHeader("Authorization","Basic

cGVwOnBhc3N3b3Jk"); xmlHttp.send( JSON.stringify(xacmlRequest) );

} © Axioma/cs 2014 -‐ @axioma/cs

And now, let’s bake!

Ok, so it’s /me to wrap up

Forget spagheS. Whip up lasagna!


(Sorry Sergio Leone)

REST + ALFA + JSON

A recipe for success

Don’t forget to pair the pasta with an elegant wine. Ask @ggebel, our head sommelier, for recommenda/ons

Summary Acronym Name DescripJon

EAM eXternalized Authoriza/on Management

The act of cleanly separa0ng business logic from authoriza0on logic and maintaining each one independently

ABAC APribute-‐based access control

An authoriza0on model whereby parameters about the user, resource, ac0on, and environment can be used to determine access

PBAC Policy-‐based access control

An authoriza0on model which uses a<ributes combined together inside policies to define granted or denied access

XACML eXtensible Access Control Markup Language

The standard implementa0on of ABAC and PBAC – done by OASIS.

References •  REST profile of XACML •  JSON profile of XACML •  ALFA profile of XACML è Available on the OASIS XACML TC website oasis-‐open.org/commiPees/tc_home.php?wg_abbrev=xacml


Grazie a tutti i tutte

David Brossard Axioma/cs – the leaders in ABAC & PBAC @davidjbrossard @axioma/cs hPp://developers.axioma/cs.com


cis14: baking fine-grained authorization into your apps and apis using alfa, rest, and json

Technology

datatypes axiomacs2014

restalfa axiomacs2014

environment axiomacs2014

bakeinlayers axiomacs2014

json xmlhttp

axiomacs sorrysergioleone

axiomacs ifthenelse

processrequest xmlhttp