Why lasagna is better than spaghetti: baking authorization into your applications using ALFA, JSON, and REST - Cloud Identity Summit 2014

Posted on 29-Nov-2014


Next-generation access control is undergoing a bit of an identity crisis. Some call it eXternalized Authorization Management, others Dynamic Access Control and still others just refer to it as Attribute Based Access Control (ABAC). Until now, XACML and ABAC have been the two pillars supporting next-gen AuthZ. Gartner predicts that 70% of enterprises will adopt ABAC by 2020. With ALFA, REST, and JSON, even the most complex authorization scenarios become extremely simple to implement. It's haute cuisine made simple. In this session, we will go hands-on with examples, live demos, coding, and delicious samples.


  • 1. Why lasagna is better than spaghetti: building authorization into your apps, APIs, and DB using JSON, REST & ALFA (Axiomatics 2014 - @axiomatics)
  • 2. Before we begin, a little draw: drop your card at the Axiomatics booth for a chance to win a Bose Bluetooth speaker
  • 3. A little history of pasta: meet Sally and her precious one... and so lasagna kicked spaghetti out
  • 4. Doesn't your code feel like spaghetti?
  • 5. A little history of access control. [Chart, based on Hilbert and Lopez, 2011: stored information 1986-2007, rising from ~0.7% digital to ~93% digital; DAC, MAC, RBAC and ABAC appear in turn along the timeline, with increasing access control challenges]
  • 6. What's our secret ingredient? Attributes, attributes, attributes
  • 7. Attribute-Based Access Control: who, what, where, when, why, how. Attributes can describe everything (not just who)
  • 8. The secret sauce? Policy-Based Access Control: centralized, easy to audit, eXtensible, standardized, attribute-based
  • 9. XACML (eXtensible Access Control Markup Language) = ABAC + PBAC
  • 10. XACML supports Schrödinger's cat (Paul Madsen's)
  • 11. Bake in layers: authorization at the right place, in the presentation tier, web app tier, business tier, API tier and data tier
  • 12. Bake once, enjoy everywhere: one eXternalized Authorization Service serving the presentation tier, API & WS tier, business tier and data tier
  • 13. How does Chef Gebel take it to the next level? "I use ALFA, 100% XACML. I use JSON and REST too: easy on the developers"
  • 14. THE ALFA PLUGIN FOR ECLIPSE: the authorization KitchenAid
  • 15. What's ALFA? Abbreviated Language for Authorization
      - OASIS: an Axiomatics language donated to OASIS XACML, in the process of standardization
      - Goals: makes XACML policies easier to write, simplifies XACML structure, enhances possibilities
      - Audience: aimed at developers initially, very popular with business analysts
  • 16. What's the ALFA plugin? An add-on to Eclipse, the popular IDE
      - Lets you write ALFA easily: auto-complete, syntax checking, syntax coloring
      - Converts ALFA into XACML 3.0 policies on the fly
      - Lets you test your policies
  • 17. An example: the insurance use case
      - Authorization requirement: a customer can view his/her own policies and the policies of a spouse that are not marked as private
      - Identify the attributes: user type; action; policy owner; policy private flag; spouse; object type; user identity
      - Rework the rule: a user with type == customer can do action == view on an object of type == policy if and only if policyOwner == userId, or if and only if policyPrivateFlag == false && policy.owner == user.spouse
      - Implement in ALFA
  • 18. THE JSON PROFILE OF XACML: delicious & healthy
  • 19. Objectives
      - Lightweight notation: get rid of the verboseness of XML
      - Easy to write
      - Broader support for languages (JS, Python)
      - Remove the XACML / XML redundancy: infer certain things, e.g. datatypes
  • 20. The JSON Profile - basics
      - The profile is a close mirror of the XML XACML request / response
      - It is possible to omit information and use inference, with reasonable defaults, e.g. a datatype that is not specified is taken to be String
      - Default category names: AccessSubject, Resource, Action, Environment
  • 21. Example in HTML/JavaScript
  • 22. Size of a XACML request. [Two bar charts comparing the same request in XML and JSON: word count (0-50 scale) and character count (0-1400 scale)]
  • 23. THE REST PROFILE OF XACML: the perfect way to serve your lasagna
  • 24. Why a REST profile?
      - No standard transport protocol in XACML core
      - Different implementations have different SOAP wrappings
      - SOAP in itself is losing in popularity
      - Provide easy means to send an authorization request
  • 25. Posting the JSON request in JavaScript:

```javascript
var xmlHttp = null;

// Response handler referenced by the slide but not shown on it; this minimal
// version logs the decision from the JSON-profile response.
function ProcessRequest() {
  if (xmlHttp.readyState === 4 && xmlHttp.status === 200) {
    var response = JSON.parse(xmlHttp.responseText);
    console.log(response.Response[0].Decision);
  }
}

function authorize() {
  // The textarea holds the request as JSON text; parse it first so that
  // JSON.stringify below sends a JSON object rather than a quoted string.
  var xacmlRequest = JSON.parse(document.getElementById("xacmlrequest").value);
  var Url = "https://localhost:5443/axio/authorize";
  xmlHttp = new XMLHttpRequest();
  xmlHttp.onreadystatechange = ProcessRequest;
  xmlHttp.withCredentials = true;
  xmlHttp.open("POST", Url, true); // asynchronous; a synchronous XHR blocks the page
  xmlHttp.setRequestHeader("Accept", "application/xacml+json");
  xmlHttp.setRequestHeader("Content-Type", "application/xacml+json");
  xmlHttp.setRequestHeader("Authorization", "Basic cGVwOnBhc3N3b3Jk");
  xmlHttp.send(JSON.stringify(xacmlRequest));
}
```
  • 26. And now, let's bake!
  • 27. OK, so it's time to wrap up
  • 28. Forget spaghetti. Whip up lasagna! (Sorry Sergio Leone.) Don't forget to pair the pasta with an elegant wine; ask @ggebel, our head sommelier, for recommendations
  • 29. Summary
      - EAM, eXternalized Authorization Management: the act of cleanly separating business logic from authorization logic and maintaining each one independently
      - ABAC, Attribute-based access control: an authorization model whereby parameters about the user, resource, action, and environment can be used to determine access
      - PBAC, Policy-based access control: an authorization model which uses attributes combined together inside policies to define granted or denied access
      - XACML, eXtensible Access Control Markup Language: the standard implementation of ABAC and PBAC done by OASIS
  • 30. References: REST profile of XACML, JSON profile of XACML, ALFA profile of XACML; available on the OASIS XACML TC website (oasis-open.o
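An added example, not code from the deck or from Axiomatics, that ties slide 17 (the insurance rule) to slide 20 (the JSON profile basics). It builds a request in the shape of the JSON profile of XACML, using the profile's default category names and omitting DataType where the profile infers string, then evaluates the reworked insurance rule over that request so the full decision table can be checked offline. The attribute identifiers (user.id, user.type, user.spouse, policy.owner, policy.private, object.type, action-id), the users alice/bob/carol and the evaluator are all constructed for this example; in a real deployment the rule lives in an ALFA policy and the PDP evaluates it. The example goes one step beyond the slide by also returning NotApplicable when the target does not match and Indeterminate when an attribute the condition needs is missing.

```javascript
// Added example, not code from the Axiomatics deck. Attribute ids, users and
// policies below are constructed for illustration.

const XS_BOOLEAN = "http://www.w3.org/2001/XMLSchema#boolean";

// Build a request shaped like the JSON profile of XACML. Categories use the
// profile's default short names; DataType is omitted for strings (the profile
// defaults to string) and given explicitly for the boolean flag.
function buildRequest({ userId, userType, spouse, policyOwner, isPrivate }) {
  const present = (list) => list.filter((a) => a.Value !== undefined);
  return {
    Request: {
      AccessSubject: {
        Attribute: present([
          { AttributeId: "user.id", Value: userId },
          { AttributeId: "user.type", Value: userType },
          { AttributeId: "user.spouse", Value: spouse }, // absent when there is no spouse
        ]),
      },
      Action: { Attribute: [{ AttributeId: "action-id", Value: "view" }] },
      Resource: {
        Attribute: present([
          { AttributeId: "object.type", Value: "policy" },
          { AttributeId: "policy.owner", Value: policyOwner },
          { AttributeId: "policy.private", Value: isPrivate, DataType: XS_BOOLEAN },
        ]),
      },
    },
  };
}

// First value of an attribute in a category, or undefined if it is absent.
function attr(request, category, id) {
  const cat = request.Request[category];
  const found = cat && cat.Attribute.find((a) => a.AttributeId === id);
  return found ? found.Value : undefined;
}

// Evaluate the slide-17 rule and return a XACML decision string. Application
// code would normally send the request to the PDP; this mirrors the policy's
// target and its two rules so the decisions can be checked without a PDP.
function evaluateViewPolicy(request) {
  // Target: customers performing "view" on policy objects. Anything else is
  // outside this policy, so the answer is NotApplicable rather than Deny.
  if (
    attr(request, "AccessSubject", "user.type") !== "customer" ||
    attr(request, "Action", "action-id") !== "view" ||
    attr(request, "Resource", "object.type") !== "policy"
  ) {
    return "NotApplicable";
  }
  const userId = attr(request, "AccessSubject", "user.id");
  const spouse = attr(request, "AccessSubject", "user.spouse");
  const owner = attr(request, "Resource", "policy.owner");
  const isPrivate = attr(request, "Resource", "policy.private");
  // A condition over a missing attribute cannot be evaluated: report
  // Indeterminate so the PEP neither fails open nor silently fails closed.
  if (userId === undefined || owner === undefined) return "Indeterminate";
  if (owner === userId) return "Permit"; // rule 1: own policy
  if (typeof isPrivate !== "boolean") return "Indeterminate"; // rule 2 needs the flag
  if (!isPrivate && spouse !== undefined && owner === spouse) return "Permit"; // rule 2: spouse's non-private policy
  return "Deny"; // everything else under this policy
}

// Decision table for the rule, using the constructed customer alice (spouse bob).
function decisionTable() {
  const base = { userId: "alice", userType: "customer", spouse: "bob" };
  return {
    ownPrivate: evaluateViewPolicy(buildRequest({ ...base, policyOwner: "alice", isPrivate: true })),
    spouseShared: evaluateViewPolicy(buildRequest({ ...base, policyOwner: "bob", isPrivate: false })),
    spousePrivate: evaluateViewPolicy(buildRequest({ ...base, policyOwner: "bob", isPrivate: true })),
    stranger: evaluateViewPolicy(buildRequest({ ...base, policyOwner: "carol", isPrivate: false })),
    noSpouse: evaluateViewPolicy(buildRequest({ ...base, spouse: undefined, policyOwner: "bob", isPrivate: false })),
    notCustomer: evaluateViewPolicy(buildRequest({ ...base, userType: "agent", policyOwner: "alice", isPrivate: false })),
    missingFlag: evaluateViewPolicy(buildRequest({ ...base, policyOwner: "bob", isPrivate: undefined })),
  };
}

console.log(decisionTable());
```

The distinction between Deny, NotApplicable and Indeterminate is what makes the externalized decision auditable: a Deny means the policy spoke, NotApplicable means no policy covered the request, and Indeterminate means the request was malformed or an attribute source was missing, which is a monitoring signal rather than a business outcome.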

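An added example, not the deck's code, that reworks the slide-25 call for a PEP that must never fail open: the request is built as an object and posted with fetch (asynchronously, where the slide used a synchronous XMLHttpRequest), the Basic header is derived from a username and password instead of being pasted in, and the JSON-profile response is reduced to a decision with anything malformed mapped to Indeterminate. The PDP URL is the slide's own; the credentials pep / password are what the slide's Basic header encodes; the sample request and response are constructed for this example.

```javascript
// Added example, not code from the Axiomatics deck. SAMPLE_REQUEST and
// SAMPLE_RESPONSE are constructed so the helpers can be exercised offline.

const PDP_URL = "https://localhost:5443/axio/authorize"; // endpoint shown on slide 25

// fetch() options for a JSON-profile authorization request. `jsonRequest` is
// an object ({ Request: {...} }), not a string: stringifying a string, as the
// slide does with a textarea value, would send a JSON string literal instead
// of a JSON object.
function buildAuthorizeOptions(jsonRequest, username, password) {
  return {
    method: "POST",
    credentials: "include",
    headers: {
      Accept: "application/xacml+json",
      "Content-Type": "application/xacml+json",
      // btoa is available in browsers and in Node 16 or later.
      Authorization: "Basic " + btoa(username + ":" + password),
    },
    body: JSON.stringify(jsonRequest),
  };
}

// Reduce a JSON-profile response to one decision. The profile returns an
// array of results under "Response"; an unexpected shape, a missing result or
// an unknown decision string all map to Indeterminate so the caller cannot
// mistake a broken answer for a Permit.
function decisionOf(responseBody) {
  const results = responseBody && responseBody.Response;
  if (!Array.isArray(results) || results.length !== 1) return "Indeterminate";
  const d = results[0] && results[0].Decision;
  return ["Permit", "Deny", "NotApplicable", "Indeterminate"].includes(d) ? d : "Indeterminate";
}

// Asynchronous call to the PDP. Returns true only for an explicit Permit;
// transport errors, HTTP errors and every other decision count as not permitted.
async function isPermitted(jsonRequest, username, password) {
  const res = await fetch(PDP_URL, buildAuthorizeOptions(jsonRequest, username, password));
  if (!res.ok) return false;
  return decisionOf(await res.json()) === "Permit";
}

// Constructed sample request (attribute ids are illustrative) and a
// constructed PDP response in JSON-profile shape.
const SAMPLE_REQUEST = {
  Request: {
    AccessSubject: { Attribute: [{ AttributeId: "user.id", Value: "alice" }] },
    Action: { Attribute: [{ AttributeId: "action-id", Value: "view" }] },
    Resource: { Attribute: [{ AttributeId: "policy.owner", Value: "alice" }] },
  },
};
const SAMPLE_RESPONSE = {
  Response: [{ Decision: "Permit", Status: { StatusCode: { Value: "urn:oasis:names:tc:xacml:1.0:status:ok" } } }],
};

console.log(buildAuthorizeOptions(SAMPLE_REQUEST, "pep", "password").headers);
console.log(decisionOf(SAMPLE_RESPONSE));
```

Two points a reviewer would raise on the slide's version apply here as well. The Basic credential in browser-side code is readable by every visitor, so the PDP credential belongs in a server-side PEP, and the browser's decision is at best a UI hint: the server must ask the PDP again before serving the resource, or the client can simply skip the check. And because fetch resolves on any HTTP status, the `res.ok` test is what keeps a 401 or 500 from being treated as an answer.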