Why lasagna is better than spaghetti: baking authorization into your applications using ALFA, JSON, ...
DESCRIPTION
Next-generation access control is undergoing a bit of an identity crisis. Some call it eXternalized Authorization Management, others Dynamic Access Control, and still others just refer to it as Attribute Based Access Control (ABAC). Until now, XACML and ABAC have been the two pillars supporting next-gen AuthZ. Gartner predicts that 70% of enterprises will adopt ABAC by 2020. With ALFA, REST, and JSON, even the most complex authorization scenarios become extremely simple to implement. It's haute cuisine made simple. In this session, we will go hands-on with examples, live demos, coding, and delicious samples.
TRANSCRIPT
© Axiomatics 2014 - @axiomatics
Why lasagna is better than spaghetti
Building authorization into your apps, APIs, and DB using JSON, REST & ALFA
Before we begin, a little draw
Drop in your card at the Axiomatics booth for a chance to win a Bose bluetooth speaker
A little history of pasta
Meet Sally. And her precious one. And so lasagna kicked spaghetti out.
Doesn’t your code feel like spaghetti?
(if/then/else mixology)
A little history of access control
[Chart, years 1986 to 2007, y-axis 0 to 300 (unit not shown on the slide), based on Hilbert and Lopez, 2011: from ~0.7% digital to ~93% digital, with the access control models DAC, MAC, RBAC and ABAC placed along the same timeline. Caption: Increasing access control challenges]
What’s Our Secret Ingredient?
Attributes…Attributes…
Attributes…
Attribute-Based Access Control
Who… What… Where… When… Why…
Attributes can describe everything (not just who)
How…
The Secret Sauce?
Policy-Based Access Control
Centralized…Easy to audit…
eXtensible…Standardized…Attribute-based…
XACML – eXtensible Access Control Markup Language
XACML = ABAC + PBAC
XACML supports Schrödinger's cat (Paul Madsen's)
Bake in layers
Authorization at the right place: presentation tier… web app tier… business tier… API tier… data tier…
Bake once, enjoy everywhere: one eXternalized Authorization Service serving the Presentation Tier, the API & WS Tier, the Business Tier and the Data Tier
How does Chef Gebel take it to the next level?
“I use ALFA, 100% XACML.”
“I use JSON and REST too – easy on the developers.”
THE ALFA PLUGIN FOR ECLIPSE
Authorization’s KitchenAid
What’s ALFA
• Abbreviated Language for Authorization
• OASIS
– Axiomatics language donated to OASIS XACML
– In the process of standardization
• Goals
– Makes XACML policies easier to write
– Simplifies XACML structure
– Enhances possibilities
• Audience
– Aimed at developers initially
– Very popular with business analysts
What’s the ALFA plugin?
• Add-on to Eclipse, the popular IDE
• Lets you write ALFA easily
– Auto-complete
– Syntax checking
– Syntax coloring
• Converts ALFA into XACML 3.0 policies on the fly
• Lets you test your policies
Available for free from Axiomatics
An example: the insurance use case
• Authorization requirement
– A customer can view his/her own policies and the policies of a spouse that are not marked as private
• Identify the attributes
– User type; action; policy owner; policy private flag; spouse; object type; user identity
• Rework the rule
– A user with type == customer can do action == view on an object of type == policy…
• if policyOwner == userId, or
• if policyPrivateFlag == false and policyOwner == spouse (the user's spouse attribute)
• Implement in ALFA
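The reworked rule above, modelled in JavaScript as an added example (this is neither ALFA nor Axiomatics code; in the deck the rule is written in ALFA, compiled to XACML and evaluated by a PDP). The target is the customer/view/policy triple and the two permit conditions are kept as separate rules so the private-flag edge case stays visible. The attribute field names (id, type, spouse, owner, privateFlag), the sample people and policies, and the combining behaviour (deny unless a rule permits, inside the target) are assumptions made for the illustration.

```javascript
// Added example: a plain-JavaScript model of the insurance rule.
// Not ALFA and not Axiomatics code; attribute names are assumptions.

// Target: the policy only applies to customers viewing insurance policies.
function inTarget(user, action, object) {
  return user.type === "customer" && action === "view" && object.type === "policy";
}

// Rule 1: a customer may view a policy they own.
function viewOwnPolicy(user, object) {
  return object.owner === user.id;
}

// Rule 2: a customer may view a spouse's policy unless it is marked private.
// The explicit === false matters: a missing flag must not be read as "not private",
// and a user with no spouse attribute must never match someone else's policy.
function viewSpousePolicy(user, object) {
  return object.privateFlag === false && user.spouse !== undefined && object.owner === user.spouse;
}

// Deny-unless-permit inside the target: a request that matches the target but no
// permit rule is denied; a request outside the target is NotApplicable.
function evaluate(request) {
  const { user, action, object } = request;
  if (!inTarget(user, action, object)) return "NotApplicable";
  if (viewOwnPolicy(user, object) || viewSpousePolicy(user, object)) return "Permit";
  return "Deny";
}

// Constructed sample data (not from the deck).
const alice = { id: "alice", type: "customer", spouse: "bob" };
const bob = { id: "bob", type: "customer", spouse: "alice" };
const carol = { id: "carol", type: "customer" };      // no spouse attribute
const agent = { id: "dave", type: "agent" };          // outside the target

const bobsCarPolicy = { type: "policy", owner: "bob", privateFlag: false };
const bobsLifePolicy = { type: "policy", owner: "bob", privateFlag: true };
const bobsUnflaggedPolicy = { type: "policy", owner: "bob" }; // flag missing

// Run the cases a reviewer would ask about.
const cases = [
  { user: bob, action: "view", object: bobsCarPolicy },        // own policy
  { user: alice, action: "view", object: bobsCarPolicy },      // spouse, not private
  { user: alice, action: "view", object: bobsLifePolicy },     // spouse, private
  { user: alice, action: "view", object: bobsUnflaggedPolicy },// spouse, flag missing
  { user: carol, action: "view", object: bobsCarPolicy },      // unrelated customer
  { user: agent, action: "view", object: bobsCarPolicy },      // not a customer
];
for (const c of cases) {
  console.log(`${c.user.id} ${c.action} ${c.object.owner}'s policy -> ${evaluate(c)}`);
}
```

The missing-flag case is the one worth a second look: a PDP that wrote the second rule as `!privateFlag` would permit it, which is why the rule compares against `false` explicitly and why the attribute should be provisioned for every policy.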
THE JSON PROFILE OF XACML
Delicious & Healthy
Objectives
• Lightweight notation
• Get rid of the verboseness of XML
• Easy to write
• Broader support for languages (JS, Python…)
• Remove the XACML / XML redundancy
• Infer certain things, e.g. datatypes
The JSON Profile – Basics
• The profile is a close mirror of the XML XACML request / response
• It is possible to omit information and use inference
– Reasonable defaults
– E.g. when DataType is not specified, string is assumed
• Default category names
– AccessSubject, Resource, Action, Environment
Example in HTML/JavaScript

<script type="text/javascript">
// Build the JSON-profile request by hand. The Attribute key holds an array of
// attributes; DataType is omitted because the profile assumes string.
var jsonRequest = new Object();
jsonRequest.Request = new Object();
jsonRequest.Request.AccessSubject = new Object();
var userId = new Object();
userId.AttributeId = "userId";
userId.Value = "John";
var role = new Object();
role.AttributeId = "role";
role.Value = "manager";
jsonRequest.Request.AccessSubject.Attribute = [userId, role];
</script>
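The hand-built request above relies on the profile's string default. As an added example (not the deck's code), the helper below builds a JSON-profile request from plain attribute maps for the default categories and spells out DataType only where inference would be wrong, i.e. for boolean and integer values. The attribute identifiers and the sample values are constructed for the illustration.

```javascript
// Added example: build a JSON-profile XACML request from attribute maps.
// Not from the deck; attribute ids and sample values are constructed.

// XACML 3.0 datatype identifiers used here.
const DT = {
  string: "http://www.w3.org/2001/XMLSchema#string",
  boolean: "http://www.w3.org/2001/XMLSchema#boolean",
  integer: "http://www.w3.org/2001/XMLSchema#integer",
};

// Map a JavaScript value to a profile Attribute object. Strings stay implicit
// (the profile assumes string when DataType is absent); booleans and integers
// carry an explicit DataType so the PDP does not treat them as text.
function toAttribute(attributeId, value) {
  const attr = { AttributeId: attributeId, Value: value };
  if (typeof value === "boolean") attr.DataType = DT.boolean;
  else if (typeof value === "number" && Number.isInteger(value)) attr.DataType = DT.integer;
  else if (typeof value !== "string") throw new TypeError(`unsupported value for ${attributeId}`);
  return attr;
}

// Turn {category: {attributeId: value}} into the profile's Request object,
// accepting only the default category names.
function buildRequest(categories) {
  const allowed = ["AccessSubject", "Resource", "Action", "Environment"];
  const request = {};
  for (const [category, attrs] of Object.entries(categories)) {
    if (!allowed.includes(category)) throw new Error(`unknown category ${category}`);
    request[category] = {
      Attribute: Object.entries(attrs).map(([id, v]) => toAttribute(id, v)),
    };
  }
  return { Request: request };
}

// Constructed sample: the insurance use case, with the private flag as a real boolean.
const sample = buildRequest({
  AccessSubject: { userId: "alice", userType: "customer", spouse: "bob" },
  Action: { "action-id": "view" },
  Resource: { objectType: "policy", policyOwner: "bob", policyPrivateFlag: false },
});

console.log(JSON.stringify(sample, null, 2));
```

Sending `policyPrivateFlag` as the string "false" instead of a boolean is a classic way to make a "not private" check silently pass or fail at the PDP, which is why the builder refuses values it cannot type rather than guessing.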
Size of a XACML request
[Bar charts comparing the same request in XML and in JSON: word count (axis 0 to 45) and character count (axis 0 to 1400)]
THE REST PROFILE OF XACML
The perfect way to serve your lasagna
Why a “REST” profile?
• No standard transport protocol in XACML core
• Different implementations have different SOAP wrappings
• SOAP in itself is losing in popularity
• Provide easy means to send authorization requests
Posting the JSON Request in JavaScript

var xmlHttp = null;
function authorize() {
    // The textarea holds the request as text; parse it so malformed input is
    // caught here and so it is not double-encoded by JSON.stringify below.
    var xacmlRequest = JSON.parse(document.getElementById("xacmlrequest").value);
    var url = "https://localhost:5443/axio/authorize";
    xmlHttp = new XMLHttpRequest();
    xmlHttp.onreadystatechange = ProcessRequest;
    xmlHttp.withCredentials = true;
    xmlHttp.open("POST", url, true); // asynchronous; a synchronous XHR blocks the page
    xmlHttp.setRequestHeader("Accept", "application/xacml+json");
    xmlHttp.setRequestHeader("Content-Type", "application/xacml+json");
    // Demo credentials (pep:password). Never ship PEP credentials in browser code.
    xmlHttp.setRequestHeader("Authorization", "Basic cGVwOnBhc3N3b3Jk");
    xmlHttp.send(JSON.stringify(xacmlRequest));
}
function ProcessRequest() {
    if (xmlHttp.readyState !== 4) return;
    // Anything but a 200 with a parsable body is treated as Indeterminate.
    var decision = xmlHttp.status === 200
        ? JSON.parse(xmlHttp.responseText).Response[0].Decision
        : "Indeterminate";
    console.log("Decision: " + decision);
}
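The browser snippet above logs the decision; a PEP has to act on it. As an added example (not the deck's code), the helper below wraps the REST profile call with fetch and fails closed: Deny, NotApplicable and Indeterminate, non-200 status codes, unparsable bodies and transport errors all become "not allowed". The PDP URL and the credential source are assumptions; the Basic header is computed from caller-supplied credentials rather than pasted into the page, and the sample responses are constructed in the shape the JSON profile defines.

```javascript
// Added example: fail-closed PEP helper for the XACML REST/JSON profiles.
// Not from the deck; endpoint, credentials and sample responses are assumptions.

const XACML_JSON = "application/xacml+json";

// Build the Basic header from credentials the caller obtained at run time
// (server-side config, a secret store); never hard-code them into client code.
function basicAuth(user, password) {
  const raw = `${user}:${password}`;
  const b64 = typeof btoa === "function" ? btoa(raw) : Buffer.from(raw).toString("base64");
  return "Basic " + b64;
}

// Map an HTTP status and parsed JSON-profile response body to allow/deny.
// Fail closed: only an HTTP 200 carrying exactly one Response whose Decision is
// "Permit" allows access. Deny, NotApplicable, Indeterminate, other statuses,
// empty or malformed bodies and multiple responses (which a single request must
// not produce) all deny.
function isPermitted(status, body) {
  if (status !== 200 || !body || !Array.isArray(body.Response)) return false;
  if (body.Response.length !== 1) return false;
  return body.Response[0].Decision === "Permit";
}

// POST the request over the REST profile (fetch: browsers and Node 18+).
async function authorize(pdpUrl, request, credentials) {
  try {
    const res = await fetch(pdpUrl, {
      method: "POST",
      headers: {
        "Content-Type": XACML_JSON,
        Accept: XACML_JSON,
        Authorization: basicAuth(credentials.user, credentials.password),
      },
      body: JSON.stringify(request),
    });
    const body = await res.json().catch(() => null); // malformed body -> deny
    return isPermitted(res.status, body);
  } catch (err) {
    return false; // network or TLS failure -> deny
  }
}

// Constructed responses in the JSON-profile shape (not captured from a real PDP).
const permitBody = { Response: [{ Decision: "Permit" }] };
const denyBody = { Response: [{ Decision: "Deny" }] };
const indeterminateBody = {
  Response: [{
    Decision: "Indeterminate",
    Status: { StatusCode: { Value: "urn:oasis:names:tc:xacml:1.0:status:processing-error" } },
  }],
};

console.log(isPermitted(200, permitBody), isPermitted(200, denyBody), isPermitted(200, indeterminateBody));
```

Usage: `await authorize("https://pdp.example.test/authorize", request, { user: "pep", password: process.env.PEP_PASSWORD })`, with the URL and variable names being placeholders. The point of `isPermitted` is that an Indeterminate from a PDP that could not reach an attribute source looks nothing like a Permit, and the PEP must not let a generic "truthy response" check turn it into one.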
And now, let’s bake!
Ok, so it’s time to wrap up
Forget spaghetti. Whip up lasagna!(Sorry Sergio Leone)
REST + ALFA + JSON
A recipe for success
Don’t forget to pair the pasta with an elegant wine. Ask @ggebel, our head sommelier, for recommendations
Summary
Acronym – Name – Description
EAM – eXternalized Authorization Management – The act of cleanly separating business logic from authorization logic and maintaining each one independently
ABAC – Attribute-based access control – An authorization model whereby parameters about the user, resource, action, and environment can be used to determine access
PBAC – Policy-based access control – An authorization model which uses attributes combined together inside policies to define granted or denied access
XACML – eXtensible Access Control Markup Language – The OASIS standard for ABAC and PBAC
References
• REST profile of XACML
• JSON profile of XACML
• ALFA profile of XACML
Available on the OASIS XACML TC website: oasis-open.org/committees/tc_home.php?wg_abbrev=xacml
Thanks to everyone
David Brossard
Axiomatics – the leaders in ABAC & PBAC
@davidjbrossard
@axiomatics
http://developers.axiomatics.com