Why lasagna is better than spaghetti: baking authorization into your applications using ALFA, JSON, and REST

Upload: david-brossard

Post on 29-Nov-2014


DESCRIPTION

Next-generation access control is undergoing a bit of an identity crisis. Some call it eXternalized Authorization Management, others Dynamic Access Control and still others just refer to it as Attribute Based Access Control (ABAC). Until now, XACML and ABAC have been the two pillars supporting next-gen AuthZ. Gartner predicts that 70% of enterprises will adopt ABAC by 2020. With ALFA, REST, and JSON, even the most complex authorization scenarios become extremely simple to implement. It's haute cuisine made simple. In this session, we will go hands-on with examples, live demos, coding, and delicious samples.

TRANSCRIPT

Page 1: Why lasagna is better than spaghetti: baking authorization into your applications using ALFA, JSON, and REST - Cloud Identity Summit 2014

© Axiomatics 2014 - @axiomatics

Why lasagna is better than spaghetti

Building authorization into your apps, APIs, and DB using JSON, REST & ALFA

Page 2

Before we begin, a little draw

Drop in your card at the Axiomatics booth for a chance to win a Bose bluetooth speaker

Page 3

A little history of pasta

Meet Sally. And her precious one. And so lasagna kicked spaghetti out.

Page 4

Doesn’t your code feel like spaghetti?

(if/then/else mixology)

Page 5

A little history of access control

Based on: Hilbert and Lopez, 2011

[Chart: growth of stored information, 1986 to 2007, from ~0.7% digital to ~93% digital, with the access control model of each period: DAC, MAC, RBAC, ABAC]

Increasing access control challenges

Page 6

What’s Our Secret Ingredient?

Attributes… Attributes… Attributes…

Page 7

Attribute-Based Access Control

Who… What… Where… When… Why… How…

Attributes can describe everything (not just who)

Page 8

The Secret Sauce?

Policy-Based Access Control

• Centralized…
• Easy to audit…
• eXtensible…
• Standardized…
• Attribute-based…

Page 9

XACML – eXtensible Access Control Markup Language

XACML = ABAC + PBAC

Page 10

XACML supports Schrödinger's cat (Paul Madsen’s)

Page 11

Bake in layers

Authorization at the right place

Business tier… API tier… Data tier… Web app tier… Presentation tier…

Page 12

Bake once, enjoy everywhere

Presentation Tier · API & WS Tier · Business Tier · Data Tier

eXternalized Authorization Service (shared by all tiers)

Page 13

How does Chef Gebel take it to the next level?

“I use ALFA, 100% XACML”

“I use JSON and REST too – easy on the developers”

Page 14

THE ALFA PLUGIN FOR ECLIPSE

Authorization’s KitchenAid

Page 15

What’s ALFA
• Abbreviated Language for Authorization
• OASIS
– Axiomatics language donated to OASIS XACML
– In the process of standardization
• Goals
– Makes XACML policies easier to write
– Simplifies XACML structure
– Enhances possibilities
• Audience
– Aimed at developers initially
– Very popular with business analysts

Page 16

What’s the ALFA plugin?
• Add-on to Eclipse, the popular IDE
• Lets you write ALFA easily
– Auto-complete
– Syntax checking
– Syntax coloring
• Converts ALFA into XACML 3.0 policies on the fly
• Lets you test your policies

Available for free from Axiomatics

Page 17

An example: the insurance use case
• Authorization requirement
– A customer can view his/her own policies and the policies of a spouse that are not marked as private
• Identify the attributes
– User type; action; policy owner; policy private flag; spouse; object type; user identity
• Rework the rule
– A user with type==customer can do action==view on object of type==policy…
• if and only if policyOwner == userId, or
• if and only if policyPrivateFlag==false && policy.owner==user.spouse
• Implement in ALFA

Page 18

THE JSON PROFILE OF XACML

Delicious & Healthy

Page 19

Objectives
• Lightweight notation
• Get rid of the verboseness of XML
• Easy to write
• Broader support for languages (JS, Python…)
• Remove the XACML / XML redundancy
• Infer certain things e.g. datatypes

Page 20

The JSON Profile - Basics
• The profile is a close mirror of the XML XACML request / response
• It is possible to omit information and use inference
– Reasonable defaults
– E.g. String is not specified.
• Default category names
– AccessSubject, Resource, Action, Environment

Page 21

Example in HTML/Javascript

<script type="text/javascript">
var jsonRequest = new Object();
jsonRequest.Request = new Object();
jsonRequest.Request.AccessSubject = new Object();
// jsonRequest.Request.AccessSubject.Attribute is an array of attribute objects,
// each with an AttributeId and a Value (DataType omitted: string is inferred)
var userId = new Object();
userId.AttributeId = "userId";
userId.Value = "John";
var role = new Object();
role.AttributeId = "role";
role.Value = "manager";
jsonRequest.Request.AccessSubject.Attribute = [userId, role];
</script>
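As an added example (not code from the slides), the same JSON-profile request shape carried through for the insurance use case of slide 17, together with the response handling a PEP needs before it acts on a decision. The attribute ids (userId, userType, spouseId, actionId, objectType, policyOwner, policyPrivateFlag) are assumed names chosen to match the slide's attribute list.

```javascript
// Added example (not from the slides): the JSON-profile request for the insurance
// use case of slide 17, plus fail-closed handling of the PDP's response at the PEP.
// Attribute ids are assumed names chosen to match the slide's attribute list.

// One attribute object as the JSON profile expects it. DataType is optional: the
// profile infers "string" from a JSON string and "boolean" from a JSON boolean.
function attr(id, value, dataType) {
  const a = { AttributeId: id, Value: value };
  if (dataType) a.DataType = dataType;
  return a;
}

// Build the request with the profile's default category names
// (AccessSubject, Action, Resource); Environment is simply left out.
function buildInsuranceRequest(user, action, policy) {
  return {
    Request: {
      AccessSubject: { Attribute: [
        attr("userId", user.id),
        attr("userType", user.type),
        attr("spouseId", user.spouse),
      ] },
      Action: { Attribute: [attr("actionId", action)] },
      Resource: { Attribute: [
        attr("objectType", "policy"),
        attr("policyOwner", policy.owner),
        attr("policyPrivateFlag", policy.isPrivate, "boolean"), // type stated explicitly
      ] },
    },
  };
}

// Interpret the response, shaped { "Response": [ { "Decision": "...", ... } ] }.
// Only an explicit Permit grants access: NotApplicable, Indeterminate, a malformed
// body or an unexpected number of results all mean Deny, and a Permit carrying an
// obligation this PEP cannot honour is refused too, as XACML requires of a PEP.
function isPermitted(response, knownObligationIds = []) {
  const results = response && response.Response;
  if (!Array.isArray(results) || results.length !== 1) return false;
  const result = results[0];
  if (result.Decision !== "Permit") return false;
  const obligations = Array.isArray(result.Obligations) ? result.Obligations : [];
  return obligations.every((o) => knownObligationIds.includes(o.Id));
}
// Constructed sample: John, a customer, views a non-private policy owned by his
// spouse Mary. This object is what the PEP would POST to the PDP.
const sampleRequest = buildInsuranceRequest(
  { id: "John", type: "customer", spouse: "Mary" }, "view",
  { owner: "Mary", isPrivate: false });
```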

Page 22

Size of a XACML request

[Chart: the same request as XML and as JSON, compared by word count (scale 0 to 45) and character count (scale 0 to 1400)]

Page 23

THE REST PROFILE OF XACML

The perfect way to serve your lasagna

Page 24

Why a “REST” profile?
• No standard transport protocol in XACML core
• Different implementations have different SOAP wrappings
• SOAP in itself is losing in popularity
• Provide easy means to send authorization request

Page 25

Posting the JSON Request in Javascript

var xmlHttp = null;

function authorize() {
    // The textarea already holds the JSON-profile request as text, so it is sent
    // as-is; JSON.stringify on a string would double-encode it.
    var xacmlRequest = document.getElementById("xacmlrequest").value;
    var url = "https://localhost:5443/axio/authorize";
    xmlHttp = new XMLHttpRequest();
    xmlHttp.onreadystatechange = ProcessRequest;
    xmlHttp.withCredentials = true;
    xmlHttp.open("POST", url, true); // asynchronous; the callback reads the reply
    xmlHttp.setRequestHeader("Accept", "application/xacml+json");
    xmlHttp.setRequestHeader("Content-Type", "application/xacml+json");
    // PEP credential as shown on the slide; a production PEP authenticates to the
    // PDP from server-side code rather than from the browser.
    xmlHttp.setRequestHeader("Authorization", "Basic cGVwOnBhc3N3b3Jk");
    xmlHttp.send(xacmlRequest);
}

// Callback referenced above but not shown on the slide: read the Decision once
// the response is complete, treating anything other than a 200 as a denial.
function ProcessRequest() {
    if (xmlHttp.readyState !== 4) return;
    var decision = "Deny";
    if (xmlHttp.status === 200) {
        var response = JSON.parse(xmlHttp.responseText);
        decision = response.Response[0].Decision;
    }
    console.log("PDP decision: " + decision);
}

Page 26

And now, let’s bake!

Page 27

Ok, so it’s time to wrap up

Page 28

Forget spaghetti. Whip up lasagna! (Sorry Sergio Leone)

REST + ALFA + JSON

A recipe for success

Don’t forget to pair the pasta with an elegant wine. Ask @ggebel, our head sommelier, for recommendations

Page 29

Summary

EAM (eXternalized Authorization Management): the act of cleanly separating business logic from authorization logic and maintaining each one independently.

ABAC (Attribute-based access control): an authorization model whereby parameters about the user, resource, action, and environment can be used to determine access.

PBAC (Policy-based access control): an authorization model which uses attributes combined together inside policies to define granted or denied access.

XACML (eXtensible Access Control Markup Language): the standard implementation of ABAC and PBAC, done by OASIS.

Page 30

References
• REST profile of XACML
• JSON profile of XACML
• ALFA profile of XACML

Available on the OASIS XACML TC website: oasis-open.org/committees/tc_home.php?wg_abbrev=xacml

Page 31

Thank you, everyone

David Brossard
Axiomatics – the leaders in ABAC & PBAC
@davidjbrossard
@axiomatics
http://developers.axiomatics.com