Access Control Patterns & Practices with WSO2 Middleware

Post on 22-Feb-2016

DESCRIPTION

Access Control Patterns & Practices with WSO2 Middleware, by Prabath Siriwardena (PowerPoint PPT presentation). About the author: Director of Security Architecture at WSO2; leads WSO2 Identity Server, an open source identity and entitlement management product; Apache Axis2/Rampart committer / PMC.

TRANSCRIPT

Access Control Patterns & Practices with WSO2 Middleware

Prabath Siriwardena

About Me

• Director of Security Architecture at WSO2
• Leads WSO2 Identity Server – an open source identity and entitlement management product.
• Apache Axis2/Rampart committer / PMC
• A member of OASIS Identity Metasystem Interoperability (IMI) TC, OASIS eXtensible Access Control Markup Language (XACML) TC and OASIS Security Services (SAML) TC.
• Twitter: @prabath
• Email: prabath@apache.org
• Blog: http://blog.facilelogin.com
• LinkedIn: http://www.linkedin.com/in/prabathsiriwardena

Discretionary Access Control (DAC) vs. Mandatory Access Control (MAC)

With Discretionary Access Control, the user can be the owner of the data and at his discretion can transfer the rights to another user.

With Mandatory Access Control, only designated users are allowed to grant rights, and users cannot transfer them.

All WSO2 Carbon based products are based on Mandatory Access Control.

A group is a collection of users, while a role is a collection of permissions.

Authorization Table vs. Access Control Lists vs. Capabilities

An Authorization Table is a three-column table with subject, action and resource.

With Access Control Lists, each resource is associated with a list indicating, for each subject, the actions that the subject can exercise on the resource.

With Capabilities, each subject has an associated list, called a capability list, indicating, for each resource, the accesses that the user is allowed to exercise on the resource.

Access Control Lists are resource driven, while capabilities are subject driven.

With policy based access control we can have authorization policies with a fine granularity.

Capabilities and Access Control Lists can be dynamically derived from policies.
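The following is an added example, not code from the slides or from WSO2. It shows the three representations described above as views of one set of rights: a simple group-to-role policy is expanded into the three-column authorization table, and the resource-driven ACL and subject-driven capability list are both derived from that table. The groups, roles, users and resources are constructed sample data, and the policy form (group holds role, user holds role) is an assumption chosen to keep the expansion short.

```python
"""Authorization table, ACL and capability views of the same access rights.

Added example (not from the original slides). Groups, roles, policy and
resources below are constructed sample data.
"""
from collections import defaultdict

# Constructed data. A group is a collection of users; a role is a collection
# of permissions (the distinction made on the slides).
GROUPS = {
    "finance": {"alice", "bob"},
    "engineering": {"carol"},
}
ROLES = {
    # role -> set of (action, resource) permissions
    "invoice-approver": {("read", "/invoices"), ("approve", "/invoices")},
    "invoice-viewer": {("read", "/invoices")},
    "deployer": {("read", "/services"), ("deploy", "/services")},
}
# Assumed policy form: which groups hold which roles ...
POLICY = [
    ("finance", "invoice-viewer"),
    ("engineering", "deployer"),
]
# ... plus direct role assignments to individual users.
USER_ROLES = {"alice": {"invoice-approver"}}


def authorization_table(groups, roles, policy, user_roles):
    """Expand the policy into the three-column table of (subject, action, resource)."""
    table = set()
    for group, role in policy:
        for user in groups.get(group, ()):
            for action, resource in roles[role]:
                table.add((user, action, resource))
    for user, held in user_roles.items():
        for role in held:
            for action, resource in roles[role]:
                table.add((user, action, resource))
    return table


def to_acl(table):
    """Resource-driven view: resource -> subject -> set of actions."""
    acl = defaultdict(lambda: defaultdict(set))
    for subject, action, resource in table:
        acl[resource][subject].add(action)
    return {resource: dict(subjects) for resource, subjects in acl.items()}


def to_capabilities(table):
    """Subject-driven view: subject -> resource -> set of actions."""
    caps = defaultdict(lambda: defaultdict(set))
    for subject, action, resource in table:
        caps[subject][resource].add(action)
    return {subject: dict(resources) for subject, resources in caps.items()}


# The same access check expressed against each representation.
def table_check(table, subject, action, resource):
    return (subject, action, resource) in table


def acl_check(acl, subject, action, resource):
    return action in acl.get(resource, {}).get(subject, set())


def cap_check(caps, subject, action, resource):
    return action in caps.get(subject, {}).get(resource, set())


def views_agree(table):
    """True if table, ACL and capability views give the same answer everywhere."""
    acl, caps = to_acl(table), to_capabilities(table)
    subjects = {s for s, _, _ in table} | {"nobody"}
    actions = {a for _, a, _ in table} | {"delete"}
    resources = {r for _, _, r in table} | {"/missing"}
    return all(
        table_check(table, s, a, r) == acl_check(acl, s, a, r) == cap_check(caps, s, a, r)
        for s in subjects for a in actions for r in resources
    )


if __name__ == "__main__":
    t = authorization_table(GROUPS, ROLES, POLICY, USER_ROLES)
    print("ACL:", to_acl(t))
    print("Capabilities:", to_capabilities(t))
    print("views agree:", views_agree(t))
```

Because every check reads the same underlying table, choosing ACLs or capabilities is a question of which lookup you need to be cheap: an ACL answers "who can touch this resource" in one step, a capability list answers "what can this subject reach", and regenerating either from the policy is what lets a change in the policy take effect without editing lists by hand.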

XACML is the de facto standard for policy based access control.

XACML Reference Architecture

XACML provides a reference architecture, a request response protocol and a policy language. Components of the reference architecture:

• Policy Enforcement Point (PEP)
• Policy Information Point (PIP)
• Policy Administration Point (PAP)
• Policy Decision Point (PDP)
• Policy Store
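To make the division of labour between those components concrete, here is an added example (not WSO2 code and not an XACML implementation) that models the flow in plain Python: the PAP writes rules into a policy store, the PEP intercepts a call and builds an attribute-based request, the PIP fills in the caller's roles from a user store, and the PDP evaluates the matching rules with deny-overrides combining and returns Permit, Deny or NotApplicable. The rules, the directory behind the PIP and the requests are constructed; the prefix matching of resource paths is an assumed simplification standing in for the hierarchical resource profile named on the later slides.

```python
"""Minimal XACML-style PEP / PIP / PDP flow with deny-overrides combining.

Added example, not WSO2 or XACML reference code. Rules are plain Python
dicts rather than XACML XML; policy, directory and requests are constructed.
"""
from dataclasses import dataclass

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass
class Rule:
    effect: str    # PERMIT or DENY
    target: dict   # attribute name -> set of acceptable values


@dataclass
class Policy:
    rules: list


class PolicyStore:
    """Where the PAP writes policies and the PDP reads them."""
    def __init__(self):
        self.policies = []

    def add(self, policy):          # the PAP's administration step
        self.policies.append(policy)


class PIP:
    """Resolves attributes the request does not carry, e.g. a user's roles."""
    def __init__(self, directory):
        self.directory = directory  # constructed stand-in for a user store

    def resolve(self, attrs):
        enriched = dict(attrs)
        subject = attrs.get("subject-id")
        roles = self.directory.get(subject, {}).get("roles", ())
        enriched.setdefault("roles", set(roles))
        return enriched


def _resource_matches(requested, wanted):
    # Assumed simplification of hierarchical resources: a rule written for
    # /services applies to /services itself and to everything below it.
    return any(requested == w or requested.startswith(w.rstrip("/") + "/") for w in wanted)


def rule_matches(rule, attrs):
    """A rule applies when every attribute in its target is satisfied."""
    for name, wanted in rule.target.items():
        have = attrs.get(name)
        if have is None:
            return False
        if name == "resource-id":
            if not _resource_matches(have, wanted):
                return False
        else:
            have_set = have if isinstance(have, set) else {have}
            if not have_set & wanted:
                return False
    return True


class PDP:
    def __init__(self, store, pip):
        self.store, self.pip = store, pip

    def evaluate(self, request):
        attrs = self.pip.resolve(request)
        effects = [r.effect for p in self.store.policies for r in p.rules
                   if rule_matches(r, attrs)]
        if not effects:
            return NOT_APPLICABLE
        return DENY if DENY in effects else PERMIT   # deny-overrides


class PEP:
    """Builds the request from the intercepted call and applies the decision."""
    def __init__(self, pdp):
        self.pdp = pdp

    def enforce(self, subject, action, resource):
        request = {"subject-id": subject, "action-id": action, "resource-id": resource}
        # Only an explicit Permit grants access; Deny and NotApplicable both block.
        return self.pdp.evaluate(request) == PERMIT


def demo_pep():
    """Wire the components with constructed policy and directory data."""
    store = PolicyStore()
    store.add(Policy(rules=[
        Rule(PERMIT, {"roles": {"viewer", "admin"}, "action-id": {"read"},
                      "resource-id": {"/services"}}),
        Rule(PERMIT, {"roles": {"admin"}, "resource-id": {"/services"}}),
        Rule(DENY, {"action-id": {"delete"}, "resource-id": {"/services/payments"}}),
    ]))
    pip = PIP({"alice": {"roles": {"admin"}}, "bob": {"roles": {"viewer"}}})
    return PEP(PDP(store, pip))


if __name__ == "__main__":
    pep = demo_pep()
    for subject, action, resource in [("bob", "read", "/services/orders"),
                                      ("alice", "delete", "/services/payments")]:
        print(subject, action, resource, "->", pep.enforce(subject, action, resource))
```

Two points the layout is meant to show: the PEP never evaluates policy itself, it only asks and enforces, so every enforcement point on the later slides (ESB, servlet filter, API gateway) can share one PDP; and a caller unknown to the PIP gets an empty role set, which makes the rules not applicable and therefore, at the PEP, a refusal rather than a default grant.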

XACML with Capabilities (WS-Trust) Hierarchical Resource Profile

Diagram labels:
• Components: Client Application; WSO2 Identity Server (STS); WSO2 Identity Server (XACML PDP); WSO2 Application Server (SOAP Service)
• Messages: SAML token request; XACML Request / XACML Response; SAML token with Authentication and Authorization Assertions (Capabilities); SAML token with Authentication and Authorization Assertion + Service Request

XACML with Capabilities (WS-Trust) Hierarchical Resource Profile

Diagram labels:
• Components: WSO2 Application Server (Web Application); WSO2 Identity Server (SAML2 IdP); WSO2 Identity Server (XACML PDP)
• Messages: Unauthenticated Request; Browser Redirect with SAML Request; XACML Request / XACML Response; SAML token with Authentication and Authorization Assertion (Capabilities)

RBAC (Role Based Access Control)

Diagram labels:
• Components: Client Application; WSO2 ESB (Policy Enforcement Point); WSO2 Application Server (SOAP Service)
• Messages: Service Request + Credentials

WSO2 ESB as the XACML PEP (SOAP and REST)

Diagram labels:
• Components: Client Application; WSO2 ESB (Policy Enforcement Point); WSO2 Identity Server (XACML PDP); WSO2 Application Server (SOAP Service)
• Messages: Service Request + Credentials; XACML Request / XACML Response

XACML PEP as a Servlet Filter

Diagram labels:
• Components: Client Application; WSO2 Application Server (XACML Servlet Filter); WSO2 Identity Server (XACML PDP)
• Messages: Service Request + Credentials; XACML Request / XACML Response

OAuth + XACML

Diagram labels:
• Components: Client Application; API Gateway; WSO2 Identity Server (OAuth Authorization Server); WSO2 Identity Server (XACML PDP)
• Messages: Access Token; Validate(); XACML Request / XACML Response

Authorization with External IdPs (Role Mapping)

Diagram labels:
• Components: WSO2 Application Server (Web Application); External SAML2 IdP (Salesforce); WSO2 Identity Server (maps IdP Groups to Web App roles)
• Messages: Unauthenticated Request; Browser Redirect with SAML Request; SAML token with Authentication and Attribute Assertions with IdP groups

XACML Multiple Decisions and Application Specific Roles

Diagram labels:
• Components: Liferay Portal; WSO2 Identity Server (XACML PDP)
• Messages: Login; XACML Request; XACML Response

lean . enterprise . middleware
