Why lasagna is better than spaghetti
Building authorization into your apps, APIs, and DB using JSON, REST & ALFA

© Axiomatics 2014 - @axiomatics
Before we begin, a little draw

Drop in your card at the Axiomatics booth for a chance to win a Bose bluetooth speaker
A little history of pasta

Meet Sally. And her precious one. And so lasagna kicked spaghetti out.

Doesn't your code feel like spaghetti?
(if/then/else mixology)
A little history of access control

[Chart, based on Hilbert and Lopez, 2011: years 1986 through 2007 on the x-axis, 0 to 300 on the y-axis. The digital share of stored information grows from ~0.7% to ~93%, and over the same period access control models move from DAC to MAC to RBAC to ABAC, with increasing access control challenges.]
What's Our Secret Ingredient?
Attributes… Attributes… Attributes…

Attribute-Based Access Control
Who… What… Where… When… Why… How…
Attributes can describe everything (not just who)

The Secret Sauce?
Policy-Based Access Control
Centralized… Easy to audit… eXtensible… Standardized… Attribute-based…

XACML – eXtensible Access Control Markup Language = (ABAC) + (PBAC)

XACML supports Schrödinger's cat (Paul Madsen's)
Bake in layers

Authorization at the right place: Presentation tier… Web app tier… Business tier… API tier… Data tier…

Bake once, enjoy everywhere
Presentation Tier, API & WS Tier, Business Tier, Data Tier, all backed by one eXternalized Authorization Service
How does Chef Gebel take it to the next level?

"I use ALFA, 100% XACML"
"I use JSON and REST too – easy on the developers"
THE ALFA PLUGIN FOR ECLIPSE
Authorization's KitchenAid
What's ALFA
•  Abbreviated Language for Authorization
•  OASIS
  –  Axiomatics language donated to OASIS XACML
  –  In the process of standardization
•  Goals
  –  Makes XACML policies easier to write
  –  Simplifies XACML structure
  –  Enhances possibilities
•  Audience
  –  Aimed at developers initially
  –  Very popular with business analysts
What's the ALFA plugin?
•  Add-on to Eclipse, the popular IDE
•  Lets you write ALFA easily
  –  Auto-complete
  –  Syntax checking
  –  Syntax coloring
•  Converts ALFA into XACML 3.0 policies on the fly
•  Lets you test your policies

Available for free from Axiomatics
An example: the insurance use case
•  Authorization requirement
  –  A customer can view his/her own policies and the policies of a spouse that are not marked as private
•  Identify the attributes
  –  User type; action; policy owner; policy private flag; spouse; object type; user identity
•  Rework the rule
  –  A user with type==customer can do action==view on object of type==policy if, and only if, either:
    •  policyOwner == userId, or
    •  policyPrivateFlag == false && policy.owner == user.spouse
•  Implement in ALFA
THE JSON PROFILE OF XACML
Delicious & Healthy
Objectives
•  Lightweight notation
•  Get rid of the verbosity of XML
•  Easy to write
•  Broader support for languages (JS, Python…)
•  Remove the XACML / XML redundancy
•  Infer certain things, e.g. datatypes
The JSON Profile - Basics
•  The profile is a close mirror of the XML XACML request / response
•  It is possible to omit information and use inference
  –  Reasonable defaults
  –  E.g. the DataType can be left out: a JSON string value is taken as an XACML string
•  Default category names
  –  AccessSubject, Resource, Action, Environment
Example in HTML/Javascript

<script>
// Build the JSON-profile request as a plain object literal. AccessSubject is
// one of the profile's default category names, and DataType is omitted, so
// the PDP infers xs:string from the JSON string values.
var jsonRequest = {
  Request: {
    AccessSubject: {
      Attribute: [
        { AttributeId: "userId", Value: "John" },
        { AttributeId: "role", Value: "manager" }
      ]
    }
  }
};
</script>
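The following is an added example, not code from the deck or from Axiomatics. It carries the insurance use case from the ALFA slide into a complete JSON-profile request (subject, action and resource categories, DataType omitted) and adds a reference evaluation of the two rules in JavaScript, so a practitioner can check which decision the policy should return before writing the ALFA. The attribute ids (userId, userType, spouse, actionId, objectType, policyOwner, policyPrivateFlag) are assumed local names, not standard XACML identifiers, and the code runs under Node.js.

```javascript
// Added example (not from the deck): the insurance use case as a JSON-profile
// request plus a reference evaluation of its two rules. The attribute ids are
// assumed local names, not standard XACML identifiers.

const XSD = "http://www.w3.org/2001/XMLSchema#";

// JSON profile: when DataType is omitted the PDP infers it from the JSON type.
function inferDataType(value) {
  if (typeof value === "string") return XSD + "string";
  if (typeof value === "boolean") return XSD + "boolean";
  if (typeof value === "number") return Number.isInteger(value) ? XSD + "integer" : XSD + "double";
  throw new TypeError("cannot infer an XACML DataType for " + typeof value);
}

// PEP side: build the request. Category keys are the profile's default short
// names and DataType is left out on purpose. An attribute whose value is
// undefined (no spouse on file) is dropped: in XACML a missing attribute is an
// empty bag, never a null.
function buildInsuranceRequest(p) {
  const attrs = list => list
    .filter(a => a.Value !== undefined)
    .map(a => ({ AttributeId: a.id, Value: a.Value }));
  return {
    Request: {
      AccessSubject: { Attribute: attrs([
        { id: "userId", Value: p.userId },
        { id: "userType", Value: p.userType },
        { id: "spouse", Value: p.spouse },
      ]) },
      Action: { Attribute: attrs([{ id: "actionId", Value: p.action }]) },
      Resource: { Attribute: attrs([
        { id: "objectType", Value: "policy" },
        { id: "policyOwner", Value: p.policyOwner },
        { id: "policyPrivateFlag", Value: p.policyPrivate }, // JSON boolean -> xs:boolean
      ]) },
    },
  };
}

// PDP side: index the request as typed bags, filling in the inferred DataType.
function indexRequest(jsonRequest) {
  const bags = {};
  for (const [category, body] of Object.entries(jsonRequest.Request)) {
    bags[category] = {};
    for (const attr of body.Attribute || []) {
      const values = Array.isArray(attr.Value) ? attr.Value : [attr.Value];
      const dataType = attr.DataType || (values.length ? inferDataType(values[0]) : XSD + "string");
      const entry = bags[category][attr.AttributeId] ||
        (bags[category][attr.AttributeId] = { dataType, values: [] });
      entry.values.push(...values);
    }
  }
  return bags;
}

const EMPTY_BAG = { dataType: null, values: [] };
const lookup = (bags, category, id) => (bags[category] && bags[category][id]) || EMPTY_BAG;
// XACML any-of-any: some value of bag a equals some value of bag b.
const anyOfAny = (a, b) => a.values.some(x => b.values.includes(x));

// Reference evaluation of the slide's rule: a policy whose target is
// customer / view / policy and whose two rules are combined first-applicable.
function decideInsurance(jsonRequest) {
  const bags = indexRequest(jsonRequest);
  const S = id => lookup(bags, "AccessSubject", id);
  const R = id => lookup(bags, "Resource", id);
  const A = id => lookup(bags, "Action", id);

  const inTarget = S("userType").values.includes("customer")
    && A("actionId").values.includes("view")
    && R("objectType").values.includes("policy");
  if (!inTarget) return "NotApplicable";

  // Rule 1: the customer owns the policy.
  if (anyOfAny(R("policyOwner"), S("userId"))) return "Permit";

  // Rule 2: a spouse's policy that is not marked private. A flag that arrived
  // as the string "false" has the wrong type for boolean-equal; XACML reports
  // that as Indeterminate instead of silently treating it as "not private".
  const flag = R("policyPrivateFlag");
  if (flag.values.length && flag.dataType !== XSD + "boolean") return "Indeterminate";
  if (flag.values.includes(false) && anyOfAny(R("policyOwner"), S("spouse"))) return "Permit";

  return "NotApplicable";
}

// Wrap a decision in a JSON-profile Response.
function toJsonResponse(decision) {
  const code = decision === "Indeterminate"
    ? "urn:oasis:names:tc:xacml:1.0:status:processing-error"
    : "urn:oasis:names:tc:xacml:1.0:status:ok";
  return { Response: [{ Decision: decision, Status: { StatusCode: { Value: code } } }] };
}

// Constructed sample: Alice (married to Bob) views Bob's non-private policy.
const sample = buildInsuranceRequest({
  userId: "alice", userType: "customer", spouse: "bob",
  action: "view", policyOwner: "bob", policyPrivate: false,
});
console.log(JSON.stringify(toJsonResponse(decideInsurance(sample))));
```

The DataType inference mirrors the profile's rule: leave it out and the PDP derives it from the JSON type. That is also where the example shows a failure mode worth testing for: a client that serialises the private flag as the string "false" produces a string attribute, comparing it with a boolean is a type error, and the evaluation returns Indeterminate rather than quietly treating the policy as shareable. Because the rules are combined first-applicable, an owner viewing her own policy is permitted before the flag is ever examined.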
  
Size of a XACML request

[Chart: the same request as XML and as JSON, compared by word count (scale 0 to 50) and by character count (scale 0 to 1400).]
THE REST PROFILE OF XACML
The perfect way to serve your lasagna
Why a "REST" profile?
•  No standard transport protocol in XACML core
•  Different implementations have different SOAP wrappings
•  SOAP itself is losing popularity
•  Provide an easy means to send an authorization request
Posting the JSON Request in Javascript

var xmlHttp = null;

function authorize() {
  // The textarea already holds the request as JSON text: send it as-is.
  // JSON.stringify on that string would quote it, and the PDP would receive
  // a JSON string instead of a Request object.
  var xacmlRequest = document.getElementById("xacmlrequest").value;
  var url = "https://localhost:5443/axio/authorize";
  xmlHttp = new XMLHttpRequest();
  xmlHttp.onreadystatechange = processResponse;
  xmlHttp.withCredentials = true;
  xmlHttp.open("POST", url, true); // asynchronous; synchronous XHR blocks the page and is deprecated
  xmlHttp.setRequestHeader("Accept", "application/xacml+json");
  xmlHttp.setRequestHeader("Content-Type", "application/xacml+json");
  // Demo credential: cGVwOnBhc3N3b3Jk is base64 for pep:password. Browser-side
  // script is visible to every user, so a real PEP keeps its PDP credential server-side.
  xmlHttp.setRequestHeader("Authorization", "Basic cGVwOnBhc3N3b3Jk");
  xmlHttp.send(xacmlRequest);
}

function processResponse() {
  if (xmlHttp.readyState !== 4) return;
  // Anything but 200 is treated as Indeterminate: fail closed.
  if (xmlHttp.status !== 200) { console.log("Indeterminate"); return; }
  console.log(JSON.parse(xmlHttp.responseText).Response[0].Decision);
}
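Added example, not code from the deck or from Axiomatics: the same exchange with both sides visible. The PEP side builds the REST-profile HTTP request and reads the reply; the PDP side is a minimal handler that enforces the transport contract (authentication, POST, the application/xacml+json media type, well-formed JSON) before it decides anything. The endpoint path /authorize and the HTTP Basic requirement are assumptions for this example; the credential is the one the slide's header encodes (cGVwOnBhc3N3b3Jk is base64 for pep:password), used here as a demo value only. The two halves are wired together in-process so the example runs offline under Node.js.

```javascript
// Added example, not code from the deck or from Axiomatics: both sides of a
// REST-profile exchange as pure functions that can be wired together in-process.
// Assumptions: the PDP's entry point is <base>/authorize and it requires HTTP
// Basic authentication. The credential is the one the slide's header encodes
// (cGVwOnBhc3N3b3Jk is base64 for "pep:password"), a demo value only.

const XACML_JSON = "application/xacml+json";
const STATUS_OK = "urn:oasis:names:tc:xacml:1.0:status:ok";
const DEMO_PDP_CREDENTIAL = { user: "pep", password: "password" };

// Request from slide 21, reused here as the constructed sample input.
const SAMPLE_REQUEST = {
  Request: {
    AccessSubject: {
      Attribute: [
        { AttributeId: "userId", Value: "John" },
        { AttributeId: "role", Value: "manager" },
      ],
    },
  },
};

const basicHeader = c => "Basic " + Buffer.from(c.user + ":" + c.password).toString("base64");

// Compare secrets without leaking where they differ through timing.
function constantTimeEqual(a, b) {
  const x = Buffer.from(String(a)), y = Buffer.from(String(b));
  let diff = x.length ^ y.length;
  for (let i = 0; i < Math.max(x.length, y.length); i++) diff |= (x[i] || 0) ^ (y[i] || 0);
  return diff === 0;
}

// PEP side: the HTTP request the REST profile expects. The PEP holds the
// credential on the server; it is never shipped to a browser.
function buildPdpHttpRequest(pdpBaseUrl, jsonRequest, credential) {
  return {
    method: "POST",
    url: pdpBaseUrl.replace(/\/$/, "") + "/authorize",
    headers: { "content-type": XACML_JSON, accept: XACML_JSON, authorization: basicHeader(credential) },
    body: JSON.stringify(jsonRequest),
  };
}

// PDP side: validates the transport, then decides. The decision logic is kept
// tiny on purpose (role "manager" is permitted, anyone else denied); the point
// is the HTTP contract around it.
function handlePdpHttpRequest(req, expectedCredential) {
  const reply = (status, payload, extraHeaders = {}) => ({
    status,
    headers: { "content-type": XACML_JSON, ...extraHeaders },
    body: JSON.stringify(payload),
  });
  if (!constantTimeEqual(req.headers.authorization || "", basicHeader(expectedCredential))) {
    return reply(401, { error: "authentication required" }, { "www-authenticate": 'Basic realm="pdp"' });
  }
  if (req.method !== "POST") return reply(405, { error: "use POST" }, { allow: "POST" });
  const mediaType = (req.headers["content-type"] || "").split(";")[0].trim();
  if (mediaType !== XACML_JSON) return reply(415, { error: "expected " + XACML_JSON });
  let parsed;
  try { parsed = JSON.parse(req.body); } catch (e) { return reply(400, { error: "malformed JSON" }); }
  if (!parsed || typeof parsed.Request !== "object") return reply(400, { error: "missing Request" });

  const subject = (parsed.Request.AccessSubject && parsed.Request.AccessSubject.Attribute) || [];
  const isManager = subject.some(a => a.AttributeId === "role" && [].concat(a.Value).includes("manager"));
  return reply(200, {
    Response: [{ Decision: isManager ? "Permit" : "Deny", Status: { StatusCode: { Value: STATUS_OK } } }],
  });
}

// PEP side: map the HTTP reply to a decision. Anything other than a 200 with
// exactly one well-formed Result is Indeterminate: a PEP fails closed.
function readPdpHttpResponse(res) {
  if (res.status !== 200) return "Indeterminate";
  if ((res.headers["content-type"] || "").split(";")[0].trim() !== XACML_JSON) return "Indeterminate";
  try {
    const results = JSON.parse(res.body).Response;
    if (!Array.isArray(results) || results.length !== 1) return "Indeterminate";
    const d = results[0].Decision;
    return ["Permit", "Deny", "NotApplicable", "Indeterminate"].includes(d) ? d : "Indeterminate";
  } catch (e) {
    return "Indeterminate";
  }
}

// The whole exchange, in-process: the PEP builds, the PDP handles, the PEP
// reads. Only an explicit Permit grants access.
function authorizeInProcess(jsonRequest, pepCredential, pdpCredential) {
  const req = buildPdpHttpRequest("https://pdp.example/", jsonRequest, pepCredential);
  const res = handlePdpHttpRequest(req, pdpCredential);
  const decision = readPdpHttpResponse(res);
  return { status: res.status, decision, permitted: decision === "Permit" };
}

console.log(authorizeInProcess(SAMPLE_REQUEST, DEMO_PDP_CREDENTIAL, DEMO_PDP_CREDENTIAL));
```

The PEP treats anything but a 200 carrying exactly one well-formed Result as Indeterminate and grants access only on an explicit Permit, so a wrong media type, a rejected credential or a PDP error all fail closed. The credential check happens between a server-side PEP and the PDP; the browser never sees it, which is the caveat the slide's XMLHttpRequest snippet leaves implicit.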
  
And now, let's bake!

Ok, so it's time to wrap up

Forget spaghetti. Whip up lasagna!
(Sorry Sergio Leone)

REST + ALFA + JSON
A recipe for success

Don't forget to pair the pasta with an elegant wine. Ask @ggebel, our head sommelier, for recommendations
Summary

Acronym | Name | Description
EAM | eXternalized Authorization Management | The act of cleanly separating business logic from authorization logic and maintaining each one independently
ABAC | Attribute-based access control | An authorization model whereby parameters about the user, resource, action, and environment can be used to determine access
PBAC | Policy-based access control | An authorization model which uses attributes combined together inside policies to define granted or denied access
XACML | eXtensible Access Control Markup Language | The standard implementation of ABAC and PBAC – done by OASIS.
References
•  REST profile of XACML
•  JSON profile of XACML
•  ALFA profile of XACML
→ Available on the OASIS XACML TC website: oasis-open.org/committees/tc_home.php?wg_abbrev=xacml
Thank you, everyone

David Brossard
Axiomatics – the leaders in ABAC & PBAC
@davidjbrossard
@axiomatics
http://developers.axiomatics.com

CIS14: Baking Fine-Grained Authorization Into Your Apps and APIs using ALFA, REST, and JSON
