Access Control Patterns & Practices with WSO2 Middleware
Prabath Siriwardena (PowerPoint presentation)
Open Source Platform as a Service
About Me
Director of Security Architecture at WSO2
Leads WSO2 Identity Server, an open source identity and entitlement management product.
Apache Axis2/Rampart committer / PMC
A member of OASIS Identity Metasystem Interoperability (IMI) TC, OASIS eXtensible Access Control Markup Language (XACML) TC and OASIS Security Services (SAML) TC.
Twitter: @prabath
Email: firstname.lastname@example.org
Blog: http://blog.facilelogin.com
LinkedIn: http://www.linkedin.com/in/prabathsiriwardena
Discretionary Access Control (DAC) vs. Mandatory Access Control (MAC)
With Discretionary Access Control, the user can be the owner of the data and, at their discretion, can transfer the rights to another user.
With Mandatory Access Control, only designated users are allowed to grant rights, and users cannot transfer them.
All WSO2 Carbon based products are based on Mandatory Access Control.
A Group is a collection of Users, while a Role is a collection of permissions.

Authorization Table vs. Access Control Lists vs. Capabilities
An Authorization Table is a three-column table with subject, action and resource.
With Access Control Lists, each resource is associated with a list indicating, for each subject, the actions that the subject can exercise on the resource.
With Capabilities, each subject has an associated list, called a capability list, indicating, for each resource, the accesses that the subject is allowed to exercise on the resource.
An Access Control List is resource driven, while capabilities are subject driven.

With policy based access control we can have authorization policies with fine granularity.
Capabilities and Access Control Lists can be dynamically derived from policies.
XACML is the de facto standard for policy based access control.
XACML provides a reference architecture, a request/response protocol and a policy language.

XACML Reference Architecture
Policy Enforcement Point (PEP)
Policy Information Point (PIP)
Policy Administration Point (PAP)
Policy Decision Point (PDP)
Policy Store

XACML with Capabilities (WS-Trust) Hierarchical Resource Profile
[Diagram: Client Application, WSO2 Identity Server (STS), WSO2 Identity Server (XACML PDP), WSO2 Application Server (SOAP Service). Flow: SAML token request (Client Application to STS); XACML Request / XACML Response (STS and XACML PDP); SAML token with Authentication and Authorization Assertions (Capabilities) (STS to Client Application); SAML token with Authentication and Authorization Assertion + Service Request (Client Application to SOAP Service).]
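The three views on the same rights (authorization table, ACL, capability list) and the claim that ACLs and capabilities can be derived from policies, as an added example that is not part of the slides and is not WSO2 code. The policy format (role, action, resource prefix, effect) and the users, roles and resources are constructed for the example; decisions are combined with deny-overrides, the same idea as the XACML deny-overrides combining algorithm.

```python
"""Authorization table, ACL and capability views derived from one policy set.

Added example, not code from the slides or from WSO2. Policies use a
constructed toy format (role, action, resource prefix, effect) rather than
XACML XML; the decision logic combines them with deny-overrides.
"""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Policy:
    role: str        # "*" matches any role
    action: str      # "*" matches any action
    resource: str    # matches the resource and everything below it (hierarchical)
    effect: str      # "Permit" or "Deny"

    def matches(self, role, action, resource):
        return (self.role in ("*", role)
                and self.action in ("*", action)
                and (resource == self.resource or resource.startswith(self.resource + "/")))


# Constructed sample data: users with roles, a few resources and actions.
USER_ROLES = {
    "alice": {"admin"},
    "bob": {"engineer"},
    "carol": {"engineer", "contractor"},
}
RESOURCES = ["/svc/orders", "/svc/orders/export", "/svc/hr/payroll"]
ACTIONS = ["read", "write"]

POLICIES = [
    Policy("admin", "*", "/svc", "Permit"),
    Policy("engineer", "read", "/svc/orders", "Permit"),
    Policy("engineer", "write", "/svc/orders", "Permit"),
    # Deny wins over the engineer Permit for carol, who holds both roles.
    Policy("contractor", "*", "/svc/orders/export", "Deny"),
]


def decide(user, action, resource):
    """PDP: deny-overrides across every policy that matches any of the user's roles."""
    roles = USER_ROLES.get(user, set())
    effects = {p.effect for p in POLICIES for r in roles if p.matches(r, action, resource)}
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"   # no policy spoke; the PEP must treat this as a deny


def is_allowed(user, action, resource):
    """PEP: fail closed, only an explicit Permit grants access."""
    return decide(user, action, resource) == "Permit"


def authorization_table():
    """Three-column (subject, action, resource) table of everything permitted."""
    return sorted((u, a, r) for u, a, r in product(USER_ROLES, ACTIONS, RESOURCES)
                  if is_allowed(u, a, r))


def access_control_lists():
    """Resource-driven view: resource -> {subject: set of actions}."""
    acl = {}
    for u, a, r in authorization_table():
        acl.setdefault(r, {}).setdefault(u, set()).add(a)
    return acl


def capability_lists():
    """Subject-driven view: subject -> {resource: set of actions}."""
    caps = {}
    for u, a, r in authorization_table():
        caps.setdefault(u, {}).setdefault(r, set()).add(a)
    return caps


if __name__ == "__main__":
    for resource, entries in access_control_lists().items():
        print(resource, entries)
    for subject, entries in capability_lists().items():
        print(subject, entries)
```

Both derived views are computed from the same `decide()` call, so a policy change is reflected in the ACL and in every capability list without editing either table by hand. The PEP treats NotApplicable the same as Deny: a subject with no matching policy gets nothing.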
XACML with Capabilities (WS-Trust) Hierarchical Resource Profile
[Diagram, web application variant: WSO2 Application Server (Web Application), WSO2 Identity Server (SAML2 IdP), WSO2 Identity Server (XACML PDP). Flow: Unauthenticated Request to the Web Application; Browser Redirect with SAML Request to the SAML2 IdP; XACML Request / XACML Response (SAML2 IdP and XACML PDP); SAML token with Authentication and Authorization Assertion (Capabilities) returned to the Web Application.]

Role Based Access Control
[Diagram: Client Application sends Service Request + Credentials to WSO2 ESB (Policy Enforcement Point); WSO2 ESB forwards to WSO2 Application Server (SOAP Service). RBAC]

WSO2 ESB as the XACML PEP (SOAP and REST)
[Diagram: Client Application sends Service Request + Credentials to WSO2 ESB (Policy Enforcement Point); XACML Request / XACML Response between WSO2 ESB and WSO2 Identity Server (XACML PDP); WSO2 ESB forwards to WSO2 Application Server (SOAP Service).]

XACML PEP as a Servlet Filter
[Diagram: Client Application sends Service Request + Credentials to WSO2 Application Server; the XACML Servlet Filter in the application server sends the XACML Request to WSO2 Identity Server (XACML PDP) and receives the XACML Response.]

OAuth + XACML
[Diagram: Client Application presents Access Token to the API Gateway; API Gateway calls Validate() on WSO2 Identity Server (OAuth Authorization Server); XACML Request / XACML Response between WSO2 Identity Server (OAuth Authorization Server) and WSO2 Identity Server (XACML PDP).]

Authorization with External IdPs (Role Mapping)
[Diagram: Unauthenticated Request to WSO2 Application Server (Web Application); Browser Redirect with SAML Request to External SAML2 IdP (Salesforce); SAML token with Authentication and Attribute Assertions with IdP groups; WSO2 Identity Server maps IdP Groups to Web App roles.]

XACML Multiple Decisions and Application Specific Roles
[Diagram: Login to Liferay Portal; XACML Request / XACML Response between Liferay Portal and WSO2 Identity Server (XACML PDP).]

lean . enterprise . middleware
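The last two slides together (IdP groups mapped to application-specific roles, then one XACML request answered with several decisions), as an added example that is not part of the slides and is not WSO2 or Liferay code. The portal plays the PEP: it maps group names from the external IdP's SAML attribute assertion to its own roles, asks the PDP once about every candidate page, and renders only the pages that came back Permit. The group-to-role mapping, the page list and the role-to-page policy table are constructed for the example; the XML uses the XACML 3.0 namespace and standard attribute identifiers, and the repeated resource category is the Multiple Decision Profile mechanism the PDP expands into one result per resource.

```python
"""XACML 3.0 multiple-decision exchange with IdP-group-to-role mapping.

Added example, not code from the slides or from WSO2. The portal acts as the
PEP: it maps groups from an external IdP's SAML attribute assertion to its
own application roles, then asks the PDP in one request which pages the
user may view. The PDP returns one <Result> per resource, as in the XACML
3.0 Multiple Decision Profile (repeated resource categories). The policy is
a constructed toy table rather than XACML policy XML.
"""
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
CAT_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
CAT_RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
CAT_ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
ATTR_ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"
ATTR_RESOURCE = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ATTR_ACTION = "urn:oasis:names:tc:xacml:1.0:action:action-id"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
NS = {"x": XACML}
ET.register_namespace("xacml", XACML)

# Constructed: group names as the external IdP sends them -> portal roles.
# A group with no mapping grants no role, so an unexpected IdP group is harmless.
ROLE_MAPPING = {"Sales Team": "sales", "Finance Dept": "finance", "Portal Admins": "admin"}

# Constructed toy policy: which pages each portal role may "view"; anything
# else is denied (think of a final deny-all rule under deny-overrides).
PERMITTED_PAGES = {
    "sales": {"/portal/crm", "/portal/reports"},
    "finance": {"/portal/ledger", "/portal/reports"},
    "admin": {"/portal/crm", "/portal/ledger", "/portal/reports", "/portal/admin"},
}


def map_groups_to_roles(idp_groups):
    return sorted({ROLE_MAPPING[g] for g in idp_groups if g in ROLE_MAPPING})


def _add_attribute(parent, attribute_id, value, include_in_result=False):
    attr = ET.SubElement(parent, f"{{{XACML}}}Attribute",
                         {"AttributeId": attribute_id,
                          "IncludeInResult": "true" if include_in_result else "false"})
    ET.SubElement(attr, f"{{{XACML}}}AttributeValue", {"DataType": XS_STRING}).text = value


def build_request(roles, action, resources):
    """PEP side: one request carrying every candidate resource."""
    req = ET.Element(f"{{{XACML}}}Request",
                     {"CombinedDecision": "false", "ReturnPolicyIdList": "false"})
    subject = ET.SubElement(req, f"{{{XACML}}}Attributes", {"Category": CAT_SUBJECT})
    for role in roles:
        _add_attribute(subject, ATTR_ROLE, role)
    _add_attribute(ET.SubElement(req, f"{{{XACML}}}Attributes", {"Category": CAT_ACTION}),
                   ATTR_ACTION, action)
    # One <Attributes> element per resource: the repeated-category form of the
    # profile. IncludeInResult makes the PDP echo the id so results can be paired.
    for resource in resources:
        res = ET.SubElement(req, f"{{{XACML}}}Attributes", {"Category": CAT_RESOURCE})
        _add_attribute(res, ATTR_RESOURCE, resource, include_in_result=True)
    return ET.tostring(req, encoding="unicode")


def _values(element, attribute_id):
    return [v.text for v in element.findall(
        f"x:Attribute[@AttributeId='{attribute_id}']/x:AttributeValue", NS)]


def pdp_evaluate(request_xml):
    """PDP side: split the request into one individual request per resource
    and answer each with its own <Result>."""
    root = ET.fromstring(request_xml)
    roles = [r for el in root.findall(f"x:Attributes[@Category='{CAT_SUBJECT}']", NS)
             for r in _values(el, ATTR_ROLE)]
    actions = [a for el in root.findall(f"x:Attributes[@Category='{CAT_ACTION}']", NS)
               for a in _values(el, ATTR_ACTION)]
    response = ET.Element(f"{{{XACML}}}Response")
    for res_el in root.findall(f"x:Attributes[@Category='{CAT_RESOURCE}']", NS):
        resource_id = _values(res_el, ATTR_RESOURCE)[0]
        permitted = actions == ["view"] and any(
            resource_id in PERMITTED_PAGES.get(role, ()) for role in roles)
        result = ET.SubElement(response, f"{{{XACML}}}Result")
        ET.SubElement(result, f"{{{XACML}}}Decision").text = "Permit" if permitted else "Deny"
        echoed = ET.SubElement(result, f"{{{XACML}}}Attributes", {"Category": CAT_RESOURCE})
        for attr in res_el.findall("x:Attribute[@IncludeInResult='true']", NS):
            echoed.append(attr)
    return ET.tostring(response, encoding="unicode")


def parse_response(response_xml):
    """PEP side: resource-id -> decision, keyed by the echoed attribute."""
    decisions = {}
    for result in ET.fromstring(response_xml).findall("x:Result", NS):
        resource_id = _values(result.find("x:Attributes", NS), ATTR_RESOURCE)[0]
        decisions[resource_id] = result.find("x:Decision", NS).text
    return decisions


def visible_pages(idp_groups, pages):
    """What the portal renders for a user whose SAML assertion lists idp_groups."""
    roles = map_groups_to_roles(idp_groups)
    decisions = parse_response(pdp_evaluate(build_request(roles, "view", pages)))
    return sorted(p for p in pages if decisions.get(p) == "Permit")


if __name__ == "__main__":
    pages = ["/portal/crm", "/portal/ledger", "/portal/reports", "/portal/admin"]
    print(visible_pages(["Sales Team", "Some Unmapped Group"], pages))
```

Two details matter in practice. The PEP pairs results with resources through the echoed `IncludeInResult` attribute rather than by position, so it does not depend on the PDP preserving request order. And a user whose IdP groups map to no application role ends up with an empty role list and is denied every page, which is the safe default when an external IdP starts sending a group name the mapping has never seen.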