• No results found

XACML. extensible Access Control Markup Language

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "XACML. extensible Access Control Markup Language"

Copied!
32
0
0

Loading.... (view fulltext now)

Download now ( 32 Page )

Full text

(1)

XACML

eXtensible Access Control Markup Language

Author

Francisco Alexandre de Gouveia

Coordinator

Doutor Diogo Gomes

Collaborator

(2)

XACML – What is it?

Standard defined by OASIS for extensible and

generic access control

Consists on:

Extensible policy language in XML

Extensible request-response language in XML

Distributed architecture based on:

Policy Enforcement Point

Policy Decision Point

Policy Information Point

(3)

XACML – What is it used for?

Access control

As it is generic and extensible, can be applied in

any context:

Door access control

Web page access control

Service access control

Only takes decisions!

(4)

XACML – How it works?

Request-response system

(5)

XACML – Request

Can a subject

make an

action

on the resource

in

some environment?

Keywords:

Subject – The one who wants to interact

Action

– Kind of interaction

Resource

– Interaction’s destiny

Environment – Anything that cannot be included in

the last three categories

(6)

XACML – Request

Can a subject

make an

action

on the resource

in

some environment?

<Request>

<Subject>

<Attribute AttributeId=“user" DataType="http://www.w3.org/2001/XMLSchema#string">

<AttributeValue>Anonymous</AttributeValue>

</Attribute>

</Subject>

<Action>

<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"

DataType="http://www.w3.org/2001/XMLSchema#string">

<AttributeValue>Read</AttributeValue>

</Attribute>

</Action>

<Resource>

<Attribute AttributeId=“type" DataType="http://www.w3.org/2001/XMLSchema#string">

<AttributeValue>Topic</AttributeValue>

</Attribute>

</Resource>

Subject

Action

XACMLv2 example

(7)

XACML – Request

Can a subject

make an

action

on the resource

in

some environment?

<xacml:Attributes Category="

urn:oasis:names:tc:xacml:1.0:subject-category:access-subject

">

<xacml:Attribute AttributeId=“

user

“ IncludeInResult="false">

<xacml:AttributeValue

DataType="http://www.w3.org/2001/XMLSchema#string"

>

Anonymous

</xacml:AttributeValue>

<

Subject

>

<Attribute AttributeId=“

user"

DataType="http://www.w3.org/2001/XMLSchema#string"

>

<AttributeValue>

Anonymous

</AttributeValue>

</Attribute>

(8)

XACML – Response

Response types:

Access granted (Permit)

Access denied (Deny)

Indeterminate decision (Indeterminate)

No policies applicable (Not applicable)

Together with:

(9)

XACML – Response

* In the 2

nd

version of XACML, there is an

element

Obligation

Policy Enforcement Point must do all the

requested tasks described in

Obligations

So, what happens when a task is not relevant for the decision

but Policy Enforcement Point cannot do it?

(10)

XACML – Response

* In the 3

rd

version of XACML, there are

Obligation

and

Advice

elements

Policy Enforcement Point:

Must

run all the tasks described in

Obligations

Should

run all the tasks described in

Advices

If PEP fails to do a task from Advice elements,

(11)

XACML – Evaluation

How are policies structured?

There are 3 main elements

Permit

Deny

(12)

XACML – Evaluation

How are elements evaluated?

Each element has a “

Target

Evaluation is made from the top

PolicySet

Policy

Rule

Rule

PolicySet

Policy

Rule

Policy

Rule

Rule

Is applicable?

Yes! Evaluate next level

Is applicable?

No. Stop!

Is applicable?

Yes! Evaluate next level

No.

Stop!

Is applicable?

Yes! Evaluate next level

Applicable

Not applicable

Result: Access denied!!! Why?

Permit

Deny

(13)

XACML – Evaluation

What if more than one rule or policy is

applicable?

Answer: Combining algorithms

Permit-overrides

Deny-overrides

Only-one-applicable

First-applicable

(14)

XACML – Evaluation

How is a

Target

element made?

XACMLv2

XACMLv3

Target Subjects Subject Subject Match … Actions Action Action Match … Resources Resource Resource Match … Environments Environment Environment Match …

Target

AnyOf

AllOf

Match

Match

AllOf

Match

AnyOf

AllOf

Match

(15)

XACML – Evaluation

How is a

Target

element made?

XACMLv3

Target

AnyOf

AllOf

Match

Match

AllOf

Match

AllOf

Match

Uniform model for all the categories

Allows to define intersections and

unions of Matches

But…

AnyOf and AllOf elements are not

identified. Managing policies with such

elements turns out to be a problem that

can be solved by:

Analysing deeply element values to

know where to modify

(16)

PAP

Policy Administration Point

XACMLv3

Universidade de Aveiro

Author

Francisco Alexandre de Gouveia

Coordinator

Doutor Diogo Gomes

Collaborator

(17)

Policy Administration Point

Project objectives

Extensible information system (able to import

modules without recompilation)

User interface that abstracts the complexity of

XACMLv3

(18)

Policy Administration Point

Extensibility

Allows importation of classes implementing the

defined interfaces for:

Retrieving information from Policy Information Point

Persistence and retrieving policies

Used solution:

URLClassLoader - loads classes from

*.jar

files in

run-time

(19)

Policy Administration Point

(20)

Policy Administration Point

(21)

Policy Administration Point

(22)

Policy Administration Point

Extensibility

(Implemented modules)

Policy Retriever

Native XML database

ORACLE Berkeley’s DB XML

Problems occurred:

Doesn’t respect the standards

Doesn’t support connections

(e.g.: JDBC)

Doesn’t support 64bit

(23)

Policy Administration Point

Extensibility

(Implemented modules)

Info Retriever

Reads xml file

Returns:

Data types

Functions

Combining algorithms

(24)

Policy Administration Point

XACML complexity abstraction on the user

interface

Used solution:

Web interface with:

Policy representation in nodes with connections between

them

Complex name abstractions with images and simplified

names

XACML standard abstraction, showing only the possible

(25)

Policy Administration Point

Policy representation with nodes connected

between each others:

XHTML web page

Nodes: floating DIV elements

Framework created in javascript to create and manage

windows/nodes

Connections: HTML5 canvas used to draw lines between

nodes

(26)

Complex names abstraction with images and

simplified names

Functions:

string-equal

instead of

urn:oasis:names:tc:xacml:1.0:function:string-equal

Data types:

string

instead of

http://www.w3.org/2001/XMLSchema#string

(27)

Policy Administration Point

Creation of policies that obey to standard rules

Behind all abstraction, there is an effort to save the

policies in respect to the standard

Options change in relation to the element selected,

accordingly to the possibilities of this element

E.g.: There is a toolbox whose buttons are displayed

(28)

Policy Administration Point

Implementation: J2EE (problems occurred)

ClassLoader didn’t work as expected when hosted in

an application server

(29)

Policy Administration Point

Java Class Loader

(30)

Policy Administration Point

Web server instances

Application is stored in more than one container

For performance purposes, load is balanced between

containers

For single instance classes, a Session Bean

(31)

Policy Administration Point

Conclusions

XACML allows you to make fine-grained and generic

access control

3

rd

version brought improvements in relation to the 2

nd

version

Added advice element

Unions and intersections of targets

Multi-request

But it’s still a draft...

There are not many implementations

(32)

Policy Administration Point

References

Download now ( PDF - 32 Page - 1.42 MB )

Related documents

XML. Dott. Nicole NOVIELLI XML: extensible Markup Language

  Simple content: can contain attributes and must restrict some other existing type.   Complex content: can contain attributes and

Risk-Aware Access Control And XACML

This is also consistent with the way of defining risk mitigation strategies in the abstract RAAC model, where each resource is associated with a risk mitigation strategy, and

Extensible Markup Language: An Enterprise Integration Web Delivery System

The survey instrument was designed using questionnaires that covered the following variables: XML development, realm of XML standardization, adoption decision criteria

Extensible Markup Language (XML): Essentials for Climatologists

XML is a text based markup language and XML files can be created and edited using a simple text editor like Notepad. However, when you start working with XML, you will soon find

extensible Markup Language (XML): The Basics KUDA DUBE

• Processing instructions can be used to pass additional information to applications.. • The start with “&lt;?” and end

CSE 3241: XML Extensible Markup Language (Ch. 12)

&lt;!ELEMENT Project (Name, Location, Dept_no?, Workers)&gt;. &lt;!ATTLIST Project

CSE 3241: XML Extensible Markup Language (Ch. 12) 1

◦ Data can be stored in an XML document either as the contents of an element OR as an attribute of an element.. ◦ Why pick one over

Enterprise Extension through Extensible Markup Language 1

For instance, to collaborate in production and delivery, EE constituents may need to not only synchronize business processes, but also integrate back-office applications such