1 / 26

Access Control Patterns & Practices with WSO2 Middleware

Access Control Patterns & Practices with WSO2 Middleware. Prabath Siriwardena. About Me. Director of Security Architecture at WSO2 Leads WSO2 Identity Server – an open source identity and entitlement management product. Apache Axis2/Rampart committer / PMC

arnav
Télécharger la présentation

Access Control Patterns & Practices with WSO2 Middleware

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Access Control Patterns & Practiceswith WSO2 Middleware Prabath Siriwardena

  2. About Me • Director of Security Architecture at WSO2 • Leads WSO2 Identity Server – an open source identity and entitlement management product. • Apache Axis2/Rampart committer / PMC • A member of OASIS Identity Metasystem Interoperability (IMI) TC, OASIS eXtensible Access Control Markup Language (XACML) TC and OASIS Security Services (SAML) TC. • Twitter : @prabath • Email : prabath@apache.org • Blog : http://blog.facilelogin.com • LinkedIn : http://www.linkedin.com/in/prabathsiriwardena

  3. Discretionary Access Control (DAC) vs. Mandatory Access Control (MAC)

  4. With the Discretionary Access Control, the user can be the owner of the data and at his discretion can transfer the rights to another user.

  5. With Mandatory Access Control, only designated users are allowed to grant rights and, users cannot transfer them.

  6. All WSO2 Carbon based products are based on Mandatory Access Control.

  7. Group is a collection of Users - while a Role is a collection of permissions.

  8. Authorization Table vs. Access Control Lists vs. Capabilities

  9. Authorization Table is a three column table with subject, action and resource.

  10. With Access Control Lists, each resource is associated with a list, indicating, for each subject, the actions that the subject can exercise on the resource.

  11. With Capabilities, each subject has an associated list, called capability list, indicating, for each resource, the accesses that the user is allowed to exercise on the resource.

  12. Access Control List is resource driven while capabilities are subject driven.

  13. With policy based access control we can have authorization policies with a fine granularity.

  14. Capabilities and Access Control Lists can be dynamically derived from policies.

  15. XACML is the de facto standard for policy based access control.

  16. XACML provides a reference architecture, a request response protocol and a policy language.

  17. XACML Reference Architecture Policy Administration Point (PAP) Policy Decision Point (PDP) Policy Store Policy Enforcement Point (PEP) Policy Information Point (PIP)

  18. WSO2 Identity Server (XACML PDP) XACML with Capabilities (WS-Trust) Hierarchical Resource Profile WSO2 Application Server (SOAP Service) XACML Request XACML Response WSO2 Identity Server (STS) SAML token with Authentication and Authorization Assertions (Capabilities) SAML token with Authentication and Authorization Assertion + Service Request SAML token request Client Application

  19. WSO2 Identity Server (XACML PDP) XACML with Capabilities (WS-Trust) Hierarchical Resource Profile XACML Request XACML Response WSO2 Identity Server (SAML2 IdP) WSO2 Application Server (Web Application) SAML token with Authentication and Authorization Assertion (Capabilities) Browser Redirect with SAML Request Unauthenticated Request

  20. Role Based Access Control WSO2 Application Server (SOAP Service) Client Application WSO2 ESB (Policy Enforcement Point) Service Request + Credentials RBAC

  21. WSO2 ESB as the XACML PEP (SOAP and REST) WSO2 Identity Server (XACML PDP) WSO2 Application Server (SOAP Service) XACML Response XACML Request Client Application WSO2 ESB (Policy Enforcement Point) Service Request + Credentials

  22. XACML PEP as a Servlet Filter WSO2 Identity Server (XACML PDP) XACML Response XACML Request Client Application WSO2 Application Server XACML Servlet Filter Service Request + Credentials

  23. OAuth + XACML WSO2 Identity Server (OAuth Authorization Server) API Gateway Validate() XACML Request Access Token XACML Response WSO2 Identity Server (XACML PDP) Client Application

  24. Authorization with External IdPs (Role Mapping) WSO2 Identity Server IdP Groups Web App roles External SAML2 IdP (Salesforce) WSO2 Application Server (Web Application) SAML token with Authentication and Attribute Assertions with IdP groups Browser Redirect with SAML Request Unauthenticated Request

  25. Liferay Portal XACML Multiple Decisions and Application Specific Roles WSO2 Identity Server (XAML PDP) XACML Request XACML Response Login

  26. lean . enterprise . middleware

More Related