1 / 11

XACML Contributions Hal Lockhart, Oracle Corp

XACML Contributions Hal Lockhart, Oracle Corp. Topics. Authorization API Finding Input Attributes. Authorization API. XACML Specifies Policy language evaluation semantics XML format for policy interchange Abstract format for inputs and outputs, expressed in XML

aya
Télécharger la présentation

XACML Contributions Hal Lockhart, Oracle Corp

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. XACML ContributionsHal Lockhart, Oracle Corp

  2. Topics • Authorization API • Finding Input Attributes 2

  3. Authorization API • XACML Specifies • Policy language evaluation semantics • XML format for policy interchange • Abstract format for inputs and outputs, expressed in XML • Protocol for remote requests using XML input & output format • XACML does not specify • API for requesting policy decision 3

  4. Authorization API Benefits • Needed for call to local PDP • Local PDP required for low latentency calls • Inefficient to serialize data to and from XML • XML form not required by the standard • Also useful to have standard API for remote requests • Common code to build message 4

  5. API General Characteristics • Java initially, C++ and perhaps others to follow • Modeled on XACML Request/Response Contexts • Use XACML datatypes – in format natural to language • Mostly to be used by infrastructure components • Occasionally application may need to provide data • Infrastructure could be Container, Aspects, tool-generated code, etc. 5

  6. Why not Java Authorization/JSR 115? • Java Authorization (with or w/o JSR 115) based on Permissions • Passive enforcement by container is a good idea • Limitations to use of XACML features • No convenient, standard way to provide XACML inputs • No method to return outputs, e.g. Obligations, missing Attributes • New Resource type requires definition of new permissions class (recompile) 6

  7. Draft API Overview • Methods to build (and access) Request Context • Methods to process Response Context • “decide” method to invoke PDP • Single or bulk decisions • “whatIsAllowed” method to obtain allowed alternatives • Operates in the context of some scope • Creates invokes a series of decisions • Returns allowed alternatives within scope • Other convenience methods 7

  8. The Input Attributes Problem • XACML Policies operate on data provided • Only PDP sees/evaluates policies • What attributes should be provided? • Where can attributes be obtained from? • How can the proper instance value be obtained? 8

  9. Attribute Manifest File • File in XML format identifies attributes to be added to Request Context • Name of Attribute, Issuer, datatype, location, access method, other attribute to use as key • Not all fields may be present • Two usecases: • PDP advertizes required attributes • PIPs are configured to add attributes to Request Context 9

  10. AMF AMF AMF ReqCtx P I P Application LDAP ReqCtx OVD P I P PEP DB ReqCtx SAML P I P PDP Multiple PIP’s – Enhancing Request Context 10

  11. AMF AMF AMF Multiple PIP’s – Reacting to Missing Attributes RespCtx Miss Atr P I P Application LDAP RespCtx Miss Atr OVD P I P PEP DB RespCtx Miss Atr SAML P I P PDP 11

More Related