GT XACML Authorization


Presentation Transcript


  1. GT XACML Authorization. Rachana Ananthakrishnan, ranantha@mcs.anl.gov, Argonne National Laboratory

  2. Java Authorization Framework

  3. [Diagram] GT 4.0 Authorization Framework: Policy Enforcement Point; Web Services Message Context (store attributes); PIP1, PIP2 … PIPn; PDP1, PDP2 … PDPn, each returning Permit or Deny; Authorization Engine (Deny-override)

  4. AuthZ Framework Enhancements
  • Modular code base
  • Independent module
  • Removed web services dependency
  • Separated from Java WS Core
  • Java interfaces
  • Improved attribute processing
  • Normalized attribute representation
  • Comparison of attributes across sources
  • Merging of attributes of same entities

  5. AuthZ Framework Enhancements
  • Separate interface for request attributes
  • Bootstrap PIP interface
  • Improved authorization engine
  • Pluggable engine algorithm
  • Decision issuer part of decision making process
  • Administration and Access privileges
  • Default Algorithm: Permit-override combining algorithm
  • Construct decision chain from Requestor to Owner

  6. [Diagram] GT 4.2 Authorization Framework: Policy Enforcement Point; Request Attributes; bPIP1 [owner1] … bPIPn [ownerN]; PIP1 [owner1] … PIPn [ownerN]; PDP1 [owner1] … PDPn [ownerN]; Authorization Engine with PIP Attribute Processing, PDP Combining Algorithm, canAccess / canAdmin checks, and a final Decision
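Slides 3 to 6 describe an engine in which PIPs populate an attribute context, PDPs each vote Permit or Deny, and a pluggable combining algorithm (deny-override in GT 4.0, permit-override by default in GT 4.2) produces the decision. The model below is an added illustration, not GT code; the grid-map PIP, the two PDPs and the sample DN are constructed, and it shows how the same two votes yield opposite decisions under the two combiners, which is the point to check when relying on a single denying PDP.

```python
from enum import Enum
from typing import Callable, Dict, Iterable, List

class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"

Attributes = Dict[str, str]
PIP = Callable[[Attributes], Attributes]   # adds attributes to the shared context
PDP = Callable[[Attributes], Decision]     # evaluates one policy over the context
Combiner = Callable[[List[Decision]], Decision]

def deny_override(decisions: List[Decision]) -> Decision:
    """GT 4.0 style: any Deny wins, else any Permit, else NotApplicable."""
    if Decision.DENY in decisions:
        return Decision.DENY
    return Decision.PERMIT if Decision.PERMIT in decisions else Decision.NOT_APPLICABLE

def permit_override(decisions: List[Decision]) -> Decision:
    """GT 4.2 default: any Permit wins, else any Deny, else NotApplicable."""
    if Decision.PERMIT in decisions:
        return Decision.PERMIT
    return Decision.DENY if Decision.DENY in decisions else Decision.NOT_APPLICABLE

class AuthorizationEngine:
    """PIPs fill the attribute context first; PDPs then vote; the combiner decides."""
    def __init__(self, pips: Iterable[PIP], pdps: Iterable[PDP], combiner: Combiner):
        self.pips, self.pdps, self.combiner = list(pips), list(pdps), combiner

    def decide(self, request: Attributes) -> Decision:
        context = dict(request)            # analogue of the message context storing attributes
        for pip in self.pips:
            context.update(pip(context))   # normalized attributes merged into one context
        return self.combiner([pdp(context) for pdp in self.pdps])

# Constructed sample PIP and PDPs (hypothetical, not part of GT).
LOCAL_USERS = {"/O=Grid/CN=Alice": "alice"}   # constructed grid-map data
def gridmap_pip(ctx: Attributes) -> Attributes:
    return {"local_user": LOCAL_USERS.get(ctx.get("subject_dn", ""), "")}
def gridmap_pdp(ctx: Attributes) -> Decision:
    return Decision.PERMIT if ctx.get("local_user") else Decision.DENY
def maintenance_pdp(ctx: Attributes) -> Decision:
    return Decision.DENY if ctx.get("maintenance") == "true" else Decision.NOT_APPLICABLE

def authorize(subject_dn: str, maintenance: bool, combiner: Combiner) -> Decision:
    engine = AuthorizationEngine([gridmap_pip], [gridmap_pdp, maintenance_pdp], combiner)
    return engine.decide({"subject_dn": subject_dn, "maintenance": str(maintenance).lower()})
```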

  7. GT XACML Support

  8. Java XACML Library
  • Java beans generated from specification schema using Axis tools
  • Helper classes to construct higher level data types (e.g. SubjectHelper, RequestHelper)
  • Obligation Handler Interface
  • Pluggable implementation at application level
  • No signature support
  • Supported with TLS

  9. Using Java XACML Library
  • PDP to integrate with GT Authorization engine
  • Configured with authorization service endpoint
  • Obligation Handler for local user name
  • Sample authz service with XACML interface
  • XACML interface for CAS

  10. C XACML Library
  • Automatically generated bindings directly from WSDL/XML schema
  • Current implementation uses gSOAP schema parser
  • Clients construct / send authorization queries programmatically
  • Client response handling triggered by obligation ID in response
  • Server code registers for authorization query events
  • Application-specific decision making logic implemented in a callback when a query arrives
  • Initial code to work with gSOAP SSL/socket code
  • Current plans are to replace this with something more flexible
