
eXtensible Access Control Markup Language[OASIS Standard]

Kailash Bhoopalam

Java and XML

Old Dominion University



Contents

  • Introduction to Access Control

  • Introduction to XACML

  • The XACML schema

  • Access Control Examples and Experiments with XACML

  • The XACML framework

  • Installing and using the XACML package.

  • Beyond Vanilla XACML

  • User Extensions to XACML Implementation

  • XACML in Secure Distributed Digital Libraries



Introduction to Access Control

John wants access to the protected file “PatientRecord1.doc”. His request to the File Server carries his identity and password:

    I am John,
    My password is X#$@!
    I want “PatientRecord1.doc”

i.e. <John(X#$@!), “PatientRecord1.doc”, R>. The File Server (holding “PatientRecord1.doc” and “PatientRecord2.doc”) answers two separate questions:

  • Authentication: Is John a valid user? Is the password accurate?

  • Authorization (Access Control): Is John allowed access to “PatientRecord1.doc”?

The authorization question is answered against entries of the form <Subject, Object, Action>:

    <John, “PatientRecord1.doc”, R>
    <Bob, “PatientRecord2.doc”, R>
    <Bill, “PatientRecord1.doc”, W>



Access Control, contd.

A request is a triple <S, O, A> (S – Subject, O – Object, A – Action). It is checked against the policy, or Access Control List (ACL), which is a set of such triples, <S, O, A>*; the response is a decision D.

    {Request}    <John, “PatientRecord1.doc”, R>
    {ACL}        <John, “PatientRecord1.doc”, R>
                 <Bob, “PatientRecord2.doc”, R>
                 <Bill, “PatientRecord1.doc”, W>
    {Response}   Permit

In general:

    {Request}    <S, O, A>
    {ACL}        <S, O, A>*
    {Response}   <D>*




Introduction to XACML

John wants access to protected file “PatientRecord1.doc”

The same decision expressed in (simplified) XACML: the policy holds a rule whose target names the subject, resource and action; the request context carries the same three attributes; the response context carries the decision. (Element names are abbreviated here relative to the XACML schema.)

XACML Policy:

    <rule effect="permit">
      <target>
        <subject>
          <value>John</value>
        </subject>
        <resource>
          <value>PatientRecord1.doc</value>
        </resource>
        <action>
          <value>R</value>
        </action>
      </target>
    </rule>

Request Context:

    <request>
      <subject>
        <value>John</value>
      </subject>
      <resource>
        <value>PatientRecord1.doc</value>
      </resource>
      <action>
        <value>R</value>
      </action>
    </request>

Response Context:

    <response>
      <decision>
        <value>Permit</value>
      </decision>
    </response>



Introduction to XACML contd.

How does XACML Work?

PEP – Policy Enforcement Point
PDP – Policy Decision Point

Authorization in an XACML-compliant File Server:

  0. XACML Policy Repository: the PDP loads its policies from here.

  1. Authenticated Request: the client's authenticated request reaches the PEP of the XACML-compliant File Server.

  2. Request: the PEP builds a request context and sends it to the PDP.

  3. Response: the PDP evaluates the policy and returns a response context carrying the decision.

  4. Decision Enforcement: the PEP enforces the decision.



XACML Schemas

Policy Schema:

    PolicySet (Combining Alg)
      Policy* (Combining Alg)
        Rule* (Effect)
          Subject*
          Resource*
          Action
          Condition*
        Obligation*

Request Schema:

    Request
      Subject
      Resource
      Action

Response Schema:

    Response
      Decision
      Obligation*




Some Experiments

  • Ex1

  • Ex2

  • Ex3




XACML Framework (Data flow model)




XACML Framework (Policy Language Model)




Installing and using the XACML Implementation

  • Available Implementations

    • Sun Microsystems (here) (download)

      • You may also optionally copy from ~kbhoopal/public_html/xacml/sunxacml.jar

    • Jiffy Software (here)

  • More on Sun’s XACML implementation

    • Available as a zip file.

    • Unzip and build with “ant” (download ant).

    • Include sunxacml.jar in the class path.




Using the XACML Implementation (A Programmer’s Guide)

  • Using Sun’s XACML Implementation

    • Overview of APIs

    • Building a basic PDP

    • Building the basic PEP

    • Validating Policies and Requests

  • Some Experiments




Beyond Vanilla Access Control

  • Policy & Rule Combining algorithms

    • Permit Overrides: If a single rule permits a request, irrespective of the other rules, the result of the PDP is Permit.

    • Deny Overrides: If a single rule denies a request, irrespective of the other rules, the result of the PDP is Deny.

    • First Applicable: The first applicable rule that satisfies the request is the result of the PDP.

    • Only-one-applicable: If there are two rules with different effects for the same request, the result is Indeterminate.




Beyond Vanilla, contd.

  • Conditions

    • Declarative use of boolean expressions

    • Using environment attributes like time, etc.

      • E.g., John can access PatientRecord1.doc only between 9am and 4pm.

  • Obligations

    • An operation specified in a policy or policy set that should be performed in conjunction with the enforcement of an authorization decision.
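As an added example (not code from the slides or from Sun's implementation), a toy PDP in Python: it evaluates <S, O, A> rules like those on the earlier slides, applies the 9am-4pm condition on John's read rule, and shows how each of the four combining algorithms above turns the same per-rule decisions into a different PDP result. The policy, the request dictionaries and the "hour" environment attribute are constructed for this example.

```python
from dataclasses import dataclass
from typing import Callable, Optional

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"

@dataclass
class Rule:
    """One rule: a target (subject/resource/action, None = matches any) plus an optional condition."""
    effect: str
    subject: Optional[str] = None
    resource: Optional[str] = None
    action: Optional[str] = None
    condition: Callable[[dict], bool] = lambda req: True

    def evaluate(self, req: dict) -> str:
        # Target matching: every attribute the rule names must equal the request's value.
        for attr in ("subject", "resource", "action"):
            wanted = getattr(self, attr)
            if wanted is not None and wanted != req.get(attr):
                return NOT_APPLICABLE
        # Condition (environment attributes such as "hour" travel in the request context).
        return self.effect if self.condition(req) else NOT_APPLICABLE

# Rule-combining algorithms: reduce the per-rule decisions to a single PDP decision.
def permit_overrides(ds):
    return PERMIT if PERMIT in ds else DENY if DENY in ds else NOT_APPLICABLE

def deny_overrides(ds):
    return DENY if DENY in ds else PERMIT if PERMIT in ds else NOT_APPLICABLE

def first_applicable(ds):
    return next((d for d in ds if d != NOT_APPLICABLE), NOT_APPLICABLE)

def only_one_applicable(ds):
    applicable = [d for d in ds if d != NOT_APPLICABLE]
    if len(applicable) > 1:          # e.g. one rule permits and another denies
        return INDETERMINATE
    return applicable[0] if applicable else NOT_APPLICABLE

def decide(rules, req, combine=deny_overrides):
    """Toy PDP: evaluate every rule against the request context, then combine."""
    return combine([r.evaluate(req) for r in rules])

# Constructed policy mirroring the slides' ACL, with the 9am-4pm window on John's read rule.
POLICY = [
    Rule(PERMIT, "John", "PatientRecord1.doc", "R", condition=lambda r: 9 <= r.get("hour", -1) < 16),
    Rule(PERMIT, "Bob", "PatientRecord2.doc", "R"),
    Rule(PERMIT, "Bill", "PatientRecord1.doc", "W"),
    Rule(DENY, resource="PatientRecord1.doc"),  # catch-all deny: anything else on this record
]
```

With John reading PatientRecord1.doc at 10:00 the per-rule decisions are [Permit, NotApplicable, NotApplicable, Deny], so permit-overrides and first-applicable give Permit, deny-overrides gives Deny, and only-one-applicable gives Indeterminate; at 20:00 the condition fails and every algorithm gives Deny.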




Beyond Vanilla, contd.

  • XACML Functions

    • Equality Predicates

    • Arithmetic & Arithmetic comparison

    • String Conversion

    • Numeric Data Type Conversion

    • Logical

    • Date and Time

    • Set

  • And many more




User Extensions to XACML Implementation

  • Extend

    • Attributes

    • Functions

    • Combining algorithms

    • Finder modules.




XACML in SDDL

  • Implementation of the PAP and PIP using a Policy Editor (here)

  • Implementation of SunXACML’s PDP with a custom PEP and integration with Shibboleth and Archon. (here)




References

  • XACML Specification

  • Sun’s XACML Implementation
