
eXtensible Access Control Markup Language [OASIS Standard]

Kailash Bhoopalam

Java and XML

Old Dominion University

Contents
  • Introduction to Access Control
  • Introduction to XACML
  • The XACML schema.
  • Access Control Examples and Experiments with XACML.
  • The XACML framework.
  • Installing and using the XACML package.
  • Beyond Vanilla XACML
  • User Extensions to XACML Implementation
  • XACML in Secure Distributed Digital Libraries


Introduction to Access Control

John wants access to protected file “PatientRecord1.doc”

Request from John to the File Server:

  • I am John,
  • My password is X#[email protected]!
  • I want “PatientRecord1.doc”

File Server checks:

  • Authentication
    • Is John a valid user
    • Is the password accurate
  • Authorization (Access Control)
    • Is John allowed access to “PatientRecord1.doc”

), “PatientRecord1.doc”, R>

Protected files: “PatientRecord1.doc”, “PatientRecord2.doc”


Access Control, contd.

[Diagram comparing two flows (VS). Labels: {Request}, {Policy or Access Control List (ACL)}, {Response}, Permit; and {Request}, {Access Control List (ACL)}, {Response}]

S – Subject, O – Object, A – Action, D – Decision

Introduction to XACML

John wants access to protected file “PatientRecord1.doc”

  • Request Context: John, PatientRecord1.doc, R
  • XACML Policy: John, PatientRecord1.doc, R
  • Response Context: Permit

Introduction to XACML contd.

How does XACML Work?

  • PEP – Policy Enforcement Point
  • PDP – Policy Decision Point

[Diagram: XACML Compliant File Server containing a PEP and a PDP (Authorization), with numbered steps:]

  0. XACML Policy Repository
  1. Authenticated Request
  2. Request
  3. Response
  4. Decision Enforcement

XACML Schemas

Request Schema

  • Request
    • Subject
    • Resource
    • Action

Policy Schema

  • PolicySet (Combining Alg)
    • Policy* (Combining Alg)
      • Rule* (Effect)
        • Subject*
        • Resource*
        • Action
        • Condition*
      • Obligation*

Response Schema

  • Response
    • Decision
    • Obligation*
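A request context and a response context for the John / PatientRecord1.doc case, parsed and built with Python's standard library. This is an added example, not code from the presentation or from Sun's implementation; the attribute values are constructed, and the identifiers are the XACML 1.0 context namespace and standard attribute ids.

```python
import xml.etree.ElementTree as ET

CTX = "urn:oasis:names:tc:xacml:1.0:context"      # request/response namespace
ID = "urn:oasis:names:tc:xacml:1.0:"              # prefix of standard attribute ids
STR = "http://www.w3.org/2001/XMLSchema#string"

# Constructed request context: John asks to read (R) PatientRecord1.doc.
REQUEST_XML = f"""<Request xmlns="{CTX}">
  <Subject>
    <Attribute AttributeId="{ID}subject:subject-id" DataType="{STR}">
      <AttributeValue>John</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <Attribute AttributeId="{ID}resource:resource-id" DataType="{STR}">
      <AttributeValue>PatientRecord1.doc</AttributeValue>
    </Attribute>
  </Resource>
  <Action>
    <Attribute AttributeId="{ID}action:action-id" DataType="{STR}">
      <AttributeValue>R</AttributeValue>
    </Attribute>
  </Action>
</Request>"""

def parse_request(xml_text):
    """Return (subject, resource, action); raise ValueError if one is missing."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{CTX}}}Request":
        raise ValueError("not an XACML request context")
    wanted = (("Subject", "subject:subject-id"),
              ("Resource", "resource:resource-id"),
              ("Action", "action:action-id"))
    values = []
    for section, attr_id in wanted:
        node = root.find(f"{{{CTX}}}{section}/{{{CTX}}}Attribute"
                         f"[@AttributeId='{ID}{attr_id}']/{{{CTX}}}AttributeValue")
        if node is None or not (node.text or "").strip():
            raise ValueError(f"request carries no {attr_id}")
        values.append(node.text.strip())
    return tuple(values)

def build_response(decision):
    """Serialize a response context; Decision sits inside a Result element."""
    response = ET.Element(f"{{{CTX}}}Response")
    result = ET.SubElement(response, f"{{{CTX}}}Result")
    ET.SubElement(result, f"{{{CTX}}}Decision").text = decision
    return ET.tostring(response, encoding="unicode")
```

A request that lacks any of the three attributes is rejected before it reaches policy evaluation, so an incomplete request can never be matched against a rule by accident.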

Some Experiments
  • Ex1
  • Ex2
  • Ex3

XACML Framework (Data flow model)

Installing and using the XACML Implementation
  • Available Implementations
    • Sun Microsystems (here) (download)
      • You may also optionally copy from ~kbhoopal/public_html/xacml/sunxacml.jar
    • Jiffy Software (here)

More on Sun’s XACML implementation

  • Available as zip file.
  • Unzip and build with “ant” (download ant).
  • Include the sunxacml.jar in the class path.

Using the XACML Implementation (A Programmer's Guide)
  • Using Sun’s XACML Implementation
    • Overview of APIs
    • Building a basic PDP
    • Building the basic PEP
    • Validating Policies and Requests
  • Some Experiments

Beyond Vanilla Access Control
  • Policy & Rule Combining algorithms
    • Permit Overrides: If a single rule permits a request, irrespective of the other rules, the result of the PDP is Permit.
    • Deny Overrides: If a single rule denies a request, irrespective of the other rules, the result of the PDP is Deny.
    • First Applicable: The effect of the first applicable rule that satisfies the request is the result of the PDP.
    • Only-one-applicable: If there are two rules with different effects for the same request, the result is Indeterminate.

Beyond Vanilla, contd.
  • Conditions
    • Declarative use of boolean expressions
    • Using Environment variables like time, etc.
      • E.g., John can access patientrecord1.doc only between 9am and 4pm.
  • Obligations
    • An operation specified in a policy or policy set that should be performed in conjunction with the enforcement of an authorization decision.
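The combining algorithms and the 9am to 4pm condition from the slides above, run against one request so that the same two rules can be seen producing different decisions. This is an added example, not code from the presentation or from Sun's implementation; the rule model, the function names and the deny-biased PEP (anything other than Permit is refused) are assumptions made for the illustration, and rule evaluation errors are not modelled.

```python
from datetime import time

JOHN_READ = ("John", "PatientRecord1.doc", "R")   # (subject, resource, action)

# Constructed rules (illustrative model, not the Sun XACML API).
RULES = [
    {"target": JOHN_READ, "effect": "Permit",      # only between 9am and 4pm
     "condition": lambda env: time(9) <= env["time"] <= time(16)},
    {"target": JOHN_READ, "effect": "Deny", "condition": None},
]

def evaluate_rule(rule, request, env):
    """Return the rule's Effect if target and condition match, else NotApplicable."""
    if rule["target"] != request:
        return "NotApplicable"
    if rule["condition"] is not None and not rule["condition"](env):
        return "NotApplicable"
    return rule["effect"]

def combine(algorithm, rules, request, env):
    """Combine the rule results with one of the four algorithms on the slide."""
    results = [evaluate_rule(r, request, env) for r in rules]
    applicable = [r for r in results if r != "NotApplicable"]
    if not applicable:
        return "NotApplicable"
    if algorithm == "permit-overrides":
        return "Permit" if "Permit" in applicable else "Deny"
    if algorithm == "deny-overrides":
        return "Deny" if "Deny" in applicable else "Permit"
    if algorithm == "first-applicable":
        return applicable[0]
    if algorithm == "only-one-applicable":
        # XACML defines this one for combining policies; applied to rules here
        # as on the slide. More than one applicable entry gives no decision.
        return applicable[0] if len(applicable) == 1 else "Indeterminate"
    raise ValueError(f"unknown combining algorithm: {algorithm}")

def pep_enforce(decision):
    """Deny-biased PEP: release the resource only on an explicit Permit."""
    return decision == "Permit"

if __name__ == "__main__":
    for hour in (10, 20):                          # inside / outside 9am-4pm
        env = {"time": time(hour)}
        for alg in ("permit-overrides", "deny-overrides",
                    "first-applicable", "only-one-applicable"):
            decision = combine(alg, RULES, JOHN_READ, env)
            print(hour, alg, decision, pep_enforce(decision))
```

Outside the permitted hours the Permit rule drops out as NotApplicable, so every algorithm falls through to the remaining Deny rule.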

Beyond Vanilla, contd.
  • XACML Functions
    • Equality Predicates
    • Arithmetic & Arithmetic comparison
    • String Conversion
    • Numeric Data Type Conversion
    • Logical
    • Date and Time
    • Set
    • And many more.

User Extensions to XACML Implementation
  • Extend
    • Attributes
    • Functions
    • Combining algorithms
    • Finder modules.

XACML in SDDL
  • Implementation of PAP, PIP using a Policy Editor (here)
  • Implementation of SunXACML’s PDP with a custom PEP and integration with Shibboleth and Archon. (here)

References
  • XACML Specification
  • Sun’s XACML Implementation
