eXtensible Access Control Markup Language [OASIS Standard]. Kailash Bhoopalam, Java and XML. Contents: Introduction to Access Control; Introduction to XACML; The XACML schema; Access Control Examples and Experiments with XACML; The XACML framework.
eXtensible Access Control Markup Language [OASIS Standard]
Kailash Bhoopalam
Java and XML
Old Dominion University
Contents
• Introduction to Access Control
• Introduction to XACML
• The XACML schema
• Access Control Examples and Experiments with XACML
• The XACML framework
• Installing and using the XACML package
• Beyond Vanilla XACML
• User Extensions to XACML Implementation
• XACML in Secure Distributed Digital Libraries
Introduction to Access Control

John wants access to the protected file “PatientRecord1.doc”.

John to the File Server: “I am John, my password is X#$@! I want “PatientRecord1.doc””
i.e. the request <John(X#$@!), “PatientRecord1.doc”, R>

Authentication:
• Is John a valid user?
• Is the password accurate?

Authorization (Access Control):
• Is John allowed access to “PatientRecord1.doc”?

Access control entries held by the file server:
<John, “PatientRecord1.doc”, R>
<Bob, “PatientRecord2.doc”, R>
<Bill, “PatientRecord1.doc”, W>

Protected files: “PatientRecord1.doc”, “PatientRecord2.doc”, …
Access Control, contd.

{Policy or Access Control List (ACL)}
<John, “PatientRecord1.doc”, R>
<Bob, “PatientRecord2.doc”, R>
<Bill, “PatientRecord1.doc”, W>

{Request} <John, “PatientRecord1.doc”, R>  VS  {ACL}  ->  {Response} Permit

In general:
{Request} <S, O, A>  VS  {Access Control List (ACL)} <S, O, A>*  ->  {Response} <D>*
S – Subject, O – Object, A – Action, D – Decision
Introduction to XACML

John wants access to the protected file “PatientRecord1.doc”.

XACML Policy:
  <rule effect="permit">
    <target>
      <subject>
        <value>John</value>
      </subject>
      <resource>
        <value>PatientRecord1.doc</value>
      </resource>
      <action>
        <value>R</value>
      </action>
    </target>
  </rule>

Request Context:
  <request>
    <subject>
      <value>John</value>
    </subject>
    <resource>
      <value>PatientRecord1.doc</value>
    </resource>
    <action>
      <value>R</value>
    </action>
  </request>

Response Context:
  <response>
    <decision>
      <value>Permit</value>
    </decision>
  </response>
Introduction to XACML, contd.
How does XACML work?

PEP – Policy Enforcement Point
PDP – Policy Decision Point

0. XACML Policy Repository: the policies the PDP evaluates against.
1. Authenticated Request: the client’s request reaches the XACML-compliant file server (the PEP).
2. Request: the PEP sends the authorization request to the PDP.
3. Response: the PDP returns its decision to the PEP.
4. Decision Enforcement: the PEP enforces the decision on the file server.
XACML Schemas

Request Schema:
  Request
    Subject
    Resource
    Action

Policy Schema:
  PolicySet (Combining Alg)
    Policy* (Combining Alg)
      Rule* (Effect)
        Subject*
        Resource*
        Action
        Condition*
      Obligation*

Response Schema:
  Response
    Decision
    Obligation*
Some Experiments
• Ex1
• Ex2
• Ex3
XACML Framework (Data flow model)
XACML Framework (Policy Language Model)
Installing and using the XACML Implementation
• Available Implementations
  • Sun Microsystems (here) (download)
    • You may also optionally copy it from ~kbhoopal/public_html/xacml/sunxacml.jar
  • Jiffy Software (here)

More on Sun’s XACML implementation:
• Available as a zip file.
• Unzip and build with “ant” (download ant).
• Include sunxacml.jar in the class path.
Using the XACML Implementation (A Programmer’s Guide)
• Using Sun’s XACML Implementation
• Overview of APIs
• Building a basic PDP
• Building the basic PEP
• Validating Policies and Requests
• Some Experiments
Beyond Vanilla Access Control
• Policy & Rule Combining algorithms
  • Permit Overrides: if a single rule permits a request, irrespective of the other rules, the result of the PDP is Permit.
  • Deny Overrides: if a single rule denies a request, irrespective of the other rules, the result of the PDP is Deny.
  • First Applicable: the effect of the first applicable rule that satisfies the request is the result of the PDP.
  • Only-one-applicable: if there are two rules with different effects for the same request, the result is Indeterminate.
Beyond Vanilla, contd.
• Conditions
  • Declarative use of boolean expressions
  • Using environment attributes such as time, etc.
  • E.g., John can access patientrecord1.doc only between 9am and 4pm.
• Obligations
  • An operation specified in a policy or policy set that should be performed in conjunction with the enforcement of an authorization decision.
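To make the PDP behaviour on the last few slides concrete (the <S, O, A> rule model, the four combining algorithms, the 9am-to-4pm condition, and the PEP enforcing the decision), here is an added example written for these notes; it is not part of the slides or of Sun’s implementation. The rule tuple layout, the attribute names and the extra conflicting Deny rule are constructed for illustration.

```python
from datetime import time

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"

def rule(subject, resource, action, effect, condition=None):
    """A rule: target <S, O, A> ("*" matches any value), an Effect and an optional Condition."""
    return {"subject": subject, "resource": resource, "action": action,
            "effect": effect, "condition": condition}

def evaluate_rule(r, request):
    """Target and condition both match -> the rule's effect; otherwise NotApplicable."""
    for attr in ("subject", "resource", "action"):
        if r[attr] != "*" and r[attr] != request[attr]:
            return NOT_APPLICABLE
    if r["condition"] is not None and not r["condition"](request):
        return NOT_APPLICABLE
    return r["effect"]

def combine(algorithm, rules, request):
    """The combining algorithms from the slide, applied to the applicable rules in order."""
    applicable = [d for d in (evaluate_rule(r, request) for r in rules) if d != NOT_APPLICABLE]
    if algorithm == "permit-overrides":
        return PERMIT if PERMIT in applicable else DENY if DENY in applicable else NOT_APPLICABLE
    if algorithm == "deny-overrides":
        return DENY if DENY in applicable else PERMIT if PERMIT in applicable else NOT_APPLICABLE
    if algorithm == "first-applicable":
        return applicable[0] if applicable else NOT_APPLICABLE
    if algorithm == "only-one-applicable":
        # Spec behaviour: Indeterminate whenever more than one element applies (covers the slide's conflicting-effects case).
        return INDETERMINATE if len(applicable) > 1 else (applicable[0] if applicable else NOT_APPLICABLE)
    raise ValueError(f"unknown combining algorithm: {algorithm}")

def business_hours(request):
    """Condition from the slide: access only between 9am and 4pm, using the time environment attribute."""
    return time(9, 0) <= request["time"] <= time(16, 0)

# Constructed policy: the deck's ACL entries as rules, plus a conflicting Deny rule to exercise the algorithms.
POLICY = [
    rule("John", "PatientRecord1.doc", "R", PERMIT, condition=business_hours),
    rule("Bob", "PatientRecord2.doc", "R", PERMIT),
    rule("Bill", "PatientRecord1.doc", "W", PERMIT),
    rule("*", "PatientRecord1.doc", "W", DENY),
]

def decide(algorithm, subject, resource, action, at_hour=10):
    """PDP entry point: build the request context (with the time attribute) and return the decision."""
    ctx = {"subject": subject, "resource": resource, "action": action, "time": time(at_hour, 0)}
    return combine(algorithm, POLICY, ctx)

def pep_enforce(decision):
    """Deny-biased PEP: grant access only on an explicit Permit; NotApplicable and Indeterminate are refused."""
    return decision == PERMIT
```

With Bill’s write request, the same policy yields Permit, Deny or Indeterminate depending only on the combining algorithm chosen, which is why the algorithm is part of the policy rather than a PEP setting.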
Beyond Vanilla, contd.
• XACML Functions
  • Equality Predicates
  • Arithmetic & Arithmetic comparison
  • String Conversion
  • Numeric Data Type Conversion
  • Logical
  • Date and Time
  • Set
  • And many more.
User Extensions to XACML Implementation
• Extend
  • Attributes
  • Functions
  • Combining algorithms
  • Finder modules
XACML in SDDL
• Implementation of the PAP and PIP using a Policy Editor (here)
• Implementation of SunXACML’s PDP with a custom PEP and integration with Shibboleth and Archon (here)
References
• XACML Specification
• Sun’s XACML Implementation