eXtensible Access Control Markup Language [OASIS Standard] - PowerPoint PPT Presentation

Slides: 19
Provided by: Kail151
Learn more at: https://www.cs.odu.edu
Transcript and Presenter's Notes

1
eXtensible Access Control Markup Language [OASIS Standard]
  • Kailash Bhoopalam
  • Java and XML

2
Contents
  • Introduction to Access Control
  • Introduction to XACML
  • The XACML schema
  • Access Control Examples and Experiments with XACML
  • The XACML framework
  • Installing and using the XACML package
  • Beyond Vanilla XACML
  • User Extensions to XACML Implementation
  • XACML in Secure Distributed Digital Libraries

3
Introduction to Access Control
Diagram: John wants access to the protected file PatientRecord1.doc on a File Server. The server first performs Authentication, then Authorization (Access Control) over the protected files PatientRecord1.doc and PatientRecord2.doc.
4
Access Control, contd.
5
Introduction to XACML
Diagram: John wants access to the protected file PatientRecord1.doc. The PEP sends a Request Context to the PDP, which evaluates the XACML Policy and returns a Response Context.

XACML Policy (rule):
  <rule effect="permit">
    <target>
      <subject><value>John</value></subject>
      <resource><value>PatientRecord1.doc</value></resource>
      <action><value>R</value></action>
    </target>
  </rule>

Request Context:
  <request>
    <subject><value>John</value></subject>
    <resource><value>PatientRecord1.doc</value></resource>
    <action><value>R</value></action>
  </request>

Response Context:
  <response>
    <decision><value>Permit</value></decision>
  </response>
6
Introduction to XACML, contd.
How does XACML work?
7
XACML Schemas
Diagram of the three XACML schemas:
  • Policy Schema: PolicySet (Combining Alg), Policy (Combining Alg), Rule (Effect), Subject, Resource, Action, Condition, Obligation
  • Request Schema: Request, Subject, Resource, Action
  • Response Schema: Response, Decision, Obligation
8
Some Experiments
  • Ex1
  • Ex2
  • Ex3

9
XACML Framework (Data flow model)
10
XACML Framework (Policy Language Model)
11
Installing and using the XACML Implementation
  • Available Implementations
    • Sun Microsystems (here) (download)
    • You may also optionally copy from kbhoopal/public_html/xacml/sunxacml.jar
    • Jiffy Software (here)
  • More on Sun's XACML implementation
    • Available as a zip file.
    • Unzip and build with ant (download ant).
    • Include sunxacml.jar in the class path.

12
Using the XACML Implementation (A Programmer's Guide)
  • Using Sun's XACML Implementation
  • Overview of APIs
  • Building a basic PDP
  • Building the basic PEP
  • Validating Policies and Requests
  • Some Experiments

13
Beyond Vanilla Access Control
  • Policy Rule Combining algorithms
    • Permit Overrides: if a single rule permits a request, irrespective of the other rules, the result of the PDP is Permit.
    • Deny Overrides: if a single rule denies a request, irrespective of the other rules, the result of the PDP is Deny.
    • First Applicable: the first applicable rule that satisfies the request is the result of the PDP.
    • Only-one-applicable: if there are two rules with different effects for the same request, the result is Indeterminate.

14
Beyond Vanilla, contd.
  • Conditions
    • Declarative use of boolean expressions
    • Using environment variables like time, etc.
    • E.g., John can access PatientRecord1.doc only between 9am and 4pm.
  • Obligations
    • An operation specified in a policy or policy set that should be performed in conjunction with the enforcement of an authorization decision.
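As an added example (not code from the slides or from Sun's XACML implementation), the following Python evaluator implements the four rule-combining algorithms from slide 13 and the office-hours condition from slide 14 over a constructed two-rule policy; only-one-applicable follows the standard's general semantics, where any second applicable rule yields Indeterminate, of which the slide's two-different-effects case is one instance. The Rule class, the function names and the sample rules are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import time
from typing import Callable

# Added example (not Sun's XACML API): a minimal evaluator for the four
# rule-combining algorithms on the slides, plus a time-of-day condition.
PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"


@dataclass
class Rule:
    effect: str                     # "Permit" or "Deny"
    target: dict                    # request attributes that must match
    condition: Callable[[dict], bool] = lambda ctx: True  # extra boolean predicate


def is_applicable(rule: Rule, request: dict) -> bool:
    """A rule applies when every target attribute matches and its condition holds."""
    return all(request.get(k) == v for k, v in rule.target.items()) and rule.condition(request)


def combine(rules: list, request: dict, algorithm: str) -> str:
    """Apply one rule-combining algorithm to the rules applicable to the request."""
    effects = [r.effect for r in rules if is_applicable(r, request)]
    if algorithm == "permit-overrides":
        return PERMIT if PERMIT in effects else DENY if DENY in effects else NOT_APPLICABLE
    if algorithm == "deny-overrides":
        return DENY if DENY in effects else PERMIT if PERMIT in effects else NOT_APPLICABLE
    if algorithm == "first-applicable":
        return effects[0] if effects else NOT_APPLICABLE
    if algorithm == "only-one-applicable":
        # Spec semantics: more than one applicable rule is Indeterminate, whatever the effects.
        if len(effects) > 1:
            return INDETERMINATE
        return effects[0] if effects else NOT_APPLICABLE
    raise ValueError(f"unknown combining algorithm: {algorithm}")


def office_hours(ctx: dict) -> bool:
    """Condition from the slide: access only between 9am and 4pm."""
    return time(9, 0) <= ctx["time"] < time(16, 0)


# Constructed policy: John may read PatientRecord1.doc during office hours;
# a second, broader rule denies every access to that record.
RULES = [
    Rule(PERMIT, {"subject": "John", "resource": "PatientRecord1.doc", "action": "R"}, office_hours),
    Rule(DENY, {"resource": "PatientRecord1.doc"}),
]


def decide(algorithm: str, hour: int, resource: str = "PatientRecord1.doc") -> str:
    """Evaluate John's read request on a resource at a given hour under one algorithm."""
    request = {"subject": "John", "resource": resource, "action": "R", "time": time(hour, 0)}
    return combine(RULES, request, algorithm)
```

At 10:00 both rules apply, so the four algorithms return Permit, Deny, Permit and Indeterminate respectively; at 18:00 only the deny rule applies and every algorithm returns Deny.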

15
Beyond Vanilla, contd.
  • XACML Functions
    • Equality predicates
    • Arithmetic
    • Arithmetic comparison
    • String conversion
    • Numeric data type conversion
    • Logical
    • Date and time
    • Set
    • And many more.

16
User Extensions to XACML Implementation
  • Extend
    • Attributes
    • Functions
    • Combining algorithms
    • Finder modules

17
XACML in SDDL
  • Implementation of the PAP and PIP using a Policy Editor (here)
  • Implementation of SunXACML's PDP with a custom PEP, and integration with Shibboleth and Archon (here)

18
References
  • XACML Specification
  • Sun's XACML Implementation