Access Control Patterns & Practices
with
WSO2 Middleware
Prabath Siriwardena
About Me
• Director of Security Architecture at WSO2
• Leads WSO2 Identity Server – an open source identity and
entitlement management product.
• Apache Axis2/Rampart committer / PMC
• A member of OASIS Identity Metasystem Interoperability (IMI)
TC, OASIS eXtensible Access Control Markup Language
(XACML) TC and OASIS Security Services (SAML) TC.
• Twitter : @prabath
• Email : prabath@apache.org
• Blog : http://blog.facilelogin.com
• LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
Discretionary Access Control (DAC)
vs.
Mandatory Access Control (MAC)
With the Discretionary Access Control,
the user can be the owner of the data
and at his discretion can transfer the
rights to another user.
With Mandatory Access Control, only
designated users are allowed to grant
rights and, users cannot transfer them.
All WSO2 Carbon based products are
based on Mandatory Access Control.
Group is a collection of Users - while a
Role is a collection of permissions.
Authorization Table
vs.
Access Control Lists
vs.
Capabilities
Authorization Table is a three column
table with subject, action and resource.
With Access Control Lists, each resource is
associated with a list, indicating, for each
subject, the actions that the subject can exercise
on the resource.
With Capabilities, each subject has an
associated list, called capability list, indicating,
for each resource, the accesses that the user is
allowed to exercise on the resource.
Access Control List is resource driven
while capabilities are subject driven.
With policy based access control we
can have authorization policies with a
fine granularity.
Capabilities and Access Control Lists
can be dynamically derived from
policies.
XACML is the de facto standard for
policy based access control.
XACML provides a reference
architecture, a request response
protocol and a policy language.
XACML Reference Architecture
Policy Administration
Point (PAP)
Policy Decision Point
(PDP)
Policy Store
Policy Enforcement Point
(PEP)
Policy Information Point
(PIP)
XACML with Capabilities (WS-Trust)
Hierarchical Resource Profile
WSO2 Identity Server
(XACML PDP)
XACML
Request
XACML Response
WSO2 Identity Server
(STS)
WSO2 Application Server
(SOAP Service)
SAML token with Authentication
and
Authorization Assertions (Capabilities)
SAML token with
Authentication
and
Authorization Assertion
+
Service Request
SAML token request
Client Application
WSO2 Identity Server
(XACML PDP)
XACML
Request
XACML with Capabilities (WS-Trust)
Hierarchical Resource Profile
XACML Response
WSO2 Identity Server
(SAML2 IdP)
WSO2 Application Server
(Web Application)
SAML token with Authentication
and
Authorization Assertion (Capabilities)
Browser Redirect with SAML Request
Unauthenticated Request
Role Based Access Control
WSO2 Application Server
(SOAP Service)
Client Application
Service Request + Credentials
WSO2 ESB
(Policy Enforcement
Point)
RBAC
WSO2 ESB as the XACML PEP (SOAP and REST)
WSO2 Identity Server
(XACML PDP)
XACML Response
WSO2 Application Server
(SOAP Service)
XACML Request
WSO2 ESB
(Policy Enforcement
Point)
Client Application
Service Request + Credentials
XACML PEP as a Servlet Filter
WSO2 Identity Server
(XACML PDP)
XACML Response
XACML Request
XACML
Servlet Filter
Client Application
WSO2 Application Server
Service Request + Credentials
OAuth + XACML
WSO2 Identity Server
(OAuth Authorization
Server)
XACML
Request
API Gateway
Validate()
XACML Response
WSO2 Identity Server
(XACML PDP)
Access
Token
Client Application
Authorization with External IdPs (Role Mapping)
WSO2 Identity Server
IdP
Groups
External SAML2 IdP
(Salesforce)
SAML token with Authentication
and Attribute Assertions with IdP groups
Web App
roles
WSO2 Application Server
(Web Application)
Browser Redirect with SAML Request
Unauthenticated Request
XACML Multiple Decisions and
Application Specific Roles
Liferay Portal
XACML Request
WSO2 Identity Server
(XAML PDP)
XACML Response
Login
lean . enterprise . middleware