I have a knotty problem (at least for me) to solve
In a nutshell:
A web server exposing a single URL (static page)
the URL should only be accessible between 9 am and 5 pm (every day)
the whole thing should be implemented through XACML
Questions
What actually do I need in order to accomplish my objective?
Is there any Oracle implementation of XACML which I should install? Is it by any chance free?
Could another XACML implementation be suitable? I'm referring to WSO2 Balana.
Which tools should I use?
How should I start?
Thanks a lot
You'll need:
a PEP (policy enforcement point) to intercept the request to the server. In your case you are controlling access to a web server. If you're using a Java web server e.g. Tomcat, you can implement a Servlet Filter PEP.
a PDP (policy decision point) to receive the request from the PEP and return a decision (either Permit or Deny). Oracle used to have a PDP solution called Oracle Entitlements Server (OES) but it was discontinued. Nowadays you have several options:
Balana, an open-source XACML engine
AuthZForce, the latest and possibly most complete open-source XACML 3.0 PDP
Axiomatics, a commercial solution that provides you with turnkey PDP, PEP, and policy authoring (aka PAP)
a PAP (policy administration / authoring point): you need to write your policy. I typically use ALFA, which is an easy-to-read shorthand notation for XACML.
In your case, the policy would look like the following:
namespace officeHours {
    attribute current_time {  // added declaration: the standard XACML environment attribute
        id = "urn:oasis:names:tc:xacml:1.0:environment:current-time"
        type = time
        category = environmentCat
    }
    policy allowOfficeHours {
        apply firstApplicable
        rule allowOfficeHours {
            target clause current_time > "09:00:00":time and current_time < "17:00:00":time
            permit
        }
    }
}
Plan of action
Start
Start with downloading the PDP of your choice. If you need a free one, go to AuthZForce. You can ask and tag questions with authzforce here. Their main architect / dev is active here.
Then download the ALFA plugin for Eclipse to start writing some policies.
Finally, use AuthZForce's PEP SDK to write your own PEP. Look at Java servlet filters as an easy means to write a PEP. Check out this post and that one for tips.
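The PEP/PDP split and the office-hours policy from the answer above, carried through as an added example in Python (this is not code from Balana, AuthZForce or Axiomatics). The XACML 3.0 XML that the ALFA policy compiles to is hand-written here; the evaluator supports only what that one policy needs (AnyOf/AllOf/Match targets, the two time comparison functions, first-applicable), and the PEP shows why enforcement has to be deny-biased. Assumed simplifications: times are compared without a timezone, and the PEP always supplies current-time (in a real deployment the PDP's context handler fills it in when the request omits it). Note the boundaries: with strict comparisons 09:00:00 and 17:00:00 themselves fall outside the window, and outside the window a policy with only a permit rule yields NotApplicable, not Deny.

```python
"""Toy XACML 3.0 PDP plus a deny-biased PEP for the office-hours policy.

Added illustration, not code from Balana, AuthZForce or Axiomatics. Supports
only what that policy needs: Policy/Rule targets built from AnyOf/AllOf/Match,
the time-less-than / time-greater-than functions and the first-applicable
rule-combining algorithm. Times are compared as naive local times.
"""
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}
ENV_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
CURRENT_TIME = "urn:oasis:names:tc:xacml:1.0:environment:current-time"
XS_TIME = "http://www.w3.org/2001/XMLSchema#time"

# Hand-written XACML for the ALFA policy above. Argument order matters: a
# <Match> evaluates MatchId(AttributeValue, bag-element), so the ALFA clause
# "current_time > 09:00:00" becomes time-less-than("09:00:00", current_time).
POLICY_XML = f"""
<Policy xmlns="{NS['x']}" PolicyId="allowOfficeHours" Version="1.0"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Target/>
  <Rule RuleId="allowOfficeHours" Effect="Permit">
    <Target><AnyOf><AllOf>
      <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:time-less-than">
        <AttributeValue DataType="{XS_TIME}">09:00:00</AttributeValue>
        <AttributeDesignator Category="{ENV_CAT}" AttributeId="{CURRENT_TIME}"
                             DataType="{XS_TIME}" MustBePresent="false"/>
      </Match>
      <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:time-greater-than">
        <AttributeValue DataType="{XS_TIME}">17:00:00</AttributeValue>
        <AttributeDesignator Category="{ENV_CAT}" AttributeId="{CURRENT_TIME}"
                             DataType="{XS_TIME}" MustBePresent="false"/>
      </Match>
    </AllOf></AnyOf></Target>
  </Rule>
</Policy>
"""

# Functions are called as fn(literal, bag_value), mirroring the spec's order.
FUNCTIONS = {
    "urn:oasis:names:tc:xacml:1.0:function:time-less-than": lambda a, b: a < b,
    "urn:oasis:names:tc:xacml:1.0:function:time-greater-than": lambda a, b: a > b,
}


def _match(match, request):
    fn = FUNCTIONS[match.get("MatchId")]          # KeyError -> Indeterminate
    literal = dt.time.fromisoformat(match.find("x:AttributeValue", NS).text)
    des = match.find("x:AttributeDesignator", NS)
    bag = request.get((des.get("Category"), des.get("AttributeId")), [])
    if not bag and des.get("MustBePresent") == "true":
        raise LookupError("required attribute missing")   # -> Indeterminate
    # A Match holds if the function is true for any value in the bag.
    return any(fn(literal, dt.time.fromisoformat(v)) for v in bag)


def _target_matches(target, request):
    """Target = AnyOf (OR) of AllOf (AND) of Match; an empty Target matches."""
    return all(
        any(all(_match(m, request) for m in allof.findall("x:Match", NS))
            for allof in anyof.findall("x:AllOf", NS))
        for anyof in target.findall("x:AnyOf", NS)
    )


def evaluate(policy_xml, request):
    """Return Permit, Deny, NotApplicable or Indeterminate for one request.

    `request` maps (category, attribute-id) to a bag (list) of string values.
    """
    policy = ET.fromstring(policy_xml.strip())
    assert policy.get("RuleCombiningAlgId").endswith(":first-applicable")
    try:
        if not _target_matches(policy.find("x:Target", NS), request):
            return "NotApplicable"
        for rule in policy.findall("x:Rule", NS):
            if _target_matches(rule.find("x:Target", NS), request):
                return rule.get("Effect")   # first matching rule decides
    except LookupError:
        return "Indeterminate"
    return "NotApplicable"                  # no rule applied: not a Deny


def build_request(current_time=None):
    """PEP side: put the clock into the environment category (hh:mm:ss)."""
    if current_time is None:
        current_time = dt.datetime.now().time().replace(microsecond=0).isoformat()
    return {(ENV_CAT, CURRENT_TIME): [current_time]}


def pep_allows(current_time=None):
    """Deny-biased enforcement: Deny, NotApplicable and Indeterminate all block."""
    return evaluate(POLICY_XML, build_request(current_time)) == "Permit"


if __name__ == "__main__":
    for t in ("08:59:59", "09:00:00", "09:00:01", "16:59:59", "17:00:00"):
        print(t, evaluate(POLICY_XML, build_request(t)), pep_allows(t))
```

The two things worth taking from this into a real PEP: the PEP must treat everything except an explicit Permit as a refusal (the policy above never says Deny, it simply stops applying after 17:00), and when writing XACML by hand the Match function receives the literal as its first argument, which is why "greater than 9" appears as time-less-than in the XML.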
Related
I have installed Balana correctly and run mvn clean install with no error.
How can I get benefit from the JAR file?
How can I test the policy that I have written in XACML?
Balana is just the engine. Once you have compiled Balana (and presumably jarred it), you need to start it and pass it the XACML policies you wrote. Now, at start-up, Balana should validate that the files are valid XACML 2.0 or XACML 3.0 files.
What you want to do next is send an authorization request using a tool e.g. SoapUI or Postman to the endpoint Balana exposes (if any that is). That will help you validate the endpoint.
PS: I have limited experience with Balana. I work mostly with Axiomatics Policy Server (disclaimer: it's where I work).
PS2: if you want to stay down the path of open source, check out AuthZForce. It's much more active.
When WSO2 implements open-standard protocols like XACML and SCIM, they do not tightly couple the implementation with WSO2 platform components, for example Balana for XACML [2] and Charon for SCIM [1]. Inside WSO2 Identity Server [3] you will find two artifacts, org.wso2.balana_1.1.5.jar and org.wso2.balana.utils_1.1.5.jar, which are relevant to the WSO2 XACML implementation. If you want to make use of the Balana artifacts, please refer to [4].
[1] https://github.com/wso2/charon
[2] https://github.com/wso2/balana
[3] https://docs.wso2.com/display/IS570/
[4] https://docs.wso2.com/display/IS570/Working+with+XACML
I just started learning XACML with WSO2 and I went through this example post, which is working fine. My question is: if I use Tomcat instead of WSO2 AS to deploy my WAR file, then how can I protect my protected pages?
Thank You
You need to start with the basics. Do you know the XACML architecture? There is a component called PEP (policy enforcement point) which is responsible for protecting your resources.
The PEP can be of different form factors. It could be an API gateway or in your case, it would likely be a servlet filter. You can write your Servlet Filter. Follow these instructions.
To learn more about XACML, check out the Wikipedia site for it. I keep adding information on a regular basis. Also check out the ABAC and ALFA pages.
There are multiple ways to do this; I will explain one such method.
If you are deploying your web app on Tomcat, you can write a Tomcat filter [1] or Tomcat valve to act as the PEP (Policy Enforcement Point).
You can configure the WSO2 Identity Server with XACML policies. Thereafter you can call the Entitlement service from within the Tomcat filter/valve you implemented, using the SOAP/Thrift entitlement client (refer to [2]).
You can implement a filter similar to [3]. You need to configure the filter in the web.xml of your web app. Make use of [4] to configure the filter. WSO2 Application Server uses Tomcat internally to host web apps, so it is not much different from deploying on Tomcat.
[1] https://tomcat.apache.org/tomcat-5.5-doc/servletapi/javax/servlet/Filter.html
[2] Xacml integration with saml in wso2
[3] https://github.com/wso2-extensions/identity-agent-entitlement-filter/blob/master/components/org.wso2.carbon.identity.entitlement.filter/src/main/java/org/wso2/carbon/identity/entitlement/filter/EntitlementFilter.java
[4] https://docs.wso2.com/display/AS530/Enable+XACML+Fine+Grained+Authorization+for+Web+Apps
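A PEP of the kind the answers above describe (a filter sitting in front of the web app), written as a WSGI middleware in Python as an added example. This is not the WSO2 entitlement filter and does not use its SOAP/Thrift client: the PDP is an injected callable that takes a XACML 3.0 JSON Profile request and returns a JSON Profile response, so the block runs offline against a stub. `stub_pdp`, `hello_app` and the user names are constructed for the demo, and REMOTE_USER is assumed to have been set by an upstream authentication step. The point it makes beyond the prose is the decision mapping: only an explicit Permit reaches the application; Deny, NotApplicable, Indeterminate, a malformed response and a PDP that is unreachable all end in 403, so the filter can never fail open.

```python
"""A PEP as WSGI middleware, the Python counterpart of a servlet-filter PEP.

Added illustration, not the WSO2 entitlement filter. The PDP is injected as a
callable (JSON Profile request dict in, JSON Profile response dict out) so the
same middleware works with a stub here and an HTTP client in production.
"""
import json

SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"


def xacml_request(environ):
    """Build a XACML 3.0 JSON Profile request from a WSGI environ.

    REMOTE_USER is assumed to come from an upstream authentication layer.
    """
    return {"Request": {
        "AccessSubject": [{"Attribute": [
            {"AttributeId": SUBJECT_ID, "Value": environ.get("REMOTE_USER", "anonymous")}]}],
        "Resource": [{"Attribute": [
            {"AttributeId": RESOURCE_ID, "Value": environ.get("PATH_INFO", "/")}]}],
        "Action": [{"Attribute": [
            {"AttributeId": ACTION_ID, "Value": environ.get("REQUEST_METHOD", "GET")}]}],
    }}


def decision_of(response):
    """Extract the decision; anything malformed counts as Indeterminate."""
    try:
        return response["Response"][0]["Decision"]
    except (KeyError, IndexError, TypeError):
        return "Indeterminate"


class XacmlPep:
    """Wraps a WSGI app. Only an explicit Permit reaches the app; Deny,
    NotApplicable, Indeterminate and PDP failures all become 403 (fail closed)."""

    def __init__(self, app, pdp):
        self.app, self.pdp = app, pdp

    def decide(self, environ):
        try:
            return decision_of(self.pdp(xacml_request(environ)))
        except Exception:          # PDP down, timeout, bad JSON: never fail open
            return "Indeterminate"

    def __call__(self, environ, start_response):
        decision = self.decide(environ)
        if decision == "Permit":
            return self.app(environ, start_response)
        body = json.dumps({"error": "forbidden", "decision": decision}).encode()
        start_response("403 Forbidden", [("Content-Type", "application/json"),
                                          ("Content-Length", str(len(body)))])
        return [body]


# --- constructed stand-ins so the block runs stand-alone -------------------
def stub_pdp(req):
    """Constructed PDP: permits GET by alice on /index.html, denies the rest."""
    r = req["Request"]
    who = r["AccessSubject"][0]["Attribute"][0]["Value"]
    what = r["Resource"][0]["Attribute"][0]["Value"]
    how = r["Action"][0]["Attribute"][0]["Value"]
    ok = who == "alice" and what == "/index.html" and how == "GET"
    return {"Response": [{"Decision": "Permit" if ok else "Deny"}]}


def broken_pdp(req):
    """Constructed PDP that is unreachable."""
    raise ConnectionError("pdp unreachable")


def hello_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"static page\n"]


def call(app, environ):
    """Tiny WSGI driver: returns (status, body) for one request."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    pep = XacmlPep(hello_app, stub_pdp)
    print(call(pep, {"REMOTE_USER": "alice", "PATH_INFO": "/index.html", "REQUEST_METHOD": "GET"}))
    print(call(pep, {"REMOTE_USER": "bob", "PATH_INFO": "/index.html", "REQUEST_METHOD": "GET"}))
    print(call(XacmlPep(hello_app, broken_pdp), {"REMOTE_USER": "alice", "PATH_INFO": "/index.html"}))
```

To point this at a real PDP, replace `stub_pdp` with a function that POSTs `json.dumps(req)` to the PDP's REST endpoint and returns the parsed body; keep the `except Exception` in `decide`, because a timeout on that call is exactly the case in which a filter must not let the request through.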
I am working on an ABAC project and am using the ALFA plug-in in Eclipse to write the policies, and am enforcing the same through a Java program. Instead of that I want to make use of the open-source XACML implementations available to simulate a PDP, PAP and PEP. How to solve the issue?
Open source XACML 3.0 implementations:
AuthzForce
WSO2 Balana
(EDIT based on David's comment:) AT&T XACML.
More info on the XACML wikipedia page.
(Heras-AF and SunXACML are XACML 2.0 only.)
Correct me if I am wrong. I did a bit of searching on both centralized authentication and authorization; it is easy to find quite a few centralized authentication solutions (SSO?), but as for authorization there seem to be not many.
Does that mean authorization is easy to implement as an extension/plugin of central authentication, or that it is not a good idea to centralize it? OAuth, for example, is decentralized.
They exist. You want to look at externalized authorization management. The standard behind it is XACML, the eXtensible Access Control Markup Language.
The solutions in this space are:
Open-source
JBoss PicketBox
SunXACML
WSO2
HerasAF
Vendor
Axiomatics
IBM Tivoli
Oracle
In addition you may want to consider frameworks e.g. Spring Security, Ruby's CanCan, PHP's Yii...
I have a C# .NET application which serves both the company's internal users and external customers. I need to do fine-grained authorization like who accesses what resource. So I need something like resource-based or attribute-based rather than role-based authorization.
What comes to my mind is to either:
Implement my own authorization mechanism and sql tables for my .net application
Use/implement a standard mechanism, like a software that has implemented XACML (for instance Axiomatics)
The problem with the first method is that it is not centralized nor standard so other systems cannot use it for authorization.
The problem with the second approach is that it is potentially slower (due to extra calls needed for each resource). Also I am not sure how widely a standard authorization like XACML is supported by applications in the market to make future integrations easier.
So, in general what are the good practices for fine-grained authorization for web applications that are supposed to serve both internal users and external customers?
I would definitely go for externalized authorization. It doesn't mean it will be slower. It means you have cleanly separated access control from the business logic.
Overview
XACML is a good way to go. The TC is very active and companies such as Boeing, EMC, the Veterans Administration, Oracle, and Axiomatics are all active members.
The XACML architecture guarantees you can get the performance you want. Since the enforcement (PEP) and the decision engine (PDP) are loosely coupled you can choose how they communicate, what protocol they use, whether to use multiple decisions, etc... This means you have the choice to go for the integration which fits your performance needs.
There is also a standard PDP interface defined in the SAML profile for XACML. That guarantees you 'future-proof' access control where you are not locked into any particular vendor solution.
Access control for webapps
You can simply drop in a PEP for .Net webapps by using HTTP Filters in ISAPI and ASP.NET. Axiomatics has got one off-the-shelf for that.
Current implementations
If you check Axiomatics's customers page, you'll see they have Paypal, Bell Helicopter, and more. So XACML is indeed a reality and it can tackle very large deployments (hundreds of millions of users).
Also, Datev eG, a leading financial services provider is using Axiomatics's .Net PDP implementation for its services / apps. Since the .Net PDP is embedded in that case, performance is optimal.
Otherwise, you can always choose from off-the-shelf PEPs for .Net that integrate with any PDP, for instance a SOAP-based XACML authorization service.
High levels of performance with XACML
Last July at the Gartner "Catalyst" conference, Axiomatics announced the release of their latest product, the Axiomatics Reverse Query which helps you tackle the 'billion record challenge'. It targets access control for data sources as well as RIA. It uses a pure XACML solution so that it remains interoperable with other solutions.
As a matter of fact, Kuppinger Cole will host a webinar on the topic very soon: http://www.kuppingercole.com/events/n10058
Check out the Axiomatics ARQ press release too here: http://www.axiomatics.com/latest-news/216-axiomatics-releases-new-reverse-query-authorization-product-a-breakthrough-innovation-for-authorization-services.html
Definitely look for a drop-in authorization module for your ASP.NET application. I'm not just saying that because I implement drop-in auth systems at BiTKOO, but because I have had to work with home-grown auth implementations in the past. Building your own authorization system for a single application really is not a good use of your time or resources unless you intend to make a career out of implementing security systems.
Externalizing the authorization decision from your app is a good idea from an architectural standpoint. Externalizing the authz decision gives you an enormous amount of flexibility to change your access criteria on the fly without having to shut down your web service or reconfigure the web server itself. Decoupling the web front-end from the authz engine allows you to scale each independently according to the load and traffic patterns of your application, and allows you to share the authz engine across multiple apps.
Yes, adding a network call to your web app will add some overhead to your web response compared to having no authorization at all or using a local database on the web server. That shouldn't be a reason not to consider external authorization. Any serious authorization product you consider will provide some sort of caching capability to minimize the number of network calls required per web request or even per user session across multiple web requests.
In BiTKOO's Keystone system, for example, the user attributes can be cached on the web server per user-session, so there's really only one back-end network request involved on the first page request as part of establishing a user login. Subsequent page requests (within the lifetime of the cached credentials, usually 5 minutes or so) can be handled by the web server without needing to hit the authz service again. This scales well in cloud web farms, and is built on XACML standards.
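The caching trade-off described in the answer above (cache per user session for roughly five minutes so that only the first request hits the back end), as an added example in Python; this is constructed for illustration and is not BiTKOO/Keystone code. It contrasts two things a PEP can cache and uses the office-hours rule from earlier on this page so that the difference is visible: caching the final decision lets a Permit obtained at 16:59 survive until the TTL expires, after the window has closed; caching only the subject's attributes and re-evaluating the policy on every request keeps the time check live while still saving the attribute lookup. The `Pip` class, the user, the role and the timestamps are constructed; a fake clock is passed in so the run is deterministic.

```python
"""Decision cache versus attribute cache on a time-dependent policy.

Added illustration, not BiTKOO/Keystone code. Everything here is constructed:
the PIP stand-in, the user, the role and the clock values passed to `run`.
"""
import datetime as dt

TTL = dt.timedelta(minutes=5)     # the "5 minutes or so" from the answer above


class Pip:
    """Policy Information Point stand-in: the expensive attribute lookup the
    cache is meant to save. Counts how often it is called."""

    def __init__(self):
        self.calls = 0

    def attributes(self, user):
        self.calls += 1
        return {"id": user, "role": "employee"}     # constructed data


def office_hours_policy(attrs, now):
    """The office-hours rule from earlier on the page, plus an employee check."""
    return attrs.get("role") == "employee" and dt.time(9) < now.time() < dt.time(17)


class DecisionCache:
    """Caches the final decision per (user, resource) for TTL.
    Wrong for time-dependent policies: a Permit outlives the window."""

    def __init__(self, pip):
        self.pip, self.store = pip, {}

    def allowed(self, user, resource, now):
        hit = self.store.get((user, resource))
        if hit and now - hit[1] < TTL:
            return hit[0]                          # stale decision served
        decision = office_hours_policy(self.pip.attributes(user), now)
        self.store[(user, resource)] = (decision, now)
        return decision


class AttributeCache:
    """Caches only the subject attributes per user for TTL; the policy itself
    is re-evaluated on every request, so the clock is always current."""

    def __init__(self, pip):
        self.pip, self.store = pip, {}

    def allowed(self, user, resource, now):
        hit = self.store.get(user)
        if not (hit and now - hit[1] < TTL):
            hit = (self.pip.attributes(user), now)
            self.store[user] = hit
        return office_hours_policy(hit[0], now)


def run(cache_cls):
    """Replay: alice loads the page at 16:59, then again at 17:02.
    Returns (decision at 16:59, decision at 17:02, PIP calls made)."""
    pip = Pip()
    pep = cache_cls(pip)
    day = dt.datetime(2024, 1, 8)                  # constructed date
    first = pep.allowed("alice", "/index.html", day.replace(hour=16, minute=59))
    second = pep.allowed("alice", "/index.html", day.replace(hour=17, minute=2))
    return first, second, pip.calls


if __name__ == "__main__":
    print("decision cache :", run(DecisionCache))    # stale Permit at 17:02
    print("attribute cache:", run(AttributeCache))   # denied at 17:02, still one lookup
```

Both variants make exactly one back-end call for the two requests, so the attribute cache gives the same saving the answer describes without the stale Permit. The same reasoning applies to any attribute that changes faster than the TTL (a revoked role, a resource that became confidential): cache what is slow to fetch, not what the policy concludes.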
I need to do fine-grained authorization like who accesses what resource. So I need something like resource-based or attribute-based rather than a role-based authorization.
Check out this: https://zanzibar.academy/. Zanzibar is a project made at Google to solve fine-grained authorization at scale.
Use/implement a standard mechanism, like a software that has implemented XACML (for instance Axiomatics). The problem with the second approach is that it is potentially slower (due to extra calls needed for each resource).
Auth0 is working on a solution called FGA (https://fga.dev) that will be optimized for low latency. It's built upon the Zanzibar paper.
Disclaimer: I am employed at Auth0.