apply fine-grained authorization to java mvc applications

Webinar: Apply fine-grained authorization to Java MVC apps

Upload: axiomatics-ab

Post on 15-Jan-2015


DESCRIPTION

N-tier applications can be challenging from a security perspective. Security policies impact the user interface as well as the business layer and even the data layer. Users should only be presented with relevant UIs and widgets based on their permissions. At the same time, the underlying business objects should also be protected. Externalizing authorization lets architects and developers move security policies out of the code into a common layer or authorization service. With the rise of the eXtensible Access Control Markup Language (XACML), a policy-based, multi-factor authorization language, it has become easy to define and apply rich authorization policies. Still, how do you efficiently ensure that one single policy can be applied across all your M-V-C layers?

In this webinar we will discuss:
- An end-to-end scenario
- Policies and enforcement strategies for UIs
- Business objects
- The data tier

We will also explain how you apply XACML-driven authorization via:
- Java annotations and aspect-oriented programming
- SQL filtering
- Checks on the presentation tier

TRANSCRIPT

Page 1: Apply fine-grained authorization to Java MVC applications

Webinar:

Apply fine-grained authorization to Java MVC apps

Page 2: Apply fine-grained authorization to Java MVC applications


Page 3: Apply fine-grained authorization to Java MVC applications


Guidelines

You are muted centrally
The webinar is recorded
Slides available for download
Q&A at the end

Page 4: Apply fine-grained authorization to Java MVC applications

Twitter

@axiomatics

#XACML


#MVC

#Java

Page 5: Apply fine-grained authorization to Java MVC applications

© 2013 Axiomatics AB 5

Speakers & Agenda

Today’s speakers

What’s fine-grained authorization?
A note on XACML
Apply fine-grained authorization to an MVC app

Presentation tier

Business tier

Data tier

Today’s use case: Acme, a car retailer

Andreas Sjöholm
Saravana Kumar Sankaramoorthy

David Brossard

Page 6: Apply fine-grained authorization to Java MVC applications


What is fine-grained authorization?

Fine-grained & Externalized Authorization

Page 7: Apply fine-grained authorization to Java MVC applications


Today’s business challenge

Businesses are more dynamic
The will/need to share is more important

Provide better service / care

The amount of data is increasing
Everything is electronic, from health records to book reviews

Consumption patterns are evolving
Consumers are going mobile

Page 8: Apply fine-grained authorization to Java MVC applications

Introducing eXternalized authorization

Gartner: “Externalized Authorization Management”
Centralized
Decoupled from your applications’ business logic
Policy-based
Multi-factor & fine-grained
Standardized: XACML

Who? What? When? Where? Why? How?


Page 9: Apply fine-grained authorization to Java MVC applications


Any-Depth Authorization

Page 10: Apply fine-grained authorization to Java MVC applications


Behold XACML!

eXtensible Access Control Markup Language

An OASIS standard
The de facto standard for fine-grained access control
Current version: 3.0

XACML defines
  A policy language
  A request / response scheme
  An architecture

Page 11: Apply fine-grained authorization to Java MVC applications


Three key points of XACML

Policy-based: use policies to describe and implement complex AuthZ

Attribute-based: an attribute consists of an identifier, datatype, and value

Technology-neutral: apply XACML to Java, .NET, and more

Page 12: Apply fine-grained authorization to Java MVC applications


More on eXternalized Authorization

Check out the Axiomatics webinar
Speaker: Srijith Nair (@srijith)

YouTube: http://www.youtube.com/watch?v=kH0ewXlIFHY

SlideShare: http://www.slideshare.net/Axiomatics/protect-your-applications-and-apis-with-externalized-authorization

Page 13: Apply fine-grained authorization to Java MVC applications


Fine-grained authorization in the presentation tier

Page 14: Apply fine-grained authorization to Java MVC applications


Challenge

Users should only be presented with the relevant UI
For instance, controls should be enabled/disabled depending on user permissions
Use fine-grained authorization to deliver the best UX possible

Page 15: Apply fine-grained authorization to Java MVC applications


Approach

Use widget properties
Use JSP tags
Use templates
Use obligations and advice to help the user

Example: tell the user why they cannot approve a PO

Example: implement 2-factor authentication flow

Use the Axiomatics Policy Server
  Enterprise authorization server

Page 16: Apply fine-grained authorization to Java MVC applications


Fine-grained authorization in the business tier

Using Annotations and Aspect Orientation

Page 17: Apply fine-grained authorization to Java MVC applications


Challenge

Security seen as a hindrance
Authorization code is often mixed with application code
Authorization is often poorly implemented, if at all

Page 18: Apply fine-grained authorization to Java MVC applications


Approach

Use filters and interceptors on APIs
Use aspect-oriented programming (AOP) to inject authorization behavior in the business logic
Use the Axiomatics Policy Server
  Enterprise authorization server

Page 19: Apply fine-grained authorization to Java MVC applications

Introducing Aspects

First there was Object Orientation (OO)

Static models

Aspect Oriented Programming

Makes OO dynamic

Cross-cutting concerns

Provides Advice at certain Points

Non-intrusive to boilerplate code

XACML and AOP fit nicely together

Let a PDP provide decisions to handle authorization concerns

AOP implementations

AspectJ (the one used here)

Spring AOP

Page 20: Apply fine-grained authorization to Java MVC applications

Axiomatics XACML AOP

Adds fine-grained authorization to Java code

Supports legacy applications with minimal intrusion

Using it we can
  Invoke the PDP at various well-defined places

Avoid touching source code

Filter returned objects via obligations

Let the UI adapt to the security context

Attach to other frameworks to collect attributes (Spring...)

Auto-generate application-specific documentation for policy authors (attribute ontologies) from the source code

Page 21: Apply fine-grained authorization to Java MVC applications


Fine-grained authorization in the data tier

Page 22: Apply fine-grained authorization to Java MVC applications


Challenge

Control access to data stored in databases
The data is not known a priori
Traditional XACML does not scale to millions of records

Page 23: Apply fine-grained authorization to Java MVC applications


Approach

Integrate with the database
Parse the SQL statement
Augment the SQL statement with a filter (WHERE clause)
Use the Axiomatics Data Access Filter
  New in October 2013
  Delivers row-level data filtering for Oracle databases

Page 24: Apply fine-grained authorization to Java MVC applications


A Java MVC Demo

The “Car demo”

Page 25: Apply fine-grained authorization to Java MVC applications


The use case

Acme Inc. is a used-car retailer
Acme Inc. buys and sells vehicles
Acme Inc. is a highly distributed company with stores across the 50 states
Acme Inc. wants to make sure only the right employees buy and sell vehicles at the right price
Acme Inc. wants a smooth experience for employees and customers alike
Acme Inc. also wants to go mobile
  Offer mobile applications for its employees
  Deliver better value to their customers

Page 26: Apply fine-grained authorization to Java MVC applications


The architecture

Apache Tomcat

Java Web-App

Retrieve data via JPA

User Directory

Authenticate (JAAS)

Presentation tier

Business tier

Page 27: Apply fine-grained authorization to Java MVC applications


Apply authorization to the Java architecture

Apache Tomcat

Java Web-App

Retrieve data via JPA

User Directory

Authenticate (JAAS)

Presentation tier

Business tier

VPD

Page 28: Apply fine-grained authorization to Java MVC applications


Sample authorization logic

Authorization requirements

Users in purchasing can view the purchasing menu

Users in purchasing can create purchase orders in their region

Managers in purchasing can approve purchase orders up to their approval limit

Policies about functions, data, and widgets…

Attributes

User: role, department, approval limit, location

Resource: type, location, amount

Action: action-id (view, create, edit)

Context: time of the day…

Multi-factor authorization

Page 29: Apply fine-grained authorization to Java MVC applications


Structure your authorization

Purchasing
  Create / View: same region
  Approve: same region & approval limit

Page 30: Apply fine-grained authorization to Java MVC applications


Code Deep-dive: the presentation tier

In this demo, we control the menu
The menu is written in Java and JavaScript using jQuery
Let’s write some JSP if/else to control which parts of the menu are rendered
Note: consider using JSF or a presentation framework
You can then use widget properties to enable/disable and show/hide the widgets

Page 31: Apply fine-grained authorization to Java MVC applications


Code deep-dive: use AOP & annotations

Apply the @XacmlEnforcementPoint annotation

Annotate the POJOs with @XacmlAttribute

public interface VehicleService {
    // Enforcement point: the PDP is consulted before this method runs
    @XacmlEnforcementPoint
    Order createPurchaseOrder();
}

class PurchaseOrder {
    // Annotated fields become resource attributes in the XACML request
    @XacmlAttribute String identifier;
    @XacmlAttribute Double amount;
}
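As an added illustration, not code from the webinar or from the Axiomatics XACML AOP product, of how the annotated enforcement point and POJO above turn into an intercept-and-decide step: the AspectJ advice described on the slides is stood in for by a java.lang.reflect.Proxy interceptor, the two annotations are hypothetical re-declarations (their real package is not on the slides), and the stub PDP hard-codes the Acme rules from the “Sample authorization logic” slide (purchasing users act in their own region; approval additionally needs the manager role and an amount within the approval limit). Assumes Java 16 or later for the record.

```java
import java.lang.annotation.*;
import java.lang.reflect.*;
import java.util.*;

public class XacmlAopDemo {
    // Hypothetical re-declarations of the slide's annotations (their real package is not on the slide).
    @Retention(RetentionPolicy.RUNTIME) @interface XacmlEnforcementPoint { String action(); }
    @Retention(RetentionPolicy.RUNTIME) @interface XacmlAttribute {}

    static class PurchaseOrder {                       // annotated POJO, as on the slide
        @XacmlAttribute String location;
        @XacmlAttribute double amount;
        PurchaseOrder(String location, double amount) { this.location = location; this.amount = amount; }
    }
    record User(String role, String department, String location, double approvalLimit) {}
    interface VehicleService {
        @XacmlEnforcementPoint(action = "approve") String approvePurchaseOrder(PurchaseOrder po);
    }

    // Stub PDP hard-coding the Acme rules from the slides; a deployment sends a XACML request instead.
    static boolean permit(User u, String action, Map<String, Object> resource) {
        boolean inPurchasing = "purchasing".equals(u.department());
        boolean sameRegion = u.location().equals(resource.get("location"));
        if (!action.equals("approve")) return inPurchasing && sameRegion;       // view / create
        return inPurchasing && sameRegion && "manager".equals(u.role())
                && (Double) resource.get("amount") <= u.approvalLimit();
    }

    // The interceptor: stands in for the AspectJ advice, so the service implementation stays untouched.
    static VehicleService enforce(VehicleService target, User user) {
        return (VehicleService) Proxy.newProxyInstance(VehicleService.class.getClassLoader(),
            new Class<?>[] { VehicleService.class }, (proxy, method, args) -> {
                XacmlEnforcementPoint pep = method.getAnnotation(XacmlEnforcementPoint.class);
                if (pep == null) return method.invoke(target, args);            // not an enforcement point
                Map<String, Object> resource = new HashMap<>();                 // collect @XacmlAttribute fields
                for (Object arg : args == null ? new Object[0] : args)
                    for (Field f : arg.getClass().getDeclaredFields())
                        if (f.isAnnotationPresent(XacmlAttribute.class)) resource.put(f.getName(), f.get(arg));
                if (!permit(user, pep.action(), resource))
                    throw new SecurityException("Deny: " + user.role() + " may not " + pep.action() + " " + resource);
                return method.invoke(target, args);
            });
    }

    public static void main(String[] args) {
        User manager = new User("manager", "purchasing", "AZ", 10000);       // constructed sample user
        VehicleService svc = enforce(po -> "approved " + po.amount, manager);
        System.out.println(svc.approvePurchaseOrder(new PurchaseOrder("AZ", 5000)));  // permitted
        try { svc.approvePurchaseOrder(new PurchaseOrder("AZ", 50000)); }            // over the limit
        catch (SecurityException e) { System.out.println(e.getMessage()); }
    }
}
```

The denial surfaces as a SecurityException thrown before the business method runs, which is the place to attach the obligation or advice text the presentation tier shows the user.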

Page 32: Apply fine-grained authorization to Java MVC applications


Code Deep-dive: Oracle VPD Integration

Configure the Java web app to pass down the client information
Configure VPD to reach out to the Data Access Filter
VPD appends the produced WHERE clause to the original SQL statement

Flow shown on the slide:
Java Web-App
1. View purchase orders
2. SELECT * FROM purchaseOrders
Oracle VPD
3. WHERE location='AZ'
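The WHERE-clause augmentation in the flow above, as an added illustration that is not the Data Access Filter's or VPD's own code: a hypothetical, simplified augment() that carries the region decision into the statement as a bind parameter instead of splicing in a literal such as location='AZ', and that handles the edge case of a statement which already has a WHERE clause and an ORDER BY. The inputs in main() are constructed.

```java
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class RowFilterDemo {
    // Augmented statement plus the value to bind for the added predicate.
    record Filtered(String sql, List<Object> binds) {}

    private static final Pattern TAIL = Pattern.compile(
        "\\s+(ORDER\\s+BY|GROUP\\s+BY|HAVING|FETCH)\\b.*$", Pattern.CASE_INSENSITIVE | Pattern.DOTALL);
    private static final Pattern WHERE = Pattern.compile("\\s+WHERE\\s+", Pattern.CASE_INSENSITIVE);

    // Hypothetical simplified stand-in for the "augment the SQL statement with a WHERE clause" step.
    // The decision arrives as (column, value) and is applied as a bind parameter, never spliced in
    // as a literal; existing WHERE conditions are kept and ANDed, trailing ORDER BY / GROUP BY kept.
    // Limitation: a real filter parses the statement; this regex version does not handle subqueries.
    static Filtered augment(String sql, String column, Object value) {
        if (!column.matches("[A-Za-z_][A-Za-z0-9_]*"))                 // the only token not bound
            throw new IllegalArgumentException("bad column name: " + column);
        String stmt = sql.trim().replaceAll(";\\s*$", "");
        String head = stmt, tail = "";
        Matcher t = TAIL.matcher(stmt);
        if (t.find()) { head = stmt.substring(0, t.start()); tail = stmt.substring(t.start()); }
        String predicate = column + " = ?";
        Matcher w = WHERE.matcher(head);
        String out = w.find()
            ? head.substring(0, w.start()) + " WHERE (" + head.substring(w.end()) + ") AND " + predicate
            : head + " WHERE " + predicate;
        return new Filtered(out + tail, List.of(value));
    }

    public static void main(String[] args) {
        // Constructed inputs: the slide's statement, then one that already has conditions and ordering.
        System.out.println(augment("SELECT * FROM purchaseOrders", "location", "AZ"));
        System.out.println(augment(
            "SELECT id, amount FROM purchaseOrders WHERE amount > 100 ORDER BY id;", "location", "AZ"));
    }
}
```

Because the filter is applied to the statement rather than to each returned row, the database does the narrowing, which is what lets this approach scale past the per-record XACML evaluation the “Challenge” slide warns about.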

Page 33: Apply fine-grained authorization to Java MVC applications


Other areas

Spring Security
JAAS integration
JSP taglibs
JMS
Can you name any?

Goal

Provide a unified, standardized way of applying fine-grained authorization across multiple applications

Page 34: Apply fine-grained authorization to Java MVC applications


eXternalized Authorization: Simpler management

The authorization logic is externalized into XACML policies

You no longer need to write Java code
If the authorization logic changes, update the policies
Strive for configuration-based authorization
  E.g. via interceptors (servlet filters, JAX-WS handlers)
  Configure the handlers using the target framework’s config files (e.g. web.xml)

Page 35: Apply fine-grained authorization to Java MVC applications


eXternalized Authorization saves time

Before: Business logic 80%, Security 20%
After: Business logic 95%, Security 5%

And it’s repeatable: it scales across hundreds of apps

Page 36: Apply fine-grained authorization to Java MVC applications


Beyond Java

Apply the same architectural approach and XACML policies to .NET

Perl

Python

Ruby

Business apps

And more!

Page 37: Apply fine-grained authorization to Java MVC applications


The Axiomatics XACML Developers Website

Community for XACML developers
Technical blog
Download code samples
Understand policy modeling
XACML Reference Library

Functions

Data types…

Download the ALFA plugin for Eclipse

Launched October 2013

Page 38: Apply fine-grained authorization to Java MVC applications


Upcoming events

Gartner IAM Summit Los Angeles

Nov. 18th – 20th

InfoSec Financial London

Nov 19th and 20th

Page 39: Apply fine-grained authorization to Java MVC applications

Questions?

Contact us at [email protected]
