SlideShare une entreprise Scribd logo

Hecate, Managing Authorization with RESTful XML

R
ruyalarcon

WS-REST 2011. Second International Workshop on RESTful Design. Chairs: Cesare Pautasso, Erik Wilde, Rosa Alarcon. <br> Security Session. Sebastian Graf, Vyacheslav Zholudev, Lukas Lewandowski and Marcel Waldvogel.

1  sur  19
Télécharger pour lire hors ligne
Hecate, Managing Authorization with RESTful XML Sebastian Graf, Vyacheslav Zhouldev, Lukas Lewandowski, and Marcel Waldvogel Distributed Systems Group University of Konstanz & School of Engineering and Science Jacobs University 1 Sunday, March 27, 2011
Problem Statement How can authorization on RESTful resources can be performed under the following constraints? 1. Variability of resources must be kept! 2. Different permissions must be offered for the same resource! 3. The extensibility of the framework must be ensured! 2 Sunday, March 27, 2011
Schema of Architecture Hecate Authorization Framework Resources "lecture": { firstname : "Peter" "start": "April 4th", lastname : "Paul" "end": "June, 31st, "topic" "Web Apps" Requests & } user Responses <house> model <floor> … floor 4 PXD </floor> floor 3 </house> floor 2 floor 1 3 Sunday, March 27, 2011
• rule-nodes: Each rule-node represents one specific permission. This permission is bound to one specific resource over the uri-attribute. Even if this attribute is mandatory, it User Model should not be used for unique identification since mul- tiple rules can map on the same URI allowing different operations. For unique identification of rules, an id - attribute is included within each rule linking the user ‣ Simple mapping of concrete to rules on the model to the PXD. The users permission ‣ Represented as a simple table Table 1: User Permissions user-id rule-ids john.doe 13 jane.doe 12 13 ... ... 4 Sunday, March 27, 2011
Permission XML Model (PXD) ‣ XML-based definition of operations mapped to resources ‣ Representing rules and their mapping to ✴HTTP-functionalities ✴Resources ✴(Optional resource aware filters) 5 Sunday, March 27, 2011
4 Properties of PXD 1. One URI can be guarded by multiple rules 2. Each rule maps to one HTTP-Verb 3. Resource-awareness is possible 4. The representation of the resource is independent of the PXD 6 Sunday, March 27, 2011
</ floor > part of Hecate. Even if our Authorization Fr 21 </ house > are also represents rulesets for filtering incoming re only parametrizable, that is it may con ables (like optional ability resourcesresponsespro also the URIs of the to overlay to be fo Listing 1 shows an example representing a house. The defined either in VDoc operation is represented b representations. This Spec itself or passed arrow from the Resources back to the Authoriz structure is partitioned into multiple floors including rooms, a VDoc obtaining. Parametersbetween URIs, work . All of the correlations may dramat doors and lamps. Such an example could represent an ab- content of VDoc whereas there only one V resources, response filters and users are well-d stract resource related to the Web of Things paradigm where As we will see in Section 3.2 the identifiers. PXD and referenced within unique single VD useddesignated ids modifying REST identifiers. to manage reflect these unique requests PXD Example different “things” are simply encapsulated into XML. Listing 2: XML Fragment denoting read access only fine-granular manner.detail in section 3.3. XML is described in Additionally,Management advanced fe 3.2 User one of the most < resources > ity to edit VDocs and process the modified 1 The Authorization Framework consists of < rule id ="12" perm_id ="22" changed parts of a PXD representing the rules components: The VDoc that came from fil 3 uri =" http :// house / floor /4"/ > will mapping and a storepropagated user-related be transparently handling all back to t < rule id ="13" perm_id ="23" ing static parts stores VDoc is not allowed; that the PXD of a no user-related data after 5 uri =" http :// house / floor /4"/ > processor should complain andunique identifi rules are identifiable within an disallow fu ... store references these unique identifiers. Figur 7 < data uri =" http :// house / floor /4"" > Naturally, VDoc XQuery results that are no example of the user model. < content > documents in a visible, the designbe edited ass As clearly storage cannot of the user 9 / house / floor [ @id =4] advantage of editing VDocs is is mapped to ca only out of the user-id which that users t </ content > from the to match e.g. ”john doe” is allowed to a rules physical documents in the reposito 11 </ data > 13 while ”jane doe” is able to access ruleset 12 semantically consistent objects (like theore ... focusingone ruleset mapswith differentone unique that only accessed always only rulesetsagg URI can be on relevant information as 13 < filter id ="43" > < link > logical unit. Section 3.3. / house / floor [ @id =4]// lamps The adaption of user permissions is decoup 3.2 Virtual Documents in Hecate 15 </ link > storage of the rules. If a new user is inserted, data filter checked if there is an existing rule matching th 17 </ filter > Given that our resources are in XML, the @urithe designated users permissions. If@id a new u < perm id ="22" filter_id ="43" so, verbs (like PUT oruser store with the suitable inserted into the POST) naturally may verb =" get "/ > Update statements@filter_id 19 < perm id ="23" verb =" get "/ > in the body to modify perm 21 </ resources > source. However, taking into account the @id Table 1: User Permissions grained filtering rules expressed via XPath Based on this example, List. 2 shows the PXD mapping @uri @perm_id Update modifications might be forbidden f user-id rule-ids rule the data of List. 1. As clearly visible, two different rules are @idTo overcome this problem we are prop john doe 13 mapping the denoted resource. While rule “13” allows the VDocs concept together with its 13 jane doe 12 editing ab ... ... retrieval of all data from the 4th floor, rule “12” filters the 7 losing a generality, we will assume that the same resource by only returning lamps-nodes. This addi- Sunday, March 27, 2011 statements are sent using the POST reque
Workflow of Authorization Get IDs of user IDs found? Returning 403 Returning 403 model related to No (forbidden) (forbidden) credentials Yes No Get rules matching Checking optional Nodes Receiving Request the URI, the REST Yes filter for matching found? verb and the IDs permission Yes Applying filter on either Forwarding Filter request or result and returning request and No available result returning result 8 Sunday, March 27, 2011
Resource-aware filtering ‣ Optional ‣ Bound to the the requesting resource ✓ Kind ✓ Content ✓ Filter possibilities ‣ Flexible mapping to HTTP-Verbs 9 Sunday, March 27, 2011
</ house > </ house > 3. XML-BASED RESOURCES 21 21 HTTP -operation. Related to Since XML offers flexible adaption 1 shows as enriched representing of the dataThe hous Listing as well an example an filtering representingseems n Listing 1 shows example a house. a structure is partitionedis partitionedbasedmultiple concept of VDo structure into multiple into on the floors including toolsets, multiple non-REST -aware resources are encapsu- floors including rooms, doors and an exampleeffective mechanism applicabl lated in XML for convenience reasons[16]. Therefore we Such could represent an represent doors and lamps. Such lamps. an example could ab- chose XML as the base for astractworld exampleresource related to the Web of Things paradigm real resource related to the Web of Things paradigm where stract including resource-aware filtering. different “things” are simply TheXML. 3.1 into Virtual Docum different “things” are simply encapsulated encapsulated into XML Example Listing 2: XML Virtual Documents (VDocs) Listing 1: A resource before modifying Fragment denoting integrating XQueries intoo Listing 2: XML Fragment denotingonly access for read access read 1 < house > 1 < resources >< resources > 1 tional devices and processing < floor id ="1" > < rule id ="12" perm_id ="22" As a rough approximation, < rule id ="12" perm_id ="22" 3 < room > 3 uri =" http :// house / floorhouse> floor /4"/ > to views in r 3 uri =" http :// /4"/ /views” analogous ... < rule id ="13" perm_id ="23" < rule id ="13" perm_id ="23" virtual tables in the sense tha 5 < lamps > 5 uri =" http :// house / floorhouse> floor /4"/ > 5 uri =" http :// /4"/ / queries computed on demand < lamp status =" OFF " id ="1.1"/ > ... ... 7 < data uri http uri =" http :// house / tables. Similarly, VDo database < lamp status =" OFF7" id ="1.2"/ > ="< data:// house / floor /4"" > floor /4"" > 7 </ lamps > < content > < content > computed on demand from t 9 </ room > 9 9 / [ @id / floor [ @id =4] in some storage (like / house / floorhouse=4] sented </ floor > </ content > </ content > ply, in a file system), present 11 ... 11 </ data >11 </ data > Furthermore they can be pres < floor id ="4" > ... ... < filter id ="43" > database or physical files writt 13 < room > 13 < filter id ="43" > 13 ... < link > < link > in relational databases, VDocs 15 < lamps > 15 15 tions in the interaction with c / house / floorhouse=4]// lamps =4]// lamps / [ @id / floor [ @id < lamp status =" OFF " id ="4.1"/ > </ link > </ link > VDocs are defined by a VD 17 < lamp status =" OFF " id ="4.2"/ > </ filter > 17 </ filter > 17 tially is a mixture of static X </ lamps > < perm id ="22" filter_id ="43" and rules ho < perm id ="22" filter_id ="43" XQuery queries 19 </ room > 19 verb =" get "/verb =" get "/ > 19 > should be injected into the r </ floor > < perm id ="23" verb =" get "/verb =" get "/ > < perm id ="23" > 21 </ house > 21 </ resources</ resources > 21 > are also parametrizable, that ables (like URIs of the resour Listing 1 shows an example Based on thisa example,this example, List. PXD in VDoc PXD m representing Based on The 2 shows theeither mapping 10 house. List. defined 2 shows the Spec it structure is partitioned into multiple floors the 1. As of List. 1. As a VDocdifferent twoParameters Sunday, March 27, 2011 the data of List. data clearly visible, two obtaining. different ru including rooms, clearly visible, rules are
</ house21 > </ house > 3. XML-BASED RESOURCES 21 HTTP -operation. Related to Since XML offers flexible adaption as shows an 1 shows an filtering ofathe data Thehous Listing 1 well as enriched representingrepresentingseems n Listing example example house. a structure is partitionedbasedmultiple concept of into on the floors including structure is partitioned into multiple floors including rooms, VDo toolsets, multiple non-REST -aware resources are encapsu- doors Such an example could represent anapplicabl effective mechanism ab- lated in XML for convenience reasons[16]. Therefore we Such an example could represent doors and lamps. and lamps. real world exampleresource related to the Web of Things paradigm stract including chose XML as the base for a stract resource related to the Web of Things paradigm where resource-aware filtering. different simply encapsulatedThe Virtual Docum 3.1 into XML. different “things” are “things” are simply encapsulated into XML ExampleListing 2: XML Virtual Documents (VDocs) Listing 1: A resource before modifying Fragment denoting read access only access o Listing 2: XML Fragment denoting read for integrating XQueries into 1 < house > 1 < resources < resources > 1 > tional devices and processing < floor id ="1" > < rule id ="12" perm_id ="22" As a rough approximation, < rule id ="12" perm_id ="22" 3 < room > 3 uri =" http :// house / floor /4"// floor /4"/ > to views in r 3 uri =" http :// house > views” analogous ... < rule id ="13" perm_id ="23" < rule id ="13" perm_id ="23" virtual tables in the sense tha 5 < lamps > 5 uri =" http :// house / floor /4"// floor /4"/ > 5 uri =" http :// house > queries computed on demand < lamp status =" OFF " id ="1.1"/ > ... ... 7 7 ="1.2"/ > < http uri =" http :// house >tables. Similarly, VDo 7 database < lamp status =" OFF " id < data uri =" data :// house / floor /4""/ floor /4"" > </ lamps > < content > < content > computed on demand from t 9 </ room > 9 / house / floor [ @id/ floor [ @id =4] in some storage (like 9 / house =4] sented </ floor > </ content > </ content > ply, in a file system), present 11 ... 11 </ data11 > </ data > Furthermore they can be pres < floor id ="4" > ... ... database or physical files writt 13 < room > 13 < filter id < filter id ="43" > 13 ="43" > ... < link > < link > in relational databases, VDocs 15 < lamps > 15 15 tions in the interaction with c / house / floor [ @id/ floor [ @id =4]// lamps / house =4]// lamps < lamp status =" OFF " id ="4.1"/ > </ link </ link > VDocs are defined by a VD 17 < lamp status =" OFF " id </ filter > </ filter > 17 ="4.2"/ >17 tially is a mixture of static X </ lamps > < perm id ="22" filter_id ="43" and rules ho < perm id ="22" filter_id ="43" XQuery queries 19 </ room > 19 verb =" get "/ > =" get "/ > 19 verb should be injected into the r </ floor > < perm id ="23" verb="23" "/ > =" get "/ > < perm id =" get verb 21 </ house > 21 </ resources > resources > 21 </ are also parametrizable, that ables (like URIs of the resour Based on this example, List. 2 shows the showsVDoc PXD it defined either in the Spec Listing 1 shows an example representing Based on this example, List. 2PXD mapping m 11 a house. The structure is partitioned into multiple floors the data ofclearly1. As a VDoc obtaining. Parameters Sunday, March 27, 2011 the data of List. 1. As rooms, visible, two different rules are ru including List. clearly visible, two different
Read Requests GET john.doe:secretpass@http://house/floor4 HTTP-REQUEST house DATA lamps floor lamp lamp @id=4 room PERMITTED lamps room DATA lamp lamp http://house/ /house[./floor/@id=4]//lamps/* RESOURCE XPath RESPONSE 12 Sunday, March 27, 2011
Write Requests Concerns about authorized writes: ‣ Atomicity of modifications ‣ Visibility of data ‣… Clear definition of constraints going along with modification requests: ‣ Weakening Authorization? ‣ Persistent Views? 13 Sunday, March 27, 2011
Write Requests Concerns about authorized writes: ‣ Atomicity of modifications ‣ Visibility of data ‣… Clear definition of constraints going along with modification requests: ‣ Weakening Authorization? ‣ Persistent Views? (e.g. VDocs in XML) 14 Sunday, March 27, 2011
VDocs ‣ (Persistent / In-Memory) views on XML ‣ Wrapping XQueries ‣ On-the-fly annotating of elements ‣ Consists out of ‣ VDoc processor ‣ VDoc specification In our context: On-the-fly annotating of permissions to verify valid permissions on intermediate result 15 Sunday, March 27, 2011
XQuery function requested resource together with a filtering XPath expres- e. So we consider sion to an authorization VDoc Spec (see Section 3.2). A result sion. VDoc will have elements amenable to modifications marked with special VDoc attributes 3 . After the content of VDoc is ied with a POST retrieved, a supplied XQuery Update expression is applied content. to it (see List. 3). fied and the origi- VDoc-Example Listing 3: A marked and modified resource < house > that were marked 2 < floor id ="1" > a VDoc processor < room > ot changeable are 4 ... an error code to < lamps > 6 < lamp status =" ON " id ="1323412"/ > bidden response < lamp status =" ON " id ="5456"/ > two options how 8 </ lamps > </ room > 10 </ floor > ... g markers filtered 12 < floor id ="4" > < room > 14 ... ment to the un- < lamps > 16 < lamp vdoc : uri ="..." arantee that this vdoc : xpath ="/ house [1]/ floor [4]/ room [1]/ lamp [1]" allowed nodes in 18 status =" ON " id ="3443"/ > < lamp vdoc : uri ="..." 20 vdoc : xpath ="/ house [1]/ floor [4]/ room [1]/ lamp [2]" status =" ON " id ="5456"/ > he underlying sys- 22 </ lamps > nse for the client. </ room > 24 </ floor > ides fine-granular </ house > several disadvan- for the flexibility Note that the status of 16 marked lamps (for the floor not Sunday, March 27, 2011 1) have also been modified. A VDoc processor will compare
Write Requests Yes Apply Changes HTTP-REQUEST Returning 403 POST john.doe:secretpass@http://house/floor4 (forbidden) for $status in /house//lamp/@status return only marked No Body replace value of node $status with "ON" Nodes modified mod.VDoc house VDoc te da house VDoc Up floor floor ery Marking Nodes Spec u XQ room @id=4 room @id=4 room room lamps lamps /house[./floor/@id=4]//lamps lamp lamp lamp lamp Permission-XPath 17 Sunday, March 27, 2011
Summary ‣ Flexible authorization framework fitting the extensibility of HTTP and REST ‣ Independence from resources ‣ Optional extension of authorization workflow with the help of in-depth knowledge ‣ Implementation in JAX-RX (Treetank) and TntBase 18 Sunday, March 27, 2011
Thanks for your attention Any Questions now? (or later: sebastian.graf@uni-konstanz.de) 19 Sunday, March 27, 2011

Recommandé

Summer Training In Dotnet
Summer Training In DotnetSummer Training In Dotnet
Summer Training In DotnetDUCC Systems
 
Recipe to build open splice dds 6.3.xxx Hello World example over Qt 5.2
Recipe to build open splice dds 6.3.xxx Hello World example over Qt 5.2 Recipe to build open splice dds 6.3.xxx Hello World example over Qt 5.2
Recipe to build open splice dds 6.3.xxx Hello World example over Qt 5.2 Adil Khan
 
02 hibernateintroduction
02 hibernateintroduction02 hibernateintroduction
02 hibernateintroductionthirumuru2012
 
Cspd san fran2011
Cspd san fran2011Cspd san fran2011
Cspd san fran2011tbg-designs
 
XML Technologies for RESTful Services Development
XML Technologies for RESTful Services DevelopmentXML Technologies for RESTful Services Development
XML Technologies for RESTful Services Developmentruyalarcon
 
Sustainable Compliance For PCI DSS Standard
Sustainable Compliance For PCI DSS StandardSustainable Compliance For PCI DSS Standard
Sustainable Compliance For PCI DSS StandardChristian Frahm
 
IT復興円卓会議資料
IT復興円卓会議資料IT復興円卓会議資料
IT復興円卓会議資料Ishii Miho
 
Fulfilling the Hypermedia Constraint via HTTP OPTIONS, The HTTP Vocabulary In...
Fulfilling the Hypermedia Constraint via HTTP OPTIONS, The HTTP Vocabulary In...Fulfilling the Hypermedia Constraint via HTTP OPTIONS, The HTTP Vocabulary In...
Fulfilling the Hypermedia Constraint via HTTP OPTIONS, The HTTP Vocabulary In...ruyalarcon
 

Recommandé

Summer Training In Dotnet
Summer Training In DotnetSummer Training In Dotnet
Summer Training In DotnetDUCC Systems
 
Recipe to build open splice dds 6.3.xxx Hello World example over Qt 5.2
Recipe to build open splice dds 6.3.xxx Hello World example over Qt 5.2 Recipe to build open splice dds 6.3.xxx Hello World example over Qt 5.2
Recipe to build open splice dds 6.3.xxx Hello World example over Qt 5.2 Adil Khan
 
02 hibernateintroduction
02 hibernateintroduction02 hibernateintroduction
02 hibernateintroductionthirumuru2012
 
Cspd san fran2011
Cspd san fran2011Cspd san fran2011
Cspd san fran2011tbg-designs
 
XML Technologies for RESTful Services Development
XML Technologies for RESTful Services DevelopmentXML Technologies for RESTful Services Development
XML Technologies for RESTful Services Developmentruyalarcon
 
Sustainable Compliance For PCI DSS Standard
Sustainable Compliance For PCI DSS StandardSustainable Compliance For PCI DSS Standard
Sustainable Compliance For PCI DSS StandardChristian Frahm
 
IT復興円卓会議資料
IT復興円卓会議資料IT復興円卓会議資料
IT復興円卓会議資料Ishii Miho
 
Fulfilling the Hypermedia Constraint via HTTP OPTIONS, The HTTP Vocabulary In...
Fulfilling the Hypermedia Constraint via HTTP OPTIONS, The HTTP Vocabulary In...Fulfilling the Hypermedia Constraint via HTTP OPTIONS, The HTTP Vocabulary In...
Fulfilling the Hypermedia Constraint via HTTP OPTIONS, The HTTP Vocabulary In...ruyalarcon
 
RestFS: Resources and Services are Filesystems, Too
RestFS: Resources and Services are Filesystems, TooRestFS: Resources and Services are Filesystems, Too
RestFS: Resources and Services are Filesystems, Tooruyalarcon
 
Propuesta grupal
Propuesta grupal Propuesta grupal
Propuesta grupal Jessica Trujillo Villa
 
Xtremekeratincare
XtremekeratincareXtremekeratincare
Xtremekeratincarextremekeratin
 
Wsrest13 gilherme keynote
Wsrest13 gilherme keynoteWsrest13 gilherme keynote
Wsrest13 gilherme keynoteruyalarcon
 
2015 State of the Industry - LOGA Don Briggs
2015 State of the Industry - LOGA Don Briggs2015 State of the Industry - LOGA Don Briggs
2015 State of the Industry - LOGA Don BriggsLouisiana Oil & Gas Association
 
The Red Sea Crossing
The Red Sea CrossingThe Red Sea Crossing
The Red Sea CrossingAndrew Rodrigues
 
IT復興円卓会議資料
IT復興円卓会議資料IT復興円卓会議資料
IT復興円卓会議資料Ishii Miho
 
A Resource Oriented Framework for Context-Aware Enterprise Applications
A Resource Oriented Framework for Context-Aware Enterprise ApplicationsA Resource Oriented Framework for Context-Aware Enterprise Applications
A Resource Oriented Framework for Context-Aware Enterprise Applicationsruyalarcon
 
S1 intro
S1 introS1 intro
S1 introruyalarcon
 
Meetup intro presentation
Meetup intro presentationMeetup intro presentation
Meetup intro presentationBrisbaneAgileMeetup
 
Life Support
Life SupportLife Support
Life Supportpeterjulianlee
 
Xtremekeratincare.com
Xtremekeratincare.comXtremekeratincare.com
Xtremekeratincare.comxtremekeratin
 
Presentación ingles evet2edu
Presentación ingles evet2eduPresentación ingles evet2edu
Presentación ingles evet2eduMaría-del-Mar Sanchez-Vera
 
ISPPについて
ISPPについてISPPについて
ISPPについてIshii Miho
 
English class 4
English class 4English class 4
English class 4Uranchimeg Sunduijav
 
REST and Linked Data: a match made for domain driven development?
REST and Linked Data: a match made for domain driven development?REST and Linked Data: a match made for domain driven development?
REST and Linked Data: a match made for domain driven development?ruyalarcon
 
Teaching Old Services New Tricks: Adding HATEOAS Support as an Afterthought
Teaching Old Services New Tricks: Adding HATEOAS Support as an AfterthoughtTeaching Old Services New Tricks: Adding HATEOAS Support as an Afterthought
Teaching Old Services New Tricks: Adding HATEOAS Support as an Afterthoughtruyalarcon
 
Trabajo de excel
Trabajo de excelTrabajo de excel
Trabajo de exceldianasandovalmalagon
 
Jackson m ci583_the artist teacher identity in the classroom
Jackson m ci583_the artist teacher identity in the classroomJackson m ci583_the artist teacher identity in the classroom
Jackson m ci583_the artist teacher identity in the classroommkjackson
 
A Framework for Self-descriptive RESTful Services
A Framework for Self-descriptive RESTful ServicesA Framework for Self-descriptive RESTful Services
A Framework for Self-descriptive RESTful Servicesruyalarcon
 
MIT CSAIL Linked Data Ventures Class: Linked Open Data for Entrepreneurs 2013
MIT CSAIL Linked Data Ventures Class: Linked Open Data for Entrepreneurs 2013MIT CSAIL Linked Data Ventures Class: Linked Open Data for Entrepreneurs 2013
MIT CSAIL Linked Data Ventures Class: Linked Open Data for Entrepreneurs 20133 Round Stones
 
Futex ppt
Futex pptFutex ppt
Futex pptOECLIB Odisha Electronics Control Library
 

Contenu connexe

En vedette

RestFS: Resources and Services are Filesystems, Too
RestFS: Resources and Services are Filesystems, TooRestFS: Resources and Services are Filesystems, Too
RestFS: Resources and Services are Filesystems, Tooruyalarcon
 
Wsrest13 gilherme keynote
Wsrest13 gilherme keynoteWsrest13 gilherme keynote
Wsrest13 gilherme keynoteruyalarcon
 
IT復興円卓会議資料
IT復興円卓会議資料IT復興円卓会議資料
IT復興円卓会議資料Ishii Miho
 
A Resource Oriented Framework for Context-Aware Enterprise Applications
A Resource Oriented Framework for Context-Aware Enterprise ApplicationsA Resource Oriented Framework for Context-Aware Enterprise Applications
A Resource Oriented Framework for Context-Aware Enterprise Applicationsruyalarcon
 
Xtremekeratincare.com
Xtremekeratincare.comXtremekeratincare.com
Xtremekeratincare.comxtremekeratin
 
ISPPについて
ISPPについてISPPについて
ISPPについてIshii Miho
 
REST and Linked Data: a match made for domain driven development?
REST and Linked Data: a match made for domain driven development?REST and Linked Data: a match made for domain driven development?
REST and Linked Data: a match made for domain driven development?ruyalarcon
 
Teaching Old Services New Tricks: Adding HATEOAS Support as an Afterthought
Teaching Old Services New Tricks: Adding HATEOAS Support as an AfterthoughtTeaching Old Services New Tricks: Adding HATEOAS Support as an Afterthought
Teaching Old Services New Tricks: Adding HATEOAS Support as an Afterthoughtruyalarcon
 
Jackson m ci583_the artist teacher identity in the classroom
Jackson m ci583_the artist teacher identity in the classroomJackson m ci583_the artist teacher identity in the classroom
Jackson m ci583_the artist teacher identity in the classroommkjackson
 
A Framework for Self-descriptive RESTful Services
A Framework for Self-descriptive RESTful ServicesA Framework for Self-descriptive RESTful Services
A Framework for Self-descriptive RESTful Servicesruyalarcon
 

En vedette (20)

RestFS: Resources and Services are Filesystems, Too
RestFS: Resources and Services are Filesystems, TooRestFS: Resources and Services are Filesystems, Too
RestFS: Resources and Services are Filesystems, Too
 
Propuesta grupal
Propuesta grupal Propuesta grupal
Propuesta grupal
 
Xtremekeratincare
XtremekeratincareXtremekeratincare
Xtremekeratincare
 
Wsrest13 gilherme keynote
Wsrest13 gilherme keynoteWsrest13 gilherme keynote
Wsrest13 gilherme keynote
 
2015 State of the Industry - LOGA Don Briggs
2015 State of the Industry - LOGA Don Briggs2015 State of the Industry - LOGA Don Briggs
2015 State of the Industry - LOGA Don Briggs
 
The Red Sea Crossing
The Red Sea CrossingThe Red Sea Crossing
The Red Sea Crossing
 
IT復興円卓会議資料
IT復興円卓会議資料IT復興円卓会議資料
IT復興円卓会議資料
 
A Resource Oriented Framework for Context-Aware Enterprise Applications
A Resource Oriented Framework for Context-Aware Enterprise ApplicationsA Resource Oriented Framework for Context-Aware Enterprise Applications
A Resource Oriented Framework for Context-Aware Enterprise Applications
 
S1 intro
S1 introS1 intro
S1 intro
 
Meetup intro presentation
Meetup intro presentationMeetup intro presentation
Meetup intro presentation
 
Life Support
Life SupportLife Support
Life Support
 
Xtremekeratincare.com
Xtremekeratincare.comXtremekeratincare.com
Xtremekeratincare.com
 
Presentación ingles evet2edu
Presentación ingles evet2eduPresentación ingles evet2edu
Presentación ingles evet2edu
 
ISPPについて
ISPPについてISPPについて
ISPPについて
 
English class 4
English class 4English class 4
English class 4
 
REST and Linked Data: a match made for domain driven development?
REST and Linked Data: a match made for domain driven development?REST and Linked Data: a match made for domain driven development?
REST and Linked Data: a match made for domain driven development?
 
Teaching Old Services New Tricks: Adding HATEOAS Support as an Afterthought
Teaching Old Services New Tricks: Adding HATEOAS Support as an AfterthoughtTeaching Old Services New Tricks: Adding HATEOAS Support as an Afterthought
Teaching Old Services New Tricks: Adding HATEOAS Support as an Afterthought
 
Trabajo de excel
Trabajo de excelTrabajo de excel
Trabajo de excel
 
Jackson m ci583_the artist teacher identity in the classroom
Jackson m ci583_the artist teacher identity in the classroomJackson m ci583_the artist teacher identity in the classroom
Jackson m ci583_the artist teacher identity in the classroom
 
A Framework for Self-descriptive RESTful Services
A Framework for Self-descriptive RESTful ServicesA Framework for Self-descriptive RESTful Services
A Framework for Self-descriptive RESTful Services
 

Similaire à Hecate, Managing Authorization with RESTful XML

MIT CSAIL Linked Data Ventures Class: Linked Open Data for Entrepreneurs 2013
MIT CSAIL Linked Data Ventures Class: Linked Open Data for Entrepreneurs 2013MIT CSAIL Linked Data Ventures Class: Linked Open Data for Entrepreneurs 2013
MIT CSAIL Linked Data Ventures Class: Linked Open Data for Entrepreneurs 20133 Round Stones
 
Semantic IoT Semantic Inter-Operability Practices - Part 1
Semantic IoT Semantic Inter-Operability Practices - Part 1Semantic IoT Semantic Inter-Operability Practices - Part 1
Semantic IoT Semantic Inter-Operability Practices - Part 1iotest
 
SELFLESS INHERITANCE
SELFLESS INHERITANCESELFLESS INHERITANCE
SELFLESS INHERITANCEijpla
 
Pal gov.tutorial3.session4.rest
Pal gov.tutorial3.session4.restPal gov.tutorial3.session4.rest
Pal gov.tutorial3.session4.restMustafa Jarrar
 
Pal gov.tutorial2.session5 1.rdf_jarrar
Pal gov.tutorial2.session5 1.rdf_jarrarPal gov.tutorial2.session5 1.rdf_jarrar
Pal gov.tutorial2.session5 1.rdf_jarrarMustafa Jarrar
 
1.2 active directory
1.2 active directory1.2 active directory
1.2 active directoryMuuluu
 
Lessons learned from writing over 300,000 lines of infrastructure code
Lessons learned from writing over 300,000 lines of infrastructure codeLessons learned from writing over 300,000 lines of infrastructure code
Lessons learned from writing over 300,000 lines of infrastructure codeYevgeniy Brikman
 
Fairport domain specific metadata using w3 c dcat & skos w ontology views
Fairport domain specific metadata using w3 c dcat & skos w ontology viewsFairport domain specific metadata using w3 c dcat & skos w ontology views
Fairport domain specific metadata using w3 c dcat & skos w ontology viewsTim Clark
 
Pal gov.tutorial2.session2.xml dtd's
Pal gov.tutorial2.session2.xml dtd'sPal gov.tutorial2.session2.xml dtd's
Pal gov.tutorial2.session2.xml dtd'sMustafa Jarrar
 
Docker: Testing to Production
Docker: Testing to ProductionDocker: Testing to Production
Docker: Testing to ProductionEdwin Fuquen
 
Pal gov.tutorial2.session5 2.rdfs_jarrar
Pal gov.tutorial2.session5 2.rdfs_jarrarPal gov.tutorial2.session5 2.rdfs_jarrar
Pal gov.tutorial2.session5 2.rdfs_jarrarMustafa Jarrar
 
DC/OS: The definitive platform for modern apps
DC/OS: The definitive platform for modern appsDC/OS: The definitive platform for modern apps
DC/OS: The definitive platform for modern appsDatio Big Data
 

Similaire à Hecate, Managing Authorization with RESTful XML (20)

MIT CSAIL Linked Data Ventures Class: Linked Open Data for Entrepreneurs 2013
MIT CSAIL Linked Data Ventures Class: Linked Open Data for Entrepreneurs 2013MIT CSAIL Linked Data Ventures Class: Linked Open Data for Entrepreneurs 2013
MIT CSAIL Linked Data Ventures Class: Linked Open Data for Entrepreneurs 2013
 
Futex ppt
Futex pptFutex ppt
Futex ppt
 
Semantic IoT Semantic Inter-Operability Practices - Part 1
Semantic IoT Semantic Inter-Operability Practices - Part 1Semantic IoT Semantic Inter-Operability Practices - Part 1
Semantic IoT Semantic Inter-Operability Practices - Part 1
 
SELFLESS INHERITANCE
SELFLESS INHERITANCESELFLESS INHERITANCE
SELFLESS INHERITANCE
 
Pal gov.tutorial3.session4.rest
Pal gov.tutorial3.session4.restPal gov.tutorial3.session4.rest
Pal gov.tutorial3.session4.rest
 
Pal gov.tutorial2.session5 1.rdf_jarrar
Pal gov.tutorial2.session5 1.rdf_jarrarPal gov.tutorial2.session5 1.rdf_jarrar
Pal gov.tutorial2.session5 1.rdf_jarrar
 
1.2 active directory
1.2 active directory1.2 active directory
1.2 active directory
 
Introduction to odbms
Introduction to odbmsIntroduction to odbms
Introduction to odbms
 
2013-01-17 Research Object
2013-01-17 Research Object2013-01-17 Research Object
2013-01-17 Research Object
 
Lessons learned from writing over 300,000 lines of infrastructure code
Lessons learned from writing over 300,000 lines of infrastructure codeLessons learned from writing over 300,000 lines of infrastructure code
Lessons learned from writing over 300,000 lines of infrastructure code
 
Fairport domain specific metadata using w3 c dcat & skos w ontology views
Fairport domain specific metadata using w3 c dcat & skos w ontology viewsFairport domain specific metadata using w3 c dcat & skos w ontology views
Fairport domain specific metadata using w3 c dcat & skos w ontology views
 
RESTful Triple Spaces of Things
RESTful Triple Spaces of ThingsRESTful Triple Spaces of Things
RESTful Triple Spaces of Things
 
Pal gov.tutorial2.session2.xml dtd's
Pal gov.tutorial2.session2.xml dtd'sPal gov.tutorial2.session2.xml dtd's
Pal gov.tutorial2.session2.xml dtd's
 
LOD2: State of Play WP6 - LOD2 Stack Architecture
LOD2: State of Play WP6 - LOD2 Stack ArchitectureLOD2: State of Play WP6 - LOD2 Stack Architecture
LOD2: State of Play WP6 - LOD2 Stack Architecture
 
Docker: Testing to Production
Docker: Testing to ProductionDocker: Testing to Production
Docker: Testing to Production
 
Pal gov.tutorial2.session5 2.rdfs_jarrar
Pal gov.tutorial2.session5 2.rdfs_jarrarPal gov.tutorial2.session5 2.rdfs_jarrar
Pal gov.tutorial2.session5 2.rdfs_jarrar
 
Nov 2011 HUG: Blur - Lucene on Hadoop
Nov 2011 HUG: Blur - Lucene on HadoopNov 2011 HUG: Blur - Lucene on Hadoop
Nov 2011 HUG: Blur - Lucene on Hadoop
 
115 sem 3_o-pesch
115 sem 3_o-pesch115 sem 3_o-pesch
115 sem 3_o-pesch
 
DC/OS: The definitive platform for modern apps
DC/OS: The definitive platform for modern appsDC/OS: The definitive platform for modern apps
DC/OS: The definitive platform for modern apps
 
Project Voldemort
Project VoldemortProject Voldemort
Project Voldemort
 

Hecate, Managing Authorization with RESTful XML

  • 1. Hecate, Managing Authorization with RESTful XML Sebastian Graf, Vyacheslav Zhouldev, Lukas Lewandowski, and Marcel Waldvogel Distributed Systems Group University of Konstanz & School of Engineering and Science Jacobs University 1 Sunday, March 27, 2011
  • 2. Problem Statement How can authorization on RESTful resources can be performed under the following constraints? 1. Variability of resources must be kept! 2. Different permissions must be offered for the same resource! 3. The extensibility of the framework must be ensured! 2 Sunday, March 27, 2011
  • 3. Schema of Architecture Hecate Authorization Framework Resources "lecture": { firstname : "Peter" "start": "April 4th", lastname : "Paul" "end": "June, 31st, "topic" "Web Apps" Requests & } user Responses <house> model <floor> … floor 4 PXD </floor> floor 3 </house> floor 2 floor 1 3 Sunday, March 27, 2011
  • 4. • rule-nodes: Each rule-node represents one specific permission. This permission is bound to one specific resource over the uri-attribute. Even if this attribute is mandatory, it User Model should not be used for unique identification since mul- tiple rules can map on the same URI allowing different operations. For unique identification of rules, an id - attribute is included within each rule linking the user ‣ Simple mapping of concrete to rules on the model to the PXD. The users permission ‣ Represented as a simple table Table 1: User Permissions user-id rule-ids john.doe 13 jane.doe 12 13 ... ... 4 Sunday, March 27, 2011
  • 5. Permission XML Model (PXD) ‣ XML-based definition of operations mapped to resources ‣ Representing rules and their mapping to ✴HTTP-functionalities ✴Resources ✴(Optional resource aware filters) 5 Sunday, March 27, 2011
  • 6. 4 Properties of PXD 1. One URI can be guarded by multiple rules 2. Each rule maps to one HTTP-Verb 3. Resource-awareness is possible 4. The representation of the resource is independent of the PXD 6 Sunday, March 27, 2011
  • 7. </ floor > part of Hecate. Even if our Authorization Fr 21 </ house > are also represents rulesets for filtering incoming re only parametrizable, that is it may con ables (like optional ability resourcesresponsespro also the URIs of the to overlay to be fo Listing 1 shows an example representing a house. The defined either in VDoc operation is represented b representations. This Spec itself or passed arrow from the Resources back to the Authoriz structure is partitioned into multiple floors including rooms, a VDoc obtaining. Parametersbetween URIs, work . All of the correlations may dramat doors and lamps. Such an example could represent an ab- content of VDoc whereas there only one V resources, response filters and users are well-d stract resource related to the Web of Things paradigm where As we will see in Section 3.2 the identifiers. PXD and referenced within unique single VD useddesignated ids modifying REST identifiers. to manage reflect these unique requests PXD Example different “things” are simply encapsulated into XML. Listing 2: XML Fragment denoting read access only fine-granular manner.detail in section 3.3. XML is described in Additionally,Management advanced fe 3.2 User one of the most < resources > ity to edit VDocs and process the modified 1 The Authorization Framework consists of < rule id ="12" perm_id ="22" changed parts of a PXD representing the rules components: The VDoc that came from fil 3 uri =" http :// house / floor /4"/ > will mapping and a storepropagated user-related be transparently handling all back to t < rule id ="13" perm_id ="23" ing static parts stores VDoc is not allowed; that the PXD of a no user-related data after 5 uri =" http :// house / floor /4"/ > processor should complain andunique identifi rules are identifiable within an disallow fu ... store references these unique identifiers. Figur 7 < data uri =" http :// house / floor /4"" > Naturally, VDoc XQuery results that are no example of the user model. < content > documents in a visible, the designbe edited ass As clearly storage cannot of the user 9 / house / floor [ @id =4] advantage of editing VDocs is is mapped to ca only out of the user-id which that users t </ content > from the to match e.g. ”john doe” is allowed to a rules physical documents in the reposito 11 </ data > 13 while ”jane doe” is able to access ruleset 12 semantically consistent objects (like theore ... focusingone ruleset mapswith differentone unique that only accessed always only rulesetsagg URI can be on relevant information as 13 < filter id ="43" > < link > logical unit. Section 3.3. / house / floor [ @id =4]// lamps The adaption of user permissions is decoup 3.2 Virtual Documents in Hecate 15 </ link > storage of the rules. If a new user is inserted, data filter checked if there is an existing rule matching th 17 </ filter > Given that our resources are in XML, the @urithe designated users permissions. If@id a new u < perm id ="22" filter_id ="43" so, verbs (like PUT oruser store with the suitable inserted into the POST) naturally may verb =" get "/ > Update statements@filter_id 19 < perm id ="23" verb =" get "/ > in the body to modify perm 21 </ resources > source. However, taking into account the @id Table 1: User Permissions grained filtering rules expressed via XPath Based on this example, List. 2 shows the PXD mapping @uri @perm_id Update modifications might be forbidden f user-id rule-ids rule the data of List. 1. As clearly visible, two different rules are @idTo overcome this problem we are prop john doe 13 mapping the denoted resource. While rule “13” allows the VDocs concept together with its 13 jane doe 12 editing ab ... ... retrieval of all data from the 4th floor, rule “12” filters the 7 losing a generality, we will assume that the same resource by only returning lamps-nodes. This addi- Sunday, March 27, 2011 statements are sent using the POST reque
  • 8. Workflow of Authorization Get IDs of user IDs found? Returning 403 Returning 403 model related to No (forbidden) (forbidden) credentials Yes No Get rules matching Checking optional Nodes Receiving Request the URI, the REST Yes filter for matching found? verb and the IDs permission Yes Applying filter on either Forwarding Filter request or result and returning request and No available result returning result 8 Sunday, March 27, 2011
  • 9. Resource-aware filtering ‣ Optional ‣ Bound to the the requesting resource ✓ Kind ✓ Content ✓ Filter possibilities ‣ Flexible mapping to HTTP-Verbs 9 Sunday, March 27, 2011
  • 10. </ house > </ house > 3. XML-BASED RESOURCES 21 21 HTTP -operation. Related to Since XML offers flexible adaption 1 shows as enriched representing of the dataThe hous Listing as well an example an filtering representingseems n Listing 1 shows example a house. a structure is partitionedis partitionedbasedmultiple concept of VDo structure into multiple into on the floors including toolsets, multiple non-REST -aware resources are encapsu- floors including rooms, doors and an exampleeffective mechanism applicabl lated in XML for convenience reasons[16]. Therefore we Such could represent an represent doors and lamps. Such lamps. an example could ab- chose XML as the base for astractworld exampleresource related to the Web of Things paradigm real resource related to the Web of Things paradigm where stract including resource-aware filtering. different “things” are simply TheXML. 3.1 into Virtual Docum different “things” are simply encapsulated encapsulated into XML Example Listing 2: XML Virtual Documents (VDocs) Listing 1: A resource before modifying Fragment denoting integrating XQueries intoo Listing 2: XML Fragment denotingonly access for read access read 1 < house > 1 < resources >< resources > 1 tional devices and processing < floor id ="1" > < rule id ="12" perm_id ="22" As a rough approximation, < rule id ="12" perm_id ="22" 3 < room > 3 uri =" http :// house / floorhouse> floor /4"/ > to views in r 3 uri =" http :// /4"/ /views” analogous ... < rule id ="13" perm_id ="23" < rule id ="13" perm_id ="23" virtual tables in the sense tha 5 < lamps > 5 uri =" http :// house / floorhouse> floor /4"/ > 5 uri =" http :// /4"/ / queries computed on demand < lamp status =" OFF " id ="1.1"/ > ... ... 7 < data uri http uri =" http :// house / tables. Similarly, VDo database < lamp status =" OFF7" id ="1.2"/ > ="< data:// house / floor /4"" > floor /4"" > 7 </ lamps > < content > < content > computed on demand from t 9 </ room > 9 9 / [ @id / floor [ @id =4] in some storage (like / house / floorhouse=4] sented </ floor > </ content > </ content > ply, in a file system), present 11 ... 11 </ data >11 </ data > Furthermore they can be pres < floor id ="4" > ... ... < filter id ="43" > database or physical files writt 13 < room > 13 < filter id ="43" > 13 ... < link > < link > in relational databases, VDocs 15 < lamps > 15 15 tions in the interaction with c / house / floorhouse=4]// lamps =4]// lamps / [ @id / floor [ @id < lamp status =" OFF " id ="4.1"/ > </ link > </ link > VDocs are defined by a VD 17 < lamp status =" OFF " id ="4.2"/ > </ filter > 17 </ filter > 17 tially is a mixture of static X </ lamps > < perm id ="22" filter_id ="43" and rules ho < perm id ="22" filter_id ="43" XQuery queries 19 </ room > 19 verb =" get "/verb =" get "/ > 19 > should be injected into the r </ floor > < perm id ="23" verb =" get "/verb =" get "/ > < perm id ="23" > 21 </ house > 21 </ resources</ resources > 21 > are also parametrizable, that ables (like URIs of the resour Listing 1 shows an example Based on thisa example,this example, List. PXD in VDoc PXD m representing Based on The 2 shows theeither mapping 10 house. List. defined 2 shows the Spec it structure is partitioned into multiple floors the 1. As of List. 1. As a VDocdifferent twoParameters Sunday, March 27, 2011 the data of List. data clearly visible, two obtaining. different ru including rooms, clearly visible, rules are
  • 11. </ house21 > </ house > 3. XML-BASED RESOURCES 21 HTTP -operation. Related to Since XML offers flexible adaption as shows an 1 shows an filtering ofathe data Thehous Listing 1 well as enriched representingrepresentingseems n Listing example example house. a structure is partitionedbasedmultiple concept of into on the floors including structure is partitioned into multiple floors including rooms, VDo toolsets, multiple non-REST -aware resources are encapsu- doors Such an example could represent anapplicabl effective mechanism ab- lated in XML for convenience reasons[16]. Therefore we Such an example could represent doors and lamps. and lamps. real world exampleresource related to the Web of Things paradigm stract including chose XML as the base for a stract resource related to the Web of Things paradigm where resource-aware filtering. different simply encapsulatedThe Virtual Docum 3.1 into XML. different “things” are “things” are simply encapsulated into XML ExampleListing 2: XML Virtual Documents (VDocs) Listing 1: A resource before modifying Fragment denoting read access only access o Listing 2: XML Fragment denoting read for integrating XQueries into 1 < house > 1 < resources < resources > 1 > tional devices and processing < floor id ="1" > < rule id ="12" perm_id ="22" As a rough approximation, < rule id ="12" perm_id ="22" 3 < room > 3 uri =" http :// house / floor /4"// floor /4"/ > to views in r 3 uri =" http :// house > views” analogous ... < rule id ="13" perm_id ="23" < rule id ="13" perm_id ="23" virtual tables in the sense tha 5 < lamps > 5 uri =" http :// house / floor /4"// floor /4"/ > 5 uri =" http :// house > queries computed on demand < lamp status =" OFF " id ="1.1"/ > ... ... 7 7 ="1.2"/ > < http uri =" http :// house >tables. Similarly, VDo 7 database < lamp status =" OFF " id < data uri =" data :// house / floor /4""/ floor /4"" > </ lamps > < content > < content > computed on demand from t 9 </ room > 9 / house / floor [ @id/ floor [ @id =4] in some storage (like 9 / house =4] sented </ floor > </ content > </ content > ply, in a file system), present 11 ... 11 </ data11 > </ data > Furthermore they can be pres < floor id ="4" > ... ... database or physical files writt 13 < room > 13 < filter id < filter id ="43" > 13 ="43" > ... < link > < link > in relational databases, VDocs 15 < lamps > 15 15 tions in the interaction with c / house / floor [ @id/ floor [ @id =4]// lamps / house =4]// lamps < lamp status =" OFF " id ="4.1"/ > </ link </ link > VDocs are defined by a VD 17 < lamp status =" OFF " id </ filter > </ filter > 17 ="4.2"/ >17 tially is a mixture of static X </ lamps > < perm id ="22" filter_id ="43" and rules ho < perm id ="22" filter_id ="43" XQuery queries 19 </ room > 19 verb =" get "/ > =" get "/ > 19 verb should be injected into the r </ floor > < perm id ="23" verb="23" "/ > =" get "/ > < perm id =" get verb 21 </ house > 21 </ resources > resources > 21 </ are also parametrizable, that ables (like URIs of the resour Based on this example, List. 2 shows the showsVDoc PXD it defined either in the Spec Listing 1 shows an example representing Based on this example, List. 2PXD mapping m 11 a house. The structure is partitioned into multiple floors the data ofclearly1. As a VDoc obtaining. Parameters Sunday, March 27, 2011 the data of List. 1. As rooms, visible, two different rules are ru including List. clearly visible, two different
  • 12. Read Requests GET john.doe:secretpass@http://house/floor4 HTTP-REQUEST house DATA lamps floor lamp lamp @id=4 room PERMITTED lamps room DATA lamp lamp http://house/ /house[./floor/@id=4]//lamps/* RESOURCE XPath RESPONSE 12 Sunday, March 27, 2011
  • 13. Write Requests Concerns about authorized writes: ‣ Atomicity of modifications ‣ Visibility of data ‣… Clear definition of constraints going along with modification requests: ‣ Weakening Authorization? ‣ Persistent Views? 13 Sunday, March 27, 2011
  • 14. Write Requests Concerns about authorized writes: ‣ Atomicity of modifications ‣ Visibility of data ‣… Clear definition of constraints going along with modification requests: ‣ Weakening Authorization? ‣ Persistent Views? (e.g. VDocs in XML) 14 Sunday, March 27, 2011
  • 15. VDocs ‣ (Persistent / In-Memory) views on XML ‣ Wrapping XQueries ‣ On-the-fly annotating of elements ‣ Consists out of ‣ VDoc processor ‣ VDoc specification In our context: On-the-fly annotating of permissions to verify valid permissions on intermediate result 15 Sunday, March 27, 2011
  • 16. XQuery function requested resource together with a filtering XPath expres- e. So we consider sion to an authorization VDoc Spec (see Section 3.2). A result sion. VDoc will have elements amenable to modifications marked with special VDoc attributes 3 . After the content of VDoc is ied with a POST retrieved, a supplied XQuery Update expression is applied content. to it (see List. 3). fied and the origi- VDoc-Example Listing 3: A marked and modified resource < house > that were marked 2 < floor id ="1" > a VDoc processor < room > ot changeable are 4 ... an error code to < lamps > 6 < lamp status =" ON " id ="1323412"/ > bidden response < lamp status =" ON " id ="5456"/ > two options how 8 </ lamps > </ room > 10 </ floor > ... g markers filtered 12 < floor id ="4" > < room > 14 ... ment to the un- < lamps > 16 < lamp vdoc : uri ="..." arantee that this vdoc : xpath ="/ house [1]/ floor [4]/ room [1]/ lamp [1]" allowed nodes in 18 status =" ON " id ="3443"/ > < lamp vdoc : uri ="..." 20 vdoc : xpath ="/ house [1]/ floor [4]/ room [1]/ lamp [2]" status =" ON " id ="5456"/ > he underlying sys- 22 </ lamps > nse for the client. </ room > 24 </ floor > ides fine-granular </ house > several disadvan- for the flexibility Note that the status of 16 marked lamps (for the floor not Sunday, March 27, 2011 1) have also been modified. A VDoc processor will compare
  • 17. Write Requests Yes Apply Changes HTTP-REQUEST Returning 403 POST john.doe:secretpass@http://house/floor4 (forbidden) for $status in /house//lamp/@status return only marked No Body replace value of node $status with "ON" Nodes modified mod.VDoc house VDoc te da house VDoc Up floor floor ery Marking Nodes Spec u XQ room @id=4 room @id=4 room room lamps lamps /house[./floor/@id=4]//lamps lamp lamp lamp lamp Permission-XPath 17 Sunday, March 27, 2011
  • 18. Summary ‣ Flexible authorization framework fitting the extensibility of HTTP and REST ‣ Independence from resources ‣ Optional extension of authorization workflow with the help of in-depth knowledge ‣ Implementation in JAX-RX (Treetank) and TntBase 18 Sunday, March 27, 2011
  • 19. Thanks for your attention Any Questions now? (or later: sebastian.graf@uni-konstanz.de) 19 Sunday, March 27, 2011