WS-REST 2011.
Second International Workshop on RESTful Design.
Chairs: Cesare Pautasso, Erik Wilde, Rosa Alarcon.
<br>
Security Session. Sebastian Graf, Vyacheslav Zholudev, Lukas Lewandowski and Marcel Waldvogel.
1. Hecate,
Managing Authorization with
RESTful XML
Sebastian Graf, Vyacheslav Zhouldev,
Lukas Lewandowski, and Marcel Waldvogel
Distributed Systems Group
University of Konstanz
&
School of Engineering and Science
Jacobs University
1
Sunday, March 27, 2011
2. Problem Statement
How can authorization on RESTful
resources can be performed under
the following constraints?
1. Variability of resources must be kept!
2. Different permissions must be offered for the same
resource!
3. The extensibility of the framework must be ensured!
2
Sunday, March 27, 2011
4. • rule-nodes:
Each rule-node represents one specific permission. This
permission is bound to one specific resource over the
uri-attribute. Even if this attribute is mandatory, it
User Model
should not be used for unique identification since mul-
tiple rules can map on the same URI allowing different
operations. For unique identification of rules, an id -
attribute is included within each rule linking the user
‣ Simple mapping of concrete to rules on the
model to the PXD. The
users permission
‣ Represented as a simple table
Table 1: User Permissions
user-id rule-ids
john.doe 13
jane.doe 12 13
... ...
4
Sunday, March 27, 2011
5. Permission XML Model (PXD)
‣ XML-based definition of operations
mapped to resources
‣ Representing rules and their mapping to
✴HTTP-functionalities
✴Resources
✴(Optional resource aware filters)
5
Sunday, March 27, 2011
6. 4 Properties of PXD
1. One URI can be guarded by multiple rules
2. Each rule maps to one HTTP-Verb
3. Resource-awareness is possible
4. The representation of the resource is
independent of the PXD
6
Sunday, March 27, 2011
7. </ floor > part of Hecate. Even if our Authorization Fr
21 </ house > are also represents rulesets for filtering incoming re
only parametrizable, that is it may con
ables (like optional ability resourcesresponsespro
also the URIs of the to overlay to be fo
Listing 1 shows an example representing a house. The defined either in VDoc operation is represented b
representations. This Spec itself or passed
arrow from the Resources back to the Authoriz
structure is partitioned into multiple floors including rooms, a VDoc obtaining. Parametersbetween URIs,
work . All of the correlations
may dramat
doors and lamps. Such an example could represent an ab- content of VDoc whereas there only one V
resources, response filters and users are well-d
stract resource related to the Web of Things paradigm where As we will see in Section 3.2 the identifiers.
PXD and referenced within unique single VD
useddesignated ids modifying REST identifiers.
to manage reflect these unique requests
PXD Example
different “things” are simply encapsulated into XML.
Listing 2: XML Fragment denoting read access only
fine-granular manner.detail in section 3.3.
XML is described in
Additionally,Management advanced fe
3.2 User one of the most
< resources > ity to edit VDocs and process the modified
1 The Authorization Framework consists of
< rule id ="12" perm_id ="22" changed parts of a PXD representing the rules
components: The VDoc that came from fil
3 uri =" http :// house / floor /4"/ > will mapping and a storepropagated user-related
be transparently handling all back to t
< rule id ="13" perm_id ="23" ing static parts stores VDoc is not allowed;
that the PXD of a no user-related data after
5 uri =" http :// house / floor /4"/ > processor should complain andunique identifi
rules are identifiable within an disallow fu
... store references these unique identifiers. Figur
7 < data uri =" http :// house / floor /4"" >
Naturally, VDoc XQuery results that are no
example of the user model.
< content > documents in a visible, the designbe edited ass
As clearly storage cannot of the user
9 / house / floor [ @id =4] advantage of editing VDocs is is mapped to ca
only out of the user-id which that users t
</ content > from the to match e.g. ”john doe” is allowed to a
rules physical documents in the reposito
11 </ data > 13 while ”jane doe” is able to access ruleset 12
semantically consistent objects (like theore
... focusingone ruleset mapswith differentone unique
that
only accessed always only rulesetsagg
URI can be
on relevant information as
13 < filter id ="43" >
< link >
logical unit.
Section 3.3.
/ house / floor [ @id =4]// lamps The adaption of user permissions is decoup
3.2 Virtual Documents in Hecate
15
</ link > storage of the rules. If a new user is inserted,
data filter
checked if there is an existing rule matching th
17 </ filter > Given that our resources are in XML, the
@urithe designated users permissions. If@id a new u
< perm id ="22" filter_id ="43" so,
verbs (like PUT oruser store with the suitable
inserted into the POST) naturally may
verb =" get "/ >
Update statements@filter_id
19
< perm id ="23" verb =" get "/ > in the body to modify
perm
21 </ resources > source. However, taking into account the
@id Table 1: User Permissions
grained filtering rules expressed via XPath
Based on this example, List. 2 shows the PXD mapping @uri @perm_id
Update modifications might be forbidden f
user-id rule-ids
rule
the data of List. 1. As clearly visible, two different rules are @idTo overcome this problem we are prop
john doe 13
mapping the denoted resource. While rule “13” allows the VDocs concept together with its 13
jane doe 12 editing ab
... ...
retrieval of all data from the 4th floor, rule “12” filters the
7 losing a generality, we will assume that the
same resource by only returning lamps-nodes. This addi-
Sunday, March 27, 2011
statements are sent using the POST reque
8. Workflow of Authorization
Get IDs of user
IDs found? Returning 403 Returning 403
model related to No
(forbidden) (forbidden)
credentials
Yes No
Get rules matching Checking optional
Nodes
Receiving Request the URI, the REST Yes filter for matching
found?
verb and the IDs permission
Yes
Applying filter on either Forwarding
Filter
request or result and returning request and No
available
result returning result
8
Sunday, March 27, 2011
9. Resource-aware filtering
‣ Optional
‣ Bound to the the requesting resource
✓ Kind
✓ Content
✓ Filter possibilities
‣ Flexible mapping to HTTP-Verbs
9
Sunday, March 27, 2011
10. </ house > </ house >
3. XML-BASED RESOURCES
21 21
HTTP -operation. Related to
Since XML offers flexible adaption 1 shows as enriched representing of the dataThe hous
Listing as well an example an filtering representingseems n
Listing 1 shows example a house. a
structure is partitionedis partitionedbasedmultiple concept of VDo
structure into multiple into on the floors including
toolsets, multiple non-REST -aware resources are encapsu- floors including rooms,
doors and an exampleeffective mechanism applicabl
lated in XML for convenience reasons[16]. Therefore we Such could represent an represent
doors and lamps. Such lamps. an example could ab-
chose XML as the base for astractworld exampleresource related to the Web of Things paradigm
real resource related to the Web of Things paradigm where
stract including
resource-aware filtering. different “things” are simply TheXML.
3.1 into Virtual Docum
different “things” are simply encapsulated encapsulated into XML
Example
Listing 2: XML
Virtual Documents (VDocs)
Listing 1: A resource before modifying Fragment denoting integrating XQueries intoo
Listing 2: XML Fragment denotingonly access
for read access read
1 < house > 1 < resources >< resources >
1 tional devices and processing
< floor id ="1" > < rule id ="12" perm_id ="22" As a rough approximation,
< rule id ="12" perm_id ="22"
3 < room > 3 uri =" http :// house / floorhouse> floor /4"/ > to views in r
3 uri =" http :// /4"/ /views” analogous
... < rule id ="13" perm_id ="23"
< rule id ="13" perm_id ="23" virtual tables in the sense tha
5 < lamps > 5 uri =" http :// house / floorhouse> floor /4"/ >
5 uri =" http :// /4"/ /
queries computed on demand
< lamp status =" OFF " id ="1.1"/ > ...
...
7 < data uri http uri =" http :// house / tables. Similarly, VDo
database
< lamp status =" OFF7" id ="1.2"/ > ="< data:// house / floor /4"" > floor /4"" >
7
</ lamps > < content > < content > computed on demand from t
9 </ room > 9 9 / [ @id / floor [ @id =4] in some storage (like
/ house / floorhouse=4] sented
</ floor > </ content > </ content > ply, in a file system), present
11 ... 11 </ data >11 </ data > Furthermore they can be pres
< floor id ="4" > ... ...
< filter id ="43" >
database or physical files writt
13 < room > 13 < filter id ="43" >
13
... < link > < link > in relational databases, VDocs
15 < lamps > 15 15 tions in the interaction with c
/ house / floorhouse=4]// lamps =4]// lamps
/ [ @id / floor [ @id
< lamp status =" OFF " id ="4.1"/ >
</ link > </ link > VDocs are defined by a VD
17 < lamp status =" OFF " id ="4.2"/ > </ filter >
17 </ filter >
17 tially is a mixture of static X
</ lamps > < perm id ="22" filter_id ="43" and rules ho
< perm id ="22" filter_id ="43" XQuery queries
19 </ room > 19 verb =" get "/verb =" get "/ >
19 > should be injected into the r
</ floor > < perm id ="23" verb =" get "/verb =" get "/ >
< perm id ="23" >
21 </ house > 21 </ resources</ resources >
21 > are also parametrizable, that
ables (like URIs of the resour
Listing 1 shows an example Based on thisa example,this example, List. PXD in VDoc PXD m
representing Based on The 2 shows theeither mapping
10 house. List. defined 2 shows the Spec it
structure is partitioned into multiple floors the 1. As of List. 1. As a VDocdifferent twoParameters
Sunday, March 27, 2011
the data of List. data clearly visible, two obtaining. different ru
including rooms, clearly visible, rules are
11. </ house21
> </ house >
3. XML-BASED RESOURCES
21
HTTP -operation. Related to
Since XML offers flexible adaption as shows an 1 shows an filtering ofathe data Thehous
Listing 1 well as enriched representingrepresentingseems n
Listing example example house. a
structure is partitionedbasedmultiple concept of
into on the floors including
structure is partitioned into multiple floors including rooms, VDo
toolsets, multiple non-REST -aware resources are encapsu-
doors Such an example could represent anapplicabl
effective mechanism ab-
lated in XML for convenience reasons[16]. Therefore we Such an example could represent
doors and lamps. and lamps.
real world exampleresource related to the Web of Things paradigm
stract including
chose XML as the base for a stract resource related to the Web of Things paradigm where
resource-aware filtering. different simply encapsulatedThe Virtual Docum
3.1 into XML.
different “things” are “things” are simply encapsulated into XML
ExampleListing 2: XML
Virtual Documents (VDocs)
Listing 1: A resource before modifying Fragment denoting read access only access o
Listing 2: XML Fragment denoting read
for integrating XQueries into
1 < house > 1 < resources < resources >
1 > tional devices and processing
< floor id ="1" > < rule id ="12" perm_id ="22" As a rough approximation,
< rule id ="12" perm_id ="22"
3 < room > 3 uri =" http :// house / floor /4"// floor /4"/ > to views in r
3 uri =" http :// house >
views” analogous
... < rule id ="13" perm_id ="23"
< rule id ="13" perm_id ="23" virtual tables in the sense tha
5 < lamps > 5 uri =" http :// house / floor /4"// floor /4"/ >
5 uri =" http :// house >
queries computed on demand
< lamp status =" OFF " id ="1.1"/ > ...
...
7 7 ="1.2"/ > < http uri =" http :// house >tables. Similarly, VDo
7
database
< lamp status =" OFF " id < data uri =" data :// house / floor /4""/ floor /4"" >
</ lamps > < content > < content > computed on demand from t
9 </ room > 9 / house / floor [ @id/ floor [ @id =4] in some storage (like
9 / house =4] sented
</ floor > </ content > </ content > ply, in a file system), present
11 ... 11 </ data11 > </ data > Furthermore they can be pres
< floor id ="4" > ... ...
database or physical files writt
13 < room > 13 < filter id < filter id ="43" >
13 ="43" >
... < link > < link > in relational databases, VDocs
15 < lamps > 15 15 tions in the interaction with c
/ house / floor [ @id/ floor [ @id =4]// lamps
/ house =4]// lamps
< lamp status =" OFF " id ="4.1"/ >
</ link </ link > VDocs are defined by a VD
17 < lamp status =" OFF " id </ filter > </ filter >
17 ="4.2"/ >17 tially is a mixture of static X
</ lamps > < perm id ="22" filter_id ="43" and rules ho
< perm id ="22" filter_id ="43" XQuery queries
19 </ room > 19 verb =" get "/ > =" get "/ >
19 verb
should be injected into the r
</ floor > < perm id ="23" verb="23" "/ > =" get "/ >
< perm id =" get verb
21 </ house > 21 </ resources > resources >
21 </ are also parametrizable, that
ables (like URIs of the resour
Based on this example, List. 2 shows the showsVDoc PXD it
defined either in the Spec
Listing 1 shows an example representing Based on this example, List. 2PXD mapping m
11 a house. The
structure is partitioned into multiple floors the data ofclearly1. As a VDoc obtaining. Parameters
Sunday, March 27, 2011
the data of List. 1. As rooms, visible, two different rules are ru
including List. clearly visible, two different
12. Read Requests
GET john.doe:secretpass@http://house/floor4
HTTP-REQUEST
house DATA
lamps floor
lamp lamp @id=4 room
PERMITTED lamps
room
DATA lamp lamp
http://house/ /house[./floor/@id=4]//lamps/*
RESOURCE XPath RESPONSE
12
Sunday, March 27, 2011
13. Write Requests
Concerns about authorized writes:
‣ Atomicity of modifications
‣ Visibility of data
‣…
Clear definition of constraints going along with
modification requests:
‣ Weakening Authorization?
‣ Persistent Views?
13
Sunday, March 27, 2011
14. Write Requests
Concerns about authorized writes:
‣ Atomicity of modifications
‣ Visibility of data
‣…
Clear definition of constraints going along with
modification requests:
‣ Weakening Authorization?
‣ Persistent Views? (e.g. VDocs in XML)
14
Sunday, March 27, 2011
15. VDocs
‣ (Persistent / In-Memory) views on XML
‣ Wrapping XQueries
‣ On-the-fly annotating of elements
‣ Consists out of
‣ VDoc processor
‣ VDoc specification
In our context:
On-the-fly annotating of permissions to verify valid
permissions on intermediate result
15
Sunday, March 27, 2011
16. XQuery function requested resource together with a filtering XPath expres-
e. So we consider sion to an authorization VDoc Spec (see Section 3.2). A result
sion. VDoc will have elements amenable to modifications marked
with special VDoc attributes 3 . After the content of VDoc is
ied with a POST retrieved, a supplied XQuery Update expression is applied
content. to it (see List. 3).
fied and the origi-
VDoc-Example
Listing 3: A marked and modified resource
< house >
that were marked 2 < floor id ="1" >
a VDoc processor < room >
ot changeable are 4 ...
an error code to < lamps >
6 < lamp status =" ON " id ="1323412"/ >
bidden response < lamp status =" ON " id ="5456"/ >
two options how 8 </ lamps >
</ room >
10 </ floor >
...
g markers filtered 12 < floor id ="4" >
< room >
14 ...
ment to the un- < lamps >
16 < lamp vdoc : uri ="..."
arantee that this vdoc : xpath ="/ house [1]/ floor [4]/ room [1]/ lamp [1]"
allowed nodes in 18 status =" ON " id ="3443"/ >
< lamp vdoc : uri ="..."
20 vdoc : xpath ="/ house [1]/ floor [4]/ room [1]/ lamp [2]"
status =" ON " id ="5456"/ >
he underlying sys- 22 </ lamps >
nse for the client. </ room >
24 </ floor >
ides fine-granular </ house >
several disadvan-
for the flexibility Note that the status of 16 marked lamps (for the floor
not
Sunday, March 27, 2011 1) have also been modified. A VDoc processor will compare
17. Write Requests
Yes Apply Changes HTTP-REQUEST
Returning 403 POST john.doe:secretpass@http://house/floor4
(forbidden)
for $status in /house//lamp/@status return
only marked No
Body replace value of node $status with "ON"
Nodes modified
mod.VDoc house VDoc
te
da
house VDoc
Up
floor floor
ery
Marking Nodes
Spec
u
XQ
room @id=4 room @id=4
room room
lamps lamps
/house[./floor/@id=4]//lamps
lamp lamp lamp lamp Permission-XPath
17
Sunday, March 27, 2011
18. Summary
‣ Flexible authorization framework fitting the
extensibility of HTTP and REST
‣ Independence from resources
‣ Optional extension of authorization workflow
with the help of in-depth knowledge
‣ Implementation in JAX-RX (Treetank) and
TntBase
18
Sunday, March 27, 2011
19. Thanks for your
attention
Any Questions now?
(or later: sebastian.graf@uni-konstanz.de)
19
Sunday, March 27, 2011