Prabath Siriwardena – Software Architect, WSO2
drdan	

     nlaJoo	

 ichae l
M Ro
eXtensible Access Control Markup Language
First Meeting – 21 May 2001
Requirements from Healthcare, DRM, Registry,
            Financial, Online Web
XACML 1.0 - OASIS Standard – 6 February 2003
XACML 1.1 – Committee Specification – 7th August 2003
XACML 2.0 – OASIS Standard – 1 February 2005
XACML 3.0 – OASIS Standard – 10th Aug 2010
Defines       Policy
                          Administration
                              Point


Administrator
Access     Policy
         Evaluation
           Point




           Policy
          Decision
           Point
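<!-- UT: the mediator authenticates to the remote entitlement service with the
     username/password pair configured below (the password is masked on the slide). -->
<inSequence>
    <entitlementService
        remoteServicePassword="********"
        remoteServiceUrl="https://identity-server:9443/services"
        remoteServiceUserName="prabath"/>
</inSequence>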
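<!-- Kerberos: the callbackClass plugs the Kerberos callback handler into the
     entitlementService mediator. The class name was wrapped across two lines on
     the slide; it has to be a single fully-qualified name in the real config. -->
<inSequence>
    <entitlementService
        callbackClass="org.wso2.carbon.identity.entitlement.mediator.KerberosEntitlementCallbackHandler"
        remoteServicePassword="********"
        remoteServiceUrl="https://identity-server:9443/services"
        remoteServiceUserName="prabath"/>
</inSequence>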
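<!-- BasicAuth/RESTful: per the slide caption, the xacml_use_rest property makes the
     mediator call the entitlement service over its RESTful interface instead of the
     SOAP one; the same username/password pair is used for authentication. -->
<inSequence>
    <property name="xacml_use_rest" value="true" scope="axis2" type="STRING"/>
    <entitlementService
        remoteServicePassword="********"
        remoteServiceUrl="https://identity-server:9443/services"
        remoteServiceUserName="prabath"/>
</inSequence>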
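<!-- Sign: the X509 callback handler is wired in through callbackClass. The class
     name was wrapped across two lines on the slide; it must be one token here. -->
<inSequence>
    <entitlementService
        callbackClass="org.wso2.carbon.identity.entitlement.mediator.X509EntitlementCallbackHandler"
        remoteServicePassword="********"
        remoteServiceUrl="https://identity-server:9443/services"
        remoteServiceUserName="prabath"/>
</inSequence>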
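<!-- Custom: callbackClass must be the fully-qualified name of your own handler.
     The slide spelled it "CustomEmtitlementCallbackhandler", which does not match the
     my.own.CustomEntitlementCallbackHandler class defined on the next slide; the
     name is corrected here so the mediator can actually load the class. -->
<inSequence>
    <entitlementService
        callbackClass="my.own.CustomEntitlementCallbackHandler"
        remoteServicePassword="********"
        remoteServiceUrl="https://identity-server:9443/services"
        remoteServiceUserName="prabath"/>
</inSequence>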




package my.own;

import org.wso2.carbon.identity.entitlement.mediator.EntitlementCallbackHandler;

/**
 * Skeleton of a custom entitlement callback handler.
 *
 * <p>The slide wires this class into the {@code entitlementService} mediator through its
 * {@code callbackClass} attribute (the "Custom" {@code <inSequence>} example). Which hooks a
 * handler has to override is defined by {@code EntitlementCallbackHandler}, whose source is
 * not shown here.
 */
public class CustomEntitlementCallbackHandler extends EntitlementCallbackHandler {
    // Intentionally empty on the slide: a working handler adds its logic here.
}
My PEP



                             XACML




http://blog.facilelogin.com/2010/11/net-client-web-app-authorization-with.html
Policy      Policy
Decision   Information
 Point        Point
Policy      Policy
Evaluation   Decision
  Point       Point
                PIP
             Extension
                (s)
package	
  org.wso2.carbon.identity.entitlement.pip;	
  
	
  
import	
  com.sun.xacml.ctx.RequestCtx;	
  
	
  
/**
 * Hook that is invoked for every XACML request the PDP receives, handing the
 * implementation the request object that has been built for it.
 *
 * <p>Because the request is passed in before policy evaluation, anything an
 * implementation changes on it is what the PDP will evaluate; keep such changes
 * deliberate and easy to audit.
 */
public interface PIPExtension {

    /**
     * Receives the XACML request before it is sent to the PDP. Implementations may
     * inspect the request, and may also update it, in which case the PDP evaluates
     * the updated request.
     *
     * @param request the incoming XACML request
     */
    void update(RequestCtx request);
}
  
Policy
    Policy       Information
Decision Point
                    Point
                     PIP
                  Designator
                     (s)
package	
  org.wso2.carbon.identity.entitlement.pip;	
  
	
  
import	
  java.util.Set;	
  
	
  
/**
 * Contract for a Policy Information Point (PIP) attribute handler that supplies
 * attribute values to the PDP.
 *
 * <p>To plug a handler in, implement this interface and register it in the
 * {@code pip-config.xml} file under {@code [CARBON_HOME]/repository/conf}; the PDP then
 * routes lookups for the attribute ids the handler declares to that handler.
 *
 * <p>Values returned from here are what the PDP evaluates its policies against, so a
 * handler that returns wrong or stale values directly changes authorization outcomes.
 */
public interface PIPAttributeFinder {

    /**
     * Declares which attribute ids this handler is responsible for.
     *
     * @return the attribute ids handled by this module, or {@code null} when the module
     *         handles no attributes at all
     */
    Set<String> getSupportedAttributes();

    /**
     * Resolves the values of one attribute for a subject/resource pair. Called by
     * {@code CarbonAttributeFinder} whenever it encounters an attribute id that
     * {@link #getSupportedAttributes()} reported.
     *
     * @param subjectId   name of the subject the returned values apply to
     * @param resourceId  name of the resource the subject is trying to access
     * @param attributeId unique id of the attribute being resolved
     * @return the attribute values as a set of strings
     * @throws Exception if the values cannot be resolved
     */
    Set<String> getAttributeValues(String subjectId, String resourceId, String attributeId)
            throws Exception;
}
  
<PolicySet/>

                 <Policy/>

                               <Rule/>
 <Subject/>
 <Resource/>
                 <Target/>
  <Action/>
<Environment/>
                             <Condition/>
<PolicySet/>

                    <Policy/>
                 Allows PolicySets or Policies to be combined

                                           <Rule/>
 <Subject/>
 <Resource/>
                     <Target/>
  <Action/>
<Environment/>
                                       <Condition/>
PolicyCombiningAlgorithm


  <PolicySet/>

                      <Policy/>

                                     <Rule/>
 <Subject/>
 <Resource/>
                      <Target/>
  <Action/>
<Environment/>
                                   <Condition/>
PolicyCombiningAlgorithm


  <PolicySet/>

                      <Policy/>

                                     <Rule/>
 <Subject/>
 <Resource/>
                      <Target/>
  <Action/>
<Environment/>
                                   <Condition/>
Policy
                 Administration
                     Point




<PolicySet/>                      <PolicySet/>
      	
                                	
  

                 Policy Store

  <PolicySet/>                  <PolicySet/>
        	
                            	
  
<PolicySet/>

                      <Policy/>

                                             <Rule/>
                 Acts as an index for finding the matching PolicySets

 <Subject/>
 <Resource/>
                      <Target/>
  <Action/>
<Environment/>
                                        <Condition/>
<PolicySet/>

                 <Policy/>

                               <Rule/>
 <Subject/>
 <Resource/>
                 <Target/>
  <Action/>
<Environment/>
                             <Condition/>
<PolicySet/>

                 <Policy/>

                               <Rule/>
 <Subject/>
 <Resource/>
                 <Target/>
  <Action/>
<Environment/>
                             <Condition/>
<PolicySet/>

                 <Policy/>

                               <Rule/>
 <Subject/>
 <Resource/>
                 <Target/>
  <Action/>
<Environment/>
                             <Condition/>
<PolicySet/>

                 <Policy/>

                               <Rule/>
 <Subject/>
 <Resource/>
                 <Target/>
  <Action/>
<Environment/>
                             <Condition/>
<PolicySet/>

                    <Policy/>

                                     <Rule/>
 <Subject/> Allows Rules to be combined
 <Resource/>
                  <Target/>
  <Action/>
<Environment/>
                                     <Condition/>
<PolicySet/>               RuleCombiningAlgorithm



                 <Policy/>

                                    <Rule/>
 <Subject/>
 <Resource/>
                 <Target/>
  <Action/>
<Environment/>
                               <Condition/>
<PolicySet/>

                 <Policy/>

                               <Rule/>
 <Subject/>
 <Resource/>
                 <Target/>
  <Action/>
<Environment/>
                             <Condition/>
<PolicySet/>

                 <Policy/>

                               <Rule/>
 <Subject/>
 <Resource/>
                 <Target/>
  <Action/>
<Environment/>
                             <Condition/>
<PolicySet/>

                 <Policy/>

                               <Rule/>
 <Subject/>
 <Resource/>
                 <Target/>
  <Action/>
<Environment/>
                             <Condition/>
<PolicySet/>

                 <Policy/>

                               <Rule/>
 <Subject/>
 <Resource/>
                 <Target/>
  <Action/>
<Environment/>
                             <Condition/>
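<Policy PolicyId="urn:oasis:names:tc:xacml:2.0:conformance-test:IIA003:policy"
      RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
    <Description> Policy for Conformance Test IIA003.</Description>
    <!-- An empty policy-level Target matches every request; applicability is decided
         by the Rule's Target alone. -->
    <Target/>
    <Rule
          RuleId="urn:oasis:names:tc:xacml:2.0:conformance-test:IIA003:rule"
          Effect="Permit">
        <Description>
            A subject with a "bogus" attribute with a value of
            "Physician" can read or write Bart Simpson's medical
            record.
        </Description>
        <!-- Only Subjects is constrained below: a matching subject is permitted for
             any resource and any action, which is broader than the Description reads. -->
        <Target>
            <Subjects>
                 <Subject>
                     <SubjectMatch
                            MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                         <!-- NOTE(review): the value sits on its own line, so the literal
                              carries surrounding whitespace; whether string-equal sees it
                              trimmed depends on the PDP's parser. Confirm, or write the
                              value inline. -->
                         <AttributeValue
                                DataType="http://www.w3.org/2001/XMLSchema#string">
                             Physician
                         </AttributeValue>
                         <!-- NOTE(review): the Description speaks of a "bogus" attribute,
                              but this designator matches subject-id; confirm which
                              attribute the rule is meant to test. The attribute quote
                              was a curly quote on the slide and is corrected here. -->
                         <SubjectAttributeDesignator
                                AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                                DataType="http://www.w3.org/2001/XMLSchema#string"/>
                     </SubjectMatch>
                 </Subject>
            </Subjects>
        </Target>
    </Rule>
</Policy>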
Data Types / Functions / Identifiers
Document Identifier: oasis-access_control-xacml-2.0-core-spec-os, Section 10
<Request/>

             <Subject/>

             <Resource/>   <Attribute/>
         <Environment/>

             <Action/>
<Response/>

              <Result/>

                          <Decision/>
Conveying XACML Attributes in a SOAP Message



    xacml-samlp:XACMLAuthzDecisionQuery

             	
  saml:Attribute
XACML Assertions



 XACMLAuthzAssertion

	
  XACMLPrivacyAssertion
Defines how to use SAML 2.0 to protect, store, transport,
request, and respond with XACML schema instances and other
      information needed by an XACML implementation.
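<!-- Authorization decision carried in a SAML 2.0 assertion. The closing quote of ID
     was a curly quote on the slide and is corrected here. -->
<saml:Assertion Version="2.0" ID="9812368" IssueInstant="2006-05-31T13:20:00.000">
    <saml:Issuer>https://XACMLPDP.example.com</saml:Issuer>
    <!-- NOTE(review): no ds:Signature appears in this excerpt. A relying party should
         only act on the Decision below when the assertion is integrity-protected, by
         an XML signature or by the transport it arrived over; the Issuer value alone
         is just a string. -->
    <saml:Statement xsi:type="xacml-saml:XACMLAuthzDecisionStatementType">
        <xacml-context:Response>
            <xacml-context:Result>
                <!-- The decision value is written inline: it is an enumerated value, and
                     the surrounding whitespace on the slide is not part of it. -->
                <xacml-context:Decision>NotApplicable</xacml-context:Decision>
            </xacml-context:Result>
        </xacml-context:Response>
        <!-- The Request that the Response above answers is carried in the same
             statement; the slide elides its body. -->
        <xacml-context:Request>
            ....
        </xacml-context:Request>
    </saml:Statement>
</saml:Assertion>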
Optimizations in XPATH

    User-defined attribute categories

New TARGET matching criteria : <AnyOf> <AllOf>

          Multiple Decision Profile

         New Obligation Expressions

                 Advice

               Delegation

Enhancements to Policy Combining Algorithms
Fine-grained authorization with XACML

 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 

Fine-grained authorization with XACML

  • 1. Prabath Siriwardena – Software Architect, WSO2
  • 2. drdan nlaJoo ichae l M Ro
  • 3.
  • 4.
  • 5.
  • 6.
  • 7.
  • 8.
  • 9. eXtensible Access Control Markup Language
  • 10. First Meeting – 21 May 2001
  • 11. Requirements from Healthcare, DRM, Registry, Financial, Online Web
  • 12. XACML 1.0 - OASIS Standard – 6 February 2003
  • 13. XACML 1.1 – Committee Specification – 7th August 2003
  • 14. XACML 2.0 – OASIS Standard – 1 February 2005
  • 15. XACML 3.0 – OASIS Standard – 10th Aug 2010
  • 16. Defines Policy Administration Point Administrator
  • 17.
  • 18.
  • 19.
  • 20.
  • 21.
  • 22.
  • 23. Access Policy Evaluation Point Policy Decision Point
  • 24.
  • 25. <inSequence> <entitlementService remoteServicePassword="********" remoteServiceUrl="https://identity-server:9443/services" remoteServiceUserName="prabath"/> UT </inSequence> UT
  • 26. <inSequence> <entitlementService callbackClass="org.wso2.carbon.identity.entitlement.mediator.KerberosEntitlementCallbackHandler" remoteServicePassword="********" remoteServiceUrl="https://identity-server:9443/services" Kerberos remoteServiceUserName="prabath" /> Kerberos </inSequence>
  • 27. <inSequence> <property name="xacml_use_rest" value="true" scope="axis2" type="STRING"/> <entitlementService remoteServicePassword="********" BasicAuth/ remoteServiceUrl="https://identity-server:9443/services" RESTful remoteServiceUserName="prabath" /> </inSequence> BasicAuth/ RESTful
  • 28. <inSequence> <entitlementService callbackClass="org.wso2.carbon.identity.entitlement.mediator.X509EntitlementCallbackHandler" remoteServicePassword="********" remoteServiceUrl="https://identity-server:9443/services" Sign remoteServiceUserName="prabath" /> Sign </inSequence>
  • 29. <inSequence> <entitlementService callbackClass="my.own.CustomEntitlementCallbackHandler" remoteServicePassword="********" remoteServiceUrl="https://identity-server:9443/services" remoteServiceUserName="prabath" Custom /> </inSequence> Custom package my.own; import org.wso2.carbon.identity.entitlement.mediator.EntitlementCallbackHandler; public class CustomEntitlementCallbackHandler extends EntitlementCallbackHandler { }
  • 30. My PEP XACML http://blog.facilelogin.com/2010/11/net-client-web-app-authorization-with.html
  • 31.
  • 32. Policy Policy Decision Information Point Point
  • 33. Policy Policy Evaluation Decision Point Point PIP Extension (s)
  • 34. package org.wso2.carbon.identity.entitlement.pip; import com.sun.xacml.ctx.RequestCtx; /** * PIPExtensions will be fired for each and every XACML request - which will give a handle to the * incoming request. * */ public interface PIPExtension { /** * Gives a handle to the XACML request built. Can be used to carry out custom checks or updates * before sending to the PDP. * * @param request * Incoming XACML request. */ public void update(RequestCtx request); }
  • 35. Policy Policy Information Decision Point Point PIP Designator (s)
  • 36. package org.wso2.carbon.identity.entitlement.pip; import java.util.Set; /** * To register a PIP attribute handler with the PDP against their supported attributes - you need to * implement this interface and add an entry to the pip-config.xml file - which should be inside * [CARBON_HOME]/repository/conf */ public interface PIPAttributeFinder { /** * Will be fired by CarbonAttributeFinder whenever it finds an attribute supported by this * module. * * @param subjectId Name of the subject the returned attributes should apply to. * @param resourceId The name of the resource the subject is trying to access. * @param attributeId The unique id of the required attribute. * @return Returns a <code>Set</code> of <code>String</code>s that represent the attribute values. * @throws Exception */ public Set<String> getAttributeValues(String subjectId, String resourceId, String attributeId) throws Exception; /** * Returns a <code>Set</code> of <code>String</code>s that represent the attributeIds handled by * this module, or null if this module doesn't handle any specific attributeIds. A return value * of null means that this module will not handle any attributes. */ public Set<String> getSupportedAttributes(); }
  • 37. <PolicySet/> <Policy/> <Rule/> <Subject/> <Resource/> <Target/> <Action/> <Environment/> <Condition/>
  • 38. <PolicySet/> <Policy/> Allows PolicySet(s) or Policy(s) to be combined <Rule/> <Subject/> <Resource/> <Target/> <Action/> <Environment/> <Condition/>
  • 39. PolicyCombiningAlgorithm <PolicySet/> <Policy/> <Rule/> <Subject/> <Resource/> <Target/> <Action/> <Environment/> <Condition/>
  • 40. PolicyCombiningAlgorithm <PolicySet/> <Policy/> <Rule/> <Subject/> <Resource/> <Target/> <Action/> <Environment/> <Condition/>
  • 41. Policy Administration Point <PolicySet/> <PolicySet/>     Policy Store <PolicySet/> <PolicySet/>    
  • 42. <PolicySet/> <Policy/> <Rule/> Acts as an index to find out matching PolicySets <Subject/> <Resource/> <Target/> <Action/> <Environment/> <Condition/>
  • 43. <PolicySet/> <Policy/> <Rule/> <Subject/> <Resource/> <Target/> <Action/> <Environment/> <Condition/>
  • 44. <PolicySet/> <Policy/> <Rule/> <Subject/> <Resource/> <Target/> <Action/> <Environment/> <Condition/>
  • 45. <PolicySet/> <Policy/> <Rule/> <Subject/> <Resource/> <Target/> <Action/> <Environment/> <Condition/>
  • 46. <PolicySet/> <Policy/> <Rule/> <Subject/> <Resource/> <Target/> <Action/> <Environment/> <Condition/>
  • 47. <PolicySet/> <Policy/> <Rule/> <Subject/> Allows Rule(s) be combined <Resource/> <Target/> <Action/> <Environment/> <Condition/>
  • 48. <PolicySet/> RuleCombiningAlgorithm <Policy/> <Rule/> <Subject/> <Resource/> <Target/> <Action/> <Environment/> <Condition/>
  • 49. <PolicySet/> <Policy/> <Rule/> <Subject/> <Resource/> <Target/> <Action/> <Environment/> <Condition/>
  • 50. <PolicySet/> <Policy/> <Rule/> <Subject/> <Resource/> <Target/> <Action/> <Environment/> <Condition/>
  • 51. <PolicySet/> <Policy/> <Rule/> <Subject/> <Resource/> <Target/> <Action/> <Environment/> <Condition/>
  • 52. <PolicySet/> <Policy/> <Rule/> <Subject/> <Resource/> <Target/> <Action/> <Environment/> <Condition/>
  • 53. <Policy PolicyId="urn:oasis:names:tc:xacml:2.0:conformance-test:IIA003:policy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides"> <Description> Policy for Conformance Test IIA003.</Description> <Target/> <Rule RuleId="urn:oasis:names:tc:xacml:2.0:conformance-test:IIA003:rule" Effect="Permit"> <Description> A subject with a "bogus" attribute with a value of "Physician" can read or write Bart Simpson's medical record. </Description> <Target> <Subjects> <Subject> <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string"> Physician </AttributeValue> <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </SubjectMatch> </Subject> </Subjects> </Target> </Rule> </Policy>
  • 54.
  • 55. Data Types / Functions / Identifiers Document Identifier: oasis-access_control-xacml-2.0-core-spec-os Section : 10
  • 56. <Request/> <Subject/> <Resource/> <Attribute/> <Environment/> <Action/>
  • 57. <Response/> <Result/> <Decision/>
  • 58. Conveying XACML Attributes in a SOAP Message xacml-samlp:XACMLAuthzDecisionQuery  saml:Attribute
  • 59. XACML Assertions XACMLAuthzAssertion  XACMLPrivacyAssertion
  • 60. Defines how to use SAML 2.0 to protect, store, transport, request, and respond with XACML schema instances and other information needed by an XACML implementation.
  • 61.
  • 62. <saml:Assertion Version="2.0" ID="9812368" IssueInstant="2006-05-31T13:20:00.000"> <saml:Issuer>https://XACMLPDP.example.com</saml:Issuer> <saml:Statement xsi:type="xacml-saml:XACMLAuthzDecisionStatementType"> <xacml-context:Response> <xacml-context:Result> <xacml-context:Decision> NotApplicable </xacml-context:Decision> </xacml-context:Result> </xacml-context:Response> <xacml-context:Request> .... </xacml-context:Request> </saml:Statement> </saml:Assertion>
  • 63. Optimizations in XPATH User-defined attribute categories New TARGET matching criteria : <AnyOf> <AllOf> Multiple Decision Profile New Obligation Expressions Advice Delegation Enhancements to Policy Combining Algorithms