Java Authorization Framework
GT 4.0 Authorization Framework

[Diagram: the Policy Enforcement Point invokes the Authorization Engine (deny-override). PIP1 ... PIPn store the attributes they collect in the Web Services Message Context; PDP1 ... PDPn each return Permit or Deny, and the engine combines them so that a single Deny overrides any number of Permits.]
AuthZ Framework Enhancements

- Modular code base
  - Independent module
    - Removed web services dependency
    - Separated from Java WS Core
  - Java interfaces
- Improved attribute processing
  - Normalized attribute representation
  - Comparison of attributes across sources
  - Merging of attributes of the same entities
AuthZ Framework Enhancements (continued)

- Separate interface for request attributes
  - Bootstrap PIP interface
- Improved authorization engine
  - Pluggable engine algorithm
  - Decision issuer is part of the decision-making process
  - Administration and access privileges
  - Default algorithm: permit-override combining algorithm
    - Constructs a decision chain from requestor to owner
GT 4.2 Authorization Framework

[Diagram: the Policy Enforcement Point hands the request attributes to the Authorization Engine. Bootstrap PIPs (bPIP1 [owner1] ... bPIPn [ownerN]) supply the request attributes; PIP1 [owner1] ... PIPn [ownerN] feed PIP attribute processing; the resulting attributes go to PDP1 [owner1] ... PDPn [ownerN], each answering canAdmin / canAccess; the PDP combining algorithm produces the decision.]
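The two combining strategies on these slides, modelled in Python as an added example (not Globus Toolkit code: Pdp, merge_attributes, deny_override, permit_override_chain and the sample PIPs/PDPs are assumptions of this example). PIPs return attributes in one normalized shape and are merged per entity; each PDP carries its owner and answers canAdmin/canAccess; the 4.0-style engine is plain deny-override, while the 4.2-style engine accepts a Permit only when it can build a decision chain from the requestor back to the resource owner. The sample policy is chosen so that the same set of PDPs gives opposite answers under the two algorithms.

```python
"""Toy model of the GT authorization engine from the slides above (added
example, not Globus Toolkit code). Pdp, merge_attributes, deny_override and
permit_override_chain are names invented here; PIPS/PDPS are sample policy."""
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

# entity -> attribute -> values: one normalized shape so that attributes from
# different PIPs can be compared and merged
Attributes = Dict[str, Dict[str, Set[str]]]
Pip = Callable[[dict], Attributes]       # a PIP maps the request to attributes
Rule = Tuple[str, str]                   # (subject or "group:<name>", action)


@dataclass
class Pdp:
    """PDP owned by `owner`. canAccess: may subject do action on the owner's
    resource? canAdmin: may subject decide about action on the owner's behalf
    (the link that forms a decision chain)?"""
    owner: str
    access_rules: Dict[Rule, str] = field(default_factory=dict)
    admin_rules: Dict[Rule, str] = field(default_factory=dict)

    def _decide(self, rules, subject, action, attrs) -> str:
        groups = attrs.get(subject, {}).get("group", set())
        idents = {subject} | {"group:" + g for g in groups}
        found = {rules.get((i, action)) for i in idents} - {None}
        if "Deny" in found:
            return "Deny"
        return "Permit" if "Permit" in found else "NotApplicable"

    def can_access(self, subject, action, attrs) -> str:
        return self._decide(self.access_rules, subject, action, attrs)

    def can_admin(self, subject, action, attrs) -> str:
        return self._decide(self.admin_rules, subject, action, attrs)


def merge_attributes(request: dict, pips: List[Pip]) -> Attributes:
    """Run every PIP and union what each asserts about the same entity."""
    merged: Attributes = {}
    for pip in pips:
        for entity, attrs in pip(request).items():
            bucket = merged.setdefault(entity, {})
            for name, values in attrs.items():
                bucket.setdefault(name, set()).update(values)
    return merged


def deny_override(request, pips, pdps) -> str:
    """GT 4.0 style: any Deny wins, otherwise one Permit suffices; the issuer
    of a Permit is not considered. NotApplicable everywhere -> Deny (fail
    closed; an assumption of this example)."""
    attrs = merge_attributes(request, pips)
    votes = {p.can_access(request["subject"], request["action"], attrs) for p in pdps}
    if "Deny" in votes:
        return "Deny"
    return "Permit" if "Permit" in votes else "Deny"


def permit_override_chain(request, pips, pdps, owner) -> str:
    """GT 4.2 style: a Permit counts only if a decision chain links the
    requestor back to the resource owner,
        requestor <-canAccess- issuer1 <-canAdmin- issuer2 ... <-canAdmin- owner
    A Deny from a PDP outside that chain does not veto it (permit-override)."""
    attrs = merge_attributes(request, pips)
    action = request["action"]
    # (entity, needs_access): the requestor needs canAccess; each issuer
    # further up the chain needs canAdmin from the next issuer
    queue, seen = deque([(request["subject"], True)]), set()
    while queue:
        entity, needs_access = queue.popleft()
        if (entity, needs_access) in seen:
            continue
        seen.add((entity, needs_access))
        for pdp in pdps:
            decide = pdp.can_access if needs_access else pdp.can_admin
            if decide(entity, action, attrs) != "Permit":
                continue
            if pdp.owner == owner:
                return "Permit"                 # chain closed at the owner
            queue.append((pdp.owner, False))    # who made pdp.owner an admin?
    return "Deny"


# ---- constructed sample policy ----
OWNER = "resource-owner"
PIPS: List[Pip] = [
    lambda r: {r["subject"]: {"group": {"staff"} if r["subject"] == "bob" else set()}},
    lambda r: {"bob": {"group": {"employee"}}},      # a second source about the same entity
]
PDPS = [
    Pdp(OWNER, admin_rules={("alice-admin", "read"): "Permit"}),       # owner delegates to alice-admin
    Pdp("alice-admin", access_rules={("group:staff", "read"): "Permit"}),
    Pdp("mallory", access_rules={("eve", "read"): "Permit", ("bob", "read"): "Deny"}),  # no delegation
]
```

Run bob and eve through both functions with the sample policy: under deny-override, mallory's PDP denies bob and permits eve, because every configured PDP's vote counts equally and nobody asks who issued it; under the decision chain, bob is permitted through alice-admin, to whom the owner delegated administration of "read", and eve is denied because nothing links mallory's Permit back to the owner. The second PIP shows the attribute merging: bob ends up in both the "staff" and "employee" groups.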
GT XACML Support

Java XACML Library

- Java beans generated from the specification schema using Axis tools
- Helper classes to construct higher-level data types (e.g. SubjectHelper, RequestHelper)
- Obligation Handler interface
  - Pluggable implementation at application level
- No XML signature support; message protection relies on TLS
Using the Java XACML Library

- PDP to integrate with the GT authorization engine
  - Configured with the authorization service endpoint
  - Obligation handler for local user name
- Sample authz service with XACML interface
- XACML interface for CAS
C XACML Library

- Bindings generated automatically from the WSDL/XML schema
  - Current implementation uses the gSOAP schema parser
- Clients construct and send authorization queries programmatically
- Client response handling triggered by the obligation ID in the response
- Server code registers for authorization query events
  - Application-specific decision-making logic implemented in a callback when a query arrives
- Initial code works with the gSOAP SSL/socket code
  - Current plans are to replace this with something more flexible
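The client-side pattern the Java and C libraries share, building the XACML request through helper calls and dispatching on the ObligationId found in the response, as an added Python example (not the GT Java or C XACML library: build_request, toy_pdp, handle_response, the stand-in policy and the urn:example:... obligation and attribute identifiers are invented for this illustration; the element names and *-id attribute identifiers are XACML 2.0's own). The local-user-name obligation mirrors the "Obligation handler for local user name" mentioned above, and the handler table also shows what a client should do with an obligation it has no handler for.

```python
"""XACML 2.0 request / response round trip with obligation dispatch (added
example, not the GT Java or C XACML library). build_request, toy_pdp,
handle_response and the obligation id urn:example:obligation:local-user-name
are invented here; the element names and attribute ids are XACML's own."""
import xml.etree.ElementTree as ET

CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
POL = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
STATUS_OK = "urn:oasis:names:tc:xacml:1.0:status:ok"
LOCAL_USER_OBLIGATION = "urn:example:obligation:local-user-name"   # hypothetical
LOCAL_USER_ATTR = "urn:example:local-user-name"                    # hypothetical
ET.register_namespace("xacml-context", CTX)
ET.register_namespace("xacml", POL)


def _attr(parent, attr_id, value):
    a = ET.SubElement(parent, f"{{{CTX}}}Attribute", AttributeId=attr_id, DataType=XS_STRING)
    ET.SubElement(a, f"{{{CTX}}}AttributeValue").text = value


def build_request(subject: str, resource: str, action: str) -> bytes:
    """Client side, in the spirit of SubjectHelper/RequestHelper: one Subject,
    Resource and Action, each carrying its standard *-id attribute."""
    req = ET.Element(f"{{{CTX}}}Request")
    _attr(ET.SubElement(req, f"{{{CTX}}}Subject"), SUBJECT_ID, subject)
    _attr(ET.SubElement(req, f"{{{CTX}}}Resource"), RESOURCE_ID, resource)
    _attr(ET.SubElement(req, f"{{{CTX}}}Action"), ACTION_ID, action)
    return ET.tostring(req)


# constructed policy for the stand-in service: DN -> (allowed actions, local account)
POLICY = {"/O=Grid/OU=Example/CN=Bob": ({"read", "write"}, "bob")}


def toy_pdp(request_xml: bytes) -> bytes:
    """Stand-in for the authorization service: decide, and on Permit attach the
    obligation that tells the client which local account to use."""
    req = ET.fromstring(request_xml)

    def value(category, attr_id):
        path = f"{{{CTX}}}{category}/{{{CTX}}}Attribute[@AttributeId='{attr_id}']/{{{CTX}}}AttributeValue"
        return req.findtext(path)

    subject, resource = value("Subject", SUBJECT_ID), value("Resource", RESOURCE_ID)
    allowed, account = POLICY.get(subject, (set(), None))
    decision = "Permit" if value("Action", ACTION_ID) in allowed else "Deny"
    resp = ET.Element(f"{{{CTX}}}Response")
    result = ET.SubElement(resp, f"{{{CTX}}}Result", ResourceId=resource)
    ET.SubElement(result, f"{{{CTX}}}Decision").text = decision
    ET.SubElement(ET.SubElement(result, f"{{{CTX}}}Status"), f"{{{CTX}}}StatusCode", Value=STATUS_OK)
    if decision == "Permit":
        obls = ET.SubElement(result, f"{{{POL}}}Obligations")
        obl = ET.SubElement(obls, f"{{{POL}}}Obligation", ObligationId=LOCAL_USER_OBLIGATION, FulfillOn="Permit")
        ET.SubElement(obl, f"{{{POL}}}AttributeAssignment", AttributeId=LOCAL_USER_ATTR, DataType=XS_STRING).text = account
    return ET.tostring(resp)


def handle_response(response_xml: bytes, handlers: dict):
    """Client side: read the decision, then dispatch each obligation that applies
    to it by ObligationId. A Permit whose obligation the client cannot fulfil
    is downgraded to Deny instead of being silently honoured."""
    result = ET.fromstring(response_xml).find(f"{{{CTX}}}Result")
    if result.find(f"{{{CTX}}}Status/{{{CTX}}}StatusCode").get("Value") != STATUS_OK:
        return "Indeterminate", {}
    decision, fulfilled = result.findtext(f"{{{CTX}}}Decision"), {}
    for obl in result.iterfind(f"{{{POL}}}Obligations/{{{POL}}}Obligation"):
        if obl.get("FulfillOn") != decision:
            continue                        # obligation attached to the other outcome
        handler = handlers.get(obl.get("ObligationId"))
        if handler is None:
            return "Deny", fulfilled        # unknown obligation: do not proceed
        assignments = {a.get("AttributeId"): a.text for a in obl.iterfind(f"{{{POL}}}AttributeAssignment")}
        fulfilled[obl.get("ObligationId")] = handler(assignments)
    return decision, fulfilled


def local_user_name_handler(assignments: dict) -> str:
    """Obligation handler: map the grid identity to a local user name."""
    return assignments[LOCAL_USER_ATTR]


HANDLERS = {LOCAL_USER_OBLIGATION: local_user_name_handler}


def authorize(subject, resource, action, handlers=HANDLERS):
    """Full round trip: build request, ask the (stand-in) service, handle obligations."""
    return handle_response(toy_pdp(build_request(subject, resource, action)), handlers)
```

With the constructed policy, authorize("/O=Grid/OU=Example/CN=Bob", "file:///data/report.txt", "read") yields a Permit plus the fulfilled local-user-name obligation "bob"; an action the policy does not allow, or an unknown DN, yields a plain Deny with no obligations. Passing an empty handler table shows the failure mode: the service still says Permit, but because the client cannot fulfil the obligation the decision is treated as Deny. Since the library described above has no XML signature support, a real deployment carries this exchange over TLS; nothing in the XML itself authenticates the service.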