Access Control Patterns & Practices with WSO2 Middleware
Prabath Siriwardena
About Me
• Director of Security Architecture at WSO2
• Leads WSO2 Identity Server, an open source identity and entitlement management product
• Apache Axis2/Rampart committer / PMC
• A member of the OASIS Identity Metasystem Interoperability (IMI) TC, the OASIS eXtensible Access Control Markup Language (XACML) TC and the OASIS Security Services (SAML) TC
• Twitter: @prabath
• Email: [email protected]
• Blog: http://blog.facilelogin.com
• LinkedIn: http://www.linkedin.com/in/prabathsiriwardena
Discretionary Access Control (DAC) vs. Mandatory Access Control (MAC)
With Discretionary Access Control, the owner of a resource decides who may access it and can, at their own discretion, transfer those rights to another user.
With Mandatory Access Control, only designated users (typically administrators) are allowed to grant rights, and users cannot transfer the rights they hold.
All WSO2 Carbon based products use Mandatory Access Control.
A Group is a collection of Users, while a Role is a collection of permissions.
Authorization Table vs. Access Control Lists vs. Capabilities
An Authorization Table is a three-column table with one row per permitted (subject, action, resource) triple.
With Access Control Lists, each resource is associated with a list indicating, for each subject, the actions that subject can exercise on the resource.
With Capabilities, each subject has an associated list, called a capability list, indicating, for each resource, the accesses that subject is allowed to exercise on it.
Access Control Lists are resource driven (indexed by resource) while capabilities are subject driven (indexed by subject); both are views of the same authorization table, so a given access check must give the same answer in either view.
With policy based access control we can express authorization at a fine granularity: a policy is a rule over attributes of the subject, action and resource rather than an enumerated table.
Capabilities and Access Control Lists can be dynamically derived from such policies, by evaluating them for every subject (capability list) or for every resource (ACL) the application cares about.
XACML is the de facto standard for policy based access control.
XACML provides a reference architecture, a request response protocol and a policy language.
XACML Reference Architecture
• Policy Enforcement Point (PEP): intercepts the access request, builds the XACML request and enforces the decision it gets back.
• Policy Decision Point (PDP): evaluates the request against the applicable policies and returns Permit, Deny, NotApplicable or Indeterminate.
• Policy Information Point (PIP): supplies attribute values the request did not carry (for example, the owner of the resource).
• Policy Administration Point (PAP): where policies are authored and published.
• Policy Store: holds the published policies that the PDP loads.
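The reference architecture above, modelled as an added Python example (not WSO2 Identity Server code): a PAP publishes policies into a policy store, a PEP builds the request and enforces the decision, the PDP evaluates the applicable policies with deny-overrides combining, and a PIP supplies attributes the request did not carry. It also shows the simplified form of the Hierarchical Resource Profile that the following slides rely on: a policy target naming a node applies to that node and to all of its descendants. The policy ids, attribute names (`role`, `owner`), resources and sample data are constructed, and the combining algorithms omit the Indeterminate{D}/{P} refinement of XACML 3.0.

```python
"""Minimal model of the XACML reference architecture. Added example, not WSO2
code; the policies, attribute names and sample data are constructed."""
PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"

class AttributeMissing(Exception):
    """Neither the request nor the PIP could supply the attribute."""

class Context:
    """Attribute lookup for one request; asks the PIP for anything the PEP did not send."""
    def __init__(self, request, pip):
        self.request, self.pip = request, pip

    def get(self, category, attribute):
        value = self.request.get(category, {}).get(attribute)
        if value is None:
            value = self.pip(category, attribute, self.request)      # PIP query
        if value is None:
            raise AttributeMissing(f"{category}:{attribute}")
        return value

def combine(decisions, algorithm):
    """Simplified XACML combining algorithms (no Indeterminate{D}/{P} refinement)."""
    order = {"deny-overrides": (DENY, INDETERMINATE, PERMIT),
             "permit-overrides": (PERMIT, INDETERMINATE, DENY)}[algorithm]
    return next((d for d in order if d in decisions), NOT_APPLICABLE)

def target_matches(policy, ctx):
    rid = ctx.get("resource", "resource-id")
    prefix = policy["resource_prefix"]
    # Hierarchical Resource Profile, simplified: a target that names a node in a
    # URI-like hierarchy applies to that node and to all of its descendants
    # ("/patients/" covers "/patients" and "/patients/1/record", never "/patientsX").
    in_tree = rid == prefix.rstrip("/") or rid.startswith(prefix)
    return in_tree and ctx.get("action", "action-id") in policy["actions"]

class PDP:
    def __init__(self, policy_store, pip):
        self.policy_store, self.pip = policy_store, pip

    def evaluate(self, request):
        ctx, policy_decisions = Context(request, self.pip), []
        for policy in self.policy_store:
            try:
                if not target_matches(policy, ctx):
                    continue                                        # NotApplicable
            except AttributeMissing:
                policy_decisions.append(INDETERMINATE)
                continue
            rule_decisions = []
            for effect, condition in policy["rules"]:
                try:
                    rule_decisions.append(effect if condition(ctx) else NOT_APPLICABLE)
                except AttributeMissing:
                    rule_decisions.append(INDETERMINATE)            # unresolved attribute is never a Permit
            policy_decisions.append(combine(rule_decisions, policy["combining"]))
        return combine(policy_decisions, "deny-overrides")          # policy-set level

class PAP:
    """Authoring side: publishes policies into the store the PDP reads."""
    def __init__(self):
        self.policy_store = []

    def publish(self, policy_id, resource_prefix, actions, rules, combining="deny-overrides"):
        self.policy_store.append({"id": policy_id, "resource_prefix": resource_prefix,
                                  "actions": set(actions), "rules": rules, "combining": combining})

def enforce(pdp, subject_id, roles, action, resource_id):
    """PEP: build the request, ask the PDP, fail closed on anything but Permit."""
    request = {"subject": {"subject-id": subject_id, "role": set(roles)},
               "action": {"action-id": action},
               "resource": {"resource-id": resource_id}}
    decision = pdp.evaluate(request)
    return decision == PERMIT, decision

# Constructed sample data: a PIP that knows who owns each patient record.
RESOURCE_OWNER = {"/patients/1/record": "alice", "/patients/2/record": "dave"}

def sample_pip(category, attribute, request):
    if category == "resource" and attribute == "owner":
        return RESOURCE_OWNER.get(request["resource"]["resource-id"])
    return None

def build_demo_pdp():
    pap = PAP()
    pap.publish("patient-records", "/patients/", {"read", "write"}, [
        (PERMIT, lambda c: "doctor" in c.get("subject", "role")),
        (PERMIT, lambda c: c.get("action", "action-id") == "read"
                 and c.get("subject", "subject-id") == c.get("resource", "owner")),
        (DENY, lambda c: "contractor" in c.get("subject", "role")),
    ])
    pap.publish("audit-log", "/audit", {"read"}, [
        (PERMIT, lambda c: "auditor" in c.get("subject", "role")),
    ])
    return PDP(pap.policy_store, sample_pip)

if __name__ == "__main__":
    print(enforce(build_demo_pdp(), "bob", ["doctor", "contractor"], "read", "/patients/1/record"))
```

Two behaviours are worth checking in any real PEP: a subject holding both a permitting role (`doctor`) and a denying role (`contractor`) is refused under deny-overrides, and a request whose owner attribute the PIP cannot resolve yields Indeterminate, which the PEP treats exactly like Deny rather than falling open.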
XACML with Capabilities (WS-Trust), Hierarchical Resource Profile
[Slide diagram, recovered as a flow:]
1. Client Application sends a SAML token request to WSO2 Identity Server (STS).
2. The STS sends an XACML Request to WSO2 Identity Server (XACML PDP) and receives the XACML Response.
3. The STS issues a SAML token carrying authentication and authorization assertions (the caller's capabilities).
4. Client Application sends the SAML token together with the service request to WSO2 Application Server (SOAP Service).
XACML with Capabilities (WS-Trust), Hierarchical Resource Profile
[Slide diagram, web application variant, recovered as a flow:]
1. Browser sends an unauthenticated request to WSO2 Application Server (Web Application).
2. Browser redirect with SAML Request to WSO2 Identity Server (SAML2 IdP).
3. The IdP sends an XACML Request to WSO2 Identity Server (XACML PDP) and receives the XACML Response.
4. The IdP returns a SAML token with authentication and authorization assertion (capabilities) to the web application.
RBAC (Role Based Access Control)
[Slide diagram, recovered as a flow:]
1. Client Application sends the service request plus credentials to WSO2 ESB (Policy Enforcement Point).
2. The ESB authenticates the caller, checks the caller's roles and forwards the request to WSO2 Application Server (SOAP Service).
WSO2 ESB as the XACML PEP (SOAP and REST)
[Slide diagram, recovered as a flow:]
1. Client Application sends the service request plus credentials to WSO2 ESB (Policy Enforcement Point).
2. The ESB sends an XACML Request to WSO2 Identity Server (XACML PDP) and receives the XACML Response.
3. On Permit, the ESB forwards the request to WSO2 Application Server (SOAP Service).
XACML PEP as a Servlet Filter
[Slide diagram, recovered as a flow:]
1. Client Application sends the service request plus credentials to WSO2 Application Server.
2. The XACML Servlet Filter in front of the application sends an XACML Request to WSO2 Identity Server (XACML PDP) and receives the XACML Response.
3. On Permit, the filter passes the request through to the application.
OAuth + XACML
[Slide diagram, recovered as a flow:]
1. Client Application calls the API Gateway with an Access Token.
2. The API Gateway calls Validate() on WSO2 Identity Server (OAuth Authorization Server) to validate the token.
3. The API Gateway sends an XACML Request to WSO2 Identity Server (XACML PDP) and receives the XACML Response before routing the call.
Authorization with External IdPs (Role Mapping)
[Slide diagram, recovered as a flow:]
1. Browser sends an unauthenticated request to WSO2 Application Server (Web Application).
2. Browser redirect with SAML Request, via WSO2 Identity Server, to the External SAML2 IdP (Salesforce).
3. The external IdP returns a SAML token with authentication and attribute assertions carrying the IdP groups.
4. WSO2 Identity Server maps the IdP Groups to Web App roles, and the web application authorizes against those roles.
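The role-mapping step above, as an added Python example (not WSO2 Identity Server code): the group values are read out of the assertion's AttributeStatement, translated through a local group-to-role map, and only mapped roles grant permissions, so a group the external IdP adds later cannot silently gain access. The assertion, the attribute name `groups`, the role map and the permission names are all constructed; a real deployment runs this only after the SAML stack has verified the signature, issuer, audience and validity window.

```python
"""Map groups from an external IdP's SAML attribute statement to local web-app roles.
Added example, not WSO2 code; the assertion, attribute name and role map are constructed."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion as the SAML stack would hand it over AFTER signature,
# issuer, audience and validity checks; never run the mapping on an unverified assertion.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2013-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>Sales Managers</saml:AttributeValue>
      <saml:AttributeValue>Finance</saml:AttributeValue>
      <saml:AttributeValue>Everyone</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed mapping from IdP group to web-app roles. Only listed groups grant anything;
# every other group the IdP sends is ignored, so a new IdP group cannot silently gain access.
ROLE_MAP = {
    "Sales Managers": {"order_approver", "order_viewer"},
    "Sales": {"order_viewer"},
    "Finance": {"invoice_viewer"},
}
ROLE_PERMISSIONS = {
    "order_viewer": {"orders:read"},
    "order_approver": {"orders:read", "orders:approve"},
    "invoice_viewer": {"invoices:read"},
}

def extract_groups(assertion_xml, attribute_name="groups"):
    """Return the values of the named attribute from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    groups = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != attribute_name:
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            if value.text and value.text.strip():
                groups.append(value.text.strip())
    return groups

def subject_of(assertion_xml):
    node = ET.fromstring(assertion_xml).find(".//saml:Subject/saml:NameID", SAML_NS)
    return node.text.strip() if node is not None and node.text else None

def map_roles(groups, role_map=ROLE_MAP):
    """Translate IdP groups into local roles; report groups that had no mapping."""
    roles, unmapped = set(), []
    for group in groups:
        if group in role_map:
            roles |= role_map[group]
        else:
            unmapped.append(group)
    return roles, unmapped

def permissions_for(roles, role_permissions=ROLE_PERMISSIONS):
    return set().union(*(role_permissions.get(role, set()) for role in roles))

def authorize(assertion_xml, permission):
    """True only if a mapped role grants the permission; unmapped groups never do."""
    roles, _ = map_roles(extract_groups(assertion_xml))
    return permission in permissions_for(roles)

if __name__ == "__main__":
    print(subject_of(SAMPLE_ASSERTION), map_roles(extract_groups(SAMPLE_ASSERTION)))
```

Logging the `unmapped` list is worth keeping in production: it is how you notice that the IdP has renamed a group and your users have lost access, or that it has started sending groups you never intended to trust.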
XACML Multiple Decisions and Application Specific Roles
[Slide diagram, recovered as a flow:]
1. User logs in to Liferay Portal.
2. Liferay Portal sends an XACML Request to WSO2 Identity Server (XACML PDP).
3. The XACML Response carries multiple decisions, which the portal maps onto its application specific roles.