Presentation is loading. Please wait.

Presentation is loading. Please wait.

Access Control Patterns & Practices with WSO2 Middleware Prabath Siriwardena.

Published byMelina Porter Modified over 9 years ago

Similar presentations

Presentation on theme: "Access Control Patterns & Practices with WSO2 Middleware Prabath Siriwardena."— Presentation transcript:

1 Access Control Patterns & Practices with WSO2 Middleware Prabath Siriwardena

2 About Me Director of Security Architecture at WSO2 Leads WSO2 Identity Server – an open source identity and entitlement management product. Apache Axis2/Rampart committer / PMC A member of OASIS Identity Metasystem Interoperability (IMI) TC, OASIS eXtensible Access Control Markup Language (XACML) TC and OASIS Security Services (SAML) TC. Twitter : @prabath Email : prabath@apache.org Blog : http://blog.facilelogin.comhttp://blog.facilelogin.com LinkedIn : http://www.linkedin.com/in/prabathsiriwardenahttp://www.linkedin.com/in/prabathsiriwardena

3 Discretionary Access Control (DAC) vs. Mandatory Access Control (MAC)

4 With the Discretionary Access Control, the user can be the owner of the data and at his discretion can transfer the rights to another user.

5 With Mandatory Access Control, only designated users are allowed to grant rights and, users cannot transfer them.

6 All WSO2 Carbon based products are based on Mandatory Access Control.

7 Group is a collection of Users - while a Role is a collection of permissions.

8 Authorization Table vs. Access Control Lists vs. Capabilities

9 Authorization Table is a three column table with subject, action and resource.

10 With Access Control Lists, each resource is associated with a list, indicating, for each subject, the actions that the subject can exercise on the resource.

11 With Capabilities, each subject has an associated list, called capability list, indicating, for each resource, the accesses that the user is allowed to exercise on the resource.

12 Access Control List is resource driven while capabilities are subject driven.

13 With policy based access control we can have authorization policies with a fine granularity.

14 Capabilities and Access Control Lists can be dynamically derived from policies.

15 XACML is the de facto standard for policy based access control.

16 XACML provides a reference architecture, a request response protocol and a policy language.

17 Policy Enforcement Point (PEP) Policy Information Point (PIP) Policy Administration Point (PAP) Policy Decision Point (PDP) Policy Store XACML Reference Architecture

18 WSO2 Application Server (SOAP Service) WSO2 Identity Server (STS) Client Application SAML token request SAML token with Authentication and Authorization Assertions (Capabilities) SAML token with Authentication and Authorization Assertion + Service Request WSO2 Identity Server (XACML PDP) XACML Response XACML Request XACML with Capabilities (WS-Trust) Hierarchical Resource Profile

19 WSO2 Application Server (Web Application) WSO2 Identity Server (SAML2 IdP) Browser Redirect with SAML Request WSO2 Identity Server (XACML PDP) Unauthenticated Request SAML token with Authentication and Authorization Assertion (Capabilities) XACML Response XACML Request XACML with Capabilities (WS-Trust) Hierarchical Resource Profile

20 WSO2 ESB (Policy Enforcement Point) Client Application Service Request + Credentials WSO2 Application Server (SOAP Service) RBAC Role Based Access Control

21 WSO2 ESB (Policy Enforcement Point) Client Application Service Request + Credentials WSO2 Identity Server (XACML PDP) WSO2 Application Server (SOAP Service) XACML Response XACML Request WSO2 ESB as the XACML PEP (SOAP and REST)

22 WSO2 Application Server Client Application Service Request + Credentials WSO2 Identity Server (XACML PDP) XACML Response XACML Request XACML Servlet Filter XACML PEP as a Servlet Filter

23 WSO2 Identity Server (XACML PDP) XACML Response XACML Request WSO2 Identity Server (OAuth Authorization Server) API Gateway Access Token Client Application Validate() OAuth + XACML

24 WSO2 Application Server (Web Application) External SAML2 IdP (Salesforce) Browser Redirect with SAML Request Unauthenticated Request SAML token with Authentication and Attribute Assertions with IdP groups WSO2 Identity Server Web App roles IdP Groups Authorization with External IdPs (Role Mapping)

25 Login WSO2 Identity Server (XAML PDP) XACML Request XACML Response Liferay Portal XACML Multiple Decisions and Application Specific Roles

26 lean. enterprise. middleware

Download ppt "Access Control Patterns & Practices with WSO2 Middleware Prabath Siriwardena."

Similar presentations

Step Up Authentication in SAML (and XACML) Hal Lockhart February 6, 2014.

Step Up Authentication in SAML (and XACML) Hal Lockhart February 6, 2014.
Enterprise -> Cloud Outline –Enterprises have many apps outside their control public cloud; business partner applications –Using standards-based SSO (SAML,

Enterprise -> Cloud Outline –Enterprises have many apps outside their control public cloud; business partner applications –Using standards-based SSO (SAML,
Federated Digital Rights Management Mairéad Martin The University of Tennessee TERENA General Assembly Meeting Prague, CZ October 24, 2002.

Federated Digital Rights Management Mairéad Martin The University of Tennessee TERENA General Assembly Meeting Prague, CZ October 24, 2002.
FIspace Security Components FIspace Security Components NetFutures 2015 FIspace project Javier Romero Negrín Javier Hitado Simarro ATOS Serdar Arslan KoçSistem.

FIspace Security Components FIspace Security Components NetFutures 2015 FIspace project Javier Romero Negrín Javier Hitado Simarro ATOS Serdar Arslan KoçSistem.
Securing Insecure Prabath Siriwardena, WSO2 Twitter

Securing Insecure Prabath Siriwardena, WSO2 Twitter
WSO2 Identity Server Road Map

WSO2 Identity Server Road Map
Will Darby 91.514 5 April 2010.  What is Federated Security  Security Assertion Markup Language (SAML) Overview  Example Implementations  Alternative.

Will Darby April  What is Federated Security  Security Assertion Markup Language (SAML) Overview  Example Implementations  Alternative.
Authz work in GGF David Chadwick

Authz work in GGF David Chadwick
Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.

Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
T-110.5140 Network Application Frameworks and XML Service Federation 30.04.2007 Sasu Tarkoma.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
16/3/2015 META ACCESS MANAGEMENT SYSTEM Implementing Authorised Access Dr. Erik Vullings MAMS Programme Manager

16/3/2015 META ACCESS MANAGEMENT SYSTEM Implementing Authorised Access Dr. Erik Vullings MAMS Programme Manager
XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.

XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.
95-804 Applied Cryptography Week 13 SAML 1 95-804 Applied Cryptography SAML and XACML Mike McCarthy Week 13.

Applied Cryptography Week 13 SAML Applied Cryptography SAML and XACML Mike McCarthy Week 13.
Copyright B. Wilkinson, 2008. This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.

Copyright B. Wilkinson, This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.
Securing Web Services Using Semantic Web Technologies Brian Shields PhD Candidate, Department of Information Technology, National University of Ireland,

Securing Web Services Using Semantic Web Technologies Brian Shields PhD Candidate, Department of Information Technology, National University of Ireland,
WebFTS as a first WLCG/HEP FIM pilot

WebFTS as a first WLCG/HEP FIM pilot
XACML By Ganesh Godavari Craig Peltier. Information Sharing Information Sharing relates to the sharing of information between two or more entities. Entities.

XACML By Ganesh Godavari Craig Peltier. Information Sharing Information Sharing relates to the sharing of information between two or more entities. Entities.
Prabath Siriwardena Senior Software Architect. An open source Identity & Entitlement management server.

Prabath Siriwardena Senior Software Architect. An open source Identity & Entitlement management server.
SPC204 Security Problems in SharePoint 2010 Authentication and Authorization.

SPC204 Security Problems in SharePoint 2010 Authentication and Authorization.

Similar presentations

Ads by Google