100 likes | 235 Views
GT XACML Authorization. Rachana Ananthakrishnan ranantha@mcs.anl.gov Argonne National Laboratory. Java Authorization Framework. PDP1. PDP2. PDPn. PIP1. PIP2. PIPn. Authorization Engine (Deny-override). GT 4.0 Authorization Framework. Web Services Message Context (store attributes).
E N D
GT XACML Authorization Rachana Ananthakrishnan ranantha@mcs.anl.gov Argonne National Laboratory
PDP1 PDP2 PDPn PIP1 PIP2 PIPn Authorization Engine (Deny-override) GT 4.0 Authorization Framework Web Services Message Context (store attributes) … … Permit Permit Deny Permit Deny Permit Policy Enforcement Point
AuthZ Framework Enhancements • Modular code base • Independent module • Removed web services dependency • separated from Java WS Core • Java interfaces • Improved attribute processing • Normalized attribute representation • Comparison of attributes across sources • Merging of attributes of same entities
AuthZ Framework Enhancements • Separate interface for request attributes • Bootstrap PIP interface • Improved authorization engine • Pluggable engine algorithm • Decision issuer part of decision making process • Administration and Access privileges • Default Algorithm: Permit-override combining algorithm • Construct decision Chain from Requestor to Owner
bPIP1 [owner1] PDP1 [owner1] bPIPn [ownerN] PIP1 [owner1] PDPn [ownerN] PIPn [ownerN] canAccess canAdmin GT 4.2 Authorization Framework … … … Attributes Request Attributes Authorization Engine PIP Attribute Processing PDP Combining Algorithm Decision Policy Enforcement Point
Java XACML Library • Java beans generated from specification schema using Axis tools • Helper classes to construct higher level data types (E.g SubjectHelper, RequestHelper) • Obligation Handler Interface • Pluggable implementation at application level • No signature support • Supported with TLS
Using Java XACML Library • PDP to integrate with GT Authorization engine • Configured with authorization service endpoint • Obligation Handler for local user name • Sample authz service with XACML interface • XACML interface for CAS
C XACML Library • Automatically generated bindings directly from wsdl/xml schema • Current implementation uses gSOAP schema parser • Clients construct / send authorization queries programmatically • Client response handling triggered by obligation ID in response • Server code registers for authorization query events • Application-specific decision making logic implemented in a callback when a query arrives • Initial code to work with gSOAP SSL/socket code • Current plans are to replace this with something more flexible