Fine grained web authorization in java using XACML

Posted 12-02-2009

2009/02/12: Servlet containers such as Tomcat are required to support container security, which includes coarse grained authorization based on roles. The servlet specification defines web resources in the form of URL patterns and can provide access control to these resources using roles. Depending on the use case, this is either a boon or a bane for web developers. The positive aspect is that developers can isolate security code from their business logic and delegate security to the web container. The limiting aspect is that web container authorization does not scale to the fine grained access control needs of business/enterprise applications. OASIS XACML v2.0 is a specification that caters exclusively to access control and is an excellent way to incorporate fine grained access control into your enterprise web applications. In this article, we will look at incorporating fine grained authorization into your web application.


Fine Grained Access Control

Unlike coarse grained access control, fine grained access control is complex, with changing requirements and multiple variables involved in the decision making process. Access control decisions such as the following:

* Allow employees access to a section of the portal on normal business days from 9am to 5pm and not on weekends.
* Disallow requests from a particular subnet.
* Junior traders need approval from managers for trades above $1 million in value.
* Employees should not modify their own salary information. Only managers can change salary information of their subordinates.


cannot be mapped to the access control rules specified in the servlet specification. These advanced access control questions are based on context and business needs. While it makes sense to utilize web container security for authentication and coarse grained authorization, it is certainly unfortunate that container security falls short for fine grained authorization. One possible solution is to externalize the access control policy, so that the policy engine that does the evaluation remains the same while the external policies change as the business requirements do. Given this, it is customary for web developers to develop security as part of their application. It makes sense for them to utilize servlet filters to introduce security into their applications, so that the application contains the business code and the filter takes care of security.


Access Control Lists


ACLs have historically allowed developers and administrators to incorporate fine grained authorization into their business applications. A disadvantage of this approach is that it is non-portable and proprietary, with no standards involved. XACML provides a standards based solution to this problem.


XACML

XACML defines a policy language and an architecture for decision making. The following diagram shows a basic XACML architecture: a Policy Enforcement Point (PEP) intercepts requests in the normal program flow and asks a Policy Decision Point (PDP) to make an access decision based on the policies associated with the PDP. The PDP evaluates the XACML request created by the PEP and runs through the policies to make one of four access decisions, namely

* PERMIT - approve,
* DENY - access denied,
* INDETERMINATE - error at the PDP,
* NOTAPPLICABLE - some attribute missing in the request or no policy match.

Java based XACML Implementations

In this article, we will use JBossXACML, an LGPL licensed library, for developing the PEP and PDP for our fine grained authorization. JBossXACML is a standalone open source library whose only dependency is a JAXB2 implementation (on JDK5 you can use the Sun JAXB2 RI; from JDK6 onwards it is provided by the JDK).

XACML Policy

Let us take a look at the XACML policy that will drive a simple use case in this article. The use case is to control access to a web resource denoted by the URL "http://test/developer-guide.html" for a subject with the role "developer"...
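As an added illustration of the PEP/PDP flow described above (this is not code from the article or from JBossXACML), the following toy Python PDP evaluates a constructed XACML 2.0 policy for the use case: "http://test/developer-guide.html" is permitted to subjects holding the "developer" role and denied to everyone else, and each request yields one of the four decisions. The role attribute id, the first-applicable combining algorithm and the flat request format are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:2.0:policy:schema:os"}
STR = "http://www.w3.org/2001/XMLSchema#string"

# Constructed policy: a subject with role "developer" may access
# http://test/developer-guide.html; any other subject hits the catch-all Deny rule.
POLICY = f"""<Policy xmlns="{NS['x']}" PolicyId="dev-guide"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
 <Target><Resources><Resource>
  <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
   <AttributeValue DataType="{STR}">http://test/developer-guide.html</AttributeValue>
   <ResourceAttributeDesignator DataType="{STR}" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
  </ResourceMatch></Resource></Resources></Target>
 <Rule RuleId="permit-developers" Effect="Permit"><Target><Subjects><Subject>
  <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
   <AttributeValue DataType="{STR}">developer</AttributeValue>
   <SubjectAttributeDesignator DataType="{STR}" AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"/>
  </SubjectMatch></Subject></Subjects></Target></Rule>
 <Rule RuleId="deny-everyone-else" Effect="Deny"/>
</Policy>"""

def _target_matches(target, attrs):
    """A missing Target matches everything; otherwise every *Match must hold (string-equal only).
    An attribute the policy designates but the request lacks raises KeyError, which the caller
    maps to Indeterminate (a simplification equivalent to MustBePresent="true")."""
    if target is None:
        return True
    for m in target.iter():
        if m.tag.endswith("Match"):
            designator = next(c for c in m if c.tag.endswith("AttributeDesignator"))
            if attrs[designator.get("AttributeId")] != m.find("x:AttributeValue", NS).text:
                return False
    return True

def evaluate(policy_xml, attrs):
    """Return Permit, Deny, NotApplicable or Indeterminate for a flat {attribute-id: value} request."""
    policy = ET.fromstring(policy_xml)
    try:
        if not _target_matches(policy.find("x:Target", NS), attrs):
            return "NotApplicable"  # no policy covers this resource
        effects = [r.get("Effect") for r in policy.findall("x:Rule", NS)
                   if _target_matches(r.find("x:Target", NS), attrs)]
    except KeyError:
        return "Indeterminate"  # the request lacks an attribute the policy needs
    if not effects:
        return "NotApplicable"
    if policy.get("RuleCombiningAlgId").endswith("deny-overrides"):
        return "Deny" if "Deny" in effects else "Permit"
    return effects[0]  # first-applicable: the first matching rule decides
```

A servlet filter acting as the PEP would build the attribute map from the authenticated principal and the request URL, call the PDP, and let the request through only on Permit.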

Source:
http://java.dzone.com/articles/fine-grained-web-authorization