[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [sunxacml-discuss] XACML: Access Control for Web Services. Forwarded message from Anne Anderson.
------- start of forwarded message -------
From: Anne Anderson <Anne.Anderson@Sun.com>
To: Chiusana Joseph <chiusana_joseph@bah.com>
CC: Anne.Anderson@Sun.com, sunxacml <sunxacml-discuss@lists.sourceforge.net>
Subject: Re: [sunxacml-discuss] XACML: Access Control for Web Services
Date: Tue, 7 Oct 2003 11:32:30 -0400

Joseph,

Let me try answering your question. There are several aspects of using XACML for access control with web services:

1) how is the access control policy expressed?
2) how are attributes conveyed via standard web services protocols such as SAML used in XACML access control policies?
3) how is the web service bound to the XACML policy?
4) how is the XACML access control policy bound to the web service?

1. HOW IS THE POLICY EXPRESSED

This is done through standard XACML rules, which state conditions under which access is allowed. The XACML 1.1 specification is available at:

  http://www.oasis-open.org/committees/xacml/repository/cs-xacml-specification-1.1.pdf

The access control policy for an on-line book club web service may be that only members of the on-line book club can order items from the club's web site. This would be expressed in XACML as follows:

  <Rule Effect="Permit">
    <Condition FunctionId="and">
      <Apply FunctionId="equal">
        <AttributeValue>member</AttributeValue>
        <SubjectAttributeDesignator AttributeId="membership-status"/>
      </Apply>
      <Apply FunctionId="equal">
        <AttributeValue>order</AttributeValue>
        <ActionAttributeDesignator AttributeId="action-id"/>
      </Apply>
    </Condition>
  </Rule>

2. HOW SAML ATTRIBUTES ARE CONVEYED AND REFERENCED

XACML handles "authorization", not "authentication". An X.509 identity certificate is associated with "authentication". It would be used by the web service's authentication mechanism (possibly federated) as a first step to determine that the subject making a request is who they claim to be. Only after the service has done that step would XACML be invoked to check for the authenticated subject's authorization to do some particular action.

So assume the book club web service has authenticated its subject as being "Anne H. Anderson". It now wants to determine using its access control policy that Anne H. Anderson has permission to order the book with ISBN 0201787911.

Assume there is a SAML Attribute Assertion indicating that Subject "Anne H. Anderson" has the attribute "membership status" with a value of "member". The web service trusts this attribute value since it has authenticated that the subject is "Anne H. Anderson". So the web service might extract this information and pass it in a SAML Authorization Decision Query to its XACML PDP. [It requires a simple SAML extension to pass an XACML Request as a new type of SAML Authorization Decision Query. An extension for this should be standard for SAML 2.0].

Example:

  <saml:Query>
    <XACMLAuthorizationDecisionQuery>
      <xacml:Request>
        <Subject>
          <Attribute AttributeId="membership-status">
            <AttributeValue>member</AttributeValue>
          </Attribute>
        </Subject>
        <Resource>
          <Attribute AttributeId="ISBN">
            <AttributeValue>0201787911</AttributeValue>
          </Attribute>
        </Resource>
        <Action>
          <Attribute AttributeId="action-id">
            <AttributeValue>order</AttributeValue>
          </Attribute>
        </Action>
      </xacml:Request>
    </XACMLAuthorizationDecisionQuery>
  </saml:Query>

Note that the web service might pass the subject-id attribute of "Anne H. Anderson" to the XACML PDP, rather than the membership-status attribute. This would work fine so long as the XACML PDP has access to the attributes for Anne H. Anderson (the XACML PDP may even make a SAML AttributeQuery back to the web service for an attribute value that it needs). But either the web service's PEP or the XACML PDP side will have to obtain the SAML attribute assertion and extract the attribute identity and attribute value from the SAML assertion before using it in an authorization decision.

3. HOW THE WEB SERVICE IS BOUND TO THE XACML ACCESS CONTROL POLICY

The XACML profile for Web-services (WSPL) says how this can be done: the policy is distributed in a WSDL service description "EndPointPolicy" element or in a SOAP header Policy element. The current WSPL specification is available at:

  http://www.oasis-open.org/committees/download.php/3661/draft-xacml-wspl-04.pdf

4. HOW THE XACML ACCESS CONTROL POLICY IS BOUND TO THE WEB SERVICE

The XACML profile for Web-services (WSPL) says how this can be done: In the XACML PolicySet, specify the "access control" objective, the web service's WSDL portType, operation, and message as part of the XACML policy's Target.

Example:

  <PolicySet>
    <Target>
      <!-- This PolicySet is for book-club-service:portX -->
      <Resources>
        <ResourceMatch MatchId="equal">
          <AttributeValue>book-club-service:portX</AttributeValue>
          <ResourceAttributeDesignator AttributeId="portId"/>
        </ResourceMatch>
      </Resources>
    </Target>
    <!-- sub-PolicySets may specify particular WSDL operations and
         operation messages within serviceX:portX. In this example,
         the Policy for access control applies to ALL serviceX:portX
         operations and messages -->
    <Policy>
      <Target>
        <!-- This Policy is for access control -->
        <Actions>
          <ActionMatch MatchId="equal">
            <AttributeValue>access-control</AttributeValue>
            <ActionAttributeDesignator AttributeId="objectiveId"/>
          </ActionMatch>
        </Actions>
      </Target>
      <Rule Effect="Permit">
        <!-- this is where the policy rule above would go -->
      </Rule>
    </Policy>
    <!-- Other Policies for aspects of serviceX:portX other than
         access control may occur here -->
  </PolicySet>

Anne Anderson

--
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive, UBUR02-311    Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
------- end of forwarded message -------

--
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive, UBUR02-311    Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
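The following is an added example, not part of the message above and not sunxacml code: a toy PDP that evaluates the section-4 PolicySet (with the section-1 Rule inlined) against the section-2 request. It keeps the message's shorthand FunctionId/MatchId names ("and", "equal") rather than the real XACML 1.x URN identifiers, assumes deny-overrides combining because the message's PolicySet names no combining algorithm, and adds namespace declarations (assumed SAML 1.x protocol and XACML 1.x context URIs) so the SAML wrapper parses. It also adds the portId and objectiveId attributes the PEP must supply for the PolicySet and Policy Targets to match; the request as printed in the message omits them and would evaluate to NotApplicable.

```python
"""Toy XACML-style PDP for the simplified policy and request in the message above.
Added example; not sunxacml and not the author's code. Shorthand function names,
namespace URIs and deny-overrides combining are assumptions, not the XACML spec."""
import xml.etree.ElementTree as ET

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

# Which request category each designator element reads its attribute bag from.
DESIGNATOR_CATEGORY = {
    "SubjectAttributeDesignator": "Subject",
    "ResourceAttributeDesignator": "Resource",
    "ActionAttributeDesignator": "Action",
}

# Constructed sample: the section-4 PolicySet with the section-1 Rule inlined.
POLICY_SET_XML = """<PolicySet>
  <Target><Resources><ResourceMatch MatchId="equal">
    <AttributeValue>book-club-service:portX</AttributeValue>
    <ResourceAttributeDesignator AttributeId="portId"/>
  </ResourceMatch></Resources></Target>
  <Policy>
    <Target><Actions><ActionMatch MatchId="equal">
      <AttributeValue>access-control</AttributeValue>
      <ActionAttributeDesignator AttributeId="objectiveId"/>
    </ActionMatch></Actions></Target>
    <Rule Effect="Permit"><Condition FunctionId="and">
      <Apply FunctionId="equal"><AttributeValue>member</AttributeValue>
        <SubjectAttributeDesignator AttributeId="membership-status"/></Apply>
      <Apply FunctionId="equal"><AttributeValue>order</AttributeValue>
        <ActionAttributeDesignator AttributeId="action-id"/></Apply>
    </Condition></Rule>
  </Policy>
</PolicySet>"""


def make_request(membership, port="book-club-service:portX", action="order",
                 objective="access-control", isbn="0201787911"):
    """Constructed section-2 query. membership=None models a PEP that extracted no
    membership-status attribute from the SAML assertion. Namespace URIs assumed."""
    subject = "" if membership is None else (
        '<Attribute AttributeId="membership-status">'
        f"<AttributeValue>{membership}</AttributeValue></Attribute>")
    return f"""<saml:Query xmlns:saml="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:xacml="urn:oasis:names:tc:xacml:1.0:context">
  <XACMLAuthorizationDecisionQuery><xacml:Request>
    <Subject>{subject}</Subject>
    <Resource>
      <Attribute AttributeId="ISBN"><AttributeValue>{isbn}</AttributeValue></Attribute>
      <Attribute AttributeId="portId"><AttributeValue>{port}</AttributeValue></Attribute>
    </Resource>
    <Action>
      <Attribute AttributeId="action-id"><AttributeValue>{action}</AttributeValue></Attribute>
      <Attribute AttributeId="objectiveId"><AttributeValue>{objective}</AttributeValue></Attribute>
    </Action>
  </xacml:Request></XACMLAuthorizationDecisionQuery>
</saml:Query>"""


def parse_request(xml_text):
    """Unwrap the SAML query and flatten <Request> into {category: {AttributeId: [values]}}."""
    root = ET.fromstring(xml_text)
    request = next(e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == "Request")
    bags = {"Subject": {}, "Resource": {}, "Action": {}}
    for category in bags:
        for holder in request.findall(category):
            for attr in holder.findall("Attribute"):
                values = [v.text or "" for v in attr.findall("AttributeValue")]
                bags[category].setdefault(attr.get("AttributeId"), []).extend(values)
    return bags


def _equal(elem, bags):
    """Shorthand 'equal': the literal matches some value in the designated bag.
    A missing attribute is an empty bag, so it never matches (fail closed)."""
    literal = elem.find("AttributeValue").text
    designator = next(c for c in elem if c.tag in DESIGNATOR_CATEGORY)
    bag = bags[DESIGNATOR_CATEGORY[designator.tag]].get(designator.get("AttributeId"), [])
    return literal in bag


def eval_condition(elem, bags):
    fid = elem.get("FunctionId")
    if fid == "and":
        return all(eval_condition(child, bags) for child in elem)
    if fid == "equal":
        return _equal(elem, bags)
    raise ValueError(f"unsupported FunctionId {fid!r}")


def target_matches(target, bags):
    """Absent Target matches anything; otherwise every *Match in every section must hold."""
    if target is None:
        return True
    return all(_equal(match, bags) for section in target for match in section
               if match.get("MatchId") == "equal")


def evaluate(node, bags):
    """Evaluate a PolicySet, Policy or Rule; children combined with assumed deny-overrides."""
    if not target_matches(node.find("Target"), bags):
        return NOT_APPLICABLE
    if node.tag == "Rule":
        condition = node.find("Condition")
        if condition is not None and not eval_condition(condition, bags):
            return NOT_APPLICABLE
        return node.get("Effect")
    decisions = [evaluate(c, bags) for c in node if c.tag in ("PolicySet", "Policy", "Rule")]
    return DENY if DENY in decisions else PERMIT if PERMIT in decisions else NOT_APPLICABLE


def decide(policy_xml, request_xml):
    return evaluate(ET.fromstring(policy_xml), parse_request(request_xml))


def pep_allows(decision):
    """The PEP enforces only an explicit Permit; NotApplicable blocks like Deny."""
    return decision == PERMIT


if __name__ == "__main__":
    for membership in ("member", "guest", None):
        d = decide(POLICY_SET_XML, make_request(membership))
        print(f"membership={membership!r}: {d} -> allowed={pep_allows(d)}")
```

Two points the message makes show up directly in the runs: the PDP only sees attributes the PEP put into the Request (an authenticated subject with no extracted membership-status gets NotApplicable, not Permit), and the WSPL binding in section 4 only engages when the PEP also supplies the portId and objectiveId attributes the Targets match on.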