Subject: Re: [sunxacml-discuss] XACML: Access Control for Web Services. Forwarded message from Anne Anderson.
Colleagues,

If anyone tries to e-mail the commenter, please note that I got his
e-mail address wrong. It should be Chiusano Joseph
<chiusano_joseph@bah.com>

Anne

On 7 October, Anne Anderson writes: Re: [sunxacml-discuss] XACML: Access Control for Web Services. Forwarded message from Anne Anderson.
> From: Anne Anderson <Anne.Anderson@Sun.com>
> To: XACML TC <xacml@lists.oasis-open.org>
> CC: Anne.Anderson@Sun.com
> Subject: Re: [sunxacml-discuss] XACML: Access Control for Web Services. Forwarded message from Anne Anderson.
> Date: Tue, 7 Oct 2003 11:34:05 -0400
>
> ------- start of forwarded message -------
> From: Anne Anderson <Anne.Anderson@Sun.com>
> To: Chiusana Joseph <chiusana_joseph@bah.com>
> CC: Anne.Anderson@Sun.com, sunxacml <sunxacml-discuss@lists.sourceforge.net>
> Subject: Re: [sunxacml-discuss] XACML: Access Control for Web Services
> Date: Tue, 7 Oct 2003 11:32:30 -0400
>
> Joseph,
>
> Let me try answering your question.
>
> There are several aspects of using XACML for access control with web
> services:
>   1) how is the access control policy expressed?
>   2) how are attributes conveyed via standard web services
>      protocols such as SAML used in XACML access control
>      policies?
>   3) how is the web service bound to the XACML policy?
>   4) how is the XACML access control policy bound to the web
>      service?
>
> 1. HOW IS THE POLICY EXPRESSED
>
> This is done through standard XACML rules, which state conditions
> under which access is allowed. The XACML 1.1 specification is
> available at:
> http://www.oasis-open.org/committees/xacml/repository/cs-xacml-specification-1.1.pdf
>
> The access control policy for an on-line book club web service
> may be that only members of the on-line book club can order items
> from the club's web site.
>
> This would be expressed in XACML as follows:
>
>   <Rule Effect="Permit">
>     <Condition FunctionId="and">
>       <Apply FunctionId="equal">
>         <AttributeValue>member</AttributeValue>
>         <SubjectAttributeDesignator AttributeId="membership-status"/>
>       </Apply>
>       <Apply FunctionId="equal">
>         <AttributeValue>order</AttributeValue>
>         <ActionAttributeDesignator AttributeId="action-id"/>
>       </Apply>
>     </Condition>
>   </Rule>
>
> 2. HOW SAML ATTRIBUTES ARE CONVEYED AND REFERENCED
>
> XACML handles "authorization", not "authentication". An X.509
> identity certificate is associated with "authentication". It
> would be used by the web service's authentication mechanism
> (possibly federated) as a first step to determine that the
> subject making a request is who they claim to be. Only after the
> service has done that step would XACML be invoked to check for
> the authenticated subject's authorization to do some particular
> action.
>
> So assume the book club web service has authenticated its subject
> as being "Anne H. Anderson". It now wants to determine using its
> access control policy that Anne H. Anderson has permission to
> order the book with ISBN 0201787911.
>
> Assume there is a SAML Attribute Assertion indicating that
> Subject "Anne H. Anderson" has the attribute "membership status"
> with a value of "member". The web service trusts this attribute
> value since it has authenticated that the subject is "Anne
> H. Anderson".
>
> So the web service might extract this information and pass it in
> a SAML Authorization Decision Query to its XACML PDP. [It
> requires a simple SAML extension to pass an XACML Request as a
> new type of SAML Authorization Decision Query. An extension for
> this should be standard for SAML 2.0].
>
> Example:
>
>   <saml:Query>
>     <XACMLAuthorizationDecisionQuery>
>       <xacml:Request>
>         <Subject>
>           <Attribute AttributeId="membership-status">
>             <AttributeValue>member</AttributeValue>
>           </Attribute>
>         </Subject>
>         <Resource>
>           <Attribute AttributeId="ISBN">
>             <AttributeValue>0201787911</AttributeValue>
>           </Attribute>
>         </Resource>
>         <Action>
>           <Attribute AttributeId="action-id">
>             <AttributeValue>order</AttributeValue>
>           </Attribute>
>         </Action>
>       </xacml:Request>
>     </XACMLAuthorizationDecisionQuery>
>   </saml:Query>
>
> Note that the web service might pass the subject-id attribute of
> "Anne H. Anderson" to the XACML PDP, rather than the
> membership-status attribute. This would work fine so long as the
> XACML PDP has access to the attributes for Anne H. Anderson (the
> XACML PDP may even make a SAML AttributeQuery back to the web
> service for an attribute value that it needs). But either the
> web service's PEP or the XACML PDP side will have to obtain the
> SAML attribute assertion and extract the attribute identity and
> attribute value from the SAML assertion before using it in an
> authorization decision.
>
> 3. HOW THE WEB SERVICE IS BOUND TO THE XACML ACCESS CONTROL POLICY
>
> The XACML profile for Web-services (WSPL) says how this can be
> done: the policy is distributed in a WSDL service description
> "EndPointPolicy" element or in a SOAP header Policy element.
>
> The current WSPL specification is available at:
> http://www.oasis-open.org/committees/download.php/3661/draft-xacml-wspl-04.pdf
>
> 4. HOW THE XACML ACCESS CONTROL POLICY IS BOUND TO THE WEB SERVICE
>
> The XACML profile for Web-services (WSPL) says how this can be
> done:
>
> In the XACML PolicySet, specify "access control" objective, the
> web service's WSDL portType, operation, and message as part of
> the XACML policy's Target.
>
> Example:
>
>   <PolicySet>
>     <Target> <!-- This PolicySet is for book-club-service:portX -->
>       <Resources>
>         <ResourceMatch MatchId="equal">
>           <AttributeValue>book-club-service:portX</AttributeValue>
>           <ResourceAttributeDesignator AttributeId="portId"/>
>         </ResourceMatch>
>       </Resources>
>     </Target>
>
>     <!-- sub-PolicySets may specify particular WSDL operations
>          and operation messages within serviceX:portX. In
>          this example, the Policy for access control applies
>          to ALL serviceX:portX operations and messages -->
>
>     <Policy>
>       <Target> <!-- This Policy is for access control -->
>         <Actions>
>           <ActionMatch MatchId="equal">
>             <AttributeValue>access-control</AttributeValue>
>             <ActionAttributeDesignator AttributeId="objectiveId"/>
>           </ActionMatch>
>         </Actions>
>       </Target>
>
>       <Rule Effect="Permit">
>         <!-- this is where the policy rule above would go -->
>       </Rule>
>
>     </Policy>
>
>     <!-- Other Policies for aspects of serviceX:portX other than
>          access control may occur here -->
>
>   </PolicySet>
>
> Anne Anderson
> --
> Anne H. Anderson               Email: Anne.Anderson@Sun.COM
> Sun Microsystems Laboratories
> 1 Network Drive,UBUR02-311     Tel: 781/442-0928
> Burlington, MA 01803-0902 USA  Fax: 781/442-1692
> ------- end of forwarded message -------
>
> --
> Anne H. Anderson               Email: Anne.Anderson@Sun.COM
> Sun Microsystems Laboratories
> 1 Network Drive,UBUR02-311     Tel: 781/442-0928
> Burlington, MA 01803-0902 USA  Fax: 781/442-1692

--
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
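The decision step that sections 1 and 2 of the forwarded message walk through, as an added Python example that is not part of the thread or of the sunxacml project: a toy PDP that parses the section 1 Rule and the section 2 Request (copied here without namespaces and with the message's shortened FunctionId names "and" and "equal" instead of the full XACML function URNs, a simplification) and returns Permit, NotApplicable or Indeterminate. The REQUEST_SUBJECT_ID_ONLY_XML input, the Indeterminate class and the DESIGNATORS mapping are my own constructions; the subject-id-only request illustrates the message's remark that a PDP handed only the subject identity needs some other source for the membership attribute, and that without one the rule can never permit.

```python
"""Toy XACML-style rule evaluator for the book-club example in the thread.

Added illustration, not sunxacml. The XML constants are constructed copies of
the examples in the message, with namespaces dropped.
"""
import xml.etree.ElementTree as ET

# Rule from section 1 of the message (constructed copy).
RULE_XML = """<Rule Effect="Permit">
  <Condition FunctionId="and">
    <Apply FunctionId="equal">
      <AttributeValue>member</AttributeValue>
      <SubjectAttributeDesignator AttributeId="membership-status"/>
    </Apply>
    <Apply FunctionId="equal">
      <AttributeValue>order</AttributeValue>
      <ActionAttributeDesignator AttributeId="action-id"/>
    </Apply>
  </Condition>
</Rule>"""

# Request from section 2 of the message (constructed copy, inner xacml:Request only).
REQUEST_XML = """<Request>
  <Subject>
    <Attribute AttributeId="membership-status">
      <AttributeValue>member</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <Attribute AttributeId="ISBN">
      <AttributeValue>0201787911</AttributeValue>
    </Attribute>
  </Resource>
  <Action>
    <Attribute AttributeId="action-id">
      <AttributeValue>order</AttributeValue>
    </Attribute>
  </Action>
</Request>"""

# Constructed variant: the web service passes only subject-id, as the message
# says it might, and this PDP has no attribute source to resolve membership.
REQUEST_SUBJECT_ID_ONLY_XML = REQUEST_XML.replace(
    '<Attribute AttributeId="membership-status">\n      <AttributeValue>member</AttributeValue>',
    '<Attribute AttributeId="subject-id">\n      <AttributeValue>Anne H. Anderson</AttributeValue>',
)

# Which Request category each designator element reads from (assumed mapping).
DESIGNATORS = {
    "SubjectAttributeDesignator": "Subject",
    "ResourceAttributeDesignator": "Resource",
    "ActionAttributeDesignator": "Action",
}


class Indeterminate(Exception):
    """The condition could not be evaluated (missing or ambiguous attribute)."""


def parse_request(xml_text):
    """Flatten a Request into {category: {AttributeId: [values]}}.

    Attributes are bags: one id may carry several values, so keep a list.
    """
    ctx = {}
    for category in ET.fromstring(xml_text):
        bag = ctx.setdefault(category.tag, {})
        for attr in category.findall("Attribute"):
            values = [v.text or "" for v in attr.findall("AttributeValue")]
            bag.setdefault(attr.get("AttributeId"), []).extend(values)
    return ctx


def eval_apply(node, ctx):
    """Evaluate a Condition/Apply node against the flattened request."""
    fn = node.get("FunctionId")
    if fn == "and":
        # all() stops at the first False; an Indeterminate child propagates.
        return all(eval_apply(child, ctx) for child in node)
    if fn == "equal":
        literal = node.find("AttributeValue").text
        designator = next(c for c in node if c.tag in DESIGNATORS)
        bag = ctx.get(DESIGNATORS[designator.tag], {}).get(designator.get("AttributeId"), [])
        # equal compares single values: an empty or multi-valued bag is an error,
        # never a match, so a missing attribute cannot yield Permit.
        if len(bag) != 1:
            raise Indeterminate(f"{designator.get('AttributeId')}: bag of size {len(bag)}")
        return literal == bag[0]
    raise Indeterminate(f"unsupported function {fn}")


def evaluate_rule(rule_xml, request_xml):
    """Return 'Permit' (the rule's Effect), 'NotApplicable' or 'Indeterminate'."""
    rule = ET.fromstring(rule_xml)
    ctx = parse_request(request_xml)
    try:
        matched = eval_apply(rule.find("Condition"), ctx)
    except Indeterminate:
        return "Indeterminate"
    return rule.get("Effect") if matched else "NotApplicable"


if __name__ == "__main__":
    print(evaluate_rule(RULE_XML, REQUEST_XML))                  # Permit
    print(evaluate_rule(RULE_XML, REQUEST_SUBJECT_ID_ONLY_XML))  # Indeterminate
```

The PEP side of the message's design is what turns these three outcomes into an enforcement decision; the point the example makes is that only an explicit Permit from a rule whose attributes were actually present and single-valued should open the order operation, and that Indeterminate (an attribute the PDP could not obtain) must be treated the same as a denial by the enforcing service.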