MHonArc v2.5.0b2 -->
xacml message
[Date Prev]
| [Thread Prev]
| [Thread Next]
| [Date Next]
--
[Date Index]
| [Thread Index]
| [List Home]
Subject: Re: [sunxacml-discuss] XACML: Access Control for Web Services. Forwarded message from Anne Anderson.
Colleagues,
If anyone tries to e-mail the commenter, please note that I got
his e-mail address wrong. It should be
Chiusano Joseph <chiusano_joseph@bah.com>
Anne
On 7 October, Anne Anderson writes: Re: [sunxacml-discuss] XACML: Access Control for Web Services. Forwarded message from Anne Anderson.
> From: Anne Anderson <Anne.Anderson@Sun.com>
> To: XACML TC <xacml@lists.oasis-open.org>
> CC: Anne.Anderson@Sun.com
> Subject: Re: [sunxacml-discuss] XACML: Access Control for Web Services. Forwarded message from Anne Anderson.
> Date: Tue, 7 Oct 2003 11:34:05 -0400
>
> ------- start of forwarded message -------
> From: Anne Anderson <Anne.Anderson@Sun.com>
> To: Chiusana Joseph <chiusana_joseph@bah.com>
> CC: Anne.Anderson@Sun.com, sunxacml <sunxacml-discuss@lists.sourceforge.net>
> Subject: Re: [sunxacml-discuss] XACML: Access Control for Web Services
> Date: Tue, 7 Oct 2003 11:32:30 -0400
>
> Joseph,
>
> Let me try answering your question.
>
> There are several aspects of using XACML for access control with web
> services:
> 1) how is the access control policy expressed?
> 2) how are attributes conveyed via standard web services
> protocols such as SAML used in XACML access control
> policies?
> 3) how is the web service bound to the XACML policy?
> 4) how is the XACML access control policy bound to the web
> service?
>
> 1. HOW IS THE POLICY EXPRESSED
>
> This is done through standard XACML rules, which state conditions
> under which access is allowed. The XACML 1.1 specification is
> available at:
> http://www.oasis-open.org/committees/xacml/repository/cs-xacml-specification-1.1.pdf
>
> The access control policy for an on-line book club web service
> may be that only members of the on-line book club can order items
> from the club's web site.
>
> This would be expressed in XACML as follows:
>
> <Rule Effect="Permit">
> <Condition FunctionId="and">
> <Apply FunctionId="equal">
> <AttributeValue>member</AttributeValue>
> <SubjectAttributeDesignator AttributeId="membership-status"/>
> </Apply>
> <Apply FunctionId="equal">
> <AttributeValue>order</AttributeValue>
> <ActionAttributeDesignator AttributeId="action-id"/>
> </Apply>
> </Condition>
> </Rule>
>
>
> 2. HOW SAML ATTRIBUTES ARE CONVEYED AND REFERENCED
>
> XACML handles "authorization", not "authentication". An X.509
> identity certificate is associated with "authentication". It
> would be used by the web service's authentication mechanism
> (possibly federated) as a first step to determine that the
> subject making a request is who they claim to be. Only after the
> service has done that step would XACML be invoked to check for
> the authenticated subject's authorization to do some particular
> action.
>
> So assume the book club web service has authenticated its subject
> as being "Anne H. Anderson". It now wants to determine using its
> access control policy that Anne H. Anderson has permission to
> order the book with ISBN 0201787911
>
> Assume there is a SAML Attribute Assertion indicating that
> Subject "Anne H. Anderson" has the attribute "membership status"
> with a value of "member". The web service trusts this attribute
> value since it has authenticated that the subject is "Anne
> H. Anderson".
>
> So the web service might extract this information and pass it in
> a SAML Authorization Decision Query to its XACML PDP. [It
> requires a simple SAML extension to pass an XACML Request as a
> new type of SAML Authorization Decision Query. An extension for
> this should be standard for SAML 2.0].
>
> Example:
>
> <saml:Query>
> <XACMLAuthorizationDecisionQuery>
> <xacml:Request>
> <Subject>
> <Attribute AttributeId="membership-status">
> <AttributeValue>member</AttributeValue>
> </Attribute>
> </Subject>
> <Resource>
> <Attribute AttributeId="ISBN">
> <AttributeValue>0201787911</AttributeValue>
> </Attribute>
> </Resource>
> <Action>
> <Attribute AttributeId="action-id">
> <AttributeValue>order</AttributeValue>
> </Attribute>
> </Action>
> </xacml:Request>
> </XACMLAuthorizationDecisionQuery>
> <saml:Query>
>
> Note that web service might pass the subject-id attribute of
> "Anne H. Anderson" to the XACML PDP, rather than the
> membership-status attribute. This would work fine so long as the
> XACML PDP has access to the attributes for Anne H. Anderson (the
> XACML PDP may even make a SAML AttributeQuery back to the web
> service for an attribute value that it needs). But either the
> web service's PEP or the XACML PDP side will have to obtain the
> SAML attribute assertion and extract the attribute identity and
> attribute value from the SAML assertion before using it in an
> authorization decision.
>
> 3. HOW THE WEB SERVICE IS BOUND TO THE XACML ACCESS CONTROL POLICY
>
> The XACML profile for Web-services (WSPL) ways how this can be
> done: the policy is distributed in a WSDL service description
> "EndPointPolicy" element or in a SOAP header Policy element.
>
> The current WSPL specification is available at:
> http://www.oasis-open.org/committees/download.php/3661/draft-xacml-wspl-04.pdf
>
> 4. HOW THE XACML ACCESS CONTROL POLICY IS BOUND TO THE WEB SERVICE
>
> The XACML profile for Web-services (WSPL) says how this can be
> done:
>
> In the XACML PolicySet, specify "access control" objective, the
> web service's WSDL portType, operation, and message as part of
> the XACML policy's Target.
>
> Example:
>
> <PolicySet>
> <Target> <!-- This PolicySet is for book-club-service:portX -->
> <Resources>
> <ResourceMatch MatchId="equal">
> <AttributeValue>book-club-service:portX</AttributeValue>
> <ResourceAttributeDesignator AttributeId="portId"/>
> </ResourceMatch>
> </Resources>
> </Target>
>
> <!-- sub-PolicySets may specify particular WSDL operations
> and operation messages within serviceX:portX. In
> this example, the Policy for access control applies
> to ALL serviceX:portX operations and messages -->
>
> <Policy>
> <Target> <!-- This Policy is for access control -->
> <Actions>
> <ActionMatch MatchId="equal">
> <AttributeValue>access-control</AttributeValue>
> <ActionAttributeDesignator AttributeId="objectiveId"/>
> </ActionMatch>
> </Actions>
> </Target>
>
> <Rule Effect="Permit">
> <!-- this is where the policy rule above would go -->
> </Rule>
>
> </Policy>
>
> <!-- Other Policies for aspects of serviceX:portX other than
> access control may occur here -->
>
> </PolicySet>
>
> Anne Anderson
> --
> Anne H. Anderson Email: Anne.Anderson@Sun.COM
> Sun Microsystems Laboratories
> 1 Network Drive,UBUR02-311 Tel: 781/442-0928
> Burlington, MA 01803-0902 USA Fax: 781/442-1692
> ------- end of forwarded message -------
>
> --
> Anne H. Anderson Email: Anne.Anderson@Sun.COM
> Sun Microsystems Laboratories
> 1 Network Drive,UBUR02-311 Tel: 781/442-0928
> Burlington, MA 01803-0902 USA Fax: 781/442-1692
--
Anne H. Anderson Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311 Tel: 781/442-0928
Burlington, MA 01803-0902 USA Fax: 781/442-1692
[Date Prev]
| [Thread Prev]
| [Thread Next]
| [Date Next]
--
[Date Index]
| [Thread Index]
| [List Home]