Focusing on the User Experience of Policy Authoring

Version 6 of Axiomatics Policy Server (APS) comes with a brand-new web-based Policy Editor which gives the user a completely new and smooth way of working with access policies as well as communicating them. This blog post explains why managing attribute-based access policies will be a seamless user experience (UX) when using the Axiomatics solution.

Applying fine-grained access control in applications and APIs using Axiomatics Java PEP SDK

Security, and in particular authorization, is often an afterthought in application design and development. Authorization is usually implemented within application code, which results in business logic being tightly coupled with authorization logic.

XACML aims to resolve this. By promoting an architecture where enforcement is decoupled from decision making, XACML lets developers write application logic independently of authorization logic. In this blog post we show how to apply fine-grained access control in Java applications and APIs using the Axiomatics Java PEP SDK.

Understanding XACML combining algorithms

The XACML policy language uses three structural elements: policy sets, policies, and rules. A policy set can contain any number of policies and policy sets. Policies, in turn, can contain multiple rules. Rules define the desired effect, either Permit or Deny.

If a policy contains multiple rules, and the rules return different decisions (e.g. Permit and Deny), what should the policy return? Permit? Deny? Neither?

Similarly, if a policy set contains multiple policies (and policy sets) and those policies return different decisions, what should the policy set return?

This is where combining algorithms step in. They combine the decisions produced by the different children of a parent policy (or policy set) into the single decision that the given policy returns to its own parent.

Exposing Axiomatics PDP as a REST Authorization Service

Security, and in particular authorization, is often an afterthought in application design and development. Authorization is usually implemented within application code, which results in business logic being tightly coupled with authorization logic.

XACML aims to resolve this. By promoting an architecture where enforcement is decoupled from decision making, XACML lets developers write application logic independently of authorization logic.

Today, most XACML-based authorization engines expose a proprietary SOAP-based interface, which makes it particularly hard to integrate authorization with an existing application, especially if the application's framework has poor support for SOAP.

To address this, Remon Sinnema of EMC2, a fellow member of the XACML Technical Committee, designed a XACML profile which defines how to expose XACML authorization as a REST-like service. In the profile, a XACML request can be sent as either JSON or XML, and the response comes back in the same format.

In this article we look at the Axiomatics Policy Server 5.x

Authoring Multiple Decision Profile requests

This blog post describes some non-trivial scenarios that an access control or authorization developer may encounter and offers several ideas for simplifying them by using features available in the Axiomatics PEP SDK for Java.

Scaling XACML Architecture Deployment

XACML, which stands for eXtensible Access Control Markup Language, exists to solve the problem of authorization (AuthZ) with a focus on extensibility, granularity and scalability. At first glance at the standard specification it appears to do all the magic with a seemingly over-simplified reference model; at least that was my impression when I first learnt about it. However, the simplicity of the model is the key that makes XACML easy to adopt and gives the implementor the flexibility to scale it up to meet any requirement. This post will discuss the various options available to scale a XACML deployment.

The Axiomatics Policy Server 5 architecture will be used as an example for the different approaches discussed in this post.

Custom claims-based authorization in .NET using Axiomatics PEP SDK for .NET

The .NET Framework 4.5 introduced important updates to its claims-based model, known as the Identity Model. One of the additions is the ClaimsAuthorizationManager, which becomes the single entry point for all authorization requests. This post describes a sample implementation of a custom ClaimsAuthorizationManager; as an example it uses the Axiomatics PEP SDK for .NET as the authorization engine. The post wraps up with a few usage scenarios.

Side note: the .NET claims-based model, known as the Identity Model, is a generic identity management and authorization solution that may be used in any type of application, such as WPF applications, WCF services, ASP.NET or ASP.NET MVC applications, or even console applications.

Using Aspect Oriented Programming to apply fine-grained authorization

In this blog post we will focus on adding an access control advice via Aspect Oriented Programming (AOP) to implement a well-separated, generic, Attribute Based Access Control (ABAC)-protected system without interfering with other, functional, code. In particular we will look at how we can define attributes via annotations on methods and objects to form a request, and add a pointcut to intercept service invocations and trigger calls to an XACML PDP from within this aspect. We also show how this can be woven with AspectJ to assemble the final bytecode.

XACML Reference Architecture

In this post we will dive deeper into the architecture of XACML, one of the core aspects of the standard.

XACML stands for eXtensible Access Control Markup Language. It is the OASIS standard for fine-grained authorization management based on the concept of Attribute-Based Access Control (ABAC), where access control decisions are made based on attributes associated with the relevant entities, a natural evolution from Role-Based Access Control (RBAC).

XACML 1.0 was ratified as an OASIS standard in 2003 and the latest version 3.0 was ratified in January 2013.
