Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Fine-grained authorization for web applications

I have a C# .net application which servers both company's internal users and external customers. I need to do fine-grained authorization like who accesses what resource. So I need something like resource-based or attribute-based rather than a role-based authorization.

What comes to my mind is to either:

  1. Implement my own authorization mechanism and sql tables for my .net application
  2. Use/implement a standard mechanism, like a software that has implemented XACML (for instance Axiomatics)

The problem with the first method is that it is not centralized nor standard so other systems cannot use it for authorization.

The problem with the second approach is that it is potentially slower (due to extra calls needed for each resource). Also I am not sure how widely a standard authorization like XACML is supported by applications in the market to make future integrations easier.

So, in general what are the good practices for fine-grained authorization for web applications that are supposed to serve both internal users and external customers?

like image 202
kaptan Avatar asked Nov 02 '11 22:11

kaptan


People also ask

What is fine-grained authorization?

Fine-grained authorization allows rich business rules and authorization policies to be enforced. Policy writers can create complex rules and policies that contain multiple conditions relating to time, location, role, action, and more, and these will be enforced.


1 Answers

I would definitely go for externalized authorization. It doesn't mean it will be slower. It means you have cleanly separated access control from the business logic.

Overview XACML is a good way to go. The TC is very active and companies such as Boeing, EMC, the Veterans Administration, Oracle, and Axiomatics are all active members.

The XACML architecture guarantees you can get the performance you want. Since the enforcement (PEP) and the decision engine (PDP) are loosely coupled you can choose how they communicate, what protocol they use, whether to use multiple decisions, etc... This means you have the choice to go for the integration which fits your performance needs.

There is also a standard PDP interface defined in the SAML profile for XACML. That guarantees you 'future-proof' access control where you are not locked into any particular vendor solution.

Access control for webapps You can simply drop in a PEP for .Net webapps by using HTTP Filters in ISAPI and ASP.NET. Axiomatics has got one off-the-shelf for that.

Current implementations If you check Axiomatics's customers page, you'll see they have Paypal, Bell Helicopter, and more. So XACML is indeed a reality and it can tackle very large deployments (hundreds of millions of users).

Also, Datev eG, a leading financial services provider is using Axiomatics's .Net PDP implementation for its services / apps. Since the .Net PDP is embedded in that case, performance is optimal.

Otherwise, you can always choose from off-the-shelf PEPs for .Net that integration with any PDP - for instance a SOAP-based XACML authorization service.

High levels of performance with XACML Last July at the Gartner "Catalyst" conference, Axiomatics announced the release of their latest product, the Axiomatics Reverse Query which helps you tackle the 'billion record challenge'. It targets access control for data sources as well as RIA. It uses a pure XACML solution so that it remains interoperable with other solutions.

As a matter of fact, Kuppinger Cole will host a webinar on the topic very soon: http://www.kuppingercole.com/events/n10058

Check out the Axiomatics ARQ press release too here: http://www.axiomatics.com/latest-news/216-axiomatics-releases-new-reverse-query-authorization-product-a-breakthrough-innovation-for-authorization-services.html

like image 66
David Brossard Avatar answered Sep 22 '22 03:09

David Brossard