SlideShare uma empresa Scribd logo

Attribute-Based Access Control in Symfony

A
Adam Elsodaney

Here at Veruscript, we have many edge case scenarios where we need fine-grained access controls in our academic journal publishing platform. Therefore performing authorisation to a resource by analysing any number of arbitrary attributes allows for the application to scale appropriately. Known as Attribute-Based Access Control (ABAC), these attributes are evaluated regardless of context; This could be username, role, organisation, domain, time-of-day, country, is the Queen of England, because the sky is blue, etc. It is why Security Voters are the recommended way to check for user permissions in Symfony applications. Security Voters provide a mechanism that has a small learning curve to set up these fine-grained restrictions in Symfony applications using attributes. In the simplest case, only a minimal amount of setup and configuration is required, the main advantage over ACLs. In the most complex case, policies can be added or modified without significant changes to the codebase. The talk will compare different access control paradigms: ABAC, RBAC and ACL, and will look into detail one specification for ABAC - Extensible Access Control Markup Language (XACML) and how this might be implemented in Symfony, for those considering a more "enterprise" use of Security Voters.

Software
1 de 84
Baixar para ler offline
How to approach authorisation within your Symfony or PHP application. Adam Elsodaney Attribute-Based Access Control in Symfony Symfony UK Meetup 30 August 2018
This presentation is split into 4 parts …maybe 5.
Out-of-the-box Symfony SecurityBundle Access Control 0
There are 2 steps to securing a resource.
Authentication is enforced with Firewalls Authorisation is enforced with Access Controls
That’s easy! Path Role String, Regular Expression String, RoleInterface, Hierarchical
…but not finely-grained.
Access Control Lists ACL Role-Based Access Control RBAC Attribute-Based Access Control ABAC There are many types of access control paradigms depending on your needs
RBAC 1
Implementing RBAC: Probably the most common variant of authorization is role-based access control (RBAC). As the name implies, • Users are assigned roles • Roles are assigned permissions. • Users inherit the permission for any roles they have been assigned. • Actions are validated for permissions. “ https://martinfowler.com/articles/web-security-basics.html
Bob Associate Editor USER ROLE Users have roles
Associate Editor ROLE Reject Article Submission PERMISSION Approve Article Submission PERMISSION Roles have permissions
Reject Article Submission PERMISSION Approve Article Submission PERMISSION Users inherit the permissions for any roles they have been assigned Bob USER
Reject Article Submission PERMISSION Approve Article Submission PERMISSION Reject Article Submission Leave Feedback Approve Article Submission Actions are validated for permissions
Bob Associate Editor USER ROLE Reject Article Submission PERMISSION Approve Article Submission PERMISSION Reject Article Submission Leave Feedback Approve Article Submission Action Role Code String, RoleInterface, Hierarchical Permission String
Editor-in-Chief ROLE Associate Editor ROLE Reviewer ROLE Author ROLE Journal Admin ROLE System Admin ROLE In some cases, roles inherit the permissions from other roles via a hierarchy…
…and/or permissions inherit the permissions from other roles via a hierarchy. Reject Article Submission PERMISSION Approve Article Submission PERMISSION Make Decision on Submission PERMISSION Do WTH you want with submissions PERMISSION Leave abusive Linus- Torvalds-style comments PERMISSION Administrate journal PERMISSION Like Sylius RBAC
$ composer require sylius/rbac $ composer require sylius/rbac-bundle Install for Symfony apps Install for non-Symfony apps
Consider RBAC When • Permissions are relatively static. • Roles in your policies actually map reasonably to roles within your domain, rather than feeling like contrived aggregations of permissions. • There isn't a terribly large number of permutations of permission, and therefore roles that will have to be maintained. • You have no compelling reason to use one of the other options. “ https://martinfowler.com/articles/web-security-basics.html
Shortcomings of RBAC 1. Cannot grant permissions per-resource, only by resource type. 2. Does not scope resource properties.
ACL (Symfony ACL) 2
How to Use Access Control Lists (ACLs): In complex applications, you will often face the problem that access decisions cannot only be based on the person (Token) who is requesting access, but also involve a domain object that access is being requested for. This is where the ACL system comes in. “ https://symfony.com/doc/3.4/security/acl.html
ACL ACE his hers ACE ACE ACL ACE ACE ACE Access Control Lists (ACL) First, check if the domain object requested has an associated ACL. Each ACL contains one or more Access Control Entries (ACEs) that defines specific permissions for the ACL’s resource.
ACL ACE ACE ACE Second, check the domain as a whole. ACE ACLs can be associated with both objects (entities) and domains (classnames).
Otherwise, deny access.
Using the Symfony ACL 1. Install Bundle $ composer require symfony/acl-bundle 2. Configure 3. Initialise
acl_entries table • id • class • object identity • security identity • field name • ACE order • mask • is granting • granting strategy • audit success • audit failure
As the boss of this website I should be able to edit a particular message posted In order to moderate the content
As the boss of this website I should be able to edit a particular message all messages posted In order to moderate the content
Alternatives to ACLs Using [ACLs] isn't trivial, and for simpler use cases, it may be overkill. If your permission logic could be described by just writing some code (e.g. to check if a Blog is owned by the current User), then consider using voters. A voter is passed the object being voted on, which you can use to make complex decisions and effectively implement your own ACL. Enforcing authorization (e.g. the isGranted() part) will look similar to what you see in this article, but your voter class will handle the logic behind the scenes, instead of the ACL system. “ https://symfony.com/doc/3.4/security/acl.html
ABAC using Symfony Voters 3
Security Voters provide a mechanism to set up fine-grained restrictions in Symfony applications. The main advantage over ACLs is that they are an order of magnitude easier to set up, configure and use. “ http://symfony.com/blog/new-in-symfony-2-6-simpler-security-voters
In Symfony, an authorisation decision will always be based on the following: TOKEN When a user is authenticated (identified) they will receive a token from the firewall to hand over to the access control in the authorisation step. We can get the user’s identity from the token. SET OF ATTRIBUTES Each attribute stands for a certain right the user should have. Eg. Role, Order Number, Email Address,Time of Day RESOURCE Any object for which access control needs to be checked, like an article or a comment object (or a piggy bank object containing bitcoins)
Voter 1 Voter 2 Voter 3 Voter 4 Voter 5 Voter 6 Contains all voters. Some might be supported based on the attributes to vote on. Access Decision Manager
Voter 1 Voter 2 Voter 3 Voter 4 Voter 5 Voter 6 PERMIT DENY Not Supported PERMIT PERMIT ABSTAIN Access Decision Manager
Voter 1 Voter 2 Voter 3 Voter 4 Voter 5 Voter 6 PERMIT DENY Not Supported PERMIT PERMIT ABSTAIN Access Decision Manager Affirmative Strategy grant access as soon as there is one voter granting access PERMIT
Voter 1 Voter 2 Voter 3 Voter 4 Voter 5 Voter 6 PERMIT DENY Not Supported PERMIT PERMIT ABSTAIN Access Decision Manager Consensus Strategy grant access if there are more voters granting access than there are denying PERMIT
Access Decision Manager Unanimous Strategy DENY grant access only if none of the voters have denied access Voter 1 Voter 2 Voter 3 Voter 4 Voter 5 Voter 6 PERMIT DENY Not Supported PERMIT PERMIT ABSTAIN
Built-in Symfony Voters RoleVoter RoleHierarchyVoter All are in the SymfonyComponentSecurityCoreAuthorizationVoter namespace
Built-in Symfony Voters AuthenticatedVoter ExpressionVoter
Creating custom voters First, define what attributes you want to check.
Second, check if your voter should vote on the given subject or attributes.
Third, cast the vote.
Finally, declare the service and it is ready to use. In this example, the customer who make a purchase order did so without creating an account or logging in, but would still need be able to access their order details on the website.
Shortcomings of Symfony Voters 1. Not necessarily runtime capable - Still requires writing code for access rules, unless you implement a Voter that loads its rules from the database.
ABAC via XACML* 4 *Pronounced “X-akamull”, “X-A-C-M-L” or “zakamull”
[What is XACML?] XACML (eXtensible Access Control Markup Language) offers a standardized way to achieve externalized and dynamic authorization. This means that authorization decisions are made by an authorization service at run-time based on policies which determine what actions a user or service can perform on a given information asset and in a specific context. “ https://www.axiomatics.com/100-pure-xacml/
http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html
XACML Administration Policy Data PAP • Create, View, Delete policies • Version policies on Update • Evaluate policies before committing Policy Administration Point (PAP) (Very similar to the IAM in Amazon Web Services) policy policy set
XACML Enforcement Flow Symfony Authorization Checker PDP XACML Request PEP Context Data PIP PRP Policy Data Allow Deny XACML Response isGranted() Policy Enforcement Point Policy Information Point Policy Retrieval Point Policy Decision Point time of day server env current user policy policy set sky is blue resource request …
PolicySet Policy PolicySetPolicy Rule Rule Rule Rule Rule Rule Rule Rule Policy Policy Policy Sets contain a collection of Policies. They may also contain or reference other Policy Sets. However, the Decision Point will only evaluate at Policy level. Rules are never evaluated by themselves. XACML 3.0 Policies
Targets and Rules Part of what [the] XACML PDP [Policy Decision Point] needs to do is find a policy that applies to a given request. To do this, XACML provides another feature called a Target. A Target is basically a set of simplified conditions for the Subject, Resource and Action that must be met for a PolicySet, Policy or Rule to apply to a given request. If all the conditions of a Target are met, then its associated PolicySet, Policy, or Rule applies to the request. In addition to being a way to check applicability, Target information also provides a way to index policies, which is useful if you need to store many policies and then quickly sift through them to find which ones apply. “ https://www.axiomatics.com/100-pure-xacml/
Policy A Request Policy B Policy C Policy D Policy E Policy F Policy G A Request must be matched to a Policy This is done using Targets
Policy Rule Rule Rule Rule XACML 3.0 Targets TARGET Subject Resource Action Policies, Policy Sets and Rules only apply if the Target matches. Policy Set TARGET Subject Resource Action Policy Policy Policy Policy Rule Permit TARGET Subject Resource Action
REQUEST POLICY Targets consist of Subject, Resource and Action behaves like Voter::supports() in Symfony TARGET Subject: Bob Resource: CJES Article #3 Action: edit TARGET Subject: Bob Resource: CJES Article Action: edit TARGET Subject: Bob Resource: CJES Article Action: create TARGET Subject:Alice Resource: FNAN Article Action: any
Policy A Request Policy B Policy C Policy D Policy E Policy F Policy G More than one policy may be matched
XACML 3.0 Rule Example * The XACML syntax is more verbose than what you see here.
Understanding XACML combining algorithms If a policy contains multiple rules, and the rules return different decisions e.g. Permit and Deny, what should the policy return? Permit? Deny? Neither? “ https://www.axiomatics.com/blog/understanding-xacml-combining-algorithms/ Policy Rule Rule Rule Rule
XACML 3.0 Rule-Combining and Policy-Combining Algorithms deny-overrides permit-overrides first-applicable behaves like AccessDecisionManager Strategies in Symfony only-one-applicable (policy only) ordered-permit-overrides deny-unless-permit permit-unless-deny ordered-deny-overrides R1 R2 R3 D P D D P P D
XACML 3.0 Policy Example * The XACML syntax is more verbose than what you see here.
Conditions <!-- Only allow logins from 9am to 5pm --> <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:and"> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-greater-than-or-equal" <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only"> <EnvironmentAttributeSelector DataType="http://www.w3.org/2001/XMLSchema#time" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"/> </Apply> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">09:00:00</AttributeValue> </Apply> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-less-than-or-equal" <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only"> <EnvironmentAttributeSelector DataType="http://www.w3.org/2001/XMLSchema#time" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"/> </Apply> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">17:00:00</AttributeValue> </Apply> </Condition> Allow only logins between 9am and 5pm.
Conditions <!-- Only allow logins from 9am to 5pm --> <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:and"> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-greater-than-or- <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only"> <EnvironmentAttributeSelector DataType="http://www.w3.org/2001/XMLSchema#t AttributeId="urn:oasis:names:tc:xacml:1.0:en </Apply> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">09:00:00</A </Apply> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-less-than-or-equ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only"> <EnvironmentAttributeSelector DataType="http://www.w3.org/2001/XMLSchema#t AttributeId="urn:oasis:names:tc:xacml:1.0:en </Apply> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">17:00:00</A </Apply> </Condition> Allow only logins between 9am and 5pm. Apply Apply and Condition
current-time time-one- and-only: time-less-than-or-equal: 17:00:00 Conditions <!-- Only allow logins from 9am to 5pm --> <Condition f="and"> <Apply f="time-greater-than-or-equal" <Apply f="time-one-and-only"> <EnvironmentAttributeSelector DataType="#time" AttributeId="environment:current-time"/> </Apply> <AttributeValue DataType="#time">09:00:00</AttributeValue> </Apply> <Apply f="time-less-than-or-equal" <Apply f="time-one-and-only"> <EnvironmentAttributeSelector DataType=“#time" AttributeId="environment:current-time"/> </Apply> <AttributeValue DataType=#time">17:00:00</AttributeValue> </Apply> </Condition> Condition current-time time-one- and-only: time-greater-than-or-equal: * The XACML markup above has been condensed for brevity 09:00:00 and
current-time time-one- and-only: time-less-than-or-equal: 17:00:00 Conditions $timeGreaterThanOrEq = function($x, $y): bool { return $x >= $y; } $timeLessThanOrEq = function($x, $y): bool { return $x <= $y; } $timeOneAndOnly = function($x): DateTimeInterface { return new DateTimeImmutable($x); } $condition = Functionaltrue([ $timeGreaterThanOrEq( $timeOneAndOnly($env->getCurrentTime()), ’09:00:00’ ), $timeLessThanOrEq( $timeOneAndOnly($env->getCurrentTime()), ’17:00:00’ ), ]); Condition current-time time-one- and-only: time-greater-than-or-equal: 09:00:00 and
What’s a XACML Obligation? The XACML standard defines the concept of obligations which are elements which can be returned along with a XACML decision (either of Permit or Deny) in order to enrich that decision. Obligations are triggered on either Permit or Deny. The Policy Enforcement Point [PEP] must implement and enforce obligations. If it fails to do so, it must deny access to the requested resource (in the case of a Permit). “ https://www.webfarmr.eu/2015/02/tgif-xacml-whats-a-xacml-obligation/
Examples of Obligations • Auditing - Log when an action was performed on a resource. • Security Checkup - Ask the user to review their 2FA details after a remembered login. • Security Lockdown - If credentials entered incorrectly multiple times. • Break-the-Glass Scenario - Medical records may need to be accessed in emergency situations, regardless of what permissions were granted.
Shortcomings of XACML • XACML syntax is very verbose. • Is complex, though it better describes business requirements than ACL when rules are persisted. • Somewhat limited resources, or non-concise. • Perhaps overkill and Enterprise-y™ …?
and the winner is… ABAC using Symfony Voters3
• Symfony Voters solve 80% of your requirements for 20% of the work. SUMMARY • XACML would solve 100% of your requirements, would scale well, is designed for runtime and is enterprise-capable, but the learning curve is steep, and there are no well established tools in PHP. • RBAC is not compatible with single entities. • ACL is compatible with single entities, but is non-trivial.
Thank you for listening Adam Elsodaney LEAD DEVELOPER ACL Demo https://github.com/adamelso/acland Slides github.com/adamelso/symfony-uk-meetup-2018-08-30-access-control adam@veruscript.com @ArchFizz @Veruscript www.veruscript.com Publish high-quality, cost-effective journals with our publishing services

Recomendados

How to break SAML if I have paws?
How to break SAML if I have paws?How to break SAML if I have paws?
How to break SAML if I have paws?
GreenD0g
 
스프링 시큐리티 구조 이해
스프링 시큐리티 구조 이해스프링 시큐리티 구조 이해
스프링 시큐리티 구조 이해
beom kyun choi
 
Laravel Artisan Cheat Sheet
Laravel Artisan Cheat SheetLaravel Artisan Cheat Sheet
Laravel Artisan Cheat Sheet
Rohit Urane
 
Introduction to Spring Boot
Introduction to Spring BootIntroduction to Spring Boot
Introduction to Spring Boot
Purbarun Chakrabarti
 
Ansible - Hands on Training
Ansible - Hands on TrainingAnsible - Hands on Training
Ansible - Hands on Training
Mehmet Ali Aydın
 
Getting Started with Spring Authorization Server
Getting Started with Spring Authorization ServerGetting Started with Spring Authorization Server
Getting Started with Spring Authorization Server
VMware Tanzu
 
Spring Security
Spring SecuritySpring Security
Spring Security
Knoldus Inc.
 
Microservices Design Patterns | Edureka
Microservices Design Patterns | EdurekaMicroservices Design Patterns | Edureka
Microservices Design Patterns | Edureka
Edureka!
 

Recomendados

How to break SAML if I have paws?
How to break SAML if I have paws?How to break SAML if I have paws?
How to break SAML if I have paws?
GreenD0g
 
스프링 시큐리티 구조 이해
스프링 시큐리티 구조 이해스프링 시큐리티 구조 이해
스프링 시큐리티 구조 이해
beom kyun choi
 
Laravel Artisan Cheat Sheet
Laravel Artisan Cheat SheetLaravel Artisan Cheat Sheet
Laravel Artisan Cheat Sheet
Rohit Urane
 
Introduction to Spring Boot
Introduction to Spring BootIntroduction to Spring Boot
Introduction to Spring Boot
Purbarun Chakrabarti
 
Ansible - Hands on Training
Ansible - Hands on TrainingAnsible - Hands on Training
Ansible - Hands on Training
Mehmet Ali Aydın
 
Getting Started with Spring Authorization Server
Getting Started with Spring Authorization ServerGetting Started with Spring Authorization Server
Getting Started with Spring Authorization Server
VMware Tanzu
 
Spring Security
Spring SecuritySpring Security
Spring Security
Knoldus Inc.
 
Microservices Design Patterns | Edureka
Microservices Design Patterns | EdurekaMicroservices Design Patterns | Edureka
Microservices Design Patterns | Edureka
Edureka!
 
ProxySQL High Availability (Clustering)
ProxySQL High Availability (Clustering)ProxySQL High Availability (Clustering)
ProxySQL High Availability (Clustering)
Mydbops
 
Role based access control
Role based access controlRole based access control
Role based access control
Peter Edwards
 
Open Policy Agent
Open Policy AgentOpen Policy Agent
Open Policy Agent
Torin Sandall
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak
Abhishek Koserwal
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
Will Schroeder
 
XSS
XSSXSS
XSS
Hrishikesh Mishra
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug ClassJava Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug Class
CODE WHITE GmbH
 
Sqlmap
SqlmapSqlmap
Sqlmap
Institute of Information Security (IIS)
 
Rest API
Rest APIRest API
Rest API
Rohana K Amarakoon
 
Shields Up! Securing React Apps
Shields Up! Securing React AppsShields Up! Securing React Apps
Shields Up! Securing React Apps
Zachary Klein
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPra
Mathias Karlsson
 
Hibernate presentation
Hibernate presentationHibernate presentation
Hibernate presentation
Manav Prasad
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked Look
Jason Lang
 
Spring beans
Spring beansSpring beans
Spring beans
Roman Dovgan
 
Spring Security 3
Spring Security 3Spring Security 3
Spring Security 3
Jason Ferguson
 
Oak, the architecture of Apache Jackrabbit 3
Oak, the architecture of Apache Jackrabbit 3Oak, the architecture of Apache Jackrabbit 3
Oak, the architecture of Apache Jackrabbit 3
Jukka Zitting
 
Authorization and Authentication in Microservice Environments
Authorization and Authentication in Microservice EnvironmentsAuthorization and Authentication in Microservice Environments
Authorization and Authentication in Microservice Environments
LeanIX GmbH
 
Spring Framework - AOP
Spring Framework - AOPSpring Framework - AOP
Spring Framework - AOP
Dzmitry Naskou
 
Spring Security
Spring SecuritySpring Security
Spring Security
Boy Tech
 
Up is Down, Black is White: Using SCCM for Wrong and Right
Up is Down, Black is White: Using SCCM for Wrong and RightUp is Down, Black is White: Using SCCM for Wrong and Right
Up is Down, Black is White: Using SCCM for Wrong and Right
enigma0x3
 
S5-Authorization
S5-AuthorizationS5-Authorization
S5-Authorization
zakieh alizadeh
 
Solr Security: Tips and Tricks and Things You Really Ought to Know - Kevin Co...
Solr Security: Tips and Tricks and Things You Really Ought to Know - Kevin Co...Solr Security: Tips and Tricks and Things You Really Ought to Know - Kevin Co...
Solr Security: Tips and Tricks and Things You Really Ought to Know - Kevin Co...
Lucidworks
 

Mais conteúdo relacionado

Mais procurados

Role based access control
Role based access controlRole based access control
Role based access control
Peter Edwards
 
Shields Up! Securing React Apps
Shields Up! Securing React AppsShields Up! Securing React Apps
Shields Up! Securing React Apps
Zachary Klein
 

Mais procurados (20)

ProxySQL High Availability (Clustering)
ProxySQL High Availability (Clustering)ProxySQL High Availability (Clustering)
ProxySQL High Availability (Clustering)
 
Role based access control
Role based access controlRole based access control
Role based access control
 
Open Policy Agent
Open Policy AgentOpen Policy Agent
Open Policy Agent
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
 
XSS
XSSXSS
XSS
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug ClassJava Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug Class
 
Sqlmap
SqlmapSqlmap
Sqlmap
 
Rest API
Rest APIRest API
Rest API
 
Shields Up! Securing React Apps
Shields Up! Securing React AppsShields Up! Securing React Apps
Shields Up! Securing React Apps
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPra
 
Hibernate presentation
Hibernate presentationHibernate presentation
Hibernate presentation
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked Look
 
Spring beans
Spring beansSpring beans
Spring beans
 
Spring Security 3
Spring Security 3Spring Security 3
Spring Security 3
 
Oak, the architecture of Apache Jackrabbit 3
Oak, the architecture of Apache Jackrabbit 3Oak, the architecture of Apache Jackrabbit 3
Oak, the architecture of Apache Jackrabbit 3
 
Authorization and Authentication in Microservice Environments
Authorization and Authentication in Microservice EnvironmentsAuthorization and Authentication in Microservice Environments
Authorization and Authentication in Microservice Environments
 
Spring Framework - AOP
Spring Framework - AOPSpring Framework - AOP
Spring Framework - AOP
 
Spring Security
Spring SecuritySpring Security
Spring Security
 
Up is Down, Black is White: Using SCCM for Wrong and Right
Up is Down, Black is White: Using SCCM for Wrong and RightUp is Down, Black is White: Using SCCM for Wrong and Right
Up is Down, Black is White: Using SCCM for Wrong and Right
 

Semelhante a Attribute-Based Access Control in Symfony

Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Kenneth Peeples
 
Building enterprise web applications with spring 3
Building enterprise web applications with spring 3Building enterprise web applications with spring 3
Building enterprise web applications with spring 3
Abdelmonaim Remani
 
Access ControlThe term Access Control really alludes to the contr.pdf
Access ControlThe term Access Control really alludes to the contr.pdfAccess ControlThe term Access Control really alludes to the contr.pdf
Access ControlThe term Access Control really alludes to the contr.pdf
anandshingavi23
 
Yii Framework Security
Yii Framework SecurityYii Framework Security
Yii Framework Security
Ilko Kacharov
 
Implementing Authorization
Implementing AuthorizationImplementing Authorization
Implementing Authorization
Torin Sandall
 
ABAC, ReBAC, Zanzibar, ALFA… How Should I Implement AuthZ in My APIs? by Dav...
ABAC, ReBAC, Zanzibar, ALFA… How Should I Implement AuthZ in My APIs? by Dav...ABAC, ReBAC, Zanzibar, ALFA… How Should I Implement AuthZ in My APIs? by Dav...
ABAC, ReBAC, Zanzibar, ALFA… How Should I Implement AuthZ in My APIs? by Dav...
Nordic APIs
 
Cache Security- Configuring a Secure Environment
Cache Security- Configuring a Secure EnvironmentCache Security- Configuring a Secure Environment
Cache Security- Configuring a Secure Environment
InterSystems Corporation
 

Semelhante a Attribute-Based Access Control in Symfony (20)

S5-Authorization
S5-AuthorizationS5-Authorization
S5-Authorization
 
Solr Security: Tips and Tricks and Things You Really Ought to Know - Kevin Co...
Solr Security: Tips and Tricks and Things You Really Ought to Know - Kevin Co...Solr Security: Tips and Tricks and Things You Really Ought to Know - Kevin Co...
Solr Security: Tips and Tricks and Things You Really Ought to Know - Kevin Co...
 
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
 
Opa in the api management world
Opa in the api management worldOpa in the api management world
Opa in the api management world
 
Design for security in operating system
Design for security in operating systemDesign for security in operating system
Design for security in operating system
 
information security(authentication application, Authentication and Access Co...
information security(authentication application, Authentication and Access Co...information security(authentication application, Authentication and Access Co...
information security(authentication application, Authentication and Access Co...
 
Building enterprise web applications with spring 3
Building enterprise web applications with spring 3Building enterprise web applications with spring 3
Building enterprise web applications with spring 3
 
Access ControlThe term Access Control really alludes to the contr.pdf
Access ControlThe term Access Control really alludes to the contr.pdfAccess ControlThe term Access Control really alludes to the contr.pdf
Access ControlThe term Access Control really alludes to the contr.pdf
 
Yii Framework Security
Yii Framework SecurityYii Framework Security
Yii Framework Security
 
Defending broken access control in .NET
Defending broken access control in .NETDefending broken access control in .NET
Defending broken access control in .NET
 
Implementing Authorization
Implementing AuthorizationImplementing Authorization
Implementing Authorization
 
Beyond API Authorization
Beyond API AuthorizationBeyond API Authorization
Beyond API Authorization
 
ABAC, ReBAC, Zanzibar, ALFA… How Should I Implement AuthZ in My APIs? by Dav...
ABAC, ReBAC, Zanzibar, ALFA… How Should I Implement AuthZ in My APIs? by Dav...ABAC, ReBAC, Zanzibar, ALFA… How Should I Implement AuthZ in My APIs? by Dav...
ABAC, ReBAC, Zanzibar, ALFA… How Should I Implement AuthZ in My APIs? by Dav...
 
ABAC, ReBAC, Zanzibar, ALFA… How Should I Implement AuthZ in My APIs - Nordi...
ABAC, ReBAC, Zanzibar, ALFA… How Should I Implement AuthZ in My APIs - Nordi...ABAC, ReBAC, Zanzibar, ALFA… How Should I Implement AuthZ in My APIs - Nordi...
ABAC, ReBAC, Zanzibar, ALFA… How Should I Implement AuthZ in My APIs - Nordi...
 
Spring security4.x
Spring security4.xSpring security4.x
Spring security4.x
 
Java Security Framework's
Java Security Framework'sJava Security Framework's
Java Security Framework's
 
API Security in a Microservice Architecture
API Security in a Microservice ArchitectureAPI Security in a Microservice Architecture
API Security in a Microservice Architecture
 
Cairo meetup low code best practices
Cairo meetup low code best practicesCairo meetup low code best practices
Cairo meetup low code best practices
 
Sql Server Security
Sql Server SecuritySql Server Security
Sql Server Security
 
Cache Security- Configuring a Secure Environment
Cache Security- Configuring a Secure EnvironmentCache Security- Configuring a Secure Environment
Cache Security- Configuring a Secure Environment
 

Último

The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is inside
shinachiaurasa2
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
panagenda
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
Papp Krisztián
 
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
masabamasaba
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
Presentation.STUDIO
 
What Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the SituationWhat Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the Situation
Juha-Pekka Tolvanen
 

Último (20)

The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is inside
 
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg
 
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand
 
%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare
 
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
 
tonesoftg
tonesoftgtonesoftg
tonesoftg
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learn
 
Artyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptxArtyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptx
 
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
 
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
 
WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?
 
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
 
WSO2CON2024 - It's time to go Platformless
WSO2CON2024 - It's time to go PlatformlessWSO2CON2024 - It's time to go Platformless
WSO2CON2024 - It's time to go Platformless
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
What Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the SituationWhat Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the Situation
 

Attribute-Based Access Control in Symfony

  • 1. How to approach authorisation within your Symfony or PHP application. Adam Elsodaney Attribute-Based Access Control in Symfony Symfony UK Meetup 30 August 2018
  • 2. This presentation is split into 4 parts …maybe 5.
  • 4. There are 2 steps to securing a resource.
  • 5. Authentication is enforced with Firewalls Authorisation is enforced with Access Controls
  • 6. That’s easy! Path Role String, Regular Expression String, RoleInterface, Hierarchical
  • 8. Access Control Lists ACL Role-Based Access Control RBAC Attribute-Based Access Control ABAC There are many types of access control paradigms depending on your needs
  • 10. Implementing RBAC: Probably the most common variant of authorization is role-based access control (RBAC). As the name implies, • Users are assigned roles • Roles are assigned permissions. • Users inherit the permission for any roles they have been assigned. • Actions are validated for permissions. “ https://martinfowler.com/articles/web-security-basics.html
  • 11. Bob Associate Editor USER ROLE Users have roles
  • 12. Associate Editor ROLE Reject Article Submission PERMISSION Approve Article Submission PERMISSION Roles have permissions
  • 13. Reject Article Submission PERMISSION Approve Article Submission PERMISSION Users inherit the permissions for any roles they have been assigned Bob USER
  • 14. Reject Article Submission PERMISSION Approve Article Submission PERMISSION Reject Article Submission Leave Feedback Approve Article Submission Actions are validated for permissions
  • 15. Bob Associate Editor USER ROLE Reject Article Submission PERMISSION Approve Article Submission PERMISSION Reject Article Submission Leave Feedback Approve Article Submission Action Role Code String, RoleInterface, Hierarchical Permission String
  • 16.
  • 17. Editor-in-Chief ROLE Associate Editor ROLE Reviewer ROLE Author ROLE Journal Admin ROLE System Admin ROLE In some cases, roles inherit the permissions from other roles via a hierarchy…
  • 18. …and/or permissions inherit the permissions from other roles via a hierarchy. Reject Article Submission PERMISSION Approve Article Submission PERMISSION Make Decision on Submission PERMISSION Do WTH you want with submissions PERMISSION Leave abusive Linus- Torvalds-style comments PERMISSION Administrate journal PERMISSION Like Sylius RBAC
  • 19.
  • 20. $ composer require sylius/rbac $ composer require sylius/rbac-bundle Install for Symfony apps Install for non-Symfony apps
  • 21. Consider RBAC When • Permissions are relatively static. • Roles in your policies actually map reasonably to roles within your domain, rather than feeling like contrived aggregations of permissions. • There isn't a terribly large number of permutations of permission, and therefore roles that will have to be maintained. • You have no compelling reason to use one of the other options. “ https://martinfowler.com/articles/web-security-basics.html
  • 22. Shortcomings of RBAC 1. Cannot grant permissions per-resource, only by resource type. 2. Does not scope resource properties.
  • 24. How to Use Access Control Lists (ACLs): In complex applications, you will often face the problem that access decisions cannot only be based on the person (Token) who is requesting access, but also involve a domain object that access is being requested for. This is where the ACL system comes in. “ https://symfony.com/doc/3.4/security/acl.html
  • 25. ACL ACE his hers ACE ACE ACL ACE ACE ACE Access Control Lists (ACL) First, check if the domain object requested has an associated ACL. Each ACL contains one or more Access Control Entries (ACEs) that defines specific permissions for the ACL’s resource.
  • 26. ACL ACE ACE ACE Second, check the domain as a whole. ACE ACLs can be associated with both objects (entities) and domains (classnames).
  • 28. Using the Symfony ACL 1. Install Bundle $ composer require symfony/acl-bundle 2. Configure 3. Initialise
  • 29.
  • 30. acl_entries table • id • class • object identity • security identity • field name • ACE order • mask • is granting • granting strategy • audit success • audit failure
  • 31.
  • 32.
  • 33.
  • 34.
  • 35.
  • 36. As the boss of this website I should be able to edit a particular message posted In order to moderate the content
  • 37.
  • 38.
  • 39. As the boss of this website I should be able to edit a particular message all messages posted In order to moderate the content
  • 40.
  • 41.
  • 42. Alternatives to ACLs Using [ACLs] isn't trivial, and for simpler use cases, it may be overkill. If your permission logic could be described by just writing some code (e.g. to check if a Blog is owned by the current User), then consider using voters. A voter is passed the object being voted on, which you can use to make complex decisions and effectively implement your own ACL. Enforcing authorization (e.g. the isGranted() part) will look similar to what you see in this article, but your voter class will handle the logic behind the scenes, instead of the ACL system. “ https://symfony.com/doc/3.4/security/acl.html
  • 44. Security Voters provide a mechanism to set up fine-grained restrictions in Symfony applications. The main advantage over ACLs is that they are an order of magnitude easier to set up, configure and use. “ http://symfony.com/blog/new-in-symfony-2-6-simpler-security-voters
  • 45. In Symfony, an authorisation decision will always be based on the following: TOKEN When a user is authenticated (identified) they will receive a token from the firewall to hand over to the access control in the authorisation step. We can get the user’s identity from the token. SET OF ATTRIBUTES Each attribute stands for a certain right the user should have. Eg. Role, Order Number, Email Address,Time of Day RESOURCE Any object for which access control needs to be checked, like an article or a comment object (or a piggy bank object containing bitcoins)
  • 46. Voter 1 Voter 2 Voter 3 Voter 4 Voter 5 Voter 6 Contains all voters. Some might be supported based on the attributes to vote on. Access Decision Manager
  • 48. Voter 1 Voter 2 Voter 3 Voter 4 Voter 5 Voter 6 PERMIT DENY Not Supported PERMIT PERMIT ABSTAIN Access Decision Manager Affirmative Strategy grant access as soon as there is one voter granting access PERMIT
  • 49. Voter 1 Voter 2 Voter 3 Voter 4 Voter 5 Voter 6 PERMIT DENY Not Supported PERMIT PERMIT ABSTAIN Access Decision Manager Consensus Strategy grant access if there are more voters granting access than there are denying PERMIT
  • 50. Access Decision Manager Unanimous Strategy DENY grant access only if none of the voters have denied access Voter 1 Voter 2 Voter 3 Voter 4 Voter 5 Voter 6 PERMIT DENY Not Supported PERMIT PERMIT ABSTAIN
  • 51.
  • 52. Built-in Symfony Voters RoleVoter RoleHierarchyVoter All are in the SymfonyComponentSecurityCoreAuthorizationVoter namespace
  • 54. Creating custom voters First, define what attributes you want to check.
  • 55. Second, check if your voter should vote on the given subject or attributes.
  • 57. Finally, declare the service and it is ready to use. In this example, the customer who make a purchase order did so without creating an account or logging in, but would still need be able to access their order details on the website.
  • 58. Shortcomings of Symfony Voters 1. Not necessarily runtime capable - Still requires writing code for access rules, unless you implement a Voter that loads its rules from the database.
  • 60. [What is XACML?] XACML (eXtensible Access Control Markup Language) offers a standardized way to achieve externalized and dynamic authorization. This means that authorization decisions are made by an authorization service at run-time based on policies which determine what actions a user or service can perform on a given information asset and in a specific context. “ https://www.axiomatics.com/100-pure-xacml/
  • 62. XACML Administration Policy Data PAP • Create, View, Delete policies • Version policies on Update • Evaluate policies before committing Policy Administration Point (PAP) (Very similar to the IAM in Amazon Web Services) policy policy set
  • 63. XACML Enforcement Flow Symfony Authorization Checker PDP XACML Request PEP Context Data PIP PRP Policy Data Allow Deny XACML Response isGranted() Policy Enforcement Point Policy Information Point Policy Retrieval Point Policy Decision Point time of day server env current user policy policy set sky is blue resource request …
  • 64. PolicySet Policy PolicySetPolicy Rule Rule Rule Rule Rule Rule Rule Rule Policy Policy Policy Sets contain a collection of Policies. They may also contain or reference other Policy Sets. However, the Decision Point will only evaluate at Policy level. Rules are never evaluated by themselves. XACML 3.0 Policies
  • 65. Targets and Rules Part of what [the] XACML PDP [Policy Decision Point] needs to do is find a policy that applies to a given request. To do this, XACML provides another feature called a Target. A Target is basically a set of simplified conditions for the Subject, Resource and Action that must be met for a PolicySet, Policy or Rule to apply to a given request. If all the conditions of a Target are met, then its associated PolicySet, Policy, or Rule applies to the request. In addition to being a way to check applicability, Target information also provides a way to index policies, which is useful if you need to store many policies and then quickly sift through them to find which ones apply. “ https://www.axiomatics.com/100-pure-xacml/
  • 66. Policy A Request Policy B Policy C Policy D Policy E Policy F Policy G A Request must be matched to a Policy This is done using Targets
  • 67. Policy Rule Rule Rule Rule XACML 3.0 Targets TARGET Subject Resource Action Policies, Policy Sets and Rules only apply if the Target matches. Policy Set TARGET Subject Resource Action Policy Policy Policy Policy Rule Permit TARGET Subject Resource Action
  • 68. REQUEST POLICY Targets consist of Subject, Resource and Action behaves like Voter::supports() in Symfony TARGET Subject: Bob Resource: CJES Article #3 Action: edit TARGET Subject: Bob Resource: CJES Article Action: edit TARGET Subject: Bob Resource: CJES Article Action: create TARGET Subject:Alice Resource: FNAN Article Action: any
  • 69. Policy A Request Policy B Policy C Policy D Policy E Policy F Policy G More than one policy may be matched
  • 70. XACML 3.0 Rule Example * The XACML syntax is more verbose than what you see here.
  • 71. Understanding XACML combining algorithms If a policy contains multiple rules, and the rules return different decisions e.g. Permit and Deny, what should the policy return? Permit? Deny? Neither? “ https://www.axiomatics.com/blog/understanding-xacml-combining-algorithms/ Policy Rule Rule Rule Rule
  • 72. XACML 3.0 Rule-Combining and Policy-Combining Algorithms deny-overrides permit-overrides first-applicable behaves like AccessDecisionManager Strategies in Symfony only-one-applicable (policy only) ordered-permit-overrides deny-unless-permit permit-unless-deny ordered-deny-overrides R1 R2 R3 D P D D P P D
  • 73. XACML 3.0 Policy Example * The XACML syntax is more verbose than what you see here.
  • 74. Conditions <!-- Only allow logins from 9am to 5pm --> <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:and"> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-greater-than-or-equal" <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only"> <EnvironmentAttributeSelector DataType="http://www.w3.org/2001/XMLSchema#time" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"/> </Apply> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">09:00:00</AttributeValue> </Apply> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-less-than-or-equal" <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only"> <EnvironmentAttributeSelector DataType="http://www.w3.org/2001/XMLSchema#time" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"/> </Apply> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">17:00:00</AttributeValue> </Apply> </Condition> Allow only logins between 9am and 5pm.
  • 75. Conditions <!-- Only allow logins from 9am to 5pm --> <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:and"> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-greater-than-or- <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only"> <EnvironmentAttributeSelector DataType="http://www.w3.org/2001/XMLSchema#t AttributeId="urn:oasis:names:tc:xacml:1.0:en </Apply> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">09:00:00</A </Apply> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-less-than-or-equ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only"> <EnvironmentAttributeSelector DataType="http://www.w3.org/2001/XMLSchema#t AttributeId="urn:oasis:names:tc:xacml:1.0:en </Apply> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">17:00:00</A </Apply> </Condition> Allow only logins between 9am and 5pm. Apply Apply and Condition
  • 76. current-time time-one- and-only: time-less-than-or-equal: 17:00:00 Conditions <!-- Only allow logins from 9am to 5pm --> <Condition f="and"> <Apply f="time-greater-than-or-equal" <Apply f="time-one-and-only"> <EnvironmentAttributeSelector DataType="#time" AttributeId="environment:current-time"/> </Apply> <AttributeValue DataType="#time">09:00:00</AttributeValue> </Apply> <Apply f="time-less-than-or-equal" <Apply f="time-one-and-only"> <EnvironmentAttributeSelector DataType=“#time" AttributeId="environment:current-time"/> </Apply> <AttributeValue DataType=#time">17:00:00</AttributeValue> </Apply> </Condition> Condition current-time time-one- and-only: time-greater-than-or-equal: * The XACML markup above has been condensed for brevity 09:00:00 and
  • 77. current-time time-one- and-only: time-less-than-or-equal: 17:00:00 Conditions $timeGreaterThanOrEq = function($x, $y): bool { return $x >= $y; } $timeLessThanOrEq = function($x, $y): bool { return $x <= $y; } $timeOneAndOnly = function($x): DateTimeInterface { return new DateTimeImmutable($x); } $condition = Functionaltrue([ $timeGreaterThanOrEq( $timeOneAndOnly($env->getCurrentTime()), ’09:00:00’ ), $timeLessThanOrEq( $timeOneAndOnly($env->getCurrentTime()), ’17:00:00’ ), ]); Condition current-time time-one- and-only: time-greater-than-or-equal: 09:00:00 and
  • 78. What’s a XACML Obligation? The XACML standard defines the concept of obligations which are elements which can be returned along with a XACML decision (either of Permit or Deny) in order to enrich that decision. Obligations are triggered on either Permit or Deny. The Policy Enforcement Point [PEP] must implement and enforce obligations. If it fails to do so, it must deny access to the requested resource (in the case of a Permit). “ https://www.webfarmr.eu/2015/02/tgif-xacml-whats-a-xacml-obligation/
  • 79. Examples of Obligations • Auditing - Log when an action was performed on a resource. • Security Checkup - Ask the user to review their 2FA details after a remembered login. • Security Lockdown - If credentials entered incorrectly multiple times. • Break-the-Glass Scenario - Medical records may need to be accessed in emergency situations, regardless of what permissions were granted.
  • 80. Shortcomings of XACML • XACML syntax is very verbose. • Is complex, though it better describes business requirements than ACL when rules are persisted. • Somewhat limited resources, or non-concise. • Perhaps overkill and Enterprise-y™ …?
  • 81.
  • 82. and the winner is… ABAC using Symfony Voters3
  • 83. • Symfony Voters solve 80% of your requirements for 20% of the work. SUMMARY • XACML would solve 100% of your requirements, would scale well, is designed for runtime and is enterprise-capable, but the learning curve is steep, and there are no well established tools in PHP. • RBAC is not compatible with single entities. • ACL is compatible with single entities, but is non-trivial.
  • 84. Thank you for listening Adam Elsodaney LEAD DEVELOPER ACL Demo https://github.com/adamelso/acland Slides github.com/adamelso/symfony-uk-meetup-2018-08-30-access-control adam@veruscript.com @ArchFizz @Veruscript www.veruscript.com Publish high-quality, cost-effective journals with our publishing services