A fine-grained authorization (FGA) system, based on the XACML specification, can increase agility and control by evaluating rules based on contextual and environmental information, in addition to the traditional Role Based Access Control (RBAC) method of authorizing users based on their roles. Subbu Devulapalli spoke at the recent JavaOne 2010 Conference about the standards and deployment models in the user authorization domain.
Subbu started off the presentation by saying that authorization policies are often hard-coded into application code, making it difficult and expensive to adapt to changes in the business environment. Fine-grained authorization and entitlements need to be managed differently from traditional entitlements. Authorization requirements should be given enough emphasis right from the initial phases of the software development process. Efforts like Rich Security Modeling help with the design of the user authorization model before the solution is actually coded. Policy modeling should include the different components of a policy, such as Principal, Target, Action, and Constraints, in the modeling and design efforts. QA testing efforts should include testing the security policies as part of the application testing process.
Fine-grained authorization models include:
- Role Based Access Control (RBAC)
- Attribute Based Access Control (ABAC)
- Access Control Lists (ACLs)
- Label/Lattice Based Access Control (LBAC)
The standards in the authorization and access control space include JAAS Permissions, XACML, and the OpenAZ (Java binding for XACML) project. On the deployment side, there are two fine-grained authorization models:
- Centralized: This model involves calling into a centralized server for authentication and authorization. It can be implemented in two ways: via Web Services, which is the most compatible option but is slow at run-time, or via a binary protocol, which offers better performance.
- Embedded: In this model, the authorization code is deployed as part of the application code. This model provides the best performance, but it also has a larger footprint.
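The following is an added example, not code from the talk and not OpenAZ or any real XACML engine. It sketches what an embedded policy decision point looks like when a policy is modeled as the components named above (a Principal with attributes, a Target, an Action, and Constraints): each policy has a target over subject, resource and action attributes, an optional constraint over contextual attributes (time of day, client network), and an effect, and the policies are combined deny-overrides so a label-based Deny beats a role-based Permit. The business-hours window, the 10.0.0.0/8 corporate network, the role names and the clearance levels are constructed values.

```python
"""Embedded policy decision point (PDP) in the XACML style: Principal/Target/
Action/Constraints, combined with deny-overrides. Constructed illustration,
not OpenAZ or any real XACML implementation."""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List

Attrs = Dict[str, object]


@dataclass
class Request:
    subject: Attrs      # principal attributes: roles, clearance, ...
    resource: Attrs     # target attributes: type, classification, ...
    action: str         # "read", "update", ...
    environment: Attrs  # contextual attributes: time of day, client IP


@dataclass
class Policy:
    name: str
    effect: str                                   # "Permit" or "Deny"
    target: Callable[[Request], bool]             # does the policy apply at all?
    constraint: Callable[[Request], bool] = lambda r: True  # contextual condition


def evaluate(policies: List[Policy], req: Request) -> str:
    """Deny-overrides combining: an applicable Deny wins; otherwise an applicable
    Permit; otherwise NotApplicable. A policy whose target matches but whose
    constraint fails is treated as not applicable (as XACML treats a false
    Condition), so evaluation continues with the next policy."""
    decision = "NotApplicable"
    for p in policies:
        if not (p.target(req) and p.constraint(req)):
            continue
        if p.effect == "Deny":
            return "Deny"
        decision = "Permit"
    return decision


# --- constructed environment values -------------------------------------
CORP_NET = ip_network("10.0.0.0/8")


def business_hours(req: Request) -> bool:
    return time(8, 0) <= req.environment["time"] <= time(18, 0)


def on_corp_network(req: Request) -> bool:
    return ip_address(req.environment["client_ip"]) in CORP_NET


POLICIES = [
    # Plain RBAC: the clerk role may read invoices, regardless of context.
    Policy("clerks-read-invoices", "Permit",
           target=lambda r: "clerk" in r.subject["roles"]
           and r.resource["type"] == "invoice" and r.action == "read"),
    # ABAC with context: managers may update invoices only during business
    # hours and only from the corporate network.
    Policy("managers-update-invoices", "Permit",
           target=lambda r: "manager" in r.subject["roles"]
           and r.resource["type"] == "invoice" and r.action == "update",
           constraint=lambda r: business_hours(r) and on_corp_network(r)),
    # Label-based rule: restricted resources need clearance >= 3, and this
    # Deny overrides any Permit granted above.
    Policy("deny-restricted-without-clearance", "Deny",
           target=lambda r: r.resource.get("classification") == "restricted",
           constraint=lambda r: r.subject.get("clearance", 0) < 3),
]


def decide(subject: Attrs, resource: Attrs, action: str, environment: Attrs) -> str:
    return evaluate(POLICIES, Request(subject, resource, action, environment))


def is_permitted(subject: Attrs, resource: Attrs, action: str, environment: Attrs) -> bool:
    """What the enforcement point should do with the decision: only an explicit
    Permit grants access; Deny and NotApplicable both fail closed."""
    return decide(subject, resource, action, environment) == "Permit"


if __name__ == "__main__":
    env_office = {"time": time(10, 30), "client_ip": "10.1.2.3"}
    env_home = {"time": time(22, 0), "client_ip": "203.0.113.7"}
    clerk = {"roles": ["clerk"], "clearance": 1}
    manager = {"roles": ["manager"], "clearance": 3}
    invoice = {"type": "invoice"}
    print(decide(clerk, invoice, "read", env_home))        # Permit
    print(decide(manager, invoice, "update", env_office))  # Permit
    print(decide(manager, invoice, "update", env_home))    # NotApplicable
```

The same request can get different answers depending on the environment attributes, which is the point of going beyond RBAC; note that the enforcement point treats NotApplicable the same as Deny, so a policy that simply does not cover a case never grants access by omission.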
Developers should think beyond POJOs when implementing authorization requirements in applications. Since fine-grained authorization is used in all layers of the application architecture - UI elements (JSP, Servlets, HTML, AJAX), data security (tailoring security for data objects), services (EJB, JMS, RMI, Web Services), and content and documents - they should think in terms of services when designing for user authorization. Application data security should be managed with tasks like validating queries before sending them to the database, placing additional query restrictions based on the CRUD operation, and filtering (or blacking out) items in the data set returned by the query.
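As an added example of the three data-security tasks just listed (not code from the talk), the following Python runs a caller's read query through a validation step, a query-restriction step and a result-filtering step against an in-memory SQLite table. The `invoices` table, its fake SSN column, the CRUD-to-verb mapping and the role names are constructed for the illustration.

```python
"""Data-layer authorization: validate the query's verb against the CRUD
operation, add a row-level restriction as a bound parameter, and black out
columns the caller may not see. Constructed example using sqlite3; the
invoices table and the role names are illustrative."""
import sqlite3
from typing import Dict, List, Sequence, Tuple

# SQL verb each CRUD operation is allowed to issue (constructed mapping).
CRUD_VERBS = {"create": "INSERT", "read": "SELECT", "update": "UPDATE", "delete": "DELETE"}
# Columns only the auditor role may see in clear (constructed).
MASKED_COLUMNS = {"ssn"}


def validate_query(sql: str, crud: str) -> str:
    """Step 1: reject stacked statements and any verb that does not match the
    CRUD operation the caller claims to be performing. Returns the statement
    without its trailing semicolon."""
    stmt = sql.strip().rstrip(";").strip()
    if ";" in stmt:
        raise ValueError("stacked statements are not allowed")
    verb = stmt.split(None, 1)[0].upper()
    if verb != CRUD_VERBS[crud]:
        raise ValueError(f"{verb} is not permitted for a {crud} operation")
    return stmt


def restrict_read(stmt: str, subject: Dict) -> Tuple[str, Sequence]:
    """Step 2: wrap the caller's SELECT so that non-managers see only rows
    they own. Assumes the selected columns include `owner`. The subject id is
    passed as a bound parameter, never spliced into the SQL text."""
    if "manager" in subject["roles"]:
        return stmt, ()
    return f"SELECT * FROM ({stmt}) WHERE owner = ?", (subject["id"],)


def filter_rows(columns: Sequence[str], rows: Sequence[Sequence], subject: Dict) -> List[Dict]:
    """Step 3: black out masked columns in the result set unless the subject
    holds the auditor role."""
    result = []
    for row in rows:
        record = dict(zip(columns, row))
        if "auditor" not in subject["roles"]:
            for col in MASKED_COLUMNS.intersection(record):
                record[col] = "***"
        result.append(record)
    return result


def secure_read(conn: sqlite3.Connection, sql: str, subject: Dict) -> List[Dict]:
    """Run all three steps for a read operation and return the rows as dicts."""
    stmt = validate_query(sql, "read")
    stmt, params = restrict_read(stmt, subject)
    cur = conn.execute(stmt, params)
    columns = [c[0] for c in cur.description]
    return filter_rows(columns, cur.fetchall(), subject)


def sample_db() -> sqlite3.Connection:
    """Constructed in-memory table; the SSN values are fake."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invoices (id INTEGER, owner TEXT, amount INTEGER, ssn TEXT)")
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?, ?)", [
        (1, "alice", 100, "111-11-1111"),
        (2, "bob", 250, "222-22-2222"),
        (3, "alice", 75, "111-11-1111"),
    ])
    return conn


if __name__ == "__main__":
    db = sample_db()
    clerk = {"id": "alice", "roles": ["clerk"]}
    auditor = {"id": "carol", "roles": ["manager", "auditor"]}
    print(secure_read(db, "SELECT * FROM invoices", clerk))    # alice's rows, ssn masked
    print(secure_read(db, "SELECT * FROM invoices", auditor))  # all rows, ssn visible
```

The row restriction is applied by rewriting the query rather than by trusting the caller to add a WHERE clause, and the value it binds comes from the authenticated subject, not from request input; the column mask is applied after the query so that the same service layer can serve both roles from one statement.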
The speaker discussed performance and HA considerations, such as minimizing the overhead of authorization calls and scalability considerations in the areas of clustering, multi-threading, caching, etc. Policy Decision Points (PDPs) need to be autonomous, i.e. they should be able to provide services even if other components are down. He concluded the session by suggesting that architects and developers need to look beyond the immediate project needs to the company's future direction in terms of acquisitions and regulations, and also consider architecture requirements such as interoperability.
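The two operational points above, caching to cut the cost of authorization calls and keeping the PDP autonomous when other components are down, can be shown together. The following is an added example, not code from the talk or from any product: an embedded PDP that caches decisions with a TTL (the context is part of the cache key, since the same subject and action can get a different answer in a different context) and keeps serving from its last successfully loaded policy snapshot when the central policy server is unreachable. The `fetch_policies` and `evaluate` callbacks, the `PolicyServerDown` exception and the fake policy server are all assumptions made for the illustration.

```python
"""Decision caching and PDP autonomy: an embedded PDP that caches decisions
with a TTL and keeps serving from its last-known-good policy snapshot when
the central policy server cannot be reached. Constructed example; the
fetch_policies/evaluate callbacks and PolicyServerDown are assumptions."""
import time
from typing import Any, Callable, Dict, Optional, Tuple

DecisionKey = Tuple[str, str, str, Tuple]


class PolicyServerDown(Exception):
    """Raised by fetch_policies when the central server is unreachable."""


class AutonomousPDP:
    def __init__(self, fetch_policies: Callable[[], Any],
                 evaluate: Callable[[Any, DecisionKey], str],
                 ttl_seconds: float = 5.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._fetch = fetch_policies
        self._evaluate = evaluate
        self._ttl = ttl_seconds
        self._clock = clock  # injectable so the TTL can be tested deterministically
        self._policies: Optional[Any] = None       # last-known-good snapshot
        self._loaded_at: Optional[float] = None
        self._cache: Dict[DecisionKey, Tuple[str, float]] = {}
        self.stats = {"hits": 0, "misses": 0, "refresh_failures": 0}

    def refresh(self) -> bool:
        """Pull a new policy snapshot. On failure keep the old snapshot, so a
        policy-server outage degrades to stale-but-available rather than to
        no authorization service at all."""
        try:
            policies = self._fetch()
        except PolicyServerDown:
            self.stats["refresh_failures"] += 1
            return False
        self._policies = policies
        self._loaded_at = self._clock()
        self._cache.clear()  # decisions made under the old snapshot are stale
        return True

    def snapshot_age(self) -> Optional[float]:
        """Seconds since the last successful refresh; worth alerting on when it
        exceeds the refresh interval, because decisions are then being made
        on stale policy."""
        return None if self._loaded_at is None else self._clock() - self._loaded_at

    def decide(self, subject: str, resource: str, action: str,
               context: Optional[Dict[str, Any]] = None) -> str:
        # Context is part of the key: the same subject/resource/action can get
        # a different answer from a different network or time window.
        key = (subject, resource, action, tuple(sorted((context or {}).items())))
        now = self._clock()
        cached = self._cache.get(key)
        if cached is not None and now - cached[1] < self._ttl:
            self.stats["hits"] += 1
            return cached[0]
        self.stats["misses"] += 1
        if self._policies is None and not self.refresh():
            return "Deny"  # never loaded a snapshot and the server is down: fail closed
        decision = self._evaluate(self._policies, key)
        self._cache[key] = (decision, now)
        return decision


# --- constructed stand-ins for the central policy server ------------------
class FakePolicyServer:
    def __init__(self) -> None:
        self.up = True
        self.policies = {("alice", "invoice", "read"): "Permit"}

    def fetch(self) -> Dict:
        if not self.up:
            raise PolicyServerDown()
        return dict(self.policies)


def lookup(policies: Dict, key: DecisionKey) -> str:
    """Toy evaluator: direct lookup of (subject, resource, action)."""
    subject, resource, action, _context = key
    return policies.get((subject, resource, action), "NotApplicable")


if __name__ == "__main__":
    server = FakePolicyServer()
    pdp = AutonomousPDP(server.fetch, lookup)
    print(pdp.decide("alice", "invoice", "read"))  # Permit, loads the snapshot
    server.up = False
    print(pdp.refresh())                            # False, old snapshot retained
    print(pdp.decide("alice", "invoice", "read"))  # still Permit, served locally
```

Two design choices matter here: a refresh failure never discards the snapshot already loaded, so the PDP stays up through an outage of the policy server, and a PDP that has never loaded any snapshot fails closed rather than guessing. The `stats` counters and `snapshot_age()` are what a team would export to monitoring to see the cache hit rate and how stale the running policy is.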