Simulation of OAuth Message Sequence and Authorization Decisions

Presentation transcript:

OpenAz – OAuth 2.0: Simulation of OAuth Message Sequence and Authorization Decisions

What’s real and what’s simulated
There is no HTTP; everything runs in one JVM. HTTP messages are replaced by method calls between Java objects. There is one Java object for each of the following OAuth entities: Authorization Server, Resource Owner, Browser, Client Application, Resource Server.

What’s real and what’s simulated (cont)
The data elements in the method calls contain the same information that would be carried in the corresponding HTTP messages. The method calls in the authorization server generate PepApi decide() calls which, using a PepApi Mapper, convert the data elements to XACML Attributes in a RequestContext. The RequestContext is submitted to the SunXacml PDP, and the SunXacml PDP evaluates it against the XACML PolicySets. Therefore, in theory, if an HTTP Servlet binding were attached to this “Authorization Server”, it could serve as a real prototype for an Authorization Service in a real OAuth environment.

What is the purpose?
First, to show how XACML Policy can be used to implement the Authorization Service decision logic. Second, to show how the OpenAz PepApi can be used with the information in the HTTP requests to make authorization calls to a XACML PDP. Third, to show how the existing OpenAz PepApi/AzApi/SunXacml reference implementation can be used as a starting point to build a real OAuth Authorization Service.

How to download, build, and run the simulation
First go to the OpenAzTutorial javadoc URL: http://openaz.svn.sourceforge.net/viewvc/openaz/test/doc/index.html?tutorial/OpenAzTutorial.html
This is the OpenAz project javadoc, which has a link to the project page, where you can download the project. Click on that link.
To download the project, click on “Download GNU Tarball File” and save the file into a directory of your choice, referred to here as “<TopOfProject>”, where you should now have a file called: openaz.tar.gz
Finally: unzip the downloaded file in place so that all files go in <TopOfProject>\openaz\…

How to download, build, and run the simulation (cont)
To build: start a command prompt and execute the following instructions:
    cd <TopOfProject>
    cd openaz\test\build
    ant clean
    ant
That’s it. It should have built. If not, call technical support.

How to download, build, and run the simulation (cont)
To run: first, as a sanity check, run the tutorial by executing the following commands from the command prompt of the previous slide:
    cd \Notes\Downloads\OpenAz\V116\openaz\test\bin
    set baseline=\Notes\Downloads\OpenAz\V116\openaz
    java -cp .;%baseline%\pep\bin;%baseline%\pdp\bin;%baseline%\azapi\bin;%baseline%\lib\jakarta-commons\commons-logging.jar;%baseline%\pdp\lib\sunxacml.jar tutorial.OpenAzTutorial %baseline%\test\policy\OpenAz-Pseudo-Test-Policy.txt
To run the OAuth simulation, all you need to do is execute the following command:
    java -cp .;%baseline%\pep\bin;%baseline%\pdp\bin;%baseline%\azapi\bin;%baseline%\lib\jakarta-commons\commons-logging.jar;%baseline%\pdp\lib\sunxacml.jar test.OAuthSimulator ..\request\sensitive.xml ..\policy\Test*.xml

Diagram of Simulation (slide figure; only the box labels survive): OAuth-Simulator, OaResource-Owner, OaClient, OaAzServer, OaResource-Server, PepApi, AzService, OpenAz PolicyReader, XacmlPolicyBuilder, SunXacml Api, SunXacml PDP, Shorthand Xacml PolicySet, Xacml PolicySet.

Comments on Diagram
The four boxes in the upper right represent the OAuth message sequence, explained in more detail here: http://openaz.svn.sourceforge.net/viewvc/openaz/test/doc/index.html?test/OAuthSimulator.html
The XACML shorthand policies are typed by hand in any editor (e.g. notepad) and are explained further in the following slides.
The OpenAzPolicyReader may be run from the command prompt; it reads the XACML shorthand policies, uses the SunXacml Api to build SunXacml Policy objects, and then serializes those objects to XACML XML, which are official XACML Policies that can be used by the SunXacml PDP.

Xacml Shorthand Policies
The XACML shorthand policies used by the OAuth simulation are briefly described below. The full PolicySet is part of the OpenAz install and may be found in: <TopOfProject>\openaz\test\policy\TestAzApi-OpenAz-OAuth-Pseudo-Policy.txt
The OAuth part of this full PolicySet is in the 2nd half of the above file and is contained in “PolicySet (PS10,in:PS1)”.

Xacml Shorthand (cont)
The main OAuth PolicySet contains 3 sub-PolicySets, one for each OAuth endpoint:
    PolicySet (PS10,in:PS1) ( cb:opo id:OAuth2-TopLevel-PolicySet mlev:1 desc:PS10,in=PS1 )
      Target(PolicySet)
      PolicySet (PS10-1,in:PS10) ( cb:do id:OAuth2-Val-URI-PolicySet mlev:2 desc:PS10-1,in=PS10 )
        Target(PolicySet)
          TR (vl-endpt-uri,"http://az-svr/vl-endpt/" dt:string mtId:str-eq fnId:! issuer:! mbp:f )
      PolicySet (PS10-2,in:PS10) ( cb:do id:OAuth2-Az-URI-PolicySet mlev:2 desc:PS10-2,in=PS10 )
        Target(PolicySet)
          TR (az-endpt-uri,"http://az-svr/az-endpt/" dt:string mtId:str-eq fnId:! issuer:! mbp:f )
      PolicySet (PS10-3,in:PS10) ( cb:do id:OAuth2-Tk-URI-PolicySet mlev:2 desc:PS10-3,in=PS10 )
        Target(PolicySet)
          TR (tk-endpt-uri,"http://az-svr/tk-endpt/" dt:string mtId:str-eq fnId:! issuer:! mbp:f )
Syntax of params is: ( [<name>:<value>] * )
mlev:n is the nesting level of the PolicySet.

Xacml Shorthand (cont)
A typical Policy filters out NotApplicables using attribute comparisons in its Target (described on the next slide):
    Policy (P10-1-2,in:PS10-1) ( cb:ord-po id:OAuth2-Val-URI-Token-Policy desc:P10-1-2,in=PS10-1 )
      Target(Policy)
        TS (res-svr,"http://res-svr/" dt:string mtId:str-eq fnId:! issuer:! mbp:f )
         + (token-present,"true" dt:boolean mtId:boo-eq fnId:! issuer:! mbp:f )
           // Note: could have a rule for token not valid and what to return
         + (token-valid,"true" dt:boolean mtId:boo-eq fnId:! issuer:! mbp:f )
        TR (res-id,"oauth-access-token-confirmation" dt:string mtId:str-eq fnId:! issuer:! mbp:f )
        TA (act-id,"return-token-confirmation" dt:string mtId:str-eq fnId:! issuer:! mbp:f )
      Rules(Policy)
        Rule ( ef:Permit id:FinalRule )
          Target(Rule)
      Obligations(Policy)
        Obligation ( fulfillOn:Permit id:ReturnAccessTokenValid )
          OA (return-confirmation,"true" dt:boolean mtId:! fnId:! issuer:! mbp:f )

Xacml Shorthand (cont)
The following describes the Policy on the previous slide:
There are 3 subject attributes, each of which must meet its specified criteria:
    The attribute named “res-svr” must have the value “http://res-svr/”
    The attribute named “token-present” must be a boolean with the value “true”
    The attribute named “token-valid” must be a boolean with the value “true”
There is 1 resource attribute:
    The attribute named “res-id” must have the value “oauth-access-token-confirmation”
There is 1 action attribute:
    The attribute named “act-id” must have the value “return-token-confirmation”
There is 1 obligation that is returned on a “Permit”, carrying:
    An attribute named “return-confirmation” with the value “true”
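The slides describe two things in prose: the decide() path (message fields mapped by a PepApi Mapper into a RequestContext that the PDP evaluates against the PolicySet) and the shorthand PolicySet tree with its validation-endpoint Policy. The following is an added example, written for this page, that models both in plain Python; it is not OpenAz, SunXacml or the OAuthSimulator code. It assumes the shorthand combining codes mean cb:opo = only-one-applicable, cb:do = deny-overrides and cb:ord-po = ordered-permit-overrides, assumes the attribute names from the slides (res-svr, token-present, token-valid, res-id, act-id, vl-endpt-uri and friends) are placed in the subject/resource/action categories as the TS/TR/TA prefixes suggest, and uses a constructed token store and constructed messages in place of the real AzServer state and ..\request\sensitive.xml. The Az and Tk sub-PolicySets are left empty because the slides show no policies for them.

```python
"""Toy model of the OpenAz OAuth simulation's decision path (constructed example).

An OAuth message (a dict standing in for one simulated HTTP request) is mapped
to XACML-style attribute categories, then evaluated against a PolicySet tree
modelled on the shorthand policies shown on the slides.
"""
from dataclasses import dataclass, field

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"

# Constructed stand-in for the authorization server's issued-token store.
VALID_TOKENS = {"tok-constructed-1"}


@dataclass
class Match:          # one TS/TR/TA line of the shorthand
    category: str     # "subject", "resource" or "action"
    attr_id: str
    value: object     # typed as dt: says (str or bool)


@dataclass
class Rule:
    rule_id: str
    effect: str
    target: list = field(default_factory=list)


@dataclass
class Obligation:
    obligation_id: str
    fulfill_on: str
    assignments: dict  # the OA lines


@dataclass
class Policy:
    policy_id: str
    combining: str     # "ord-po" / "po" / "do"
    target: list
    rules: list
    obligations: list = field(default_factory=list)


@dataclass
class PolicySet:
    policy_set_id: str
    combining: str     # "opo" / "do" / "po"
    target: list
    children: list     # Policy or PolicySet


def target_matches(target, request):
    """Every Match in a Target must hold (the '+' lines); an empty Target matches all."""
    return all(request.get(m.category, {}).get(m.attr_id) == m.value for m in target)


def combine(alg, decisions):
    """Simplified XACML combining: Indeterminate is not folded into Deny/Permit here."""
    if alg == "do":                 # deny-overrides
        order = (DENY, PERMIT, INDETERMINATE)
    elif alg in ("po", "ord-po"):   # (ordered-)permit-overrides
        order = (PERMIT, DENY, INDETERMINATE)
    else:
        raise ValueError("unknown combining algorithm: " + alg)
    return next((d for d in order if d in decisions), NOT_APPLICABLE)


def evaluate(node, request):
    """Return (decision, obligations). A Target mismatch short-circuits to
    NotApplicable, which is how non-matching policies drop out of combining."""
    if not target_matches(node.target, request):
        return NOT_APPLICABLE, []
    if isinstance(node, Rule):
        return node.effect, []
    if isinstance(node, Policy):
        decision = combine(node.combining, [evaluate(r, request)[0] for r in node.rules])
        return decision, [o for o in node.obligations if o.fulfill_on == decision]
    if node.combining == "opo":     # only-one-applicable: exactly one child may apply
        applicable = [c for c in node.children if target_matches(c.target, request)]
        if len(applicable) > 1:
            return INDETERMINATE, []
        return evaluate(applicable[0], request) if applicable else (NOT_APPLICABLE, [])
    results = [evaluate(c, request) for c in node.children]
    decision = combine(node.combining, [d for d, _ in results])
    return decision, [o for d, obs in results if d == decision for o in obs]


def endpoint_policy_set(ps_id, endpoint, children):
    """Sub-PolicySet keyed on the endpoint URI attribute, as PS10-1..PS10-3 are."""
    return PolicySet(ps_id, "do", [Match("resource", f"{endpoint}-uri", f"http://az-svr/{endpoint}/")], children)


VAL_URI_TOKEN_POLICY = Policy(  # P10-1-2 from the slides
    "OAuth2-Val-URI-Token-Policy", "ord-po",
    target=[Match("subject", "res-svr", "http://res-svr/"),
            Match("subject", "token-present", True),
            Match("subject", "token-valid", True),
            Match("resource", "res-id", "oauth-access-token-confirmation"),
            Match("action", "act-id", "return-token-confirmation")],
    rules=[Rule("FinalRule", PERMIT)],
    obligations=[Obligation("ReturnAccessTokenValid", PERMIT, {"return-confirmation": True})])

OAUTH2_TOP_LEVEL = PolicySet("OAuth2-TopLevel-PolicySet", "opo", [], [  # PS10
    endpoint_policy_set("OAuth2-Val-URI-PolicySet", "vl-endpt", [VAL_URI_TOKEN_POLICY]),
    endpoint_policy_set("OAuth2-Az-URI-PolicySet", "az-endpt", []),   # no policies on the slides
    endpoint_policy_set("OAuth2-Tk-URI-PolicySet", "tk-endpt", []),   # no policies on the slides
])


def map_oauth_message(message):
    """Stand-in for the PepApi Mapper: message fields -> attribute categories (assumed grouping)."""
    endpoint, token = message["endpoint"], message.get("token")
    return {
        "subject": {"res-svr": message.get("res-svr"),
                    "token-present": token is not None,
                    "token-valid": token in VALID_TOKENS},
        "resource": {f"{endpoint}-uri": f"http://az-svr/{endpoint}/",
                     "res-id": "oauth-access-token-confirmation"},
        "action": {"act-id": "return-token-confirmation"},
    }


def decide(message):
    """Stand-in for PepApi decide(): map, evaluate, and hand back decision plus obligations."""
    decision, obligations = evaluate(OAUTH2_TOP_LEVEL, map_oauth_message(message))
    return decision, {o.obligation_id: o.assignments for o in obligations}


if __name__ == "__main__":
    for msg in ({"endpoint": "vl-endpt", "res-svr": "http://res-svr/", "token": "tok-constructed-1"},
                {"endpoint": "vl-endpt", "res-svr": "http://res-svr/"},
                {"endpoint": "az-endpt", "res-svr": "http://res-svr/"}):
        print(msg, "->", decide(msg))
```

The point the model makes visible is the filtering step from the slide: a validation request with a missing or unknown token never reaches FinalRule, because the Policy Target fails and the Policy contributes NotApplicable to the enclosing PolicySet, so the caller sees NotApplicable rather than Deny and no obligation. A deployment that wants an explicit answer for that case needs the extra rule the slide's comment mentions.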