Fine-grained authorization for web applications

I have a C# .NET application that serves both internal users and external clients. I need fine-grained authorization, that is, who is accessing which resource. So I need something like resource-based or attribute-based authorization, not role-based authorization.

What comes to my mind:

  • Implement a custom authorization mechanism and SQL tables for my .NET application
  • Use / implement a standard mechanism, such as software that implements XACML (e.g. Axiomatics)

The problem with the first method is that it is not centralized or standard, so other systems cannot use it for authorization.

The problem with the second approach is that it is potentially slower (due to additional calls required for each resource). Also, I'm not sure how widely standard authorization, such as XACML, is supported by applications in the market to simplify future integration.

So, in general, what are some good practices for fine-grained authorization for web applications that should serve both internal users and external clients?

+6
2 answers

I would definitely go for external authorization. This does not mean that it will be slower. It means that you have cleanly separated access control from business logic.

XACML is a good way to go. The TC is very active, and companies such as Boeing, EMC, the Veterans Administration, Oracle and Axiomatics are active participants.

The XACML architecture ensures that you can get the performance you need. Because enforcement (PEP) and decision making (PDP) are loosely coupled, you can choose how they communicate, which protocol they use, use multiple decisions, etc. This means that you have the choice to integrate according to your performance needs.

There is also a standard PDP interface defined in the SAML profile for XACML. This gives you "future-proofing", so you are not locked into any vendor-specific solution.

Access control for webapps

You can simply use a PEP for .NET webapps using HTTP filters in ISAPI and ASP.NET. Axiomatics has a ready-made option for this.

Ongoing implementations

If you check the Axiomatics customer page, you will see that they have PayPal, Bell Helicopter and more. Thus, XACML is indeed a reality, and it can handle very large deployments (hundreds of millions of users).

In addition, Datev eG, a leading financial services provider, uses the Axiomatics .NET PDP implementation for its services / applications. Since the PDP is implemented in .NET in this case, performance is optimal.

Otherwise, you can always choose from ready-made PEPs for .NET that integrate with any PDP via, for example, a SOAP-based XACML authorization service.

High performance with XACML

In July last year, at the Gartner Catalyst conference, Axiomatics announced the launch of its latest product, Axiomatics Reverse Query, which will help you deal with the "billion records" problem. It is intended for access control for data sources, as well as for RIAs. It uses a pure XACML solution so that it remains compatible with other solutions.

In fact, Kuppinger Cole will soon host a webinar on this topic: http://www.kuppingercole.com/events/n10058

Check out the Axiomatics ARQ press release here: http://www.axiomatics.com/latest-news/216-axiomatics-releases-new-reverse-query-authorization-product-a-breakthrough-innovation-for-authorization-services.html

+8

Definitely look for an authorization module external to the ASP.NET application. I'm not just saying this because I implement fault-tolerant systems at BiTKOO, but because I have had to work with homegrown auth in the past. Creating your own authorization system for a single application is really an impractical use of your time or resources unless you intend to make a career out of implementing security systems.

An authorization solution external to your application is a good idea from an architectural point of view. Implementing the authz solution this way gives you tremendous flexibility to change your access criteria on the fly without having to take down your web service or reconfigure the web server itself. Decoupling the web interface from the authz mechanism allows you to scale each independently according to the load and traffic patterns of your application, and allows you to share the authz mechanism with multiple applications.

Yes, adding a network call to your web application will add some overhead to your web response compared to no authorization at all or using a local database on the web server. This should not be a reason not to consider external authorization. Any serious authorization product that you consider will provide some caching capability to minimize the number of network calls required for each web request or even for a user session in multiple web requests.

In the BiTKOO Keystone system, for example, user attributes can be cached on a web server for each user session, so only one internal network request is required as part of establishing a user login on the first page request. Subsequent page requests (for the duration of the cached credentials, usually 5 minutes or so) can be processed by the web server without calling the authz service again. It scales well in cloud web farms and is built on XACML standards.

+3
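Both answers describe the same shape: a policy enforcement point (PEP) inside the web application that asks a separately deployed policy decision point (PDP) for attribute-based decisions, with a short-lived per-session cache to keep the number of PDP round trips down. The C# sketch below is an added example of that split and is not code from either answer, from Axiomatics, BiTKOO or any XACML product; every type and name in it (`IPolicyDecisionPoint`, `InProcessPdp`, `CachingPep`, the rules and the sample subjects and resources) is hypothetical and constructed for the demo. It assumes a nullable-enabled C# 9 or later project.

```csharp
using System;
using System.Collections.Generic;

// Added example with hypothetical names; not Axiomatics, BiTKOO or XACML code.
public enum Decision { Permit, Deny, NotApplicable }

// Attribute-based request: subject and resource attributes plus the action.
public sealed record AuthzRequest(
    IReadOnlyDictionary<string, string> Subject,
    IReadOnlyDictionary<string, string> Resource,
    string Action);

// PDP contract. The PEP depends only on this interface, so the engine can be
// in-process today and a remote (e.g. SOAP-based XACML) service tomorrow.
public interface IPolicyDecisionPoint
{
    Decision Evaluate(AuthzRequest request);
}

// A rule is a target predicate over the request attributes plus an effect.
public sealed record Rule(string Name, Func<AuthzRequest, bool> Target, Decision Effect);

public static class AttributeExtensions
{
    // Missing attribute reads as null rather than throwing.
    public static string? Get(this IReadOnlyDictionary<string, string> attrs, string name) =>
        attrs.TryGetValue(name, out var value) ? value : null;
}

// In-process PDP with deny-overrides combining: any matching Deny wins,
// otherwise Permit if some rule permitted, otherwise NotApplicable.
public sealed class InProcessPdp : IPolicyDecisionPoint
{
    private readonly List<Rule> _rules;
    public InProcessPdp(IEnumerable<Rule> rules) => _rules = new List<Rule>(rules);

    public Decision Evaluate(AuthzRequest request)
    {
        var result = Decision.NotApplicable;
        foreach (var rule in _rules)
        {
            if (!rule.Target(request)) continue;
            if (rule.Effect == Decision.Deny) return Decision.Deny;
            result = Decision.Permit;
        }
        return result;
    }
}

// PEP with a per-session decision cache and a short TTL, so repeated page
// requests within one session do not call the PDP again until the entry expires.
public sealed class CachingPep
{
    private readonly IPolicyDecisionPoint _pdp;
    private readonly TimeSpan _ttl;
    private readonly Func<DateTimeOffset> _clock;
    private readonly Dictionary<string, (Decision Decision, DateTimeOffset Expires)> _cache = new();

    public int PdpCalls { get; private set; }   // how many times the PDP was actually consulted

    public CachingPep(IPolicyDecisionPoint pdp, TimeSpan ttl, Func<DateTimeOffset>? clock = null)
    {
        _pdp = pdp;
        _ttl = ttl;
        _clock = clock ?? (() => DateTimeOffset.UtcNow);
    }

    public bool IsPermitted(string sessionId, AuthzRequest request)
    {
        // Key is per session, action and resource; entries are never shared across users.
        string key = $"{sessionId}|{request.Action}|{request.Resource.Get("id")}";
        DateTimeOffset now = _clock();

        if (_cache.TryGetValue(key, out var entry) && entry.Expires > now)
            return entry.Decision == Decision.Permit;

        PdpCalls++;
        Decision decision = _pdp.Evaluate(request);
        _cache[key] = (decision, now + _ttl);

        // Fail closed: only an explicit Permit grants access; Deny and NotApplicable are refused.
        return decision == Decision.Permit;
    }
}

public static class Demo
{
    private static IReadOnlyDictionary<string, string> Attrs(params (string Key, string Value)[] pairs)
    {
        var d = new Dictionary<string, string>();
        foreach (var (k, v) in pairs) d[k] = v;
        return d;
    }

    public static void Main()
    {
        var pdp = new InProcessPdp(new[]
        {
            // External clients never see internally classified resources.
            new Rule("deny-external-on-internal",
                r => r.Subject.Get("type") == "external" && r.Resource.Get("classification") == "internal",
                Decision.Deny),
            // A resource owner may do anything with their own resource.
            new Rule("owner-full-access",
                r => r.Subject.Get("id") != null && r.Subject.Get("id") == r.Resource.Get("owner"),
                Decision.Permit),
            // Internal staff may read any resource.
            new Rule("staff-read-all",
                r => r.Subject.Get("type") == "internal" && r.Action == "read",
                Decision.Permit),
        });
        var pep = new CachingPep(pdp, TimeSpan.FromMinutes(5));

        // Constructed sample subjects and resources.
        var client = Attrs(("id", "c42"), ("type", "external"));
        var employee = Attrs(("id", "e7"), ("type", "internal"));
        var ownInvoice = Attrs(("id", "inv-1"), ("owner", "c42"), ("classification", "customer"));
        var otherInvoice = Attrs(("id", "inv-2"), ("owner", "c43"), ("classification", "customer"));
        var memo = Attrs(("id", "memo-9"), ("owner", "e7"), ("classification", "internal"));

        Console.WriteLine(pep.IsPermitted("sess-A", new AuthzRequest(client, ownInvoice, "read")));
        Console.WriteLine(pep.IsPermitted("sess-A", new AuthzRequest(client, otherInvoice, "read")));
        Console.WriteLine(pep.IsPermitted("sess-A", new AuthzRequest(client, memo, "read")));
        Console.WriteLine(pep.IsPermitted("sess-B", new AuthzRequest(employee, otherInvoice, "read")));
        Console.WriteLine(pep.IsPermitted("sess-A", new AuthzRequest(client, ownInvoice, "read")));
        Console.WriteLine(pep.PdpCalls);
    }
}
```

The external client is permitted on its own invoice, refused on another client's invoice (no rule applies) and refused on the internal memo (an explicit Deny), while the employee may read the other client's invoice; the repeated request in session A is answered from the cache, so the PDP is consulted four times for five checks. Two design points matter for the trade-off the answers discuss: decisions are cached per session, not per user or globally, and the cache TTL bounds how long a revoked permission can keep working on the web tier, which is why the second answer's "5 minutes or so" is a reasonable default and why NotApplicable is treated exactly like Deny.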

Source: https://habr.com/ru/post/900646/