Worried about who's getting access to your app? Sprinkle in XACML and get access control that is context-aware, externalized and dynamic.
Need to add more than basic access control to your application? Existing authorization frameworks have their pros and cons, but are typically quite limited. This talk will introduce XACML, the eXtensible Access Control Markup Language, an authorization standard from OASIS that defines fine-grained access control based on attributes. The XACML standard enables much more dynamic authorization that focuses not only on the user but also on resources, actions, and the context. XACML enables policy-based and attribute-based access control.
The talk will then look at how XACML can be used to apply authorization business rules to any Java application and even beyond (.NET, Ruby...). This is known as “any-breadth authorization”. XACML also enables consistent authorization across multiple layers (presentation tier, web tier, business tier, and data tier). It becomes possible to apply the same authorization logic in a JSF page as in a JDBC connection. This is also known as “any-depth authorization”.
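To make the “any-depth” idea concrete, here is an added example that is not from the talk or from Axiomatics: a toy Java decision point, written as predicates over the four XACML attribute categories (subject, resource, action, environment), is defined once and then consulted by two enforcement points, one standing in for a servlet or JSF handler and one guarding a JDBC-style fetch. It is not a real XACML engine and uses no XACML XML or vendor API; the medical-records policy, the user and record data, and every class and method name are hypothetical.

```java
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.function.Predicate;

/*
 * Added example illustrating the PEP/PDP separation that XACML standardises.
 * The decision point below is a toy in-memory evaluator, not an XACML engine;
 * all rules, users and records are constructed for this illustration.
 */
public class AnyDepthAuthorizationDemo {

    /** Authorization request in XACML's shape: attributes grouped by category. */
    public record Request(Map<String, String> subject, Map<String, String> resource,
                          Map<String, String> action, Map<String, String> environment) {}

    /** One rule: a target predicate and an effect, in the spirit of a XACML Rule. */
    public record Rule(String id, Predicate<Request> target, boolean permit) {}

    /** Toy policy decision point: first-applicable combining, Deny when no rule matches. */
    public static final class DecisionPoint {
        private final List<Rule> rules;

        public DecisionPoint(List<Rule> rules) {
            this.rules = List.copyOf(rules);
        }

        public String decide(Request req) {
            for (Rule rule : rules) {
                if (rule.target().test(req)) {
                    return rule.permit() ? "Permit" : "Deny";
                }
            }
            return "Deny"; // no applicable rule: fail closed
        }
    }

    /** Hypothetical policy for a medical-records application, defined once for every tier. */
    public static DecisionPoint medicalRecordsPolicy() {
        return new DecisionPoint(List.of(
            new Rule("doctor-view-own-department", req ->
                "doctor".equals(req.subject().get("role"))
                    && "view".equals(req.action().get("id"))
                    && Objects.equals(req.subject().get("department"), req.resource().get("department"))
                    && hourOf(req) >= 8 && hourOf(req) < 18, // context attribute: working hours only
                true),
            new Rule("patient-view-own-record", req ->
                "patient".equals(req.subject().get("role"))
                    && "view".equals(req.action().get("id"))
                    && Objects.equals(req.subject().get("id"), req.resource().get("owner")),
                true)
        ));
    }

    private static int hourOf(Request req) {
        return Integer.parseInt(req.environment().getOrDefault("hour", "-1"));
    }

    /** Constructed sample data standing in for a database table: record id to owner and department. */
    static final Map<String, Map<String, String>> RECORDS = Map.of(
        "rec-1", Map.of("owner", "alice", "department", "cardiology"),
        "rec-2", Map.of("owner", "bob", "department", "oncology"));

    /** Builds the same request shape regardless of which tier is asking. */
    private static Request viewRequest(Map<String, String> user, String recordId, int hour) {
        Map<String, String> record = RECORDS.getOrDefault(recordId, Map.of());
        return new Request(user,
            Map.of("type", "record",
                   "owner", record.getOrDefault("owner", ""),
                   "department", record.getOrDefault("department", "")),
            Map.of("id", "view"),
            Map.of("hour", Integer.toString(hour)));
    }

    /** Enforcement point in the web tier: what a servlet filter or JSF backing bean would do. */
    public static int httpStatusForView(DecisionPoint pdp, Map<String, String> user, String recordId, int hour) {
        return "Permit".equals(pdp.decide(viewRequest(user, recordId, hour))) ? 200 : 403;
    }

    /** Enforcement point in the data tier: the same decision guarding the equivalent of a JDBC fetch. */
    public static Optional<Map<String, String>> fetchRecord(DecisionPoint pdp, Map<String, String> user,
                                                            String recordId, int hour) {
        if (!"Permit".equals(pdp.decide(viewRequest(user, recordId, hour)))) {
            return Optional.empty();
        }
        return Optional.ofNullable(RECORDS.get(recordId));
    }

    public static void main(String[] args) {
        DecisionPoint pdp = medicalRecordsPolicy();
        Map<String, String> drCarol = Map.of("id", "carol", "role", "doctor", "department", "cardiology");
        Map<String, String> bob = Map.of("id", "bob", "role", "patient");

        System.out.println(httpStatusForView(pdp, drCarol, "rec-1", 10)); // own department, working hours
        System.out.println(httpStatusForView(pdp, drCarol, "rec-1", 22)); // own department, after hours
        System.out.println(httpStatusForView(pdp, drCarol, "rec-2", 10)); // other department
        System.out.println(fetchRecord(pdp, bob, "rec-2", 22).isPresent()); // patient reading own record
        System.out.println(fetchRecord(pdp, bob, "rec-1", 10).isPresent()); // patient reading someone else's
    }
}
```

The point to notice is that neither enforcement point contains any authorization logic of its own: both build the same attribute-based request and defer to the shared decision point, so changing the working-hours window or adding a rule happens in one place and takes effect in the web tier and the data tier at once. A real deployment would replace the toy `DecisionPoint` with a XACML policy evaluated by a PDP, which is what the talk goes on to demonstrate.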
During the talk, we will look at live examples of applications using XACML. For instance, we will demonstrate the use of XACML and Java servlets, JAX-WS web services, and APIs as a whole. Attendees will also be able to write their own XACML policies, provided they download the ALFA plugin for Eclipse, an add-on for XACML policy authoring.
In January 2013, XACML 3.0 was approved as a formal standard and there are several implementations available (open-source, free, and commercial) for developers to get started. The talk will illustrate how developers can leverage XACML to quickly apply authorization to new and existing applications. After this session, you will easily be able to add standards-based authorization to your application - and simplify your life!
David joined Axiomatics in January 2010 to focus on customer deployments and pre-sales. Previously, he had worked for 5 years at BT (British Telecom) in the United Kingdom in the Security Architectures Center. His main area of expertise is SOA security and governance.
David has published several papers and contributed to several books on the topic of SOA security and governance.
David has been a member of the XACML Technical Committee and the Trust Elevation Committee at OASIS since 2010. In the XACML TC, David is focusing on developer adoption through the development of a JSON-based profile for XACML.
David holds a Master of Engineering from the French National Institute of Applied Sciences, INSA Lyon. He is also a Sun Certified Architect (SCEA) and a Certified Security Testing Professional (CSTP).