
I was wondering if you could point me to URLs and documentation on how XACML applies to front-end (presentation) authorization. In other words, deciding what to enable, what to mask, what to make visible. I am asking this when it comes to presentation widgets like buttons, menus, grid columns, grid rows, text boxes, labels, etc. From what I have been reading, XACML applies quite well to service requests that are to be authorized or not and that certain obligations need to precede and/or follow. I would appreciate very much a response regarding XACML and presentation-tier access control.

Johannes Pille
Luis

1 Answer


You can also apply XACML to the presentation tier. It becomes specific to whatever tier you use. For instance in C# you could do a callout to a PDP to determine whether a component should be enabled e.g.:

// Ask the PDP whether the current user may "approve" this purchase order.
log.Debug("Checking with the PDP to see whether button should be enabled");
bool pdpDecision = PDPUtil.authorized(User.Identity.Name, po.Identifier, "approve");
log.Debug("The PDP said: " + pdpDecision);
log.Debug("The PO currently is approved: " + po.Approved);
// Business state (already approved) is combined with the PDP decision client-side.
approvePOButton.Enabled = !po.Approved && pdpDecision;

I've got additional samples for JSP / JSF.

Consider using the Multiple Decision Profile to collect a series of authorization requests before sending them to a PDP. Also consider reversing the authorization process. Instead of asking a typical XACML yes/no question, ask for a list of items. You can do that with the Axiomatics Reverse Query (disclaimer: I do work for Axiomatics).

David Brossard
Either using the multiple decision profile or asking for a list of allowed items up-front would definitely be the way to go, especially if you're using a remote PDP and not an in-process one. I work for IBM, and our product Security Policy Manager supports querying for a list of entitled resources as well. – craigforster May 02 '12 at 22:02
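The three patterns the answer and its comment describe (a per-widget PDP callout, batching several decisions into one round trip in the spirit of the Multiple Decision Profile, and a reverse query that returns the list of permitted actions or resources) as one added, runnable example. This is not code from the question, the answer, Axiomatics or IBM, and it is not a XACML engine: the `ToyPDP` class, the `Request`/`Subject`/`PurchaseOrder` types, the rule predicates and the sample users and orders are all constructed stand-ins for a real PDP and its XACML policies. The widget names mirror the answer's C# snippet, and, as there, the business state (already approved) is combined with the PDP decision on the client side rather than encoded in the policy.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List


@dataclass(frozen=True)
class Request:
    """One XACML-style question: may SUBJECT perform ACTION on RESOURCE?"""
    subject: str
    resource: str
    action: str


@dataclass(frozen=True)
class Subject:
    name: str
    roles: frozenset


@dataclass
class PurchaseOrder:
    identifier: str
    owner: str
    approved: bool = False


# A rule takes the resolved subject and resource and says whether the action is permitted.
Rule = Callable[[Subject, PurchaseOrder], bool]


class ToyPDP:
    """Hypothetical in-process stand-in for a PDP (not a XACML implementation)."""

    def __init__(self, subjects: Iterable[Subject], orders: Iterable[PurchaseOrder],
                 rules: Dict[str, Rule]):
        self.subjects = {s.name: s for s in subjects}
        self.orders = {o.identifier: o for o in orders}
        self.rules = rules

    def decide(self, req: Request) -> str:
        """Single yes/no question. Unknown subject or resource -> Indeterminate,
        unknown action -> NotApplicable, otherwise Permit/Deny (default deny)."""
        subject = self.subjects.get(req.subject)
        order = self.orders.get(req.resource)
        if subject is None or order is None:
            return "Indeterminate"
        rule = self.rules.get(req.action)
        if rule is None:
            return "NotApplicable"
        return "Permit" if rule(subject, order) else "Deny"

    def decide_many(self, reqs: Iterable[Request]) -> Dict[Request, str]:
        """Multiple-decision style: one call answers a whole batch of requests."""
        return {r: self.decide(r) for r in reqs}

    def permitted_actions(self, subject: str, resource: str) -> List[str]:
        """Reverse query: which actions may this subject perform on this resource?"""
        return sorted(a for a in self.rules
                      if self.decide(Request(subject, resource, a)) == "Permit")

    def permitted_resources(self, subject: str, action: str) -> List[str]:
        """Reverse query: on which resources may this subject perform this action?"""
        return sorted(r for r in self.orders
                      if self.decide(Request(subject, r, action)) == "Permit")


# Constructed policy: predicates standing in for XACML rules.
RULES: Dict[str, Rule] = {
    "view": lambda s, po: bool(s.roles & {"clerk", "manager"}) or s.name == po.owner,
    "edit": lambda s, po: s.name == po.owner and not po.approved,
    # Separation of duties: managers approve, but never their own orders.
    "approve": lambda s, po: "manager" in s.roles and s.name != po.owner,
}

# Constructed sample users and purchase orders.
SUBJECTS = [
    Subject("alice", frozenset({"manager"})),
    Subject("bob", frozenset({"clerk"})),
    Subject("carol", frozenset({"manager"})),
]
ORDERS = [
    PurchaseOrder("PO-1", owner="bob"),
    PurchaseOrder("PO-2", owner="carol"),
    PurchaseOrder("PO-3", owner="alice", approved=True),
]


def widget_states(pdp: ToyPDP, user: str, po: PurchaseOrder) -> Dict[str, bool]:
    """Derive the widget properties for one screen from a single batched PDP call."""
    actions = ("view", "edit", "approve")
    decisions = pdp.decide_many(Request(user, po.identifier, a) for a in actions)
    permit = {a: decisions[Request(user, po.identifier, a)] == "Permit" for a in actions}
    return {
        "amountColumn.Visible": permit["view"],
        "descriptionBox.ReadOnly": not permit["edit"],
        # Business state is combined client-side, as in the answer's C# snippet.
        "approveButton.Enabled": (not po.approved) and permit["approve"],
    }


if __name__ == "__main__":
    pdp = ToyPDP(SUBJECTS, ORDERS, RULES)
    for po in ORDERS:
        print("alice on", po.identifier, widget_states(pdp, "alice", po))
    print("bob may do on PO-1:", pdp.permitted_actions("bob", "PO-1"))
    print("alice may approve:", pdp.permitted_resources("alice", "approve"))
```

`widget_states` shows the batching point: one screen needs several decisions, so they are gathered and asked together rather than one callout per widget, which matters most with a remote PDP. `permitted_actions` and `permitted_resources` show the reverse-query shape, where the presentation tier asks "what may this user do / see?" once and renders from the list, instead of asking a yes/no question per menu item or grid row.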