Authorization, it’s not just about who you are – feedback from JavaZone 2013

I was fortunate enough to be one the speakers at JavaZone 2013 in Oslo, a stone’s throw from the Axiomatics headquarters in Stockholm. One of the organizers, Ole-Alex had asked me to give an overview of XACML to a crowd of Java developers and architects.
I decided to focus on the consolidation and flexibility aspects of XACML. For a developer, the natural reflex when it comes to implementing authorization is to “do-it yourself” or at best to use a framework, e.g. Spring Security or JAAS. While these frameworks are great and the right step towards externalized authorization, they fall short of implementing truly dynamic authorization.
The first part of the presentation therefore covers the current state of the art before introducing Attribute-based access control (ABAC) and then diving into XACML, the eXtensible Access Control Markup Language.
The latter part of the presentation focused on hands-on examples of policy enforcement points for Java: servlet filters, JAX-WS handlers, and annotations-based enforcement courtesy of my colleague Andreas Sjoholm. We also looked into authoring policies using the ALFA plugin for Eclipse – a free tool to author XACML policies that uses an abstraction language called ALFA.
The slides are available on SlideShare as usual and are also embedded hereafter:
The video of the presentation will be made available shortly on JavaZone’s Vimeo album.
The presentation was well received and sparked some interesting questions around performance (yes, it’s possible to embed a PDP inside an application), attribute retrieval (yes, you can cache attribute retrieval), and database access control. Axiomatics whom I work for does provide an extension to XACML to be able to convert authorization policies into SQL statements.
Lastly, as mentioned before, this piece of work wouldn’t be possible without the XACML Technical Committee. So if you want to give back, feel free to join the conversation at OASIS.

EDIT September 16th
The video has now been put up online here.

Authorization: it’s not just about who you are!