I'd like to use Authzforce with MongoDB as the PRP.
I saw that for the policy evaluation part there is already a MongoDB policy provider. Has anyone tried to implement the DomainDAO part for PAP support?
Are there other implementations besides FileBasedDomainDaoImpl?
There is no DomainDAO implementation based on MongoDB for AuthzForce Server to my knowledge (as one of the main contributors), but you can use the MongoDB policy provider with AuthzForce RESTful PDP if you don't need all the features of AuthzForce Server. The RESTful PDP is a minimalist version but more customizable regarding the configuration of the PDP.
I would like to implement automatic API governance rules in a WSO2 API Manager platform, for example validating the context with a regular expression, or the version numbering, the API name, the API resource endpoint naming, the parameters, etc.
I checked in version 2.6.0 (and previous versions of major 2) that it can be done in the Jaggery apps of the Publisher, but this is a mix of data and presentation (view structure with JS and HTML) and it is not a clear or correct way to implement it.
Is there any rules engine or other dedicated mechanism to do it? If not, is it on the roadmap of WSO2 AM to add this kind of feature? It would be great.
From APIM 3.x onwards, the UIs are implemented using React and the backend services are exposed via REST APIs. So from this version onwards, this is clearly separated. UI-level validations can be changed in the React code, and if any additional validations are required, REST API interceptors or workflow interceptors can be used to enforce them.
This is a very basic question. I want to do an SSO integration using ColdFusion but do not know where to start. I found the website ssoeasy.com through a google search, but am very confused about how to use it and where to find documentation.
I think it has something to do with cfldap or cfhttp, but I am not sure what or where:
<cfhttp method="get" url="http://testsso.com/login.cfm">
</cfhttp>
It really depends on what role you want to play in an SSO ecosystem. Are you an app in a larger federation (Service Provider), or are you trying to implement an SSO style login across multiple applications that you control, or are you looking to setup so that your users can log in with Google or Facebook or such other identity registers?
A few years back we did an implementation with Shibboleth (https://shibboleth.net/) and CF where our intended place in the system would be that of a Service Provider to other companies' Identity Providers. It works pretty straightforwardly, as we let Shibboleth handle all the SAML federation grunt work, and when it's completed we get an e-mail address (the unique identifier we decided on) back from Shibboleth saying that the user has been authenticated via the Identity Provider.
Other 'SSO' implementations are around for other types of integrations.
CFCs to handle OAuth -- https://github.com/coldfumonkeh/oauth2
Integrated OAuth support if you're running a new enough version of ColdFusion -- https://helpx.adobe.com/coldfusion/cfml-reference/coldfusion-tags/tags-m-o/cfoauth.html
Hope this is of assistance to you.
If I understand your SSO use case, the application will be a cloud service provider (SP). There are three things you need to determine to help in the selection of the appropriate technology, namely (1) the SSO protocol to integrate (SAML, OAuth, OpenID Connect (OIDC), etc.), (2) hosting (cloud, on-prem, or hybrid), and (3) whether or not IdP discovery is needed for your business partners.
Since the application is ColdFusion based and is intended to be a cloud SP web application, my experience is that it will be hosted by your organization, so that an on-premise SSO capability is desired, and IdP Discovery will be needed for your partners.
As noted in your question, there are some options for integration. I have found the most popular approach to being an SP website is to utilize a vendor product that handles the SSO protocol (e.g. SAML, OIDC), where the integration with your ColdFusion application is based upon a simple REST API integration. With this design pattern, the vendor product manages all the security of the SSO protocol and then simplifies integration to your application as a secure REST API exchange of identity information. This will minimize the impact to your application and also give the most support for modern identity. One product that offers this capability is PingFederate via the Agentless integration (also referred to as Reference ID integration). I have had much success integrating ColdFusion applications following this type of approach.
SAML seemed to be the easiest to implement for our team. Phil Duba's 2013 Beyond Encrypt() presentation is a good starting place. His website is down right now, but I'm sure you can find the downloadable file somewhere. Learning about SAML in general would be a good idea. Also, you can use Java, so maybe look at SAML/OAuth Java examples and try doing that for ColdFusion, since it is based on Java.
The instructions for providing FIWARE based authentication for WireCloud suggest installing KeyRock (a frontend/backend combo of the Horizon/Keystone GE). Is the frontend (Horizon) really necessary if the only application to be secured is a WireCloud instance (and possibly some backend services)? The point is to avoid, if possible, having to configure/style/maintain etc. a second frontend. Is it possible to authenticate directly using a Django plugin like this? Pros and cons?
WireCloud is currently linked to the use of django.contrib.auth, any authentication plugin based on it should work. Moreover, the instructions for using KeyRock are using python-social-auth so, in fact, you can use it for authenticating using any of the backends supported by python-social-auth: GitHub, Twitter, OpenId, ...
In that regard, I don't see any problem in the use of the plugin you are proposing (although I have not tested it).
The advantage of using the KeyRock backend provided by WireCloud is that it enables operators and widgets to propagate the credentials to third-party services using KeyRock for authentication (e.g. Orion Context Broker, Object Storage, ... and in general, any service behind a PEP proxy).
I was wondering what could be a standard way to do access control for some private online services which are hosted on the cloud?
Basically, the service on the cloud is a MapProxy, which itself does not support many authentication methods. Therefore, I was thinking of building a proxy in front of that MapProxy to do some connection handling. We have decided to use cookies as a way of authentication, and now what is a standard way to do authorization?
Is there any well-documented library that could help to build a connection handler for authorization?
It all depends on what you mean with authorization. If your goal is to define true access control logic e.g.:
a user can call this method of my API if the user role is manager and the user location is the same as the location of the document requested in the API,
then you can use XACML, the eXtensible Access Control Markup Language. I have already replied to a similar question here: RESTFul API endpoint design with filtering and authorization and https://stackoverflow.com/questions/24514711/authorization-framework-in-a-java-web-application/24526891#24526891
To implement ABAC, you will need XACML, the eXtensible Access Control Markup Language. It's an OASIS standard (the same body behind SAML and many other standards). XACML defines:
a policy language to express the authorization requirements above
a request/response scheme to query the authorization e.g. "Can Alice view document d?"
an architecture which defines standard components such as the policy decision point (PDP) and the policy enforcement point (PEP). The latter protects your app and sends the authorization question to the PDP.
When to choose XACML (and ABAC) over other frameworks e.g. Spring Security (and RBAC)? If you have relationships between your users and your data (e.g. ownership, doctor-patient, team leader - team member...), then XACML is for you. If you have many different apps in different languages (Python, Java, .NET, Ruby...) then XACML is for you. XACML is technology-agnostic so it makes it easier to reuse across all your apps.
There are several frameworks that provide you with XACML. Some are vendor-based such as Axiomatics (where I work). Others are open-source such as SunXACML or Heras AF.
HTH,
David.
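To make the XACML architecture in the answer above concrete, here is an added example (not from the thread, and not code from Axiomatics, SunXACML or any other XACML product) of a toy policy decision point (PDP) and policy enforcement point (PEP) in Python. It encodes the rule quoted earlier, "a user can call this method if the user role is manager and the user location is the same as the location of the document", and answers the question "Can Alice view document d?". The attribute names (role, location, type, status), policy and rule ids, and the sample requests are all assumptions made for the example; the combining algorithm is a simplified deny-overrides rather than the full XACML 3.0 definition.

```python
"""Toy XACML-style PDP/PEP (added example; attribute names and ids are assumed)."""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Decision values as they appear in a XACML <Response>.
PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = (
    "Permit", "Deny", "NotApplicable", "Indeterminate")


@dataclass
class Request:
    """The authorization question, e.g. 'Can Alice view document d?'."""
    subject: Dict[str, str]
    resource: Dict[str, str]
    action: Dict[str, str]


@dataclass
class Rule:
    rule_id: str
    effect: str                           # PERMIT or DENY
    condition: Callable[[Request], bool]


@dataclass
class Policy:
    policy_id: str
    target: Callable[[Request], bool]     # does this policy apply at all?
    rules: List[Rule]


def evaluate_rule(rule: Rule, req: Request) -> str:
    try:
        return rule.effect if rule.condition(req) else NOT_APPLICABLE
    except KeyError:
        # A referenced attribute is missing from the request: report
        # Indeterminate instead of guessing a value (as XACML does).
        return INDETERMINATE


class PDP:
    """Policy Decision Point with a simplified deny-overrides combining
    algorithm: any Deny wins, then any Permit, then Indeterminate."""

    def __init__(self, policies: List[Policy]):
        self.policies = policies

    def decide(self, req: Request) -> str:
        results = []
        for policy in self.policies:
            try:
                applies = policy.target(req)
            except KeyError:
                results.append(INDETERMINATE)
                continue
            if not applies:
                continue
            results.extend(evaluate_rule(rule, req) for rule in policy.rules)
        if DENY in results:
            return DENY
        if PERMIT in results:
            return PERMIT
        if INDETERMINATE in results:
            return INDETERMINATE
        return NOT_APPLICABLE


class PEP:
    """Policy Enforcement Point guarding the application. It is permit-biased:
    only an explicit Permit grants access; Deny, NotApplicable and
    Indeterminate all cause the request to be refused."""

    def __init__(self, pdp: PDP):
        self.pdp = pdp

    def is_allowed(self, req: Request) -> bool:
        return self.pdp.decide(req) == PERMIT


# Policy for the rule in the answer (assumed attribute names).
document_policy = Policy(
    policy_id="document-access",
    target=lambda r: r.resource["type"] == "document",
    rules=[
        Rule("manager-same-location", PERMIT,
             lambda r: r.action["id"] == "view"
             and r.subject["role"] == "manager"
             and r.subject["location"] == r.resource["location"]),
        # A separate Deny rule shows deny-overrides at work.
        Rule("no-terminated-staff", DENY,
             lambda r: r.subject.get("status") == "terminated"),
    ],
)

pep = PEP(PDP([document_policy]))

# Constructed sample requests (not real data).
doc_d = {"type": "document", "id": "d", "location": "Paris"}
view = {"id": "view"}
alice = Request({"id": "alice", "role": "manager", "location": "Paris"}, doc_d, view)
bob = Request({"id": "bob", "role": "clerk", "location": "Paris"}, doc_d, view)
carol = Request({"id": "carol", "role": "manager", "location": "London"}, doc_d, view)
dave = Request({"id": "dave", "role": "manager", "location": "Paris",
                "status": "terminated"}, doc_d, view)
erin = Request({"id": "erin", "role": "manager"}, doc_d, view)  # no location attribute

if __name__ == "__main__":
    for req in (alice, bob, carol, dave, erin):
        print(req.subject["id"], pep.pdp.decide(req), pep.is_allowed(req))
```

The point worth keeping from this sketch is the PEP: a real enforcement point must treat anything other than Permit as a refusal, and a request missing an attribute the policy relies on must not silently evaluate to Permit.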
I would like to implement access control to a Web service (operations, messages, etc.). My findings indicate that this can be done via WS-Policy or XACML. It looked to me like Axis2 has a good implementation of WS-Policy and one can define assertions that regulate access to every operation for example.
I have some questions:
1) Assuming I have a WS-Policy XML file in place, how do I include it in the WSDL (using APIs to include it in the generated WSDL, or manually)?
2) Assuming I have an application design where clients discover services through a broker residing in a repository, are the policies integrated within the WSDL in this repository, so that every provider who wants to implement a service follows the WSDL+policies in the broker repo, OR does every provider get the WSDL from the repo and augment it with its own policies?
Which approach is correct and feasible in the context of Axis2?
3) Can I limit what services a client can search for in the repo by using WS-Policy with UDDI? Is it supported by Axis2?
Thank you very much !!
WS-Policy is a very generic policy language that is not particularly aimed at authorization or access control.
WS-Policy focuses more on what should happen to the message (e.g. signature, encryption...). WS-Policy policies can be referenced from the WSDL, or you can use XSLT to embed the policy inside the WSDL after you have generated the WSDL from the service stub.
XACML is much more specific to access control. In that sense, it is probably better suited to your use case. There are several open-source and vendor alternatives. Axiomatics, the vendor I work for, has a JAX-WS interceptor which intercepts your web service message and applies fine-grained authorization using XACML.
Regarding your third question:
Can I limit what services a client can search for in the repo by using WS-Policy with UDDI? Is it supported by Axis2?
I don't believe you can do that. Also, UDDI isn't actively developed anymore. The standard is a bit old.
Bottom line: WS-Policy is more about how to expose your service and how to handle operations and messages. XACML is more about the actual business authorization logic.