Should authorization logic be centralized or decentralized?

Problem description

We have an SSO system for authenticating users.

We have a debate between these 2 options:

  1. Should we centralize the authorization of each application to one database (or any other single solution) and retrieve the information within the SSO request

  2. Each web application client should manage its own authorization logic in its own local database / schema.

Solution

You should strive to decouple your business logic from non-functional requirements such as authentication, logging, and of course authorization.

You already implemented SSO and surely you use a user directory as the backend for the SSO to store user identities. This shows you've successfully externalized authentication from the applications you protect. Would you ever consider having a username/password database per app? Would you ever consider writing logic to manage passwords, hashes, etc...? Of course not! The same applies to authorization.

Gartner, the analyst firm, defines the area you are considering as Externalized Authorization Management. You can find more here if you are a Gartner customer.

There are 2 main models to achieve externalized authorization: either you use a role-based access control model (RBAC) or you strive for attribute-based access control (ABAC). NIST provides definitions and more for both:

Many application frameworks provide some form of externalization. Take Java Spring: it comes with Spring Security and Access Decision Managers (more on the Spring architecture here). PHP, Ruby, Python, and .NET to name but a few all have their own ways too.

So, if you can, do not implement authorization logic within the app but rather leverage the frameworks you are being given.

Going further, you can even consider standardizing your externalized authorization. Much like SSO has its standard (SAML), externalized authorization has XACML (eXtensible Access Control Markup Language), a standard defined by OASIS much like SAML and backed by the likes of IBM, Oracle, and Axiomatics - which is where I work.

XACML gives you a policy-based approach to externalized, fine-grained authorization. You can write policies and apply them to any number of applications. And of course you can extend your SSO layer with XACML.

The benefits of using externalized authorization - and in particular standardized on XACML - are:

  • consolidation of authorization logic: it's easier and cheaper to maintain
  • better security: XACML is more expressive and you now have one place to go to check whether security is correctly implemented.
  • ability to expose new business: some of the customers I deal with want to expose apps to the web / 3rd parties. Using fine-grained authorization lets them control who can do what and under which circumstances.
  • compliance: look at the world we live in today. We have to comply with many regulations depending on our field of work (banking, insurance, medical...). These regulations are hard to implement in code but easy to express as policies which is exactly what XACML delivers.

If you want to know some more, I delivered a presentation on Java and XACML at JavaZone 2013. The slides are here.

What SSO solution do you use? SiteMinder gives you an authorization API (ActivePolicy) to implement finer-grained authorization. Have a look at that.

I hope this helps!
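The architecture the answer recommends, shown as an added illustration rather than code from the answer, OASIS, Axiomatics or Spring: a single policy decision point evaluates attribute-based rules with a deny-overrides combining algorithm (the XACML model in miniature), and each application keeps only a thin enforcement call instead of its own role tables. The attribute names (`role`, `department`, `record_owner`, `hour`, ...), the medical-records policy and the two sample "applications" are all constructed for the example.

```python
"""Attribute-based policy decision point (PDP) with deny-overrides combining.

Added illustration of "decide in one place, enforce in every application".
Not code from OASIS, Axiomatics or Spring; the attribute names, the policy
and the sample subjects/resources below are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Attributes = Dict[str, object]

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass
class Rule:
    """One rule: when `target` matches the request attributes, yield `effect`."""
    rule_id: str
    effect: str
    target: Callable[[Attributes], bool]


@dataclass
class Policy:
    """Rules combined with deny-overrides: any matching Deny beats any Permit."""
    policy_id: str
    rules: List[Rule] = field(default_factory=list)

    def evaluate(self, request: Attributes) -> str:
        decision = NOT_APPLICABLE
        for rule in self.rules:
            if rule.target(request):
                if rule.effect == DENY:
                    return DENY
                decision = PERMIT
        return decision


class PolicyDecisionPoint:
    """The single service every application consults instead of keeping its own checks."""

    def __init__(self, policies: List[Policy]):
        self.policies = policies

    def decide(self, request: Attributes) -> str:
        decisions = [p.evaluate(request) for p in self.policies]
        if DENY in decisions:
            return DENY
        if PERMIT in decisions:
            return PERMIT
        return NOT_APPLICABLE


# Constructed policy for a hypothetical medical-records domain (the compliance case
# from the answer). `.get` means a missing attribute simply fails to match.
MEDICAL_RECORDS = Policy("medical-records", [
    Rule("doctor-own-department", PERMIT, lambda r:
         r.get("resource_type") == "medical-record"
         and r.get("role") == "doctor"
         and r.get("department") is not None
         and r.get("department") == r.get("record_department")),
    Rule("patient-reads-own-record", PERMIT, lambda r:
         r.get("resource_type") == "medical-record"
         and r.get("role") == "patient"
         and r.get("action") == "read"
         and r.get("subject_id") == r.get("record_owner")),
    Rule("no-export-outside-office-hours", DENY, lambda r:
         r.get("action") == "export"
         and not 8 <= r.get("hour", -1) < 18),
])

PDP = PolicyDecisionPoint([MEDICAL_RECORDS])


def decision_for(subject: Attributes, resource: Attributes, action: str,
                 environment: Attributes) -> str:
    """Flatten the attribute categories into one request and ask the PDP."""
    request = {**subject, **resource, **environment, "action": action}
    return PDP.decide(request)


def enforce(subject: Attributes, resource: Attributes, action: str,
            environment: Attributes) -> bool:
    """Enforcement-point glue, the only authorization code an application keeps.
    Closed world: NotApplicable is treated exactly like Deny."""
    return decision_for(subject, resource, action, environment) == PERMIT


# Constructed sample attributes shared by two different "applications".
DOCTOR = {"subject_id": "u-100", "role": "doctor", "department": "cardiology"}
PATIENT = {"subject_id": "p-555", "role": "patient"}
CARDIO_RECORD = {"resource_type": "medical-record", "record_owner": "p-555",
                 "record_department": "cardiology"}
ONCO_RECORD = {"resource_type": "medical-record", "record_owner": "p-777",
               "record_department": "oncology"}
OFFICE_HOURS = {"hour": 10}
NIGHT = {"hour": 22}

if __name__ == "__main__":
    # A patient portal and a reporting service hold no role tables of their
    # own; both defer to the same PDP, so a policy change lands in both at once.
    print("portal: doctor reads cardiology record ->",
          enforce(DOCTOR, CARDIO_RECORD, "read", OFFICE_HOURS))
    print("portal: patient reads someone else's record ->",
          enforce(PATIENT, ONCO_RECORD, "read", OFFICE_HOURS))
    print("reporting: doctor exports at night ->",
          decision_for(DOCTOR, CARDIO_RECORD, "export", NIGHT))
```

The point to notice is the last case: the doctor's department rule permits the export, but the after-hours rule denies it, and deny-overrides makes the Deny win. With the logic scattered across each application's own database, that kind of cross-cutting restriction would have to be re-implemented (and re-audited) per app; here it is one rule in one place.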
