wiki:ndg_security/Overview

Overview

Authorisation

Authorisation Filter

The authorisation filter intercepts requests to the underlying application being protected. It first checks that the client is authenticated by looking for a session cookie. If the cookie is not present it sends an HTTP 401 Unauthorized response, which signals to any authentication middleware in the stack to deal with the request.

Assuming the client is authenticated, the filter then applies a two-step enforcement of access policy. In the first step, a local policy picks out requests for non-critical resources, e.g. CSS files, graphics files etc. These don't need to be secured by access control, so when this policy matches them it short circuits any further access enforcement and lets the request through: control is passed to the underlying application.

Example request filter:

<?xml version="1.0" encoding="UTF-8"?>
<Policy PolicyId="urn:ndg:security:1.0:authz:test:policy"
    xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:cd:04"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:cd:04 http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-cd-04.xsd"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
    <Description>
        Policy used by a PDP local to the PEP to filter out some requests from
        being passed on to the main authorisation service
    </Description>

    <!--
    The Policy target(s) define which requests apply to the whole policy
    -->
    <Target>
        <Resources>
            <Resource>
                <!-- Pattern match all request URIs beginning with / -->
                <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
                    <ResourceAttributeDesignator
                        AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                        DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
                    <AttributeValue
                        DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/(?!\.static).*$</AttributeValue>
                </ResourceMatch>
            </Resource>
        </Resources>
    </Target>
    <Rule RuleId="Catch all" Effect="Deny"></Rule>
</Policy>

The above is a short XACML policy. A top-level Target element sets which requests the policy applies to. Inside the Target it defines the resources to match on: a single resource (a URI) matched with a regular expression, as indicated by the MatchId urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match. The AttributeValue gives the URI pattern to match: ^http://localhost/(?!\.static).*$. This matches any URI under http://localhost/ provided that its path does not start with .static. So for example, http://localhost/.static/myapp.css will not match but http://localhost/mydat.nc will. If the URI doesn't match, the policy engine returns a NotApplicable decision. If a match is found, the only rule in the policy is enforced:

<Rule RuleId="Catch all" Effect="Deny"></Rule>

This applies a blanket Deny decision.

If the local policy yields a Deny decision for the requested resource, the second step in the filter is activated: a callout to a separate authorisation web service. The call is made over HTTPS using a SAML authorisation decision query. The authorisation service checks its policy and returns a decision granting or denying access. The filter receives this response and enforces the decision: if access is granted, it passes control to the underlying application; if access is denied, it returns an HTTP 403 Forbidden response to the client.
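As an added example (not NDG Security's own code), the filter's two-step decision modelled in Python: a small local PDP that parses the request-filter policy above with the standard library and evaluates it, plus a PEP that issues 401/403 or passes the request through. The remote_pdp callable stands in for the SAML authorisation decision query, and the request dict and session cookie are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:2.0:policy:schema:cd:04"

# Constructed copy of the page's request-filter policy (Target plus the single Deny rule).
LOCAL_POLICY = """<Policy xmlns="%s" PolicyId="urn:ndg:security:1.0:authz:test:policy"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
  <Target><Resources><Resource>
    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
      <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
        DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/(?!\\.static).*$</AttributeValue>
    </ResourceMatch>
  </Resource></Resources></Target>
  <Rule RuleId="Catch all" Effect="Deny"></Rule>
</Policy>""" % XACML_NS


def load_local_policy(xml_text):
    """Pull the Target's regexp ResourceMatch patterns and the rule Effects out of the policy."""
    ns = {"x": XACML_NS}
    root = ET.fromstring(xml_text)
    patterns = [re.compile(m.findtext("x:AttributeValue", namespaces=ns))
                for m in root.iterfind(".//x:Target//x:ResourceMatch", ns)
                if m.get("MatchId", "").endswith(":anyURI-regexp-match")]
    effects = [rule.get("Effect") for rule in root.iterfind("x:Rule", ns)]
    return patterns, effects


def local_decision(patterns, effects, resource_uri):
    """Mini PDP: NotApplicable when the Target misses, else combine the rules' Effects with
    permit-overrides (the rules carry no Targets of their own, as in the page's policy)."""
    if not any(p.match(resource_uri) for p in patterns):
        return "NotApplicable"
    if "Permit" in effects:
        return "Permit"
    return "Deny" if "Deny" in effects else "NotApplicable"


def enforce(request, patterns, effects, remote_pdp):
    """PEP: returns the HTTP status the filter would produce (200 = pass to the application).
    request is a constructed dict {"uri": ..., "cookies": {...}}; remote_pdp(uri, session)
    stands in for the SAML authorisation decision query and returns "Permit" or "Deny"."""
    session = request.get("cookies", {}).get("session")
    if session is None:
        return 401                              # unauthenticated: hand over to auth middleware
    if local_decision(patterns, effects, request["uri"]) != "Deny":
        return 200                              # non-critical (e.g. /.static/...): short circuit
    return 200 if remote_pdp(request["uri"], session) == "Permit" else 403
```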

Authorisation Service

Authorisation Flow

Starting conditions

  • PyDAP Python OPeNDAP application is secured with NDG Security
  • user is authenticated with PyDAP

Sequence

  1. Authorisation filter intercepts the request to PyDAP from a client
  2. It checks for the presence of a cookie; the cookie is present (see starting conditions)
  3. It checks the local policy file request-filter.xml to see whether the requested PyDAP URL is for a secured resource or simply for a stylesheet, PNG file or other non-critical file
  4. The URL requested doesn't match the local policy, so the Authorisation Filter checks with the main Authorisation Service - it sends a SAML/SOAP authorisation decision query to the authorisation service.
  5. The Authorisation Service receives the request and checks for a matching policy rule
  6. A matching rule is found, so the Authorisation Service queries the Attribute Service to find out which attributes (aka roles) the user is entitled to
  7. The Attribute Service returns a response saying that the user has the 'CMIP5 Research' role
  8. The Authorisation Service checks that this role entitlement satisfies the rule. It does, so the Authorisation Service returns a response to the PyDAP Authorisation filter.
  9. The PyDAP authorisation filter enforces this response and grants access. It passes control to the underlying PyDAP application to serve the requested data
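The authorisation service side of the sequence (steps 5 to 8), as an added example rather than NDG Security's own code: the rule table, the attribute store, the user ids and the URI patterns are constructed around the page's 'CMIP5 Research' role, and the SAML/SOAP transport is left out.

```python
import re

# Constructed stand-in for the Authorisation Service's policy: each rule pairs a URI
# pattern with the roles that satisfy it. An empty set means no role is required.
AUTHZ_RULES = [
    (re.compile(r"^http://localhost/cmip5/.*$"), {"CMIP5 Research"}),
    (re.compile(r"^http://localhost/public/.*$"), set()),
]

# Constructed stand-in for the Attribute Service: user id -> roles the user is entitled to.
ATTRIBUTE_STORE = {"alice": {"CMIP5 Research"}, "bob": set()}


def attribute_query(user_id):
    """Steps 6 and 7: ask the Attribute Service which roles the user holds."""
    return ATTRIBUTE_STORE.get(user_id, set())


def unavailable_attribute_query(user_id):
    """Models the Attribute Service being unreachable."""
    raise ConnectionError("attribute service unavailable")


def authorisation_decision(user_id, resource_uri, rules=AUTHZ_RULES, attr_query=attribute_query):
    """Steps 5 to 8: match a rule, fetch the user's roles, check the entitlement.
    Fails closed (Deny) when no rule covers the URI or the roles cannot be fetched."""
    for pattern, required_roles in rules:
        if not pattern.match(resource_uri):
            continue
        if not required_roles:
            return "Permit"                      # open resource: no entitlement needed
        try:
            roles = attr_query(user_id)
        except ConnectionError:
            return "Deny"                        # cannot establish entitlement: fail closed
        return "Permit" if required_roles & roles else "Deny"
    return "Deny"                                # no matching rule: fail closed
```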