Pluggable authorization and distributed enforcement with pam-xacml

Andreas Klenk; Tobias Heide; Benoit Radier; Mikael Salaun; Georg Carle

doi:10.1007/978-3-540-92666-5_21

Pluggable authorization and distributed enforcement with pam-xacml

Andreas Klenk, Tobias Heide, Benoit Radier, Mikael Salaun, Georg Carle

Informatics 8 - Chair of Network Architectures and Services

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Access control is a critical functionality in distributed systems. Services and resources must be protected from unauthorized access. The prevalent practice is that service specific policies reside at the services and govern the access control. It is hard to keep distributed authorization policies consistent with the global security policy of an organization. A recent trend is to unify the different policies in one coherent authorization policy. XACML is a prominent XML standard for formulating authorization rules and for implementing different authorization models. Unifying authorization policies requires an integration of the authorization method with a large application base. The XACML standard does not provide a strategy for the integration of XACML with existing applications. We present pam-xacml, an authorization extension for the Pluggable Authentication Modules (PAM). We argue how existing applications can leverage XACML without modification and state the benefits of using our extended version of the authorization API for PAM. Our experimental results quantify the impact of security and connection establishment of using remote Policy Decision Points (PDP). Our approach provides a method for introducing XACML authorization into existing applications and is an important step towards unified authorization policies.

Original language	English
Title of host publication	16. Fachtagung Kommunikation in Verteilten Systemen, KiVS 2009 - Eine Veranstaltung der Gesellschaft fur Informatik (GI) unter Beteiligung der Informationstechnischen Gesellschaft (ITG/VDE)
Publisher	Kluwer Academic Publishers
Pages	253-264
Number of pages	12
ISBN (Print)	9783540926658
DOIs	https://doi.org/10.1007/978-3-540-92666-5_21
State	Published - 2009
Event	16. Fachtagung Kommunikation in Verteilten Systemen, KiVS 2009 - 16th Conference on Communication in Distributed Systems, KiVS 2009 - Kassel, Germany Duration: 2 Mar 2009 → 6 Mar 2009

Publication series

Name	Informatik aktuell
ISSN (Print)	1431-472X

Conference

Conference	16. Fachtagung Kommunikation in Verteilten Systemen, KiVS 2009 - 16th Conference on Communication in Distributed Systems, KiVS 2009
Country/Territory	Germany
City	Kassel
Period	2/03/09 → 6/03/09

Access to Document

10.1007/978-3-540-92666-5_21

Cite this

Klenk, A., Heide, T., Radier, B., Salaun, M., & Carle, G. (2009). Pluggable authorization and distributed enforcement with pam-xacml. In 16. Fachtagung Kommunikation in Verteilten Systemen, KiVS 2009 - Eine Veranstaltung der Gesellschaft fur Informatik (GI) unter Beteiligung der Informationstechnischen Gesellschaft (ITG/VDE) (pp. 253-264). (Informatik aktuell). Kluwer Academic Publishers. https://doi.org/10.1007/978-3-540-92666-5_21

Klenk, Andreas ; Heide, Tobias ; Radier, Benoit et al. / Pluggable authorization and distributed enforcement with pam-xacml. 16. Fachtagung Kommunikation in Verteilten Systemen, KiVS 2009 - Eine Veranstaltung der Gesellschaft fur Informatik (GI) unter Beteiligung der Informationstechnischen Gesellschaft (ITG/VDE). Kluwer Academic Publishers, 2009. pp. 253-264 (Informatik aktuell).

@inproceedings{79b2352323824216b7f4e45b18cfa661,

title = "Pluggable authorization and distributed enforcement with pam-xacml",

abstract = "Access control is a critical functionality in distributed systems. Services and resources must be protected from unauthorized access. The prevalent practice is that service specific policies reside at the services and govern the access control. It is hard to keep distributed authorization policies consistent with the global security policy of an organization. A recent trend is to unify the different policies in one coherent authorization policy. XACML is a prominent XML standard for formulating authorization rules and for implementing different authorization models. Unifying authorization policies requires an integration of the authorization method with a large application base. The XACML standard does not provide a strategy for the integration of XACML with existing applications. We present pam-xacml, an authorization extension for the Pluggable Authentication Modules (PAM). We argue how existing applications can leverage XACML without modification and state the benefits of using our extended version of the authorization API for PAM. Our experimental results quantify the impact of security and connection establishment of using remote Policy Decision Points (PDP). Our approach provides a method for introducing XACML authorization into existing applications and is an important step towards unified authorization policies.",

author = "Andreas Klenk and Tobias Heide and Benoit Radier and Mikael Salaun and Georg Carle",

year = "2009",

doi = "10.1007/978-3-540-92666-5_21",

language = "English",

isbn = "9783540926658",

series = "Informatik aktuell",

publisher = "Kluwer Academic Publishers",

pages = "253--264",

booktitle = "16. Fachtagung Kommunikation in Verteilten Systemen, KiVS 2009 - Eine Veranstaltung der Gesellschaft fur Informatik (GI) unter Beteiligung der Informationstechnischen Gesellschaft (ITG/VDE)",

note = "16. Fachtagung Kommunikation in Verteilten Systemen, KiVS 2009 - 16th Conference on Communication in Distributed Systems, KiVS 2009 ; Conference date: 02-03-2009 Through 06-03-2009",

}

Klenk, A, Heide, T, Radier, B, Salaun, M & Carle, G 2009, Pluggable authorization and distributed enforcement with pam-xacml. in 16. Fachtagung Kommunikation in Verteilten Systemen, KiVS 2009 - Eine Veranstaltung der Gesellschaft fur Informatik (GI) unter Beteiligung der Informationstechnischen Gesellschaft (ITG/VDE). Informatik aktuell, Kluwer Academic Publishers, pp. 253-264, 16. Fachtagung Kommunikation in Verteilten Systemen, KiVS 2009 - 16th Conference on Communication in Distributed Systems, KiVS 2009, Kassel, Germany, 2/03/09. https://doi.org/10.1007/978-3-540-92666-5_21

Pluggable authorization and distributed enforcement with pam-xacml. / Klenk, Andreas; Heide, Tobias; Radier, Benoit et al.
16. Fachtagung Kommunikation in Verteilten Systemen, KiVS 2009 - Eine Veranstaltung der Gesellschaft fur Informatik (GI) unter Beteiligung der Informationstechnischen Gesellschaft (ITG/VDE). Kluwer Academic Publishers, 2009. p. 253-264 (Informatik aktuell).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Pluggable authorization and distributed enforcement with pam-xacml

AU - Klenk, Andreas

AU - Heide, Tobias

AU - Radier, Benoit

AU - Salaun, Mikael

AU - Carle, Georg

PY - 2009

Y1 - 2009

N2 - Access control is a critical functionality in distributed systems. Services and resources must be protected from unauthorized access. The prevalent practice is that service specific policies reside at the services and govern the access control. It is hard to keep distributed authorization policies consistent with the global security policy of an organization. A recent trend is to unify the different policies in one coherent authorization policy. XACML is a prominent XML standard for formulating authorization rules and for implementing different authorization models. Unifying authorization policies requires an integration of the authorization method with a large application base. The XACML standard does not provide a strategy for the integration of XACML with existing applications. We present pam-xacml, an authorization extension for the Pluggable Authentication Modules (PAM). We argue how existing applications can leverage XACML without modification and state the benefits of using our extended version of the authorization API for PAM. Our experimental results quantify the impact of security and connection establishment of using remote Policy Decision Points (PDP). Our approach provides a method for introducing XACML authorization into existing applications and is an important step towards unified authorization policies.

AB - Access control is a critical functionality in distributed systems. Services and resources must be protected from unauthorized access. The prevalent practice is that service specific policies reside at the services and govern the access control. It is hard to keep distributed authorization policies consistent with the global security policy of an organization. A recent trend is to unify the different policies in one coherent authorization policy. XACML is a prominent XML standard for formulating authorization rules and for implementing different authorization models. Unifying authorization policies requires an integration of the authorization method with a large application base. The XACML standard does not provide a strategy for the integration of XACML with existing applications. We present pam-xacml, an authorization extension for the Pluggable Authentication Modules (PAM). We argue how existing applications can leverage XACML without modification and state the benefits of using our extended version of the authorization API for PAM. Our experimental results quantify the impact of security and connection establishment of using remote Policy Decision Points (PDP). Our approach provides a method for introducing XACML authorization into existing applications and is an important step towards unified authorization policies.

UR - http://www.scopus.com/inward/record.url?scp=84879931956&partnerID=8YFLogxK

U2 - 10.1007/978-3-540-92666-5_21

DO - 10.1007/978-3-540-92666-5_21

M3 - Conference contribution

AN - SCOPUS:84879931956

SN - 9783540926658

T3 - Informatik aktuell

SP - 253

EP - 264

BT - 16. Fachtagung Kommunikation in Verteilten Systemen, KiVS 2009 - Eine Veranstaltung der Gesellschaft fur Informatik (GI) unter Beteiligung der Informationstechnischen Gesellschaft (ITG/VDE)

PB - Kluwer Academic Publishers

T2 - 16. Fachtagung Kommunikation in Verteilten Systemen, KiVS 2009 - 16th Conference on Communication in Distributed Systems, KiVS 2009

Y2 - 2 March 2009 through 6 March 2009

ER -

Klenk A, Heide T, Radier B, Salaun M, Carle G. Pluggable authorization and distributed enforcement with pam-xacml. In 16. Fachtagung Kommunikation in Verteilten Systemen, KiVS 2009 - Eine Veranstaltung der Gesellschaft fur Informatik (GI) unter Beteiligung der Informationstechnischen Gesellschaft (ITG/VDE). Kluwer Academic Publishers. 2009. p. 253-264. (Informatik aktuell). doi: 10.1007/978-3-540-92666-5_21

Pluggable authorization and distributed enforcement with pam-xacml

Abstract

Publication series

Conference

Access to Document

Other files and links

Fingerprint

Cite this