Abstract
Access control is a critical functionality in distributed systems: services and resources must be protected from unauthorized access. The prevalent practice is that service-specific policies reside at the services and govern access control there, which makes it hard to keep the distributed authorization policies consistent with the global security policy of an organization. A recent trend is to unify the different policies in one coherent authorization policy. XACML is a prominent XML standard for formulating authorization rules and for implementing different authorization models. Unifying authorization policies requires integrating the authorization method with a large application base, but the XACML standard does not provide a strategy for integrating XACML with existing applications. We present pam_xacml, an authorization extension for the Pluggable Authentication Modules (PAM). We explain how existing applications can leverage XACML without modification and state the benefits of using our extended version of the authorization API for PAM. Our experimental results quantify the impact of security and of connection establishment when using remote Policy Decision Points (PDPs). Our approach provides a method for introducing XACML authorization into existing applications and is an important step towards unified authorization policies.
© 2009 Springer-Verlag Berlin Heidelberg
Cite this paper
Klenk, A., Heide, T., Radier, B., Salaun, M., Carle, G. (2009). Pluggable Authorization and Distributed Enforcement with pam_xacml. In: David, K., Geihs, K. (eds) Kommunikation in Verteilten Systemen (KiVS). Informatik aktuell. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-92666-5_21
DOI: https://doi.org/10.1007/978-3-540-92666-5_21
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-92665-8
Online ISBN: 978-3-540-92666-5
eBook Packages: Computer Science and Engineering (German Language)