How can I test my policy? What after generate Balana jar files? - authorization

I have installed Balana correctly and run mvn clean install with no errors.
How can I benefit from the JAR file?
How can I test the policy that I have written in XACML?

Balana is just the engine. Once you have Balana compiled (and presumably jarred), you need to start it and pass it the XACML policies you wrote. Now, at start-up, Balana should validate that the files are valid XACML 2.0 or XACML 3.0 files.
What you want to do next is send an authorization request using a tool, e.g. SoapUI or Postman, to the endpoint Balana exposes (if any, that is). That will help you validate the endpoint.
PS: I have limited experience with Balana. I work mostly with Axiomatics Policy Server (disclaimer: it's where I work).
PS2: if you want to stay down the path of open source, check out AuthZForce. It's much more active.

When WSO2 implements open standard protocols like XACML and SCIM, they do not tightly couple the implementation with WSO2 platform components. For example: Balana for XACML [2], Charon for SCIM [1]. Inside WSO2 Identity Server [3] you will find two artifacts, org.wso2.balana_1.1.5.jar and org.wso2.balana.utils_1.1.5.jar, which are relevant to the WSO2 XACML implementation. If you want to make use of the Balana artifacts, please refer to [4].
[1] https://github.com/wso2/charon
[2] https://github.com/wso2/balana
[3] https://docs.wso2.com/display/IS570/
[4] https://docs.wso2.com/display/IS570/Working+with+XACML
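One way to test a policy with the compiled Balana JAR on the classpath, as an added example that is not part of the original answers or of the Balana project: it loads the policies from a directory, evaluates one constructed request in-process, and fails if the decision is not the expected one. The class name, the sample resource `/index.html` and the two command-line arguments are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.NodeList;
import org.wso2.balana.Balana;
import org.wso2.balana.PDP;
import org.wso2.balana.finder.impl.FileBasedPolicyFinderModule;

public class PolicySmokeTest {
    private static final String NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17";

    // Constructed sample request (XACML 3.0): a single resource-id attribute.
    static final String REQUEST =
        "<Request xmlns=\"" + NS + "\" CombinedDecision=\"false\" ReturnPolicyIdList=\"false\">"
      + "<Attributes Category=\"urn:oasis:names:tc:xacml:3.0:attribute-category:resource\">"
      + "<Attribute AttributeId=\"urn:oasis:names:tc:xacml:1.0:resource:resource-id\""
      + " IncludeInResult=\"false\">"
      + "<AttributeValue DataType=\"http://www.w3.org/2001/XMLSchema#string\">/index.html"
      + "</AttributeValue></Attribute></Attributes></Request>";

    // Extract the <Decision> text from the XACML response returned by the PDP.
    static String decisionOf(String responseXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // The response is parsed as untrusted XML: refuse DOCTYPE declarations.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        NodeList n = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(responseXml.getBytes(StandardCharsets.UTF_8)))
            .getElementsByTagNameNS("*", "Decision");
        if (n.getLength() != 1) {
            throw new IllegalStateException("expected exactly one Decision element");
        }
        return n.item(0).getTextContent().trim();
    }

    public static void main(String[] args) throws Exception {
        // args[0]: directory containing your policy XML files (assumption)
        // args[1]: decision expected for REQUEST: Permit, Deny, NotApplicable or Indeterminate
        // The policy directory must be set before the Balana instance is created.
        System.setProperty(FileBasedPolicyFinderModule.POLICY_DIR_PROPERTY, args[0]);
        PDP pdp = new PDP(Balana.getInstance().getPdpConfig());
        String response = pdp.evaluate(REQUEST);
        System.out.println(response);
        String decision = decisionOf(response);
        if (!decision.equals(args[1])) {
            throw new AssertionError("expected " + args[1] + " but PDP returned " + decision);
        }
    }
}
```

Run it once with a request the policy should permit and once with one it should not, so that a policy that never matches (NotApplicable) is not mistaken for a working one.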

Related

URL accessible at specific hours only XACML

I have a knotty problem (at least for me) to solve.
In a nutshell:
A web server exposing a single URL (static page)
the URL should only be accessible between 9 am and 5 pm (every day)
the whole thing should be implemented through XACML
Questions
What do I actually need in order to accomplish my objective?
Is there any Oracle implementation of XACML which I should install? Is it by any chance free?
Could another XACML implementation be suitable? I'm referring to WSO2 Balana
Which tools should I use?
How should I start?
Thanks a lot
You'll need:
a PEP (policy enforcement point) to intercept the request to the server. In your case you are controlling access to a web server. If you're using a Java web server e.g. Tomcat, you can implement a Servlet Filter PEP.
a PDP (policy decision point) to receive the request from the PEP and return a decision (either Permit or Deny). Oracle used to have a PDP solution called Oracle Entitlements Server (OES) but it was discontinued. Nowadays you have several options:
Balana, an open-source XACML engine
AuthZForce, the latest and possibly most complete open-source XACML 3.0 PDP
Axiomatics, a commercial solution that provides you with turnkey PDP, PEP, and policy authoring (aka PAP)
a PAP (policy administration / authoring point): you need to write your policy. I typically use ALFA, which is an easy-to-read shorthand notation for XACML.
In your case, the policy would look like the following:
policy allowOfficeHours{
    apply firstApplicable
    // Matches only strictly between 09:00:00 and 17:00:00; outside that window the
    // rule does not apply, so the PEP must treat anything other than Permit as a denial.
    rule allowOfficeHours{
        target clause current_time>"09:00:00":time and current_time<"17:00:00":time
        permit
    }
}
Plan of action
Start
Start with downloading the PDP of your choice. If you need free, then go to AuthZForce. You can ask and tag questions with authzforce here. Their main architect / dev is active here.
Then download the ALFA plugin for Eclipse to start writing some policies.
Finally, use AuthZForce's PEP SDK to write your own PEP. Look at Java servlet filters as an easy means to write a PEP. Check out this post and that one for tips.

How to integrate Wso2 IS xacml with java MVC application

I am trying to implement WSO2 Identity Server's XACML-based access control with a Java MVC application.
Use case: the user logs in and views only the selected pages/menus (and also the actions on these pages, e.g. view, post, delete, etc.) defined in the XACML policy.
From what I have checked, WSO2 IS XACML will return Permit/Deny/NotApplicable for a particular resource.
So I just want to know whether a solution to this use case is possible with WSO2 IS XACML, and how.
Please help.
Thanks
This is totally possible. There are two ways you can achieve this.
Using WSO2 Identity Server as the entitlement engine
With this option, you can create and manage policies using the policy editor provided by WSO2 Identity Server. You can manage the lifecycle of policies (publish/unpublish), etc.
Then you can consume the SOAP Entitlement Service provided by Identity Server from your application. With IS 5.3.0 we provide a REST service for XACML as well.
Read more about these in [1], [2]
Using WSO2 Balana entitlement Engine.
Balana is WSO2's open source implementation of XACML. WSO2 Identity Server internally uses this library/engine for entitlement. You can use this library directly in your application to achieve your use case. In fact, part of the use case is available as a sample in Balana. This sample explains how Balana could be used to filter resources in a web page based on the user (or his role). Read more about the sample here.

Sample Example of Authentication and Authorization using XACML policy, wso2is-5.1, wso2esb-4.9 and wso2as-5.3

I am new to the WSO2 environment. I am building a sample application for authentication and authorization using WSO2 technologies. On http://wso2.com/library/articles/, I found some sample applications, but these sample applications are based on older versions of the WSO2 software.
I am using XACML-3.0, wso2is-5.1, wso2esb-4.9 and wso2as-5.3 for my application. I am mainly getting configuration problems.
If anyone has a sample application or knows a link where I can get one, please let me know.
Thanks
You can use Balana, the XACML engine that is used by WSO2 Identity Server internally. You can use Balana as a Java library in your applications for XACML-based access control. We have a few code samples [1] that you can have a look at.
The other option is to use the entitlement service provided by WSO2 Identity Server. So basically you need a PEP client to send XACML requests to the entitlement service and get the response from the server. Please have a look at [2] for details on how to achieve this.
[1] https://github.com/wso2/balana/tree/master/modules/balana-samples
[2] http://xacmlinfo.org/2012/06/14/pep-client-for-wso2is-pdp/

XACML with WSO2 Identity Server

I just started learning XACML with WSO2 and I went through this example post, which is working fine. My question is: if I use Tomcat instead of wso2as to deploy my WAR file, how can I protect my protected pages?
Thank You
You need to start with the basics. Do you know the XACML architecture? There is a component called PEP (policy enforcement point) which is responsible for protecting your resources.
The PEP can be of different form factors. It could be an API gateway or in your case, it would likely be a servlet filter. You can write your Servlet Filter. Follow these instructions.
To learn more about XACML, check out the Wikipedia site for it. I keep adding information on a regular basis. Also check out the ABAC and ALFA pages.
There are multiple ways to do this; I will explain one such method.
If you are deploying your web app on Tomcat, you can write a Tomcat filter [1] or Tomcat valve to act as the PEP (Policy Enforcement Point).
You can configure the WSO2 Identity Server with XACML policies. Thereafter you can call the Entitlement service from within the Tomcat filter/valve you implemented, using the SOAP/Thrift entitlement client (refer to [2]).
You can implement a filter similar to [3]. You need to configure the filter in the web.xml of your web app. Make use of [4] to configure the filter. WSO2 Application uses Tomcat internally to host web apps, so it is not much different from deploying on Tomcat.
[1] https://tomcat.apache.org/tomcat-5.5-doc/servletapi/javax/servlet/Filter.html
[2] Xacml integration with saml in wso2
[3] https://github.com/wso2-extensions/identity-agent-entitlement-filter/blob/master/components/org.wso2.carbon.identity.entitlement.filter/src/main/java/org/wso2/carbon/identity/entitlement/filter/EntitlementFilter.java
[4] https://docs.wso2.com/display/AS530/Enable+XACML+Fine+Grained+Authorization+for+Web+Apps
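A minimal servlet-filter PEP of the kind the answers above describe, as an added example that is not code from the original posts or from WSO2: it lets a request through only on an explicit Permit and refuses it on Deny, NotApplicable, Indeterminate or any PDP error. `DecisionClient` is a hypothetical interface standing in for whichever entitlement client (SOAP, Thrift, REST or an embedded engine) you use; the class name is also an assumption.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class XacmlPepFilter implements Filter {

    /** Hypothetical PDP client: returns the XACML decision as a string. */
    public interface DecisionClient {
        String decide(String subject, String resource, String action) throws Exception;
    }

    private final DecisionClient pdp;

    public XacmlPepFilter(DecisionClient pdp) {
        this.pdp = pdp;
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        String decision;
        try {
            // getRemoteUser() is null for unauthenticated callers; the policy
            // decides what an absent subject is allowed to do.
            decision = pdp.decide(req.getRemoteUser(), req.getRequestURI(), req.getMethod());
        } catch (Exception e) {
            // PDP unreachable or response unreadable: there is no decision to act on.
            decision = "Indeterminate";
        }
        if ("Permit".equals(decision)) {
            chain.doFilter(rq, rs); // only an explicit Permit reaches the application
        } else {
            // Deny, NotApplicable, Indeterminate and anything unexpected are refused.
            res.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }
}
```

Because the filter takes its client through the constructor, register the instance with `ServletContext.addFilter(String, Filter)` (Servlet 3.0+); a filter declared in web.xml needs a no-argument constructor.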

Open source policy editor tool for XACML 3.0 policy creation

I am using XACML 3.0 for authorization in my project. Is there any open source policy editor tool so that I can create policies on the fly?
There are several open source policy editors. As far as I know:
UMU XACML editor
WSO2 Identity Server
OpenAM Server
There are also non-open-source ones that you can download freely, such as:
ALFA Plugin by Axiomatics (non-commercial use)
Free GUI based XACML Editor (XACML2.0 to XACML3.0 conversion)
If you want to integrate policy creation into your project, I guess the best approach is to use the Balana utils library. It is a library that can be used to create XACML 3.0 policies and XACML 3.0 requests using a simple object model. You can find the source code of Balana utils here. Basically, the WSO2 Identity Server policy editors use this library to build the policies.