I am trying to implement Wso2 identity server's XACML based access control with the JAVA MVC application.
Use Case : User logs in and view only selected pages/menus(and also the action on these page ex.view,post,delete etc.) defined in the XACML policy.
What I have checked in WSO2 IS XACML will return Permit/Deny/NotApplicable for particular resource.
So just want to know is this use case's solution is possible with the Wso2 IS XACML and how.
Please help.
Thanks
This is totally possible. There are two ways you can achieve this.
Using WSO2 Identity Server as the entitlement engine
With this option. You can create and manage policies using WSO2 Identity Server provided policy editor. You can manage the lifecycle of policies (publish/unpublish) etc.
Then you can consume the SOAP Entitlement Service provided by Identity Server from your application. With IS 5.3.0 we provide a REST service for XACML as well.
Read more about these in [1], [2]
Using WSO2 Balana entitlement Engine.
Balana is WSO2's open source implementation of XACML. WSO2 Identity Server internally uses this library/engine for Entitlement. You can use this library directly in you application to achieve you use case. In fact, part of the use case is available as a sample in Balana. This sample explain how Balana could be used to filter resources in a web page based on user(or his role). Read more about the sample here.
Related
I am new to wso2 and its very confusing. I'm developing a web application using authorization Provider: WSO2 Identity Server (IS)
I am looking for minimum configuration on the wso2 side so the simple way is to use SOAP call AuthenticationAdmin services https://host:port/services/AuthenticationAdmin?wsdl
I couldn't find much about the interaction between the authorization server and the resource server and how should it look like.
How to configure spring-security, maybe there is some sample I can look at
You can find more information about the concepts of the OAuth here. You find how to work with OAuth in WSO2 IS also. You can also refer to the white paper
Here is a blog about how to secure Spring Boot based web application using OpenID Connect. This blog includes a sample
I have installed Balana correctly and run mvn clean install with no error,
How can I get benefit from Jar file?
How can I test the policy that I have written in XACML?
Balana is just the engine. Once you Balana compiled (and presumably jarred), you need to start it and pass it the XACML policies you wrote. Now, at start-up, Balana should validate that the files are valid XACML 2.0 or XACML 3.0 files.
What you want to do next is send an authorization request using a tool e.g. SoapUI or Postman to the endpoint Balana exposes (if any that is). That will help you validate the endpoint.
PS: I have limited experience with Balana. I work mostly with Axiomatics Policy Server (disclaimer: it's where I work).
PS2: if you want to stay down the path of open source, check out AuthZForce. It's much more active.
When WSO2 Implements open standard protocols like XACML, SCIM they do not tightly coupled implementation with WSO2 platform components. For EX: Balana for XACML [2], Charon for SCIM [1]. Inside WSO2 Identity Server [3] you will find two artifacts org.wso2.balana_1.1.5.jar, org.wso2.balana.utils_1.1.5.jar which are relevant to WSO2 XACML implementation. If you want to make use of Balana artifacts pls refer [4].
[1] https://github.com/wso2/charon
[2] https://github.com/wso2/balana
[3] https://docs.wso2.com/display/IS570/
[4] https://docs.wso2.com/display/IS570/Working+with+XACML
I am new to wso2 environment. I am doing a sample application for authentication and authorization using wso2 technologies. On http://wso2.com/library/articles/, i found same sample application but these sample application are based on older version of wso2 software.
I am using XACML-3.0, wso2is-5.1, wso2esb-4.9 and wso2as-5.3 for my application. I am getting mainly configuration problem.
If anyone have sample application or know link, where i can get, Please let me know.
Thanks
You can use Balana the XACML engine that is used by WSO2 Identity server internally. You can use Balana as a java library in your applications for XACML based access control. We have a few code samples[1] that you can have a look at.
The other option is to use the entitlement service provided by WSO2 Identity Server. So basically you need a PEP client to send XACML requests to the entitlement service and get the response from the server. Please have a look at [2] for details on how to achieve this.
[1] https://github.com/wso2/balana/tree/master/modules/balana-samples
[2] http://xacmlinfo.org/2012/06/14/pep-client-for-wso2is-pdp/
I just started learning xacml with wso2 and I went through this example post, which is working fine. My question is instead of wso2as if I use tomcat to deploy my war file then how I can protect my protected pages.
Thank You
You need to start with the basics. Do you know the XACML architecture? There is a component called PEP (policy enforcement point) which is responsible for protecting your resources.
The PEP can be of different form factors. It could be an API gateway or in your case, it would likely be a servlet filter. You can write your Servlet Filter. Follow these instructions.
To learn more about XACML, check out the Wikipedia site for it. I keep adding information on a regular basis. Also check out the ABAC and ALFA pages.
There are multiple ways to do this, I will explain you one such method
If you are deploying you web app on tomcat, you can write a tomcat filter[1] or tomcat valve to act as the PEP (Policy Enforcement Point).
You can configure the WSO2 Identity Server with XACML policies. Thereafter you can call the Entitlement service from within the tomcat filter/valve you implemented using the SOAP/thrift entitlement client
(Refer [2])
You can implement a filter similar to [3]. You need to configure the filter in the web.xml of your web app. Make use of [4] to configure the filter. WSO2 Application uses tomcat internally to host web apps so it is not much different than deploying on tomcat
[1] https://tomcat.apache.org/tomcat-5.5-doc/servletapi/javax/servlet/Filter.html
[2] Xacml integration with saml in wso2
[3] https://github.com/wso2-extensions/identity-agent-entitlement-filter/blob/master/components/org.wso2.carbon.identity.entitlement.filter/src/main/java/org/wso2/carbon/identity/entitlement/filter/EntitlementFilter.java
[4] https://docs.wso2.com/display/AS530/Enable+XACML+Fine+Grained+Authorization+for+Web+Apps
We successfully launch Wso2 API management solution. One of the main functionality of our project is to orchestrate several simple API and make one Meta API. Then we want to publish this Meta API into Wso2 API Management Publisher and make it available to use.
Is any solution to this requirement?
You can do this. If I understand you correct, you only want to publish the meta api as a managed api. Other simple apis won't be published. If so, things are pretty easy.
WSO2 API Manager uses Apache Synapse as the mediation engine (which is used by WSO2 ESB too). This allows to do the chaining. Please go through the following articles.
http://wso2.com/library/articles/2014/03/batch-api-api-chaining-scenario/
https://docs.wso2.com/display/ESB470/Service+Chaining+Example
http://wso2.com/library/articles/2012/09/get-cup-coffee-wso2-way/