Apply Role security to WSO2 ESB Proxy using Java API - wso2-esb

I am looking for a way to apply Role based security on existing Proxy WSDLs of WSO2 ESB using Java API.
Using org.wso2.carbon.proxyadmin.stub.ProxyServiceAdminStub I could manage to enable security for an unsecured proxy service, but I am unable to find a way to apply Role based security (please note the roles are coming from WSO2 Identity Server). I understand it's possible to perform this action with the WSO2 ESB management console, but is there a way to handle it through the Java API? Is any carbon backend web service available?

Sample Client here
This helped in disabling and enabling security as well as applying Role based security for a given proxy service. This is what I was looking for. Hope it helps someone out there...

    public void applySecurity(String serviceName, String policyId,
                              String[] userGroups, String[] trustedKeyStoreArray,
                              String privateStore)
            throws SecurityAdminServiceSecurityConfigExceptionException, RemoteException {
        // Scenario ids follow the management console naming ("scenario1", "scenario2", ...)
        ApplySecurity applySecurity = new ApplySecurity();
        applySecurity.setServiceName(serviceName);
        applySecurity.setPolicyId("scenario" + policyId);
        applySecurity.setTrustedStores(trustedKeyStoreArray);
        applySecurity.setPrivateStore(privateStore);
        // Roles (user groups from the configured user store) allowed to invoke the secured proxy
        applySecurity.setUserGroupNames(userGroups);
        securityAdminServiceStub.applySecurity(applySecurity);
        log.info("Security Applied");
    }
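For readers who want the complete sequence behind that method, the following is an added example (not code from the answer above or from WSO2): it logs in to the Carbon admin services, carries the session cookie to SecurityAdminServiceStub, and applies a scenario restricted to the given roles. The stub package names, the keystore name, the backend URL, credentials and role names are assumptions; check them against the stub jars and configuration of your ESB version.

```java
// Added example: end-to-end client for the applySecurity call shown above.
// Stub package names follow the Carbon admin-service stub jars and are assumptions;
// verify them against the jars shipped with your ESB version.
import org.apache.axis2.transport.http.HTTPConstants;
import org.wso2.carbon.authenticator.stub.AuthenticationAdminStub;
import org.wso2.carbon.security.mgt.stub.config.SecurityAdminServiceStub;
import org.wso2.carbon.security.mgt.stub.config.ApplySecurity;

public class ProxyRoleSecurityClient {

    /** Logs in to the Carbon admin services and returns the session cookie. */
    static String login(String backend, String user, String password, String host) throws Exception {
        AuthenticationAdminStub auth = new AuthenticationAdminStub(backend + "AuthenticationAdmin");
        auth._getServiceClient().getOptions().setManageSession(true);
        if (!auth.login(user, password, host)) {
            throw new IllegalStateException("admin login rejected for user " + user);
        }
        // Carbon admin services are session based: every later stub call must carry this cookie.
        return (String) auth._getServiceClient().getLastOperationContext()
                .getServiceContext().getProperty(HTTPConstants.COOKIE_STRING);
    }

    /** Applies security scenario "scenario<no>" to a proxy and restricts it to the given roles. */
    static void secureProxy(String backend, String cookie, String proxy, String scenarioNo,
                            String[] roles) throws Exception {
        SecurityAdminServiceStub sec = new SecurityAdminServiceStub(backend + "SecurityAdminService");
        sec._getServiceClient().getOptions().setManageSession(true);
        sec._getServiceClient().getOptions().setProperty(HTTPConstants.COOKIE_STRING, cookie);

        ApplySecurity req = new ApplySecurity();
        req.setServiceName(proxy);
        req.setPolicyId("scenario" + scenarioNo);              // same naming as the original snippet
        req.setTrustedStores(new String[] {"wso2carbon.jks"}); // default Carbon keystore (assumption)
        req.setPrivateStore("wso2carbon.jks");
        req.setUserGroupNames(roles);                          // roles as known to the user store (e.g. WSO2 IS)
        sec.applySecurity(req);
    }

    public static void main(String[] args) throws Exception {
        // Constructed values: replace with your ESB host, admin credentials, proxy name and roles.
        String backend = "https://localhost:9443/services/";
        System.setProperty("javax.net.ssl.trustStore", "client-truststore.jks"); // must trust the ESB certificate
        System.setProperty("javax.net.ssl.trustStorePassword", "TRUSTSTORE_PASSWORD");
        String cookie = login(backend, "ADMIN_USER", "ADMIN_PASSWORD", "localhost");
        secureProxy(backend, cookie, "OrderProxy", "1", new String[] {"manager", "approver"});
    }
}
```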

Related

Spring Security and WSO2 Authorization

I am new to wso2 and its very confusing. I'm developing a web application using authorization Provider: WSO2 Identity Server (IS)
I am looking for minimum configuration on the wso2 side so the simple way is to use SOAP call AuthenticationAdmin services https://host:port/services/AuthenticationAdmin?wsdl
I couldn't find much about the interaction between the authorization server and the resource server and how should it look like.
How to configure spring-security, maybe there is some sample I can look at
You can find more information about the concepts of OAuth here. You can also find how to work with OAuth in WSO2 IS. You can also refer to the white paper.
Here is a blog about how to secure Spring Boot based web application using OpenID Connect. This blog includes a sample

Azure Active Directory Active ActAs WCF

I'm trying to create an MVC 5 app secured using WIF against Azure Active Directory. I'm trying to use SAML tokens with the following code:

    app.UseWsFederationAuthentication(
        new WsFederationAuthenticationOptions
        {
            Wtrealm = realm,
            MetadataAddress = adfsMetadata,
            TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters
            {
                SaveSigninToken = true
            }
        });
The plan is to use the returned token to pass through to a back end WCF service. From my investigations, I understand I would need to use the "active flow" here, where the web app will need to request an access token from Azure AD in order to authenticate with the WCF service.
Is this flow supported by Azure Active Directory? Everything I am reading seems to suggest it's not, and these days we are very much steered towards WebAPI / OpenIdConnect.
I'm really keen to get confirmation one way or another on whether this is possible (with WCF) or whether it's time to give up on this approach.
Thanks
David
That flow isn't supported by Azure AD. Furthermore, your impression is correct: there is no explicit support for WCF in Azure AD, and although it is technically possible to arm-twist WCF to use Azure AD tokens, it is very difficult and requires heavy customizations.
I highly recommend considering web API moving forward, you'll find that all of our samples and SDKs from the last 5 years or so are all predicated on that.

How to apply different policies to service and proxy service?

I have a mule service, named IS, deployed on mule runtime and proxied on API gateway. I'd like to set up different policies to the IS and its proxy service. How can I do it?
My environment:
Mule runtime: 3.7.4
Mule API gateway: 2.1.1
The following are two valid and equally correct solutions that you can choose from, taking into account that your implementation API is a Mule app:
Create an API on API Platform
Solution A:
Configure the autogenerated proxy to use your implementation API URL
Deploy the proxy to a correctly configured API Gateway/Mule runtime >= v3.8.0
Apply one or more policies to the tracked proxy
Solution B:
Add autodiscovery to your implementation API, using the same API name and API version name as your already created API on API Platform
Deploy the impl app to a correctly configured API Gateway/Mule runtime >= v3.8.0
Apply one or more policies to the tracked implementation app
With solution A, you have to make sure that your implementation app is only accessible by the proxy app (eg with a firewall).
If your implementation API were not a Mule app, then Solution B would not be possible.
You can create an endpoint with a proxy, or select Basic endpoint if you created your API outside API Manager, for example using Mule ESB. You don't need a proxy in this case, so policies will be applied to the API directly. For more details go through the link.
https://docs.mulesoft.com/api-manager/setting-up-an-api-proxy
If you're using Mule runtime v3.8.x, and if the service is an HTTP/S listener, you can actually make it auto-discovered in the API Manager and have policies applied directly on it, even if the mule config is not generated using APIkit.
https://docs.mulesoft.com/api-manager/api-auto-discovery
Choose the flow that you want the API Manager to manage and apply policies.
Do note that you will need to have the right entitlement (API Gateway) in the Mule Runtime license and that it has the right Anypoint Platform Client ID/Secret pairs configured in the wrapper.conf. The IDs should be automatically configured if you've added the Mule Runtime server in the Anypoint Runtime Manager.
Here is my solution to apply policy to proxy service:
Create a new API using proxy service's url
Apply policy to API created in step1
Can anyone confirm this is the correct way?

How to integrate Wso2 IS xacml with java MVC application

I am trying to implement WSO2 Identity Server's XACML based access control with a Java MVC application.
Use Case: the user logs in and views only the selected pages/menus (and also the actions on these pages, e.g. view, post, delete etc.) defined in the XACML policy.
What I have checked is that WSO2 IS XACML will return Permit/Deny/NotApplicable for a particular resource.
So I just want to know whether this use case's solution is possible with WSO2 IS XACML, and how.
Please help.
Thanks
This is totally possible. There are two ways you can achieve this.
Using WSO2 Identity Server as the entitlement engine
With this option, you can create and manage policies using the policy editor provided by WSO2 Identity Server. You can manage the lifecycle of policies (publish/unpublish) etc.
Then you can consume the SOAP Entitlement Service provided by Identity Server from your application. With IS 5.3.0 we provide a REST service for XACML as well.
Read more about these in [1], [2]
Using WSO2 Balana entitlement Engine.
Balana is WSO2's open source implementation of XACML. WSO2 Identity Server internally uses this library/engine for Entitlement. You can use this library directly in your application to achieve your use case. In fact, part of the use case is available as a sample in Balana. This sample explains how Balana could be used to filter resources in a web page based on the user (or their role). Read more about the sample here.
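As an added illustration of the first option (not code from the answer or from WSO2), the block below builds the XACML 3.0 request for "may this role view this page", reads the Decision out of the PDP response, and filters a menu on it. The `pdp` function is a hypothetical hook standing for whatever sends the request to the Identity Server entitlement service; the role claim URI is the standard WSO2 one, and the attribute values are assumed to be XML-safe identifiers.

```java
// Added example: deciding page/menu visibility from XACML decisions for the use case above.
// The pdp parameter is a hypothetical hook for the call to the IS entitlement service.
import java.io.StringReader;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.function.Function;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPathFactory;
import org.xml.sax.InputSource;
public class MenuAuthorizer {
    /** XACML 3.0 request: which role, on which page, performing which action. */
    static String buildRequest(String role, String page, String action) {
        return "<Request xmlns=\"urn:oasis:names:tc:xacml:3.0:core:schema:wd-17\" "
             + "CombinedDecision=\"false\" ReturnPolicyIdList=\"false\">"
             + attrs("urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
                     "http://wso2.org/claims/role", role)                 // WSO2 role claim
             + attrs("urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
                     "urn:oasis:names:tc:xacml:1.0:resource:resource-id", page)
             + attrs("urn:oasis:names:tc:xacml:3.0:attribute-category:action",
                     "urn:oasis:names:tc:xacml:1.0:action:action-id", action)
             + "</Request>";
    }
    private static String attrs(String category, String id, String value) {
        // value is assumed to be XML-safe (escape it if it comes from user input)
        return "<Attributes Category=\"" + category + "\"><Attribute AttributeId=\"" + id
             + "\" IncludeInResult=\"false\"><AttributeValue DataType=\"http://www.w3.org/2001/XMLSchema#string\">"
             + value + "</AttributeValue></Attribute></Attributes>";
    }
    /** Reads the Decision element; Deny, NotApplicable and Indeterminate all mean "hide". */
    static boolean isPermit(String xacmlResponse) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD/XXE
        String decision = XPathFactory.newInstance().newXPath().evaluate(
                "//*[local-name()='Decision']",
                f.newDocumentBuilder().parse(new InputSource(new StringReader(xacmlResponse))));
        return "Permit".equals(decision.trim());
    }
    /** Maps each page to whether the role may view it, asking the PDP once per page. */
    static Map<String, Boolean> filterMenu(String role, List<String> pages,
                                           Function<String, String> pdp) throws Exception {
        Map<String, Boolean> visible = new LinkedHashMap<>();
        for (String page : pages) {
            visible.put(page, isPermit(pdp.apply(buildRequest(role, page, "view"))));
        }
        return visible;
    }
}
```

Only pages mapped to true are rendered; every non-Permit outcome falls through to hidden, so a policy gap cannot expose a page by accident.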

WCF Data Services with Integrated Authentication issue

I have a web project that has Anonymous access and Integrated Windows authentication enabled. I built a WCF Data Service and since it allows only one authentication, I enabled Integrated authentication on the service. I am able to view the service in browser. However when I try to query the service for any Entity, it gives me Forbidden error. I tried to enable Anonymous access on service too, but it does not work.
Do I need to give it some other access or it is not possible to enable one authentication on the service itself keeping the project virtual directory as Anonymous and Integrated.
Update: I do not have any operations in my Data Service. For the entities, I have already set the "All" permission on all entities.
Only one authentication method is permitted on a WCF Data Service.
If you choose to go the Integrated Security route then you need to set the credentials after constructing the DataServiceContext.
Something like this would work for using the current user's Windows identity.
    employeeEntities = new EmployeeDataService.EmployeeEntities(new Uri("http://.../employeedata.svc"));
    employeeEntities.Credentials = CredentialCache.DefaultCredentials;