I have only one policy file for my server, so I do not want to use WSO2 for the PDP, but am instead trying to write my own PDP with "balana". I can see there is a PDP class and also a Policy class, so which class should I use, and how do I load my "policy.xml" file into the PDP?
I think your requirement is that you want to customize the PDP. You can create a wrapper on top of the WSO2 Balana PDP that will serve your purpose according to your requirement. You can use the PDP class. I am not sure how you are using policies. If you are using Balana or the Balana samples locally in your system, you can store your policies in the resource folder. Take a look at this sample provided by Balana.
https://github.com/wso2/commons/tree/master/balana/modules/balana-samples
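An added example (not from the original post or the Balana project) of the wrapper suggested above: it loads every policy file from a directory via FileBasedPolicyFinderModule, builds a PDP from it, and evaluates a constructed XACML 3.0 request. The class name LocalPdp, the policy directory path and the subject/resource/action values are assumptions.

```java
import org.wso2.balana.*;
import org.wso2.balana.ctx.*;
import org.wso2.balana.finder.*;
import org.wso2.balana.finder.impl.FileBasedPolicyFinderModule;
import java.util.*;

public class LocalPdp {
    private static final String XACML3 = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17";
    private final PDP pdp;

    // policyDir holds policy.xml (assumed path); FileBasedPolicyFinderModule loads every policy file in it.
    public LocalPdp(String policyDir) {
        PolicyFinder policyFinder = new PolicyFinder();
        Set<PolicyFinderModule> modules = new HashSet<>();
        modules.add(new FileBasedPolicyFinderModule(Collections.singleton(policyDir)));
        policyFinder.setModules(modules);
        // No AttributeFinder/ResourceFinder: everything the policy needs must be in the request.
        pdp = new PDP(new PDPConfig(null, policyFinder, null));
    }

    // Fail closed: only exactly one Result with Decision Permit counts. Deny, NotApplicable
    // and Indeterminate (including an unparsable request) are all treated as "not permitted".
    public boolean isPermitted(String subject, String resource, String action) {
        try {
            AbstractRequestCtx ctx = RequestCtxFactory.getFactory()
                    .getRequestCtx(request(subject, resource, action));
            Set<AbstractResult> results = pdp.evaluate(ctx).getResults();
            return results.size() == 1
                    && results.iterator().next().getDecision() == AbstractResult.DECISION_PERMIT;
        } catch (ParsingException e) {
            return false;
        }
    }

    // Minimal XACML 3.0 request carrying the three standard identifiers.
    static String request(String subject, String resource, String action) {
        return "<Request xmlns=\"" + XACML3 + "\" CombinedDecision=\"false\" ReturnPolicyIdList=\"false\">"
                + attrs("urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
                        "urn:oasis:names:tc:xacml:1.0:subject:subject-id", subject)
                + attrs("urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
                        "urn:oasis:names:tc:xacml:1.0:resource:resource-id", resource)
                + attrs("urn:oasis:names:tc:xacml:3.0:attribute-category:action",
                        "urn:oasis:names:tc:xacml:1.0:action:action-id", action) + "</Request>";
    }

    // Values are XML-escaped so a crafted user name or path cannot inject extra attributes.
    private static String attrs(String category, String id, String value) {
        String v = value.replace("&", "&amp;").replace("<", "&lt;").replace("\"", "&quot;");
        return "<Attributes Category=\"" + category + "\"><Attribute AttributeId=\"" + id
                + "\" IncludeInResult=\"false\"><AttributeValue DataType=\"http://www.w3.org/2001/XMLSchema#string\">"
                + v + "</AttributeValue></Attribute></Attributes>";
    }
}
```

Usage is `new LocalPdp("/path/to/policies").isPermitted("alice", "/index.html", "view")`; the decision depends entirely on what policy.xml says about those three attributes.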
I have a knotty problem (at least for me) to solve
In a nutshell:
A web server exposing a single URL (static page)
the URL should only be accessible between 9 am and 5 pm (every day)
the whole thing should be implemented through XACML
Questions
What actually do I need in order to accomplish my objective?
Is there any Oracle implementation of XACML which I should install? Is it by any chance free?
Could another XACML implementation be suitable? I'm referring to WSO2 Balana.
Which tools should I use?
How should I start?
Thanks a lot
You'll need:
a PEP (policy enforcement point) to intercept the request to the server. In your case you are controlling access to a web server. If you're using a Java web server e.g. Tomcat, you can implement a Servlet Filter PEP.
a PDP (policy decision point) to receive the request from the PEP and return a decision (either Permit or Deny). Oracle used to have a PDP solution called Oracle Entitlements Server (OES) but it was discontinued. Nowadays you have several options:
Balana, an open-source XACML engine
AuthZForce, the latest and possibly most complete open-source XACML 3.0 PDP
Axiomatics, a commercial solution that provides you with turnkey PDP, PEP, and policy authoring (aka PAP)
a PAP (policy administration / authoring point): you need to write your policy. I typically use ALFA, which is an easy-to-read shorthand notation for XACML.
In your case, the policy would look like the following:
policy allowOfficeHours {
    apply firstApplicable
    rule allowOfficeHours {
        target clause current_time > "09:00:00":time and current_time < "17:00:00":time
        permit
    }
}
Plan of action
Start
Start with downloading the PDP of your choice. If you need free, then go to AuthZForce. You can ask and tag questions with authzforce here. Their main architect / dev is active here.
Then download the ALFA plugin for Eclipse to start writing some policies.
Finally, use AuthZForce's PEP SDK to write your own PEP. Look at Java servlet filters as an easy means to write a PEP. Check out this post and that one for tips.
I have installed Balana correctly and run mvn clean install with no error.
How can I benefit from the jar file?
How can I test the policy that I have written in XACML?
Balana is just the engine. Once you have Balana compiled (and presumably jarred), you need to start it and pass it the XACML policies you wrote. Now, at start-up, Balana should validate that the files are valid XACML 2.0 or XACML 3.0 files.
What you want to do next is send an authorization request using a tool e.g. SoapUI or Postman to the endpoint Balana exposes (if any that is). That will help you validate the endpoint.
PS: I have limited experience with Balana. I work mostly with Axiomatics Policy Server (disclaimer: it's where I work).
PS2: if you want to stay down the path of open source, check out AuthZForce. It's much more active.
When WSO2 implements open standard protocols like XACML and SCIM, they do not tightly couple the implementation with WSO2 platform components. For example: Balana for XACML [2], Charon for SCIM [1]. Inside WSO2 Identity Server [3] you will find two artifacts, org.wso2.balana_1.1.5.jar and org.wso2.balana.utils_1.1.5.jar, which are relevant to the WSO2 XACML implementation. If you want to make use of the Balana artifacts, please refer to [4].
[1] https://github.com/wso2/charon
[2] https://github.com/wso2/balana
[3] https://docs.wso2.com/display/IS570/
[4] https://docs.wso2.com/display/IS570/Working+with+XACML
To get started quickly with API Connect, I just want to import a Swagger spec of an existing service and make this service a managed API in API Connect.
API Connect provides an import function for YAML files, but the API can not be tested.
I've seen this scenario several times, so I thought it might be useful to have some documentation on this.
When importing a swagger specification, you need to modify a few settings to transform this service definition into an API definition (even though they are quite similar). You need to modify the following parameters:
Schemes: https - The Gateway enforces HTTPS
Host: $(catalog.host) - This variable links to the current host (in a certain catalog)
Then, you need to build an assembly. The proxy policy is well suited for building facades, as all content from Headers, Body, etc. is re-routed. For the URL, enter the URL of the endpoint + a context variable that refers to the incoming path, like:
http://example.com$(request.path)
I have created a small video on YouTube to demonstrate the necessary steps.
I am trying to implement WSO2 Identity Server's XACML-based access control with a Java MVC application.
Use case: the user logs in and views only the selected pages/menus (and also the actions on these pages, e.g. view, post, delete, etc.) defined in the XACML policy.
What I have checked is that WSO2 IS XACML will return Permit/Deny/NotApplicable for a particular resource.
So I just want to know whether a solution for this use case is possible with WSO2 IS XACML, and how.
Please help.
Thanks
This is totally possible. There are two ways you can achieve this.
Using WSO2 Identity Server as the entitlement engine
With this option, you can create and manage policies using the policy editor provided by WSO2 Identity Server. You can manage the lifecycle of policies (publish/unpublish) etc.
Then you can consume the SOAP Entitlement Service provided by Identity Server from your application. With IS 5.3.0 we provide a REST service for XACML as well.
Read more about these in [1], [2]
Using the WSO2 Balana entitlement engine
Balana is WSO2's open source implementation of XACML. WSO2 Identity Server internally uses this library/engine for entitlement. You can use this library directly in your application to achieve your use case. In fact, part of the use case is available as a sample in Balana. This sample explains how Balana could be used to filter resources in a web page based on the user (or his role). Read more about the sample here.
I just started learning XACML with WSO2 and I went through this example post, which is working fine. My question is: if I use Tomcat instead of WSO2 AS to deploy my war file, then how can I protect my protected pages?
Thank You
You need to start with the basics. Do you know the XACML architecture? There is a component called PEP (policy enforcement point) which is responsible for protecting your resources.
The PEP can be of different form factors. It could be an API gateway or in your case, it would likely be a servlet filter. You can write your Servlet Filter. Follow these instructions.
To learn more about XACML, check out the Wikipedia site for it. I keep adding information on a regular basis. Also check out the ABAC and ALFA pages.
There are multiple ways to do this; I will explain one such method.
If you are deploying your web app on Tomcat, you can write a Tomcat filter [1] or Tomcat valve to act as the PEP (Policy Enforcement Point).
You can configure the WSO2 Identity Server with XACML policies. Thereafter you can call the Entitlement service from within the Tomcat filter/valve you implemented, using the SOAP/thrift entitlement client (refer to [2]).
You can implement a filter similar to [3]. You need to configure the filter in the web.xml of your web app. Make use of [4] to configure the filter. WSO2 Application Server uses Tomcat internally to host web apps, so it is not much different from deploying on Tomcat.
[1] https://tomcat.apache.org/tomcat-5.5-doc/servletapi/javax/servlet/Filter.html
[2] Xacml integration with saml in wso2
[3] https://github.com/wso2-extensions/identity-agent-entitlement-filter/blob/master/components/org.wso2.carbon.identity.entitlement.filter/src/main/java/org/wso2/carbon/identity/entitlement/filter/EntitlementFilter.java
[4] https://docs.wso2.com/display/AS530/Enable+XACML+Fine+Grained+Authorization+for+Web+Apps
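An added example of the servlet-filter PEP that both answers above describe (our code, not the WSO2 entitlement filter linked in [3]). It assumes a decision source with a single isPermitted(subject, resource, action) method, which a local Balana PDP or a WSO2 entitlement client could provide; the class name XacmlPepFilter and the view/post/delete action vocabulary are assumptions.

```java
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.logging.Logger;

public class XacmlPepFilter implements Filter {
    // Any decision source with this shape (a local Balana PDP, a remote entitlement client).
    public interface Decider { boolean isPermitted(String subject, String resource, String action); }
    private static final Logger LOG = Logger.getLogger(XacmlPepFilter.class.getName());
    private final Decider decider;

    // Constructor injection, so register with ServletContext.addFilter(name, instance)
    // (a web.xml <filter> entry would need a no-arg constructor instead).
    public XacmlPepFilter(Decider decider) { this.decider = decider; }
    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Subject is the container-authenticated principal, never a client-supplied header.
        String subject = request.getRemoteUser();
        if (subject == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Resource: the decoded path inside this web app; action: HTTP method mapped to policy verbs.
        String pathInfo = request.getPathInfo();
        String resource = request.getServletPath() + (pathInfo == null ? "" : pathInfo);
        String action = actionFor(request.getMethod());
        if (!decider.isPermitted(subject, resource, action)) {
            LOG.warning("XACML deny: subject=" + subject + " resource=" + resource + " action=" + action);
            response.sendError(HttpServletResponse.SC_FORBIDDEN); // fail closed
            return;
        }
        chain.doFilter(req, res);
    }

    // Unknown methods map to a verb no policy grants, so they are denied, not accidentally allowed.
    static String actionFor(String method) {
        switch (method.toUpperCase()) {
            case "GET": case "HEAD": return "view";
            case "POST": case "PUT": case "PATCH": return "post";
            case "DELETE": return "delete";
            default: return "unknown";
        }
    }
}
```

Map the filter to the protected paths only (e.g. `/secure/*`) so public resources never reach the PDP, and keep the deny log lines: they are the audit trail for authorization failures.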