How to include root resource values in XACML Response when using Multiple decision Hierarchical resource profile? - authorization

I am working with XACML 3.0. When I am using the XACML v3.0 Hierarchical Resource Profile, how can I include root resource values in the XACML Response?
Ex:
Customer
|-->Name
|-->FirstName,LastName
Here, Customer is the top root resource. FirstName and LastName are the children of Name.
Here in my XACML Request I will send the top resource name Customer. By using the hierarchical resource feature of XACML 3.0, the resource finder will evaluate the child resources.
How can I get the root values Customer and Name in the XACML Response?
Here is the XACML Request:
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="true">
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">update</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">delete</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="true">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="true">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">customer</AttributeValue>
</Attribute>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:root-resource-id" IncludeInResult="true">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">customer</AttributeValue>
</Attribute>
<Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:resource:scope" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Descendants</AttributeValue>
</Attribute>
</Attributes>
</Request>
As one can see from the request, it contains 4 action categories, 1 subject category and 1 resource category. The latter uses the hierarchical resource profile. The repetition of the action category follows the Multiple Decision Profile of XACML. Essentially, it means that I am asking: "Can admin update...? Can admin read...? Can admin write...? Can admin delete...?"

Related

XACML Read resources

I'm trying to write a rule that allows access to any resource just when the action is read, for every user. I'm not sure whether I need to put something like 'any', like here:
<Rule Effect="Permit" RuleId="Rule Permit #1">
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">any
</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true">
</AttributeDesignator>
</Match>
And then the action
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">read
</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Match>
Or maybe I can delete the first part and put the action directly, because the resource is any.
Thank you!!
You only need to Match the action:
<Rule Effect="Permit" RuleId="Rule Permit #1">
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
DataType="http://www.w3.org/2001/XMLSchema#string"
MustBePresent="true" />
</Match>
</AllOf>
</AnyOf>
</Target>
</Rule>
In this case, if and only if the action-id equals 'read', the Rule evaluates to Permit, regardless of user or resource attributes, in other words: for any user or resource. Beware that the final decision depends on the rule combining algorithm on your enclosing Policy (and possibly policy combining algorithm on your PolicySet if you have one). If you get something different, that's an issue with the XACML implementation.
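An added example, not code from either post: it takes a constructed, cut-down copy of the multiple-decision request from the first question (two repeated action categories plus one resource category), splits it into individual requests the way the Multiple Decision Profile's repeated-category rule prescribes, shows which attributes a PDP would echo into each Result because of IncludeInResult="true", and then evaluates the Target of the Rule from this answer against each individual request. The Target evaluator only implements string-equal and ignores MustBePresent/Indeterminate, which is all this Rule needs.

```python
import itertools
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
STR = "http://www.w3.org/2001/XMLSchema#string"
# Constructed sample: a cut-down copy of the question's request (two repeated action
# categories and one resource category; the subject category is omitted for brevity).
REQUEST_XML = f"""<Request xmlns="{NS['x']}" CombinedDecision="false">
 <Attributes Category="{ACTION}"><Attribute AttributeId="{ACTION_ID}" IncludeInResult="true">
  <AttributeValue DataType="{STR}">read</AttributeValue></Attribute></Attributes>
 <Attributes Category="{ACTION}"><Attribute AttributeId="{ACTION_ID}" IncludeInResult="true">
  <AttributeValue DataType="{STR}">write</AttributeValue></Attribute></Attributes>
 <Attributes Category="{RESOURCE}">
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="true"><AttributeValue DataType="{STR}">customer</AttributeValue></Attribute>
  <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:resource:scope" IncludeInResult="false"><AttributeValue DataType="{STR}">Descendants</AttributeValue></Attribute>
 </Attributes></Request>"""
# The answer's Rule: a single string-equal Match on action-id, nothing on the resource.
RULE_XML = f"""<Rule xmlns="{NS['x']}" Effect="Permit" RuleId="Rule Permit #1"><Target><AnyOf><AllOf>
 <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
  <AttributeValue DataType="{STR}">read</AttributeValue>
  <AttributeDesignator AttributeId="{ACTION_ID}" Category="{ACTION}" DataType="{STR}" MustBePresent="true"/>
 </Match></AllOf></AnyOf></Target></Rule>"""

def split_request(request_xml):
    """One individual request per combination of repeated <Attributes>: {category: {attr-id: (values, include)}}."""
    by_cat = {}
    for attrs in ET.fromstring(request_xml).findall("x:Attributes", NS):
        by_cat.setdefault(attrs.get("Category"), []).append({
            a.get("AttributeId"): ([v.text for v in a.findall("x:AttributeValue", NS)],
                                   a.get("IncludeInResult") == "true")
            for a in attrs.findall("x:Attribute", NS)})
    return [dict(zip(by_cat, combo)) for combo in itertools.product(*by_cat.values())]

def echoed(individual):
    """Attributes the PDP copies into this individual request's <Result> (IncludeInResult="true")."""
    return {c: {aid: vals for aid, (vals, inc) in attrs.items() if inc} for c, attrs in individual.items()}

def rule_decision(rule_xml, individual):
    """Target: AND over AnyOf, OR over AllOf, AND over Match; string-equal only, no MustBePresent/Indeterminate."""
    def match_ok(m):
        d = m.find("x:AttributeDesignator", NS)
        bag = individual.get(d.get("Category"), {}).get(d.get("AttributeId"), ([], False))[0]
        return m.find("x:AttributeValue", NS).text in bag
    rule = ET.fromstring(rule_xml)
    target_ok = all(any(all(match_ok(m) for m in allof.findall("x:Match", NS))
                        for allof in anyof.findall("x:AllOf", NS))
                    for anyof in rule.find("x:Target", NS).findall("x:AnyOf", NS))
    return rule.get("Effect") if target_ok else "NotApplicable"
```

Running it on the sample gives two individual requests; only the "read" one reaches Permit, and the scope attribute is never echoed because it was sent with IncludeInResult="false".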

How to disable GZIP compression on Wildfly 10?

To be able to display the download status in a Java application, I need to disable GZIP compression on a WildFly 10 server. It seems to be enabled by default. I found a lot of pages on how to enable it, but nothing on how to disable it. Any clue?
EDIT
I tried removing the gzip filter completely from the config, as you can see below. The files I download (3 MB) are still compressed during transfer.
<subsystem xmlns="urn:jboss:domain:undertow:3.1" statistics-enabled="true">
<buffer-cache name="default"/>
<server name="default-server">
<http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
<https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<filter-ref name="server-header"/>
<filter-ref name="x-powered-by-header"/>
</host>
</server>
<servlet-container name="default">
<jsp-config/>
<websockets/>
</servlet-container>
<handlers>
<file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
</handlers>
<filters>
<response-header name="server-header" header-name="Server" header-value="WildFly/10"/>
<response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
</filters>
</subsystem>

Authentication Required in localhost:8080 after starting the apache-tomcat server

I am using apache-tomcat-6.0.41 on Windows 7. After starting the server I am not able to see the Tomcat page; instead a window asking for username and password pops up.
I have also modified the tomcat-users.xml file as follows:
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
<role rolename="manager"/>
<user username="admin" password="admin" roles="manager" />
</tomcat-users>
My server.xml file also has the required realm, as follows:
<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
<Listener className="org.apache.catalina.core.JasperListener" />
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
<Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<GlobalNamingResources>
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml" />
</GlobalNamingResources>
<Service name="Catalina">
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
<Engine name="Catalina" defaultHost="localhost">
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true"
xmlValidation="false" xmlNamespaceAware="false">
</Host>
</Engine>
</Service>
</Server>
Can anyone suggest a solution to this problem?
Please update the server port to a different port number, such as 8050, instead of the default port 8080. I also faced the same issue and was able to resolve it by changing the port number.
It seems like you are switching to a new page where you are using port 8080, but your Tomcat is not actually started or not working on port 8080. Try changing the Tomcat port from 8080 and check whether another service is using port 8080.

Need some help configuring a WSO2 Proxy Service

How do I get the inbound SOAP payload converted to an HTTP POST payload so that it can be sent via my HTTPEndpoint?
An example would be greatly appreciated
You can set the endpoint format to pox to create a plain XML message to be posted. See for example: http://charithaka.blogspot.nl/2010/07/message-format-transformations-with.html
Are you referring to SOAP to REST conversion? In that case it would be like the following.
<proxy xmlns="http://ws.apache.org/ns/synapse" name="testProxy" transports="https,http" statistics="disable" trace="disable" startOnLoad="true">
<target>
<inSequence>
<property name="messageType" value="application/xml" scope="axis2"/>
<send>
<endpoint>
<http method="POST" uri-template="http://localhost:9000"/>
</endpoint>
</send>
</inSequence>
<outSequence>
<send/>
</outSequence>
</target>
<description/>
</proxy>
The axis2 messageType property decides the MessageFormatter used to format the message before sending it out. In this case it's application/xml, so the Content-Type of the outgoing POST request will be application/xml.

API for WSO2 API Manager

Is there an API for WSO2 API Manager that I can consume? As in, say, get a list of the APIs or whatever. I heard there is a SOAP API for this, but I cannot find anything about it. I'm hoping someone has some information. I found this XML file (listed below) that may or may not be what I need, but I'm a total noob when it comes to SOAP and don't know whether this is what I need. Here are the file contents. Is this what a WSDL file would look like?
<?xml version="1.0" encoding="UTF-8"?><serviceGroup name="API" successfullyAdded="true">
<service name="API" exposedAllTransports="true" serviceDeployedTime="1347567758279" successfullyAdded="true">
<operation name="getAPI">
<parameter name="AuthorizationAction">/permission/admin/manage/resources/govern/apis/list</parameter>
<module name="addressing" version="4.0" type="engagedModules"/>
<module name="relay" version="4.0" type="engagedModules"/>
</operation>
<operation name="updateAPI">
<parameter name="AuthorizationAction">/permission/admin/manage/resources/govern/apis/add</parameter>
<module name="addressing" version="4.0" type="engagedModules"/>
<module name="relay" version="4.0" type="engagedModules"/>
</operation>
<operation name="getAPIDependencies">
<parameter name="AuthorizationAction">/permission/admin/manage/resources/govern/apis/list</parameter>
<module name="addressing" version="4.0" type="engagedModules"/>
<module name="relay" version="4.0" type="engagedModules"/>
</operation>
<operation name="addAPI">
<parameter name="AuthorizationAction">/permission/admin/manage/resources/govern/apis/add</parameter>
<module name="addressing" version="4.0" type="engagedModules"/>
<module name="relay" version="4.0" type="engagedModules"/>
</operation>
<operation name="getAPIArtifactIDs">
<parameter name="AuthorizationAction">/permission/admin/manage/resources/govern/apis/list</parameter>
<module name="addressing" version="4.0" type="engagedModules"/>
<module name="relay" version="4.0" type="engagedModules"/>
</operation>
<operation name="deleteAPI">
<parameter name="AuthorizationAction">/permission/admin/manage/resources/govern/apis/add</parameter>
<module name="addressing" version="4.0" type="engagedModules"/>
<module name="relay" version="4.0" type="engagedModules"/>
</operation>
<bindings>
<binding name="APISoap12Binding">
<operation name="getAPI"/>
<operation name="updateAPI"/>
<operation name="getAPIDependencies"/>
<operation name="addAPI"/>
<operation name="deleteAPI"/>
<operation name="getAPIArtifactIDs"/>
</binding>
<binding name="APIHttpBinding">
<operation name="getAPI"/>
<operation name="updateAPI"/>
<operation name="getAPIDependencies"/>
<operation name="addAPI"/>
<operation name="deleteAPI"/>
<operation name="getAPIArtifactIDs"/>
</binding>
<binding name="APISoap11Binding">
<operation name="getAPI"/>
<operation name="updateAPI"/>
<operation name="getAPIDependencies"/>
<operation name="addAPI"/>
<operation name="deleteAPI"/>
<operation name="getAPIArtifactIDs"/>
</binding>
</bindings>
<policies/>
<module name="addressing" version="4.0" type="engagedModules"/>
<module name="relay" version="4.0" type="engagedModules"/>
<parameter name="enableMTOM">true</parameter>
<parameter name="adminService">true</parameter>
<parameter name="AuthorizationAction">/permission/admin/login</parameter>
<parameter name="hiddenService">true</parameter>
</service>
</serviceGroup>
Yes, there's a JavaScript API layer built with Jaggery which can be used to consume API Manager related functionality in a REST way.
Currently, you can find them inside the two Jaggery applications [store/publisher] at the following location. Navigate to it, and you'll notice there are several sub-directories inside the 'blocks' directory, according to the categories the API Manager functionalities are grouped into [e.g. item-add, listing, search, etc.]. Open the required category and there will be a sub-folder called 'ajax', since we are passing requests in an AJAX way. Inside that you can find the .jag file which contains the relevant API methods that can be consumed in a REST way.
We have not yet separated this API layer from the web-application flow to make it easy for a user to find and consume the API, but we are planning to add this API layer separately to the apps in the near future.
For the moment, what you can do is go to the above-mentioned location and find the relevant API method to consume. Say, for example, you want to consume the addAPI method in api-publisher: navigate to the 'ajax' sub-directory of the 'item-add' directory in that location. You'll see there's a file called 'add.jag'. Open it and identify the action [e.g. addAPI] and the request parameters [e.g. APIName, version, etc.] you need to pass to process the action. Then send an HTTP request to the API function using a REST client [e.g. cURL]. For example, here your HTTP request will be as follows.
"http://ip:port/publisher/site/blocks/item-add/ajax/add.jag -d "action=addAPI&name=API1&version=1.0.0&description=API&endpoint=http://search.twitter.com&wsdl=&tags=open,social&tier=Silver&thumbUrl=https://lh6.ggpht.com/RNc8dD2hXG_rWGzlj09ZwAe1sXVvLWkeYT3ePx7zePCy4ZVV2XMGIxAzup4cKM85NFtL=w124&context=/api2&tiersCollection=Gold&resourceCount=0&resourceMethod-0=POST&uriTemplate-0=/*";"
You can find three samples [TwitterSearch, YahooPlaceFinder, YoutubeFinds] written based on this JavaScript layer at the following location in your downloaded pack.
{API Manager HOME}/samples
Navigate to each of the three samples above inside that location and have a look at the APIPopulator.sh script to get a better understanding of how the API Manager related Jaggery API has been consumed there.
In addition, for the WSO2 API Manager implementation of its major back-end functionalities we have not used web-service invocations but a Java API, which can be found here. You can use that API for your custom implementations. You can find our Java [back-end] implementation of this Java API here.