1

I am trying to work on Authorization with XACML.

I have successfully communicate with WSO2 Identity server (PDP) from normal Axis2 Interceptor.

Now I am trying to use Wso2 ESB as PEP (mentioned in below sample)

http://wso2.com/library/articles/2010/10/using-xacml-fine-grained-authorization-wso2-platform/

The problem is I am not able to understand how to call ESB From web application? In the above link they are using java client to connect with ESB, by calling ESB's Proxy service with UT Security.

I am not sure if the given Java class in this example is correct way to do it. As its requires knowledge of Proxy service and its security Policy.

Also I have seen that if you want to abstract your PDP, so in future you have open option to replace it with any other new PDP , then you should use WS-XACML standard for PEP to PEP communication.

I haven't found any sample on this one yet,

Is there any other standard way to achieve this? Or any example which can be useful.

Budhh
  • 153
  • 8

1 Answers1

1

WSO2 ESB contains the PEP which is called as Entitlement Mediator. ESB can be used as an security gateway for your back end web services. Let me explain some use case of ESB. As an example, you have some legacy services (or standard web services with SOAP and REST) in your system. You have a requirement to apply security (Authentication & Authorization) for that back services. Therefore you can front those services with WSO2 ESB and secure them without changing your existing system. Your existing services can be easily exposed as standard SOAP based web service (Proxy Services) or REST API using the ESB. Then you can use Web Service security (WS-Security, yes UT or any other) or API security (OAuth/Basic Auth) secured them. You can easily manage the authentication with those approaches. If you need fine grain authorization, then you can use Entitlement mediator with the WSO2IS.

OK, I am not sure about your exact scenario. I think, you have a web application and you need to call a web service. You have fronted by it using ESB to achieve authorization How do you authenticated ? You may have some authentication mechanism that have been implemented within web application? Then you can have the username of the authenticated user, that username value can be send to the ESB in HTTP header (assuming Web Application and ESB are in internal network and with SSL). Inside the ESB meditation flow, you can extract that username and set it in to Entitlement mediator (Therefore you do not need to always apply UT). Only requirement is that the username must be available for the entitlement mediator to work (it is simple, user must be authenticated before the authorization)

So, from Web app to ESB, you do not need a java client, it can be an any client that can call a your web services.

WS-XACML is some old and not popular profile. I do not think it is better to use it. Standard way is to communicate with PEP-PDP is the REST/JSON profile. But WSO2IS is not still support it. You can find more detail from here

Asela
  • 5,781
  • 1
  • 15
  • 23
  • HI, Asela, Thank you very much for answer. But If want to create an architecture for now, what should I use with WSO2 product, so infuture when WSO2 IS provide JSOn/Rest support We can easily replace it without too much changes. – Budhh Dec 02 '14 at 06:41
  • At time of login, while we call for authorization - Can we get all the authorization details for the User (like what resources he can use) so for each URL or any other resource we don't have to call ESB and Identity server every time? – Budhh Dec 02 '14 at 07:21
  • Currently API login of the Identity Server or ESB (UT) provides a Boolean result. There are some places where we can retrieve user's attributes while login (Such as SAML Token, OpenId-connect). I do not think it is good idea to get all permissions of the user while login.. it would take more time for the login.. and user may not use all these permissions in that session.. I think, in some cases it is more effective to load permission on demand.. You can use multiple decision profile in XACML to get more than one results.. – Asela Dec 02 '14 at 08:52
  • http://xacmlinfo.org/2013/12/06/multiple-decision-profile-repeated-attribute-categories/ – Asela Dec 02 '14 at 08:53
  • You Rock Asela :) ! Yes completely agree with you. Thanks again. – Budhh Dec 02 '14 at 12:29
  • One more in this, is it ok if instead of using WSO2 ESB as PEP (an extra layer ) we can create an abstract PEP Layer in application(s) and directly make calls to Entitlement services of WSO2 Identity server? This way we will remove one layer from architecture as well as we can get maximum performance. What issues can come if we go for this approach? – Budhh Dec 03 '14 at 14:49