Xacml integration with saml in wso2 - wso2

I am new to security. I have downloaded the WSO2 SSO sample and executed it. Now I want to configure XACML in this project.
My requirement is that when a user has logged in with SSO, I want to restrict them from accessing some particular JSP pages. Please give me some suggestions on how to implement it and how I can send a XACML request.
Thank you.

[1] is a comprehensive blog written by Asela Pathberiya on XACML and how you can leverage XACML on WSO2 Identity Server. Please read the blog to clarify the different use cases you might have and how you can achieve them using WSO2 Identity Server.
Basically, WSO2 uses Balana, an XACML implementation built on top of Sun XACML, which supports the XACML 3.0 specification.
You can use WSO2 Identity Server as an XACML policy decision point (PDP) quite easily. You can leverage the SOAP client or the Thrift client to send XACML requests to the WSO2 Identity Server Entitlement Service and receive the decisions. There are samples that suit your exact use case at [2].
So basically you can do the following to achieve what you want:
Configure XACML policies in WSO2 Identity Server using the policy editor.
Call the Entitlement Service via SOAP or Thrift from your app to get the entitlement decisions [3].
[1] http://xacmlinfo.org/category/xacml/
[2] https://github.com/wso2/balana/tree/master/modules/balana-samples
[3] https://github.com/wso2/carbon-identity-framework/tree/master/components/entitlement/org.wso2.carbon.identity.entitlement/src/main/java/org/wso2/carbon/identity/entitlement
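A small PEP-side helper for the second step, written here as an added example (it is not code from the answer above, from WSO2 or from Balana): it builds the XACML 3.0 request for the logged-in user's role, the JSP path and the HTTP method, wraps it in the getDecision SOAP envelope of the EntitlementService admin service, and treats anything other than an explicit Permit as a denial. The role attribute id, the SOAPAction header value, the endpoint URL and the credentials are assumptions that must match your deployment and your policy.

```python
import base64
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
AXIS_NS = "http://org.apache.axis2/xsd"
# Assumption: the attribute id your policy matches the user's role against (must match the policy).
ROLE_ATTR_ID = "http://wso2.org/claims/role"

def build_xacml_request(role, resource, action):
    """XACML 3.0 request: who (role) wants to do what (HTTP method) to which JSP page."""
    def attrs(category, attr_id, value):
        return (f'<Attributes Category="{category}"><Attribute AttributeId="{attr_id}" '
                f'IncludeInResult="false"><AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">'
                f'{escape(value)}</AttributeValue></Attribute></Attributes>')
    return (f'<Request xmlns="{XACML_NS}" CombinedDecision="false" ReturnPolicyIdList="false">'
            + attrs("urn:oasis:names:tc:xacml:1.0:subject-category:access-subject", ROLE_ATTR_ID, role)
            + attrs("urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
                    "urn:oasis:names:tc:xacml:1.0:resource:resource-id", resource)
            + attrs("urn:oasis:names:tc:xacml:3.0:attribute-category:action",
                    "urn:oasis:names:tc:xacml:1.0:action:action-id", action) + "</Request>")

def soap_get_decision(xacml_request):
    """Wrap the request in the getDecision envelope of the EntitlementService admin service."""
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:xsd="{AXIS_NS}"><soapenv:Header/>'
            f'<soapenv:Body><xsd:getDecision><xsd:request>{escape(xacml_request)}</xsd:request>'
            '</xsd:getDecision></soapenv:Body></soapenv:Envelope>')

def parse_decision(soap_response):
    """Return the XACML Decision text; a missing or malformed result counts as Indeterminate."""
    ret = ET.fromstring(soap_response).find(f".//{{{AXIS_NS}}}return")
    if ret is None or not ret.text:
        return "Indeterminate"
    decision = ET.fromstring(ret.text).find(f".//{{{XACML_NS}}}Decision")
    return decision.text if decision is not None else "Indeterminate"

def is_permitted(soap_response):
    # Fail closed: only an explicit Permit unlocks the page (Deny, NotApplicable, Indeterminate do not).
    return parse_decision(soap_response) == "Permit"

def ask_pdp(endpoint, username, password, xacml_request, timeout=5):
    """POST the call with HTTP Basic auth; endpoint is assumed to be the admin-service URL such as
    https://<is-host>:9443/services/EntitlementService, with the IS certificate trusted by this client."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(endpoint, data=soap_get_decision(xacml_request).encode("utf-8"), headers={
        "Content-Type": "text/xml;charset=UTF-8", "SOAPAction": "urn:getDecision", "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_decision(resp.read())
```

In a servlet filter you would call ask_pdp once per protected JSP request and send a 403 unless is_permitted returns True, so a PDP outage or an unmatched policy never opens the page.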

Related

How to create a policy for WSO2 Identity Server Entitlement

I am using WSO2 Identity Server 5.7.
I have seen some documentation for WSO2.
link:
https://docs.wso2.com/display/IS570/Entitlement+with+APIs#EntitlementwithAPIs-addPolicy()
My problem is how to use these things in Postman.
I have seen some documentation for the REST API, but in the REST API documentation a create-policy REST API is not available.
REST API document:
https://docs.wso2.com/display/IS570/Entitlement+with+REST+APIs
The API documentation you pointed to is for the SOAP APIs. There is no REST API for creating XACML policies in WSO2 IS. If your requirement is to use Postman to publish the policies, you can refer to this. It explains how to send the SOAP request from Postman.

How to use client_ip and request_uri in a XACML policy in WSO2 IS

We are using WSO2 IS as the identity bus for our solutions. We build REST APIs in WSO2 ESB to implement our integration and use the OAuth mediator there to secure our APIs.
In WSO2 IS we create a service provider named sp1 and apply a XACML policy to it. I want to create a XACML policy that permits incoming requests only when client_ip is xxx.xxx.xxx.xxx, the request URI is http://wso2ESB.uri/sampleApi/app and the method is GET.
Please help me to create this XACML policy in WSO2 IS.
Currently WSO2 Identity Server supports only scope-based XACML policy evaluation for OAuth2/OIDC service providers [1]; there is no out-of-the-box capability to evaluate a policy against client_ip, request URI or HTTP method. One way to handle this situation, independent of the OAuth mediator, is to write a custom class mediator that intercepts the request (a PEP) and invokes the EntitlementService to evaluate the request against the XACML PDP in Identity Server. Inside the custom class mediator you can write the logic needed to extract the information for the XACML request: client_ip, request URI, HTTP method, etc.
[1] https://docs.wso2.com/display/IS570/Validating+the+Scope+of+OAuth+Access+Tokens+using+XACML+Policies

WSO2 Identity Server Access Control based on SAML/XACML

I need to secure a SOAP web service (based on Axis2) with this configuration:
Client tries to consume the service
Client is redirected to an authentication server for authentication
If the client authenticates properly, the authentication server gives the client a SAML token with its attributes (basically a role)
There is a XACML policy (the client can use an operation provided by the web service only if it has the proper role) which is evaluated based on the role included in the SAML token.
So I have thought about using WSO2 Identity Server coupled with Rampart (I also need WS-Security for encryption and signature). Is it possible to do so? Can you suggest how?
You can either go with the WSO2 IS STS (which is WS-*) or SAML Web Browser SSO. Depending on the nature of your application (web browser based or not), you can pick either of the above methods. You can get user roles from the SAML response.
However, if you are using XACML, you do not need to get the user roles over SAML. Simply create a policy in WSO2 IS (with the required role and other conditions). Then create a PEP module to validate service requests. WSO2 IS will get the username, read the user's roles from the LDAP/user store and do the validation.

WSO2 Identity Server authorization API

I am trying to use WSO2 Identity Server as an authorization center:
There are several systems; they share the same user information.
I want them to use Identity Server to perform authentication and authorization.
In my research so far, I have found the API which I can use to perform authentication, and also the SOAP API to perform user/group/permission management.
But I could not find the API which I can use to perform an authorization request. So far that code is written in AuthrozationMgrJDBCImpl; there is no SOAP API exposing it.
Does anybody know of such an API?
Yes. WSO2 Identity Server can be used for centralized authorization management. There are two approaches:
Use the XACML capabilities of WSO2 IS. This is the standard way. WSO2 IS can act as a XACML PDP. You can create policies for different applications. The PDP is exposed as a web service API; applications can call this web service API to receive authorization decisions based on the policies. You can see the WSDL by pointing to https://localhost:9443/services/EntitlementService?wsdl. You can find more details on XACML and WSO2 IS here.
Use the "AuthorizationAdminService" service. This is the custom way that you have referred to. WSO2 IS stores permission data in its own database and manages it through JDBCAuthorizationManager. However, it only supports RBAC (in XACML you can use ABAC). You can see the WSDL by pointing to https://localhost:9443/services/AuthorizationAdminService?wsdl.
Note: You can see the WSDL of this service, but it is not exposed by default. Please go through this SO question. Also, the "AuthorizationAdminService" service is available only from WSO2 IS version 450 onwards.

REST APIs for WSO2 Identity Server

In the link
http://blog.facilelogin.com/2008/10/wsas-hiddedn-services.html I saw WSO2 SOAP APIs; can I get their equivalent REST APIs, and an example which shows how to pass authentication details? I need this for WSO2 Identity Server.
In Identity Server, you can find many management web service APIs that can be used for authentication, authorization, user management and so on. Could you let us know the API that you are looking for? Then we can say exactly which web service you could use. As an example, for XACML-based authorization there is the "EntitlementService" web service, for which you can find more details here. But a REST API is still not available for this service.
Normally these web service APIs are referred to as admin services in WSO2 products.
Currently (with IS 450), it has a REST API for user management based on SCIM, which you can find here. However, you can expose all SOAP-based APIs as REST APIs using the WSO2 APIM product.