What are the alternatives available while using WSO2 Identity server as PDP?
If we use WSO2 ESB, it's creating one extra layer.
So what benefits will we get by using it? If we use Sun's XACML API to send and receive the request and response in some class which acts as PEP, then would it be bad design?
It is not necessary to use the WSO2 ESB as a PEP. You can write your own PEP to integrate with your application. As an example, if your application is a Java web application, you can write your own PEP client to call the EntitlementService.
The advantage of using WSO2 ESB is that it can act as a security gateway for all your types of requests. It can do authentication/security protocol switching and more. It has an extensible architecture. If your whole idea is only to use WSO2 ESB as a PEP, I do not think it is worth it. The ESB is also calling the EntitlementService of WSO2 IS. Therefore you can directly call it from your application. You can write a simple PEP client using Java. You can find a Java client from here and you can integrate it with your application as a PEP. There are some places that have done it. Please find one from here. In his sample, a command line client calls the EntitlementService.
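A PEP that talks to the PDP directly, as the answer above suggests, has to decide what to do with every response it gets back, including errors and unexpected decisions. The following is an added example, not code from WSO2 or from the answer: a deny-biased check of a XACML response in Java. It assumes the XACML 3.0 response namespace and leaves out the call to the EntitlementService itself; the class name, method name and the `urn:example:audit` obligation id are made up for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Set;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Deny-biased handling of a XACML response inside a PEP (illustrative names). */
public class DenyBiasedPep {
    // Assumption: the PDP answers in the XACML 3.0 core namespace.
    static final String NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17";

    /** True only for a single Result whose Decision is Permit and whose obligations are all known. */
    static boolean isPermitted(String responseXml, Set<String> knownObligations) {
        try {
            DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
            f.setNamespaceAware(true);
            // Treat the response as untrusted input: refusing DTDs blocks XXE.
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            Document doc = f.newDocumentBuilder()
                    .parse(new ByteArrayInputStream(responseXml.getBytes(StandardCharsets.UTF_8)));
            NodeList results = doc.getElementsByTagNameNS(NS, "Result");
            if (results.getLength() != 1) return false;
            Element result = (Element) results.item(0);
            NodeList decisions = result.getElementsByTagNameNS(NS, "Decision");
            if (decisions.getLength() != 1) return false;
            // Deny, NotApplicable and Indeterminate all end up as "not permitted".
            if (!"Permit".equals(decisions.item(0).getTextContent().trim())) return false;
            NodeList obligations = result.getElementsByTagNameNS(NS, "Obligation");
            for (int i = 0; i < obligations.getLength(); i++) {
                String id = ((Element) obligations.item(i)).getAttribute("ObligationId");
                if (!knownObligations.contains(id)) return false; // cannot fulfil it, so deny
            }
            return true;
        } catch (Exception e) {
            return false; // malformed XML, error page, empty body: fail closed
        }
    }

    public static void main(String[] args) {
        // Constructed sample responses, not captured from a real PDP.
        String open = "<Response xmlns=\"" + NS + "\"><Result><Decision>";
        String permit = open + "Permit</Decision></Result></Response>";
        String notApplicable = open + "NotApplicable</Decision></Result></Response>";
        String withObligation = open + "Permit</Decision><Obligations>"
                + "<Obligation ObligationId=\"urn:example:audit\"/></Obligations></Result></Response>";
        System.out.println(isPermitted(permit, Set.of()));
        System.out.println(isPermitted(notApplicable, Set.of()));
        System.out.println(isPermitted(withObligation, Set.of()));
        System.out.println(isPermitted(withObligation, Set.of("urn:example:audit")));
        System.out.println(isPermitted("<html>503</html>", Set.of()));
    }
}
```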
Related
Can we implement a secured API in WSO2 ESB and can we provide an existing user's credential (as a header), who is in ESB's user store, to access it?
This scenario can be done in ESB Proxy: Guide by providing a policy file. Can't we do the same in API too, if not what is the reason behind that?
If you are going to secure the APIs using OAuth2 you can use the OAuth mediator, but if you are looking to use basic auth you need to write a class mediator. (Here is an old article; you can get a brief idea on implementing a basic auth class mediator even though the details are outdated.)
I'm working on a master's degree project whose main goal is a study of WSO2.
Through wso2 I need to be able to:
Do protocol Bridging (eg: rest to soap);
Apply data transformation (apply xslt on xml);
Content based routing;
Load balancing;
Create authentication and authorization layer to legacy services (authentication via oauth 1.0a);
Exception shielding;
Service monitoring;
Services lifecycle control;
So, my question is: do I need any other wso2 product, or ESB is just fine? For example to implement the security layer and all the load balance stuff do I need to add wso2 identity server and wso2 elastic load balancer?
Or even more: do I need to extend the ESB by writing custom code to solve any of these issues? In which cases is extending the ESB the only way to go?
I hope not to be naive trying to solve all these complicated issues, but I'm kinda lost on this big Swiss knife that WSO2 is.
Thanks
Please find my answer.
Do protocol Bridging (eg: rest to soap) ---> ESB
Apply data transformation (apply xslt on xml) ----> ESB
Content based routing ----> ESB
Load balancing ---> ESB can be used. But I prefer Apache HTTP and Nginx. They are more intended for that purpose
Create authentication and authorization layer to legacy services (authentication via oauth 1.0a) --> ESB can be used. But you need an OAuth2 Authorization server for token validation. Also, XACML PDP for policy validation. Both are available with Identity Server. According to the Carbon, you can install those features with ESB as well. But it is not recommended much. Please see more details from here
Exception shielding ---> ESB
Service monitoring ----> ESB can be used. But if more, you can use BAM
Services lifecycle control ---> ESB can be used. If needed more, you can install G-reg features
I think it is enough to use only WSO2 ESB and WSO2 IS for this purpose. Sometimes you may need to write some code. But it is easy, as there are a lot of samples available freely.
I would like to use/customize the PEP implementation provided by WSO2 IS, but I am not sure about two things:
if the PEP would be centralized or not. In other words, does each Web service have its own PEP or is it the same? In practice where would the PEP be placed?
Also, are there any examples of how a PEP implementation can be integrated or incorporated into a WSO2 Enterprise Service Bus? In other words, how can we use the two together?
If we are talking about WSO2 ESB, there is the entitlement mediator, which is the PEP for WSO2 Identity Server. There must be one PEP implementation. But it can be used by several web services. In the ESB, a mediator is something that you can engage with the message path to intercept the message. The entitlement mediator can be used in the same way. It can be engaged with multiple proxy services in the ESB.
You can even write a new PEP as an ESB mediator and engage your custom mediator into the message path. You can refer to this document on writing a new custom mediator. Also, you can reuse the PEP client code that can be found here. Basically you want to modify the PEP client code as an ESB custom mediator.
I have an internal webservice exposed in SOAP/HTTP. What I am trying to achieve using API manager is to expose my internal SOAP based webservice over different protocols like XML, JSON etc.
Does WSO2 API Manager have that capability?
Thanks and Regards
Privin Thomas
If you wish to transform the incoming message into a different format for the backend, this can be done using the underlying ESB capabilities of the API Manager. There are actually several ways. IMHO, the easiest way to do this is with Mediation Extensions. For information on adding a Mediation Extension to an API, please see the documentation here:
https://docs.wso2.com/display/AM170/Adding+Mediation+Extensions
From what I've read and experienced, the API Manager 1.3.1 only generates proxies. However, I would like to proxy a back-end SOAP service with a SOAP service proxy and have the proxy implement a WS-Policy with a WS-SecurityPolicy.
Is there built-in support for this in API Manager 1.3.1?
Will there be support for this in the next version of API Manager?
If no, then what steps would I take to have the API Publisher and Store apps recognize SOAP proxies?
I hope that API Manager is not the ideal way to start to implement your use case. You should use the Enterprise Service Bus, which provides the UI and other necessary tools to implement the scenario.
You can install the required features (which are pre-installed in ESB) to API Manager and use those features. But you can just go ahead with WSO2 ESB as it is.
http://docs.wso2.org/wiki/display/ESB402/Secure+Proxy+Template
WSO2 ESB itself contains throttling [1] / analytics [2] support. You can check the documentation on how to enable throttling for proxies. If you would like to use API Manager, define a proxy in another instance (like ESB) and provide that as the endpoint when you create an API. But that proxy has to handle REST calls.
But from my understanding, you can simply use WSO2 ESB.
[1] http://docs.wso2.org/wiki/pages/viewpage.action?pageId=15471353
[2] http://docs.wso2.org/wiki/display/ESB451/Statistics