Sunday, October 6, 2013

How to write a simple XACML policy in WSO2 IS

We meet again :)

Let's talk about how to write a simple XACML policy in WSO2 IS.

First let's recall our scenario.

Please refer to the following links to understand the scenario.





We wrote our JAX-RS service with users initialized.

Let's say we had a user 'john' with user id 124 and another user with user id 125.

Now we have a requirement: john must be permitted to read something, but nobody else should be able to read it.

So how can we handle this authorization situation?

It is really simple to write XACML policies with the new user interface provided in WSO2 IS 4.5.0.

Login to IS and go to 

Now let's fill in the necessary information.

1) First, give the XACML policy a name.

2) Then you can fill in a description.

3) Then select what this policy is based on. For our scenario it is based on the resource we have, which is the web service deployed on the Application Server. Therefore we can select Resource.

4) Then give the resource name.

Note that the input values change depending on what the policy is based on.

5) Now let's focus on the bottom part. We do not intend to give a child resource.

Our user is john.
The action is READ.
You can even give an environment.

Now we have filled in the information we need to implement the policy.

You can follow the following links to get an in-depth understanding of writing XACML policies in WSO2 IS.




After filling in the information regarding the XACML policy, click on the Finish button.

Now let's think about why we registered the PIP. The reason is that we needed to get the user information required for authorization.

What user information were we trying to access from the web service? It was the username that corresponds to the user id.

So what have we actually done? We have written an XACML policy to permit READ access to john.

Now, we need to tell the policy: "Look, you have to permit 'john' READ rights to certain information, but only the user id of john is provided. So you have to verify the user id against the username before giving any permission. You have to look to a PIP to get this information."

But actually we haven't mentioned in the policy how to get this information.

Let's go do that. Go to 

You can see the information we have given. Check out the user information section. There you have to mention where to get the user information needed to permit access to john: the attribute Id you gave when you wrote the PIP. In this case it is 'USERNAME'.
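To see what the wizard builds from these inputs, here is the same policy written out by hand as XACML 3.0 (an added example, not output copied from WSO2 IS; the resource name is a placeholder, and the USERNAME attribute id is the one the PIP resolves from the user id in the request):

```xml
<!-- Added example: policy equivalent to the wizard steps above (resource name is a placeholder) -->
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="permit-john-read"
        Version="1.0"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
  <Description>Only john may READ the service; everyone else is denied.</Description>
  <!-- Policy target: applies only to the resource chosen in step 3/4 -->
  <Target>
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/services/PLACEHOLDER_SERVICE</AttributeValue>
          <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                               Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                               DataType="http://www.w3.org/2001/XMLSchema#string"
                               MustBePresent="true"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
  <Rule RuleId="john-may-read" Effect="Permit">
    <Target>
      <AnyOf>
        <AllOf>
          <!-- USERNAME is not in the request (only the user id is); the PDP asks the PIP for it -->
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">john</AttributeValue>
            <AttributeDesignator AttributeId="USERNAME"
                                 Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"
                                 MustBePresent="true"/>
          </Match>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">READ</AttributeValue>
            <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                 Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"
                                 MustBePresent="true"/>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
  </Rule>
  <!-- No Deny rule needed: deny-unless-permit yields Deny for any other user or action -->
</Policy>
```

Because of MustBePresent="true" and the deny-unless-permit algorithm, a request whose user id the PIP cannot map to a username evaluates to Deny rather than silently passing, which is the fail-closed behaviour you want for this scenario.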

Now the policy knows everything :). Go to Policy Administration and click on Publish to My PDP to publish the policy.

Then click on Publish.

Then go to Policy View and enable the policy.

Now the policy is all ready. In the next post let's talk about the Try It tool to check out the policy.

See y'all!
