Monday, October 7, 2013

Fine-grained authorization with PIP points - WSO2 IS

Use Case Scenario :-
User ‘john’ is trying to get READ access using his user id.
Authorization should be granted only after validating the user id against the user name, which the PDP requests from a PIP point.

The PIP requests this information from a web service.

Now let's see how to implement this use case scenario.

1) First of all you need to have the JAX-RS service implemented.
2) Then you need to deploy it in the application server.

6) You can use the TryIt tool in Identity Server as the PEP to test the XACML policy.
7) You need to expose the entitlement service of the IS and then send requests via SoapUI (you can also configure WSO2 ESB to extend the use case).


Sunday, October 6, 2013

How to expose the entitlement service in WSO2 Identity Server and send requests via SoapUI

Hi All,

First let's talk about how to expose the entitlement service in the Identity Server.

1) Go to <IS HOME>\wso2is-4.5.0\repository\conf and open the carbon.xml.

2) Set <HideAdminServiceWSDLs> to false in that file.

3) Start the Identity Server.

4) Copy and paste the following URL into the browser address bar.

https://localhost:9444/services/EntitlementService?wsdl

If you have saved the settings correctly, you should be able to view the entitlement service WSDL.

5) Save the wsdl file.


Now let's see how to use the WSDL and SoapUI to send requests.

1) Open SoapUI.

2) Go to File in top menu bar and select New SoapUI Project.

3) Give a project name and browse for the WSDL file.

4) Then click OK; sample requests for all operations will be created automatically.

5) Then select the getDecisionByAttributes request.

6) Then fill in the parameter details for the XACML policy we have written.

7) Then you have to authorize the request by entering admin and admin as the username and password respectively.

Now you can send the request and check the decisions. Permit is received as the decision only when user id 124 is trying to READ.
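The same getDecisionByAttributes call, scripted in Python instead of SoapUI, as an added example that is not part of the original post. The Axis2 wrapper namespace, the element names and the SOAPAction header are assumptions to check against the WSDL you saved; the sample response is constructed to show the shape the parser expects.

```python
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
AXIS_NS = "http://org.apache.axis2/xsd"   # assumed wrapper namespace; confirm in the saved WSDL
ENDPOINT = "https://localhost:9444/services/EntitlementService"


def build_request(subject, resource, action, environment=None):
    """Wrap the TryIt-style attributes in a SOAP 1.1 envelope for getDecisionByAttributes."""
    envelope = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(envelope, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, f"{{{AXIS_NS}}}getDecisionByAttributes")
    for name, value in (("subject", subject), ("resource", resource), ("action", action)):
        ET.SubElement(op, f"{{{AXIS_NS}}}{name}").text = value
    if environment:                       # the policy on this page uses no environment
        ET.SubElement(op, f"{{{AXIS_NS}}}environment").text = environment
    return ET.tostring(envelope, encoding="unicode")


def parse_decision(soap_response):
    """The service returns the XACML <Response> as an escaped string inside <return>."""
    root = ET.fromstring(soap_response)
    ret = next(e for e in root.iter() if e.tag.split("}")[-1] == "return")
    xacml = ET.fromstring(ret.text)
    return next(e.text for e in xacml.iter() if e.tag.split("}")[-1] == "Decision")


def ask_pdp(subject, resource, action, user, password, cafile):
    """POST with HTTP basic auth; cafile is the IS server certificate (PEM) so TLS stays verified."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        ENDPOINT, data=build_request(subject, resource, action).encode(),
        headers={"Content-Type": "text/xml; charset=utf-8",
                 "SOAPAction": "urn:getDecisionByAttributes",   # assumed; check the WSDL
                 "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, context=ssl.create_default_context(cafile=cafile)) as resp:
        return parse_decision(resp.read().decode())


# Constructed sample of the response shape, used to check parse_decision() offline.
SAMPLE_RESPONSE = (
    f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Body>'
    f'<ns:getDecisionByAttributesResponse xmlns:ns="{AXIS_NS}"><ns:return>'
    '&lt;Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"&gt;&lt;Result&gt;'
    '&lt;Decision&gt;Permit&lt;/Decision&gt;&lt;/Result&gt;&lt;/Response&gt;'
    '</ns:return></ns:getDecisionByAttributesResponse></soapenv:Body></soapenv:Envelope>')
```

Call ask_pdp("124", "<resource name from the policy>", "READ", "admin", "admin", "/path/to/is-cert.pem") against a running IS to get the live decision.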

In the next post we will look at a use case scenario where fine-grained authorization is achieved via the XACML engine in WSO2 IS 4.5.0 with PIP points.

Thank you!

How to use the TryIt tool in WSO2 IS

Let's try out the XACML policy we have written using the WSO2 IS TryIt tool.

Log in to IS and go to PEP > TryIt.

Let's look at the input values for the XACML request.

Here we are using the TryIt tool as the Policy Enforcement Point in the XACML engine.

We send the request from the PEP, which gets the policy decision from the PDP and enforces it.

Let's fill out the input values as follows in the tool :-

1) Resource - the service name you have given in the policy

2) Subject Name - the user trying to access the resource. Here we send the user's id; the policy then asks the PIP for the user information

3) Action - the action of the user, in this case READ

4) Environment Name - since we haven't mentioned any in the policy, we do not have to input it here

Now let's look at the request created by the TryIt tool. Click on the Create Request button.

The request is created with the values we have filled out.

Now let's evaluate with the PDP to get the decision. Click on the Evaluate with PDP button.

You can see the decision is Permit.

You can go back and try to evaluate with different input values and see the decision of the PDP.

The policy only permits when user id 124 is trying to READ.

Thank you and see you all soon :)

How to write a simple XACML policy in WSO2 IS

We meet again :)

Let's talk about how to write a simple XACML policy in WSO2 IS.

First let's recall our scenario.

Please refer to the following links to understand the scenario.

1) http://umeshagunasinghe.blogspot.com/2013/09/how-to-create-jax-rs-service-using-wso2.html


2) http://umeshagunasinghe.blogspot.com/2013/09/how-to-deploy-jax-rs-service-in-wso2.html

3) http://umeshagunasinghe.blogspot.com/2013/10/how-to-write-pip-point-for-wso2-is.html

4) http://umeshagunasinghe.blogspot.com/2013/10/how-to-register-pip-in-wso2-is.html

We wrote our JAX-RS service with users initialized.

Let's say we had a user 'john' with user id 124 and another user with user id 125.

Now we have a requirement that we need to permit john to read something.

But nobody else should be able to read it.

So how can we handle this authorization situation?


It is really simple to write XACML policies with the new user interface provided by WSO2 IS 4.5.0.

Log in to IS and go to

Now let's fill in the necessary information.

1) First give the XACML policy a name.

2) Then you can fill in a description.

3) Then select what this policy is based on. In our scenario it is based on the resource we have, which is the web service deployed on the Application Server. Therefore we select Resource.

4) Then give the resource name.

Note that the input values may change depending on what the policy is based on.

5) Now let's focus on the bottom part. We do not intend to give a child resource.

Our user is john.
The action is READ.
You can even give an environment.

Now we have filled the information we need to implement the policy.


You can follow these links for an in-depth understanding of writing XACML policies in WSO2 IS.


1) http://xacmlinfo.org/2013/09/02/how-write-xacml-policies-1/


2) http://xacmlinfo.org/2013/09/03/how-to-write-xacml-policies-part-2/


3) http://xacmlinfo.org/2013/09/05/how-to-write-xacml-policies-part-3-basic-policy-editor/


After filling in the XACML policy information, click on the Finish button.

Now let's think about why we registered the PIP. The reason is that we needed to get the user information required for authorization.

What user information were we trying to access from the web service? It was the username mapped to the user id.

So what have we actually done? We have written an XACML policy to permit READ access to john.

Now we need to tell the policy: "Look, you have to permit 'john' READ rights to certain information, but only john's user id is provided. So you have to verify the user id against the username before giving any permission, and you have to look to a PIP for this information."

But we haven't yet mentioned in the policy how to get this information.

Let's go do that. Go to

You can see the information we have given. Check out the user information section: there you have to specify where to get the user information needed to permit access to john, by entering the attribute Id you gave when you wrote the PIP. In this case it is 'USERNAME'.

Now the policy knows everything :). Go to Policy Administration and click on Publish to My PDP to publish the policy.

Then click on Publish.

Then go to Policy View and enable the policy.

Now the policy is all ready. In the next post let's talk about the TryIt tool to check out the policy.

See y'all!

Saturday, October 5, 2013

How to register a PIP in WSO2 IS

Okay, in the previous post I explained a sample PIP code.
Now we need to register this PIP in WSO2 IS.
I am using the newly released WSO2 IS 4.5.0 for the scenario.
Following are the steps you should follow to register the PIP point with IS.

1) First of all you have to build the code to create the .jar file for the PIP, e.g. using Maven.

2) Then download WSO2 IS 4.5.0 from here, go to <IS HOME>\wso2is-4.5.0\repository\components\lib and put that .jar file there.

Important: remember to also copy the other dependency .jar files you downloaded to build the PIP code into the above location.

3) Finally, go to <IS HOME>\wso2is-4.5.0\repository\conf\security and add the line that registers the PIP to the entitlement.properties file.

UserPIPAttributeFinder is our sample PIP.

Now you have your PIP registered with IS.

In my next post, I will be focusing on how to write a simple XACML policy that uses the PIP we registered for authorization.

Thank You!

How to write a PIP point for WSO2 IS

Today, we are going to talk about how to write a PIP for WSO2 IS.

In my previous posts I have discussed how to write a JAX-RS service, how to deploy it in WSO2 Application Server and how to send requests to it.

In this post we go a step further and discuss how we can access that service deployed in the Application Server to get the information needed for authorization.

WSO2 Identity Server supports fine-grained authorization with XACML 3.0 in IS 4.5.0.
We can register PIP points to retrieve information needed for authorization. For that, a PIP should be written and registered with IS.

You can download a sample PIP from here.

Here, let's talk about the main sections of the code sample and how to customize it to access the JAX-RS service deployed in the App Server.

1) The supported attributes should be initialized.

2) Then the getAttributeValues method should be implemented to set up the connection to the service in the Application Server and get the required values.

In the code sample, the serviceURL is set to the service's username resource, and the subject is passed to the method as the user id.
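To see how the policy post's USERNAME lookup and this post's getAttributeValues fit together, here is an added Python model of the PDP/PIP exchange (not the WSO2 sample PIP, which is Java): the PDP receives only the user id, the PIP resolves it to a username, and only john gets Permit for READ. The user directory, the resource name 'UserService', the second user's name and the final deny rule are constructed assumptions; the parameter order of get_attribute_values follows the IS 4.x method as assumed from the post.

```python
# Constructed user directory standing in for the deployed JAX-RS service ('jane' is a placeholder).
USER_SERVICE = {"124": "john", "125": "jane"}


def lookup_username(user_id):
    """Stand-in for the HTTP call the real PIP makes to the JAX-RS service."""
    return USER_SERVICE.get(user_id)


class UserPipAttributeFinder:
    """Shape of a WSO2 PIP attribute finder: it declares which attribute ids it can resolve
    and resolves them when the PDP asks. The parameter order follows the IS 4.x
    getAttributeValues(subject, resource, action, environment, attributeId, issuer)
    method as assumed from the post; check it against the sample PIP you downloaded."""
    SUPPORTED = {"USERNAME"}   # the attribute Id entered in the policy's user information section

    def get_supported_attributes(self):
        return set(self.SUPPORTED)

    def get_attribute_values(self, subject, resource, action, environment, attribute_id, issuer):
        if attribute_id not in self.SUPPORTED:
            return set()
        name = lookup_username(subject)   # the subject carries the user id, not the name
        return {name} if name else set()


# Constructed policy; 'UserService' is a placeholder for the resource name given in the policy.
POLICY = {"resource": "UserService", "action": "READ",
          "attribute_id": "USERNAME", "permitted_user": "john"}


def evaluate(request, pip, policy=POLICY):
    """Tiny PDP: match the Resource target, then decide the rule using the PIP's answer."""
    if request["resource"] != policy["resource"]:
        return "NotApplicable"            # target does not match this policy
    if request["action"] != policy["action"]:
        return "Deny"                     # assumed final deny rule for non-READ actions
    names = pip.get_attribute_values(request["subject"], request["resource"],
                                     request["action"], request.get("environment"),
                                     policy["attribute_id"], None)
    if not names:
        return "Indeterminate"            # PIP could not resolve the id: missing attribute
    return "Permit" if policy["permitted_user"] in names else "Deny"


if __name__ == "__main__":
    pip = UserPipAttributeFinder()
    for subject, action in (("124", "READ"), ("125", "READ"), ("124", "WRITE")):
        request = {"subject": subject, "resource": "UserService", "action": action}
        print(subject, action, evaluate(request, pip))   # Permit, Deny, Deny
```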

In the next post we will talk about how to register the PIP in WSO2 IS.