Published on WSO2 Oxygen Tank (http://wso2.org)

Using XACML Fine Grained Authorization with the WSO2 Product Platform
By mccloud35 Created 2010-10-17 05:49

The problem with most security schemes is that they do not give you the ability to fine-grain your authorization scheme unless a substantial amount of work goes into implementing such a scheme from scratch. The WSO2 product platform relieves the system architect of this burden and allows you to integrate XACML based authorization into a deployment and have a full blown authorization scheme in place with minimum effort.

Introduction
XACML fine grained entitlement gives you an extremely flexible way of limiting access to resources based on environment, role, user or any other attribute. An example would be "Allow Tharindu and any user in an Admin role to access MarketDataService only between 8 AM and 5 PM on weekdays". We will be using the WSO2 ESB and the WSO2 Identity Server (IS) to implement the XACML authorization scheme. Knowledge of Web Services, XML and security principles is expected as a prerequisite to follow and understand this article.

Applies To
WSO2 Identity Server: Version 3.0.0 and above
WSO2 ESB: Version 3.0.0 and above

Table of Contents
Architecture
Considerations
HOWTO - Setting up the WSO2 products for XACML based authorization
Testing the setup
Conclusion
Resources

Architecture
In this scheme for authorization we will be using the Identity Server (IS) as the PDP and the ESB as the PEP. Any request that comes in to the ESB will be checked for the necessary authorization by generating a XACML request and sending it to IS. IS will then validate that request against the XACML policy and inform the ESB whether to allow or deny access to the request. The ESB will then act accordingly to deny or allow access to the request. The communication between the IS and the ESB will be through HTTPS. A sample Java client will be used to test this pattern.

Considerations

XACML expertise
XACML expertise would be needed in defining a proper policy to accommodate complex requirements. Since this is an authorization checkpoint, extensive testing should be carried out to ensure the accuracy of the policy after a modification.

Roles and Groups in the Identity Server
The request will be authorized according to the roles and groups set up in the IS. Therefore, if the XACML policy states that admin users have access to resource X, then all users who need access to resource X must have user accounts belonging to the 'admin' role in the IS.

HOWTO - Setting up the WSO2 products for XACML based authorization
In this pattern, the guide explains first how to set up roles and groups in the Identity Server according to the authorization requirements. Then the Identity Server is set up with the XACML policy. Then the Entitlement mediator is set up in the ESB, followed by the Entitlement Proxy Service. The following sections will explain each of these steps:
Setting up the servers
Setting up roles and groups in Identity Server
Setting up IS with XACML Policy
Setting up in out sequences with an Entitlement mediator
Setting up an Entitlement Proxy Service

Setting up the servers

The WSO2 Identity Server and the WSO2 ESB both use the ports 9763 (http) and 9443 (https) by default. Therefore, we will change the ports used by the WSO2 Identity Server to 9765 (http) and 9763 (https). For this, please replace the mgt-transports.xml located at $IDENTITY_SERVER_HOME/repository/conf with the one provided here: wso2.org/files/mgt-transports.xml [1]. Then start up both servers by going to the respective bin directories of each server and running wso2server.sh (*nix) or wso2server.bat (Windows).

Setting up Roles and Groups in the Identity Server
Setting up roles and groups is a simple process in the IS, but it is an important one, as it determines which users get authorization to access which resource. Let us create a new role and add users into it, as well as add users to an existing role.

Creating a new role and adding users
Click on 'Users and Roles' on the main menu on the right. Click on 'Roles'. Click on 'Add New Role'.

Let us create a new role named 'Architect'. Now we will have to give permissions to this role. This step applies to the permissions that apply within IS; it is not related to the XACML request. Therefore, the permissions given here should only be those that a user in a particular role needs in order to do their work in IS. Let us just give the role 'login' permissions. Now let us add a user into this role. In this case it will be the user 'Tharindu' who is added to this role. This step can be skipped if no users exist yet or the user profiles are not yet created.

This concludes the steps needed to create a new role. The new list of roles will now be shown.

Adding a user to a role
Let us add a new user to the admin role. Go to 'Roles' as before and click on 'Users'. Enter a user name, or '*' to list all users. Select the users needed in the 'admin' role and click Update.

It will indicate that the role has been updated accordingly.

Setting up the Identity Server with XACML Policy
Start up the Identity Server using wso2server.bat (Windows) or wso2server.sh (Linux). Log in to the Identity Server with an account that has login and manage privileges. The admin/admin default credentials work if they have not been removed. Now click on the Policies listed under the Entitlement menu. A user can click on "Add New Entitlement Policy" and edit the template policy accordingly. In the next sections a XACML policy defined to give access to any user in the admin role is set up in the Identity Server. The policy used for this article is located in the sample-xacml-policy.xml available at wso2.org/files/sample-xacml-policy.xml [2]. This file or any other policy file can be imported using the "Import New Entitlement Policy" button. It will then be listed under "Available Entitlement Policies".
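The article links to its sample-xacml-policy.xml attachment but does not reproduce it. The XACML 2.0 policy below is an added example written for this page, not the attachment itself: it permits the action "read" on the echo service resource for any subject whose "group" attribute equals "admin", and explicitly denies everything else. The attribute ids (subject "group", the standard resource-id and action-id) are the ones used by the sample request shown in the next section; the PolicyId, RuleIds and Description text are made up for this example.

```xml
<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
        PolicyId="urn:example:echo-admin-group-policy"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Description>Example policy (not the article's attachment): members of the 'admin' group may read the echo service.</Description>

  <!-- The policy as a whole applies only to the echo service URLs. XML Schema regular
       expressions are implicitly anchored, so the trailing .* is what allows sub-paths
       such as /services/echo/echoString to match. -->
  <Target>
    <Resources>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/echo.*</AttributeValue>
          <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                                       DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </ResourceMatch>
      </Resource>
    </Resources>
  </Target>

  <!-- Rule 1: permit when the subject's 'group' attribute is 'admin' and the action is 'read'. -->
  <Rule RuleId="permit-admin-group-read" Effect="Permit">
    <Target>
      <Subjects>
        <Subject>
          <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
            <SubjectAttributeDesignator AttributeId="group"
                                        DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </SubjectMatch>
        </Subject>
      </Subjects>
      <Actions>
        <Action>
          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                       DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ActionMatch>
        </Action>
      </Actions>
    </Target>
  </Rule>

  <!-- Rule 2: a catch-all Deny, so that a non-admin request yields Deny rather than NotApplicable. -->
  <Rule RuleId="deny-everything-else" Effect="Deny"/>
</Policy>
```

Import it through "Import New Entitlement Policy" and evaluate it with the sample request: a request carrying group=admin and action read on the echo resource returns Permit; the same request with any other group value returns Deny. The combining algorithm is the part to get right: first-applicable stops at the Permit rule, whereas deny-overrides would let the catch-all Deny rule (which has no Target and therefore always applies) override the Permit and lock everyone out. Testing both a positive and a negative request after every policy edit, as the Considerations section recommends, catches exactly this kind of mistake.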

The XACML policy can be evaluated by clicking "Evaluate Entitlement Policies" (refer to the screenshot above). This brings up a dialog where you can enter your XACML request. This will result in a Permit/Deny/Not Applicable output. A sample request is included in the sample-xacml-request file available at wso2.org/files/sample-xacml-request.xml [3]. It is also given below:

<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Subject>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
               DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>admin</AttributeValue>
    </Attribute>
    <Attribute AttributeId="group" DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>admin</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <!-- The DataType values of the resource-id and action-id attributes were cut off in the
         extracted page; they are restored here as xs:string, matching the subject attributes. -->
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
               DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>http://localhost:8280/services/echo/echoString</AttributeValue>
    </Attribute>
  </Resource>
  <Action>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
               DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>read</AttributeValue>
    </Attribute>
  </Action>
  <Environment/>
</Request>

This request means that the 'admin' user from the 'admin' group is trying to access the http://localhost:8280/services/echo web service. In this case, it will be permitted.

Setting up in out sequences with an Entitlement mediator
Log in to the ESB Management console by going to ENTER URL and using admin/admin as the username and password. Now, create a sequence by clicking "Sequences" in the left menu and then clicking "Add Sequence" in the Mediation Sequences page.

Name the sequence "EntitlementInSequence" and add the "Entitlement" mediator through Add Child -> Advanced -> Entitlement. In the Entitlement Mediator, "Entitlement Server" should be the URL of the IS server. For example, if IS is running on the local machine on port 9445, the URL is https://localhost:9445/services/ [4]. The user configured here should have login and manage permissions in the IS. Now, add a "Header" mediator through "Add Sibling" -> Transform -> Header.

The Header mediator is configured to remove the Security header. Click on the namespaces and enter the prefix as "wsse" and the URI as "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd". Add a send mediator and a drop mediator to the sequence through Add Sibling -> Core -> Send and Add Sibling -> Core -> Drop, and save the sequence.

The in sequence is now complete with all the necessary mediators. Create a new sequence and name it "EntitlementOutSequence". Add a Send and a Drop mediator as in step 5. This will complete both sequences.

Set up the Entitlement Proxy Service
Create a Custom Proxy through Add -> Proxy Service on the left menu.

Name the proxy EntitlementService and only allow https as the transport: unselect the http option and click Next. Pick the EntitlementInSequence as the In Sequence through the import option and click Next. Do the same for the EntitlementOutSequence as the Out Sequence and click Finish to save the proxy.
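The two sequences and the proxy built through the management console in the steps above correspond to a Synapse XML configuration. The block below is an added example reconstructed from those steps, not configuration taken from the article or its attachment. The element and attribute names of the entitlement mediator (entitlementService with remoteServiceUrl, remoteServiceUserName and remoteServicePassword) are assumed from the ESB 3.x mediator documentation; the port 9445, the admin/admin credentials and the sequence and proxy names are the values the article uses.

```xml
<definitions xmlns="http://ws.apache.org/ns/synapse">

  <!-- In sequence: PEP side of the pattern. -->
  <sequence name="EntitlementInSequence">
    <!-- Build a XACML request from the authenticated user and the target resource and
         send it to the Identity Server (PDP); the mediator stops the flow unless the
         decision is Permit. The credentials are an IS account with login and manage
         permissions, as the article requires. -->
    <entitlementService remoteServiceUrl="https://localhost:9445/services/"
                        remoteServiceUserName="admin"
                        remoteServicePassword="admin"/>

    <!-- Strip the wsse:Security header before the message is forwarded, because the
         backend echo service is not secured and would otherwise reject or ignore it. -->
    <header xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
            name="wsse:Security" action="remove"/>

    <send/>
    <drop/>
  </sequence>

  <!-- Out sequence: pass the backend response back to the client. -->
  <sequence name="EntitlementOutSequence">
    <send/>
    <drop/>
  </sequence>

  <!-- The proxy is exposed over https only, so the Username Token applied in the next
       step never travels in clear text. -->
  <proxy name="EntitlementService" transports="https">
    <target inSequence="EntitlementInSequence" outSequence="EntitlementOutSequence"/>
  </proxy>

</definitions>
```

The Username Token security applied in the following step adds a security policy reference to the proxy; that part is generated by the console and is not shown here. Note that the entitlement mediator's IS credentials sit in clear text in the configuration file, so the file should be protected like any other secret-bearing configuration.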

Now apply Username Token security to the proxy. Click on the proxy service name. In the dashboard, click Security under QoS configurations. Enable Security in the drop down menu by setting the option to Yes. Click on Option 1: username token and click Next. Give access to all roles. This further demonstrates that although any user will be able to access the proxy service, they will not be allowed to access the echo service, due to the XACML based authorization that takes place. This concludes all the steps necessary to set up XACML based authorization on the WSO2 platform.

Testing the setup
The following client can be used to test the pattern with the admin/admin credentials. The complete source package is attached to this article at http://wso2.org/files/WSEntitlementTestClient.zip [5]. It can be opened in an IDE and run against this setup without any modifications. Please add the jars in $ESB_HOME/repository/components/plugins to the classpath before running the project. NOTE: To test with any other user, make sure the user exists on the ESB as well as on the IS. The roles that the user belongs to are evaluated according to the user data in the IS.

import org.apache.axiom.om.OMAbstractFactory;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.om.OMFactory;
import org.apache.axiom.om.OMNamespace;
import org.apache.axiom.om.impl.builder.StAXOMBuilder;
import org.apache.axis2.Constants;
import org.apache.axis2.addressing.EndpointReference;
import org.apache.axis2.client.Options;
import org.apache.axis2.client.ServiceClient;
import org.apache.axis2.context.ConfigurationContext;
import org.apache.axis2.context.ConfigurationContextFactory;
import org.apache.neethi.Policy;
import org.apache.neethi.PolicyEngine;
import org.apache.rampart.RampartMessageData;

public class WSEntitlementTestClient {

    // This is the addressing URL pointing to the echo service deployed in the ESB
    private static final String ADDR_URL = "http://localhost:8280/services/echo";
    // TRANS_URL points to the proxy service in the ESB
    private static final String TRANS_URL = "https://localhost:8243/services/EntitlementService";

    public static void main(String[] args) throws Exception {
        ServiceClient client = null;
        Options options = null;
        OMElement response = null;
        ConfigurationContext context = null;
        String trustStore = null;

        // We are accessing the ESB over HTTPS, so we need to set the trustStore parameters.
        // You need to import the ESB's public certificate into this key store.
        trustStore = "wso2carbon.jks";
        System.setProperty("javax.net.ssl.trustStore", trustStore);
        // Password of the key store (wso2carbon.jks)
        System.setProperty("javax.net.ssl.trustStorePassword", "wso2carbon");

        // Create the configuration context; you will have the Rampart module engaged in the client.
        // The repository path was cut off in the extracted page: "repository" is a placeholder for
        // the client's Axis2 repository directory (the one holding the addressing and rampart modules).
        context = ConfigurationContextFactory.createConfigurationContextFromFileSystem("repository", null);

        // This is the security policy of the proxy service (Username Token) applied on the client side
        StAXOMBuilder builder = new StAXOMBuilder("policy.xml");
        Policy policy = PolicyEngine.getPolicy(builder.getDocumentElement());

        options = new Options();
        options.setTo(new EndpointReference(ADDR_URL));
        options.setAction("urn:echoString");
        // Transport the message to the proxy service while the WS-Addressing To header names the echo service
        options.setProperty(Constants.Configuration.TRANSPORT_URL, TRANS_URL);
        options.setProperty(RampartMessageData.KEY_RAMPART_POLICY, policy);
        // Username Token credentials; the IS evaluates this user's roles against the XACML policy
        options.setUserName("admin");
        options.setPassword("admin");

        client = new ServiceClient(context, null);
        client.engageModule("addressing");
        client.engageModule("rampart");
        client.setOptions(options);

        response = client.sendReceive(getPayload("Hello world"));
        System.out.println(response);
    }

    // Builds the <ns1:echoString><in>value</in></ns1:echoString> payload expected by the echo service
    private static OMElement getPayload(String value) {
        OMFactory factory = null;
        OMNamespace ns = null;
        OMElement elem = null;
        OMElement childElem = null;

        factory = OMAbstractFactory.getOMFactory();
        ns = factory.createOMNamespace("http://echo.services.core.carbon.wso2.org", "ns1");
        elem = factory.createOMElement("echoString", ns);
        childElem = factory.createOMElement("in", null);
        childElem.setText(value);
        elem.addChild(childElem);
        return elem;
    }
}

Conclusion
XACML is an open standard that brings a powerful and extensible fine grained authorization model to a deployment's security framework. The sample policy demonstrated in this article barely scratches the surface of what is possible with XACML based security. But, just as we have secured a simple web service with a simple XACML policy, a system developer just needs to follow the same steps to enable XACML based security in a large, complex deployment with the WSO2 product stack.

References
IS 2.0 as a XACML engine - http://blog.facilelogin.com/2009/05/identity-server-20-as-xacml-engine.html [6]
Adding fine grained authorization to a proxy service in WSO2 ESB - http://blog.facilelogin.com/2009/05/adding-fine-grained-authorization-for.html [7]
The XACML 2.0 standard specification - http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os.pdf [8]

Author
Tharindu Mathew, Software Engineer, WSO2 Inc.

Attachments
sample-xacml-policy.xml [2] - 2.05 KB
sample-xacml-request.xml [3] - 943 bytes
mgt-transports.xml [9] - 3.34 KB
WSEntitlementTestClient.zip [5] - 29.81 KB

© 2010 WSO2 Inc.

Source URL: http://wso2.org/library/articles/2010/10/using-xacml-fine-grained-authorization-wso2-platform

Links:
[1] https://wso2.org/files/mgt-transports.xml
[2] http://wso2.org/files/sample-xacml-policy.xml
[3] http://wso2.org/files/sample-xacml-request.xml
[4] https://localhost:9445/services/
[5] http://wso2.org/files/WSEntitlementTestClient.zip
[6] http://blog.facilelogin.com/2009/05/identity-server-20-as-xacml-engine.html
[7] http://blog.facilelogin.com/2009/05/adding-fine-grained-authorization-for.html
[8] http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os.pdf
[9] http://wso2.org/files/mgt-transports.xml