Showing posts with label Identity Server. Show all posts

Sunday, April 6, 2014

Fine Grained Authorization scenario

This is a common scenario, so I am documenting it here on my blog as well.

A request from the client is authenticated at the WSO2 ESB proxy, which acts as the XACML PEP: it passes the request's subject, resource and action to WSO2 IS, which acts as the XACML PDP, and forwards the request to the back-end service only if the decision is Permit.

So the actors in the scenario are:
PEP - Policy Enforcement Point - WSO2 ESB
PDP - Policy Decision Point - WSO2 IS
BE - echo service in WSO2AS
client - SoapUI


Let's try step by step:

1. Configure the Entitlement proxy (ESB 4.8.0)
a) Create a custom proxy, giving the echo service WSDL as the published WSDL:
WSDL URI - http://localhost:9765/services/echo?wsdl

b) In-Sequence
- Select the Entitlement mediator and add the entitlement information (IS runs with a port offset of 1 in this setup, hence 9444 rather than the default 9443):
Entitlement Server - https://localhost:9444/services/
Username - admin
Password - admin
Entitlement Callback Handler - UT
Entitlement Service Client Type - SOAP - Basic Auth



- Add result sequences for the OnAccept and OnReject nodes.

OnReject: a makefault mediator, so the client receives a SOAP fault instead of a back-end response.

OnAccept: a send mediator that forwards the message to the BE service.

c) OutSequence
- Add a send mediator.

My complete proxy service is built like this. Two things to note in it: remoteServicePassword carries an enc: prefix because the ESB stores the mediator's password encrypted rather than in clear, and the fault raised in onReject (code VersionMismatch, reason "Wrong Value") is only a demo choice; in a real deployment use a fault code and reason that tell the caller the request was denied without leaking policy details.
<?xml version="1.0" encoding="UTF-8"?>

<proxy xmlns="http://ws.apache.org/ns/synapse"
       name="EntitlementProxy"
       transports="https"
       statistics="disable"
       trace="disable"
       startOnLoad="true">
   <target>
      <inSequence>
         <entitlementService remoteServiceUrl="https://localhost:9444/services/"
                             remoteServiceUserName="admin"
                             remoteServicePassword="enc:kuv2MubUUveMyv6GeHrXr9il59ajJIqUI4eoYHcgGKf/BBFOWn96NTjJQI+wYbWjKW6r79S7L7ZzgYeWx7DlGbff5X3pBN2Gh9yV0BHP1E93QtFqR7uTWi141Tr7V7ZwScwNqJbiNoV+vyLbsqKJE7T3nP8Ih9Y6omygbcLcHzg="
                             callbackClass="org.wso2.carbon.identity.entitlement.mediator.callback.UTEntitlementCallbackHandler"
                             client="basicAuth">
            <onReject>
               <makefault version="soap11">
                  <code xmlns:soap11Env="http://schemas.xmlsoap.org/soap/envelope/"
                        value="soap11Env:VersionMismatch"/>
                  <reason value="Wrong Value"/>
                  <role/>
               </makefault>
            </onReject>
            <onAccept>
               <send>
                  <endpoint>
                     <address uri="https://localhost:9445/services/echo"/>
                  </endpoint>
               </send>
            </onAccept>
            <obligations/>
            <advice/>
         </entitlementService>
      </inSequence>
      <outSequence>
         <send/>
      </outSequence>
      <faultSequence>
         <send/>
      </faultSequence>
   </target>
   <publishWSDL uri="http://localhost:9765/services/echo?wsdl"/>
   <enableSec/>
   <policy key="conf:/repository/axis2/service-groups/EntitlementProxy/services/EntitlementProxy/policies/UTOverTransport"/>
   <description/>
</proxy>


2) Start the back-end service.
In my scenario it is the echo service in WSO2 AS 5.2.0 (the 9445/9765 ports imply a port offset of 2):
https://192.168.1.3:9445/services/echo/


3) Configure the XACML policy in IS 4.5.0
a) Go to Policy Administration > Add New Entitlement Policy > Simple Policy Editor
b) Give the policy a name and fill in the other required data.
This policy is based on Resource:
Resource which equals {echo}, a wildcard entry for the BE service name; in the generated policy below this becomes a string-regexp-match of echo against the resource-id, so the decision does not depend on the exact service URL.
Action - read
The generated policy also requires the subject-id to be admin (the user the UT callback handler sends to the PDP) and ends with a rule that has no target and the effect Deny, so that under the first-applicable combining algorithm every request that is not explicitly permitted is denied:



                           
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="TestPolicy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
  <Target>
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">echo</AttributeValue>
          <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
  <Rule Effect="Permit" RuleId="Rule-1">
    <Target>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
            <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
        <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
        <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
      </Apply>
    </Condition>
  </Rule>
  <Rule Effect="Deny" RuleId="Deny-Rule"/>
</Policy>

      


c) After creating the policy, click the 'Publish To My PDP' link.

d) Go to 'Policy View' and press 'Enable'.

e) To validate the policy, create a request and try it: click the 'TryIt' link of the policy (in the 'Policy Administration' page) and give the request information as below. The expected result for this request is Permit; change the subject-id to anything other than admin and the Deny rule should fire.

<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">{echo}</AttributeValue>
    </Attribute>
  </Attributes>
</Request>
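The policy and the TryIt request are all the PDP needs, but it is easy to lose track of why a given request is permitted or denied. The following is an added example, not code from the original post and not WSO2's Balana engine: a small Python evaluator that carries the policy from step 3 (same elements, attribute URIs taken from constants) and builds requests the same way as the TryIt request, then walks the policy target, each rule's target and condition, and the first-applicable combining algorithm. It implements only the functions this policy uses (string-equal, string-regexp-match and any-of), treats a missing MustBePresent="true" attribute as Indeterminate, and escapes attribute values before putting them into the request XML. The subject bob, the action write and the resource other are made-up inputs used to exercise the Deny and NotApplicable paths.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML}
STRING = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT = ("urn:oasis:names:tc:xacml:1.0:subject-category:access-subject", "urn:oasis:names:tc:xacml:1.0:subject:subject-id")
ACTION = ("urn:oasis:names:tc:xacml:3.0:attribute-category:action", "urn:oasis:names:tc:xacml:1.0:action:action-id")
RESOURCE = ("urn:oasis:names:tc:xacml:3.0:attribute-category:resource", "urn:oasis:names:tc:xacml:1.0:resource:resource-id")
ANY_OF = "urn:oasis:names:tc:xacml:1.0:function:any-of"
FUNCTIONS = {
    "urn:oasis:names:tc:xacml:1.0:function:string-equal": lambda a, b: a == b,
    # first argument is the regex, second the string; true if the string contains a match, so "{echo}" satisfies "echo"
    "urn:oasis:names:tc:xacml:1.0:function:string-regexp-match": lambda rx, s: re.search(rx, s) is not None,
}

def designator(c):  # (category, attribute-id) -> AttributeDesignator markup with MustBePresent, as in the page's policy
    return f'<AttributeDesignator AttributeId="{c[1]}" Category="{c[0]}" DataType="{STRING}" MustBePresent="true"/>'
# The policy from step 3: same elements, with the attribute URIs taken from the constants above.
POLICY_XML = f"""<Policy xmlns="{XACML}" PolicyId="TestPolicy" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
 <Target><AnyOf><AllOf><Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
  <AttributeValue DataType="{STRING}">echo</AttributeValue>{designator(RESOURCE)}</Match></AllOf></AnyOf></Target>
 <Rule Effect="Permit" RuleId="Rule-1">
  <Target><AnyOf><AllOf><Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
   <AttributeValue DataType="{STRING}">read</AttributeValue>{designator(ACTION)}</Match></AllOf></AnyOf></Target>
  <Condition><Apply FunctionId="{ANY_OF}"><Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
   <AttributeValue DataType="{STRING}">admin</AttributeValue>{designator(SUBJECT)}</Apply></Condition>
 </Rule>
 <Rule Effect="Deny" RuleId="Deny-Rule"/>
</Policy>"""

class Indeterminate(Exception):
    """A MustBePresent="true" attribute is absent from the request."""

def make_request(subject, action, resource):
    """Build a Request shaped like the TryIt one; pass None to leave an attribute out."""
    body = "".join(
        f'<Attributes Category="{cat}"><Attribute AttributeId="{aid}" IncludeInResult="false">'
        f'<AttributeValue DataType="{STRING}">{escape(value)}</AttributeValue></Attribute></Attributes>'
        for (cat, aid), value in ((ACTION, action), (SUBJECT, subject), (RESOURCE, resource)) if value is not None)
    return f'<Request xmlns="{XACML}" CombinedDecision="false" ReturnPolicyIdList="false">{body}</Request>'

def parse_request(request_xml):  # -> {(category, attribute-id): bag of string values}
    bags = {}
    for attrs in ET.fromstring(request_xml).findall("x:Attributes", NS):
        for attr in attrs.findall("x:Attribute", NS):
            key = (attrs.get("Category"), attr.get("AttributeId"))
            bags.setdefault(key, []).extend(v.text or "" for v in attr.findall("x:AttributeValue", NS))
    return bags

def bag_of(d, bags):  # values of the designated attribute; an empty bag with MustBePresent="true" is Indeterminate
    bag = bags.get((d.get("Category"), d.get("AttributeId")), [])
    if not bag and d.get("MustBePresent") == "true":
        raise Indeterminate(d.get("AttributeId"))
    return bag

def match(m, bags):  # <Match>: the function holds between the literal and at least one value of the bag
    fn, literal = FUNCTIONS[m.get("MatchId")], m.find("x:AttributeValue", NS).text
    return any(fn(literal, v) for v in bag_of(m.find("x:AttributeDesignator", NS), bags))

def target_matches(element, bags):
    """<Target>: every AnyOf holds; an AnyOf holds if some AllOf holds; an AllOf needs every Match."""
    target = element.find("x:Target", NS)
    if target is None or len(target) == 0:  # no Target (as in Deny-Rule) matches everything
        return True
    return all(any(all(match(m, bags) for m in allof.findall("x:Match", NS))
                   for allof in anyof.findall("x:AllOf", NS)) for anyof in target.findall("x:AnyOf", NS))

def evaluate(expr, bags):
    """Condition expressions used here: a literal, a designator (yields a bag) or an any-of Apply."""
    tag = expr.tag.rsplit("}", 1)[-1]
    if tag == "AttributeValue":
        return expr.text
    if tag == "AttributeDesignator":
        return bag_of(expr, bags)
    assert tag == "Apply" and expr.get("FunctionId") == ANY_OF, expr.tag  # only any-of is implemented
    fn = FUNCTIONS[expr.find("x:Function", NS).get("FunctionId")]
    scalar, bag = [evaluate(c, bags) for c in expr if not c.tag.endswith("}Function")]
    return any(fn(scalar, v) for v in bag)

def decide(policy_xml, request_xml):
    """Policy Target first, then first-applicable over the Rules: the first Permit/Deny wins."""
    policy, bags = ET.fromstring(policy_xml), parse_request(request_xml)
    try:
        if not target_matches(policy, bags):
            return "NotApplicable"
        for rule in policy.findall("x:Rule", NS):
            condition = rule.find("x:Condition", NS)
            if target_matches(rule, bags) and (condition is None or evaluate(condition[0], bags)):
                return rule.get("Effect")
        return "NotApplicable"
    except Indeterminate:
        return "Indeterminate"

if __name__ == "__main__":
    for case in [("admin", "read", "{echo}"), ("bob", "read", "{echo}"), ("admin", "write", "{echo}"), ("admin", "read", "other"), (None, "read", "{echo}")]:
        print(*case, "->", decide(POLICY_XML, make_request(*case)))
```

Running it gives Permit for admin/read/{echo}, Deny for bob and for write (the Permit rule is not applicable, so the catch-all Deny rule is the first applicable one), NotApplicable when the resource-id does not match echo at all, and Indeterminate when the subject-id is missing. The last two matter on the ESB side: the mediator's onAccept branch is meant for Permit, so check how your ESB version routes NotApplicable and Indeterminate before relying on them; fail-closed (treating anything but Permit as a reject) is the safe default.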


4) Send a request from the client
a) Launch SoapUI and create a project from the echo service WSDL.
 -  Add the username/password in the request properties. The proxy is secured with the UTOverTransport policy, so SoapUI sends them as a WS-Security UsernameToken; the UT callback handler takes the username from that token and sends it to the PDP as the subject-id.
 -  Set the proxy URL as the endpoint URL.
 -  Send the request. With admin/admin the echo response comes back; with any other user the proxy returns the fault defined in onReject.


NOTE:
To see the exact XACML request the ESB sends and the decision it gets back, enable DEBUG logs in the PDP as below;
a) Open IS_HOME/repository/conf/log4j.properties

b) Add the following line
log4j.logger.org.wso2.carbon.identity.entitlement=DEBUG

c) Restart IS and view the IS logs; the request and the response are printed at DEBUG level.




Tuesday, January 14, 2014

How to read properties file from custom UserStoreManager

Scenario

You have developed an XUserStoreManager extending an inbuilt user store manager implementation (e.g. ActiveDirectoryUserStoreManager).

You need to read some configuration values from a property file, which you do not want to embed in the XUserStoreManager.jar deployed in <IS_HOME>/repository/components/dropins.


What is the best approach:

1. Put your custom properties in <IS_HOME>/repository/conf/user-mgt.xml, inside your <CustomUserStoreManager> section, as below:
<Property name="customProperty">customValue</Property>

2. Read them through the RealmConfiguration that your user store manager already holds (the realmConfig field inherited from the inbuilt implementation), the same way ReadOnlyLDAPUserStoreManager reads its own properties in [1]:

i.e.

String patterns = realmConfig.getUserStoreProperty(LDAPConstants.USER_DN_PATTERN);
// the same call returns your own property by name (null if it is not configured)
String customValue = realmConfig.getUserStoreProperty("customProperty");

Applicable: WSO2 IS 4.6.0

[1] - https://svn.wso2.org/repos/wso2/carbon/kernel/branches/4.0.0/core/org.wso2.carbon.user.core/4.0.2/src/main/java/org/wso2/carbon/user/core/ldap/ReadOnlyLDAPUserStoreManager.java

Tuesday, October 20, 2009

New release of WSO2 product family !!!!

It's been a little more than a week now, but I need to make a note of it. WSO2 released new versions of five of its products on 9th Oct.

It includes:
WSO2 WSAS 3.1.1
WSO2 Governance Registry 3.0.1
WSO2 ESB 2.1.1
WSO2 IS 2.0.1
WSO2 Mashup Server 2.0.0

The release notes of Mashup Server and Identity Server (the ones that I talk about most) are given below.

WSO2 Identity Server 2.0.1
The WSO2 Identity Server team is pleased to announce the release of version 2.0.1 of the Open Source WSO2 Identity Server (IS).

IS 2.0.1 release is available for download at [1].

This is based on the revolutionary WSO2 Carbon [2] framework, 'Middleware a la carte'.

All the major features have been developed as pluggable Carbon components.

New Features
-------------------
1. SAML 2.0 Token Profile support
2. Passive STS
3. Equinox P2 based provisioning support
4. Improved Support for deploying on top of WebSphere, WebLogic, and JBoss.
5. Various bug fixes and enhancements including architectural improvements to Apache Axis2, Apache Rampart, Apache Sandesha2, WSO2 Carbon and other projects

Other Key Features
---------------------------
1. Entitlement Engine with XACML 2.0 support.
2. Claim based Security Token Service.
3. Extension points for SAML assertion handling.
4. OpenID Provider
5. Information Card Provider

How to Run
-------------
1. Extract the downloaded zip.
2. Go to the bin directory in the extracted folder.
3. Run the wso2server.sh or wso2server.bat as appropriate.
4. Point your browser to the URL https://localhost:9443/carbon
5. Use "admin", "admin" as the user name and password.
6. If you need to start the OSGi console with the server use the property -DosgiConsole when starting the server

Known issues
---------------
All the known issues have been filed here [3]. Please report any other issues you find as JIRA entries.

Contact us
-----------
WSO2 Identity Server developers can be contacted via the mailing lists:
For Users: carbon-user@wso2.org
For Developers: carbon-dev@wso2.org

Alternatively, questions can also be raised in the Identity Server forum at http://wso2.org/forum/308

Training
---------
WSO2 Inc. offers a variety of professional Training Programs, including training on general Web services as well as WSO2 Identity Server, Apache Axis2, Data Services and a number of other products. For additional support information please refer to http://wso2.com/training/course-catalog/


Support
--------
WSO2 Inc. offers a variety of development and production support
programs, ranging from Web-based support up through normal business
hours, to premium 24x7 phone support. For additional support information
please refer to http://wso2.com/support/


For more information on WSO2 Identity Server, visit the WSO2 Oxygen Tank[4].

Thank you for your interest in WSO2 Identity Server.

-The WSO2 Identity Server team

[1]: http://wso2.org/downloads/identity
[2]: http://wso2.org/projects/carbon
[3]: https://wso2.org/jira/browse/CARBON
[4]: http://wso2.org


WSO2 Mashup Server 2.0.0


The WSO2 Mashup Server team is pleased to announce the release of version 2.0.0 of the Open Source WSO2 Mashup Server.

Downloads are available at http://wso2.org/downloads/mashup

For a complete list of project resources including SVN, Mailing lists, Forums, JIRA and Tutorials visit http://wso2.org/projects/mashup

"Create, deploy, and consume Web services Mashups in the simplest fashion."

The WSO2 Mashup Server is a powerful yet simple and quick way to tailor Web-based information to the personal needs of individuals and organizations. It is a platform for acquiring data from a variety of sources including Web Services, HTML pages, feeds and data sources, and processing and combining it with other data using JavaScript with E4X XML extensions. The result is then exposed as a new Web service with rich metadata and artifacts to simplify the creation of rich user interfaces.


Key Features
---------------
* Hosting of mashup services written using JavaScript with E4X XML extension
    - Simple file based deployment model
* JavaScript annotations to configure the deployed services
* Auto generation of metadata and runtime resources for the deployed mashups
    - JavaScript stubs that simplify client access to the mashup service
    - Code templates for developing rich HTML or Google Gadget interfaces
    - TryIt functionality to invoke the mashup service through a web browser
    - WSDL 1.1/WSDL 2.0/XSD documents to describe the mashup service
    - API documentation
* Ability to bundle a custom user interface for the mashups
* Many useful Javascript Host objects that can be used when writing mashups
    - WSRequest: invoke Web services from mashup services
    - File: File storage/manipulation functionality
    - System: Set of system specific utility functions
    - Session: Ability to share objects across different service invocations
    - Scraper: Extract data from HTML pages and present in XML format
    - APPClient: Atom Publishing Protocol client to retrieve/publish Atom
                 feeds with APP servers
    - Feed: A generic set of host objects to transparently read and create
            Atom and RSS feeds
    - Request: Ability get information regarding a request received
* Support for recurring and longer-running tasks
* Support for service lifecycles
* Ability to secure hosted mashups using a set of commonly used security scenarios
* Management console to easily manage the mashups


New Features In This Release
------------------------------
The 2.0 version of the Mashup Server is built on top of the Award Winning WSO2 Carbon Platform. All the major features have been developed as pluggable Carbon components.


Installation & Running
-----------------------
1. extract the downloaded zip file
2. Run the wso2server.sh or wso2server.bat file in the bin directory
3. Once the server starts, point your Web browser to
   https://localhost:9443/carbon/

For more details, see the Installation Guide


System Requirements
----------------------
1. Minimum memory - 256MB
2. Processor      - Pentium 800MHz or equivalent at minimum
3. The Management Console requires full Javascript enablement of the Web browser
   NOTE: On Windows Server 2003, it is not allowed to go below the medium security level in Internet Explorer 6.x.

For more details see
http://wso2.org/wiki/display/carbon/System+Requirements


WSO2 Mashup Server Binary Distribution Directory Structure
---------------------------------------------------------------
  CARBON_HOME
       |-bin
       |-conf
       |-database
       |-dbscripts
       |-docs
       |-lib
       |-logs
       |-repository
       |---dataservices
       |---scripts
       |---services
       |-resources
       |---security
       |-tmp
       |-webapps
       |-LICENSE.txt
       |-README.txt
       |-INSTALL.txt
       |-release-notes.html


   - bin
      Contains the various .sh and .bat scripts

    - conf
      Contains configuration files

   - database
     Contains the database

    - lib
      Contains the basic set of libraries required to startup WSO2 Mashup Server in standalone mode

    - logs
      Contains all log files created during execution

    - repository
      The repository where Carbon artifacts and the Axis2 services and modules deployed in WSO2 Mashup Server are stored. Artifacts for the other custom deployers (JavaScript, data services, Axis1 services and POJO services) are stored here as well.
     
            - dataservices
              Contains the Data Services hosted in the Mashup Server.
             
            - scripts
              Contains the Javascript Services (Mashups) hosted in the Mashup Server.
             
            - services
              Contains the Java Services hosted in the Mashup Server.

    - resources
      Contains additional resources that may be required

    - tmp
      Used for storing temporary files, and is pointed to by the java.io.tmpdir System property

    - webapps
      Contains the WSO2 Mashup Server webapp. Any other webapp also can be deployed in this directory

    - LICENSE.txt
      Apache License 2.0 under which WSO2 Mashup Server is distributed.

    - README.txt
      This document.

    - INSTALL.txt
      This document will contain information on installing WSO2 Mashup Server

    - release-notes.html
      Release information for WSO2 Mashup Server 2.0


Training
---------
WSO2 Inc. offers a variety of professional Training Programs, including training on general Web services as well as WSO2 Mashup Server, Apache Axis2, Data Services and a number of other products.

For additional support information please refer to http://wso2.com/training/course-catalog/


Support
---------
WSO2 Inc. offers a variety of development and production support programs, ranging from Web-based support up through normal business hours, to premium 24x7 phone support.

For additional support information please refer to http://wso2.com/support/

For more information on WSO2 Mashup Server, visit the WSO2 Oxygen Tank (http://wso2.org)


Enjoy the WSO2 Mashup Server,

The WSO2 Mashup Server Team
