Hi Abimaran,

Please try the following XACML policy:

<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="XACMLSimplePolicy"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides"
        Version="1.0">
   <Target></Target>
   <Rule Effect="Permit" RuleId="permit_rule">
      <Condition>
         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
            <!-- resource-id must equal the requested resource -->
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/echo/</AttributeValue>
               <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                                    Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                                    DataType="http://www.w3.org/2001/XMLSchema#string"
                                    MustBePresent="true"></AttributeDesignator>
            </Apply>
            <!-- action-id must be one of the listed actions -->
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
               <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
               </Apply>
               <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                    Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                                    DataType="http://www.w3.org/2001/XMLSchema#string"
                                    MustBePresent="true"></AttributeDesignator>
            </Apply>
            <!-- the subject's role bag must contain at least one of the listed roles -->
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
               <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
               </Apply>
               <AttributeDesignator AttributeId="http://wso2.org/claims/role"
                                    Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                                    DataType="http://www.w3.org/2001/XMLSchema#string"
                                    MustBePresent="true"></AttributeDesignator>
            </Apply>
         </Apply>
      </Condition>
   </Rule>
   <!-- unconditional fallback: anything the Permit rule does not match is denied -->
   <Rule Effect="Deny" RuleId="denyRule"></Rule>
</Policy>

Note: you need to have a Deny rule in your policy, and try to use
"urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of" when
comparing roles. Then we can add additional roles later.

Thanks,
Thanuja

On Sat, Jun 20, 2015 at 11:07 AM, Abimaran Kugathasan <[email protected]>
wrote:

> I defined below policy,
>
>> <Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
>>         PolicyId="SimplePolicy"
>>         RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
>>         Version="1.0">
>>    <Target/>
>>    <Rule Effect="Permit" RuleId="primary-group-customer-rule">
>>       <Condition>
>>          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
>>             <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
>>                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
>>                   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/echo/</AttributeValue>
>>                   <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
>>                                        Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
>>                                        DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
>>                </Apply>
>>                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
>>                   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
>>                   <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
>>                                        Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
>>                                        DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
>>                </Apply>
>>             </Apply>
>>             <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
>>                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
>>                <AttributeDesignator AttributeId="http://wso2.org/claims/role"
>>                                     Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
>>                                     DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
>>             </Apply>
>>          </Apply>
>>       </Condition>
>>    </Rule>
>> </Policy>
>
>
>
> And, through the Entitlement Mediator with ESB, when I send the request from a
> client with resource http://localhost:8280/services/echo/, I saw the
> following debug logs in the ESB.
>
>
> [2015-06-20 11:03:33,315] DEBUG - EntitlementMediator Mediation for
> Entitlement started
> [2015-06-20 11:03:33,315] DEBUG - EntitlementCallbackHandler Service name
> http://abimaran:8280/services/echo/
> [2015-06-20 11:03:33,315] DEBUG - EntitlementMediator Subject ID is :
> admin Resource ID is : http://abimaran:8280/services/echo//POST Action ID
> is : POST.
> [2015-06-20 11:03:33,358] DEBUG - EntitlementMediator Entitlement Decision
> is : NotApplicable
> [2015-06-20 11:03:33,358] DEBUG - EntitlementMediator User is not
> authorized to perform the action
>
> Can anyone please advise me why the XACML engine returns NotApplicable? And why
> is the Resource ID http://abimaran:8280/services/echo//POST?
>
>
> On Sat, Jun 20, 2015 at 10:54 AM, Abimaran Kugathasan <[email protected]>
> wrote:
>
>> [+Thanuja]
>>
>> On Sat, Jun 20, 2015 at 10:02 AM, Abimaran Kugathasan <[email protected]>
>> wrote:
>>
>>> Applied SP1 for a fresh IS and tested, still the same error.
>>>
>>> On Sat, Jun 20, 2015 at 9:46 AM, Abimaran Kugathasan <[email protected]>
>>> wrote:
>>>
>>>>
>>>>
>>>> On Sat, Jun 20, 2015 at 9:04 AM, Abimaran Kugathasan <[email protected]>
>>>> wrote:
>>>>
>>>>> Hi Harsha,
>>>>>
>>>>> Please find the policy.
>>>>>
>>>>> <Policy PolicyId=" urn:oasis:names:tc:xacml:3.0:example:SimplePolicy"
>>>>>         RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
>>>>>         xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
>>>>>     <Description>Sample XACML Authorization Policy.</Description>
>>>>>     <Target/>
>>>>>     <Rule RuleId="urn:oasis:names:tc:xacml:3.0:example:SimpleRule1"
>>>>>           Effect="Permit">
>>>>>         <Description>
>>>>>             Sample XACML Authorization Policy.
>>>>>         </Description>
>>>>>         <Target>
>>>>>             <AnyOf>
>>>>>                 <AllOf>
>>>>>                     <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
>>>>>                         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/echo/</AttributeValue>
>>>>>                         <AttributeDesignator
>>>>>                             MustBePresent="false"
>>>>>                             Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
>>>>>                             AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
>>>>>                             DataType="http://www.w3.org/2001/XMLSchema#string"/>
>>>>>                     </Match>
>>>>>                 </AllOf>
>>>>>             </AnyOf>
>>>>>         </Target>
>>>>>     </Rule>
>>>>> </Policy>
>>>>>
>>>>> No, I haven't installed any patches or SPs.
>>>>>
>>>>> On Sat, Jun 20, 2015 at 9:00 AM, Harsha Thirimanna <[email protected]>
>>>>> wrote:
>>>>>
>>>>>> We don't need to specify the XACML version, because it is already
>>>>>> available in the policy as a namespace.
>>>>>> Can you attach the policy file?
>>>>>> Did you try this with IS SP1?
>>>>>> On Jun 20, 2015 8:48 AM, "Abimaran Kugathasan" <[email protected]>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> When I tried the sample policy given in [1], I got the following
>>>>>>> error in the UI.
>>>>>>>
>>>>>>>
>>>>>>> Entitlement policy is not updated. Error is :Invalid Entitlement
>>>>>>>> Policy. Policy is not valid according to XACML schema
>>>>>>>
>>>>>>>
>>>>>>> I'm getting the same for sample [2].
>>>>>>>
>>>>>>>
>>>>>>> IS 5.0.0 supports both the XACML 2.0 and 3.0 specifications. Do I have to
>>>>>>> set which version should be supported in a configuration file?
>>>>>>>
>>>>>>> [1] :
>>>>>>> https://docs.wso2.com/display/IS500/Writing+XACML+3+Policies+in+WSO2+Identity+Server+-+1
>>>>>>> [2] :
>>>>>>> https://docs.wso2.com/display/IS500/Writing+XACML+policies+in+WSO2+Identity+Server+-+1
>>>>>>>
>>>>>>> --
>>>>>>> Thanks
>>>>>>> Abimaran Kugathasan
>>>>>>>
>>>>>>> Software Engineer | WSO2 Inc
>>>>>>> Data & APIs Technologies Team
>>>>>>> Mobile : +94 773922820
>>>>>>>
>>>>>>> <http://stackoverflow.com/users/515034>
>>>>>>> <http://lk.linkedin.com/in/abimaran>
>>>>>>> <http://www.lkabimaran.blogspot.com/>
>>>>>>> <https://github.com/abimarank>  <https://twitter.com/abimaran>
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Dev mailing list
>>>>>>> [email protected]
>>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>>>
>>>>>>>
>>>>>


-- 
*Thanuja Lakmal*
Senior Software Engineer
WSO2 Inc. http://wso2.com/
*lean.enterprise.middleware*
Mobile: +94715979891 +94758009992
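As an added illustration (not code from this thread, WSO2 or OASIS), here is a small Python evaluator for the policy shape suggested above. It implements only the four functions that policy uses plus the permit-overrides algorithm, so you can see how a role bag holding several values still matches via string-at-least-one-member-of, and why leaving out the Deny rule turns a non-match into NotApplicable instead of Deny. The policy string is constructed here without the action clause; request attribute bags are plain dicts.

```python
import xml.etree.ElementTree as ET
X = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
F = "urn:oasis:names:tc:xacml:1.0:function:"
S = "http://www.w3.org/2001/XMLSchema#string"
# Constructed policy: Thanuja's structure without the action clause.
POLICY = f"""<Policy xmlns="{X}" PolicyId="demo" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides">
<Target/><Rule Effect="Permit" RuleId="permit_rule"><Condition><Apply FunctionId="{F}and">
 <Apply FunctionId="{F}string-is-in">
  <AttributeValue DataType="{S}">http://localhost:8280/services/echo/</AttributeValue>
  <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="{S}" MustBePresent="true"/>
 </Apply>
 <Apply FunctionId="{F}string-at-least-one-member-of">
  <Apply FunctionId="{F}string-bag"><AttributeValue DataType="{S}">admin</AttributeValue></Apply>
  <AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="{S}" MustBePresent="true"/>
 </Apply>
</Apply></Condition></Rule><Rule Effect="Deny" RuleId="denyRule"/></Policy>"""

def evaluate(node, request):
    """Evaluate one expression element; request maps AttributeId -> list (a bag)."""
    tag = node.tag.split("}")[1]
    if tag == "AttributeValue":
        return node.text.strip()
    if tag == "AttributeDesignator":
        bag = request.get(node.get("AttributeId"), [])
        if not bag and node.get("MustBePresent") == "true":
            raise LookupError(node.get("AttributeId"))  # Indeterminate
        return bag
    fn = node.get("FunctionId")[len(F):]
    args = [evaluate(c, request) for c in node]
    if fn == "and":
        return all(args)
    if fn == "string-bag":
        return list(args)
    if fn == "string-is-in":                   # (string, bag)
        return args[0] in args[1]
    if fn == "string-at-least-one-member-of":  # (bag, bag)
        return any(a in args[1] for a in args[0])
    raise NotImplementedError(fn)

def decide(request, policy=POLICY):
    """permit-overrides: any Permit wins, else any Deny, else NotApplicable."""
    effects = []
    for rule in ET.fromstring(policy).iter(f"{{{X}}}Rule"):
        cond = rule.find(f"{{{X}}}Condition")
        try:
            if cond is None or evaluate(cond[0], request):
                effects.append(rule.get("Effect"))
        except LookupError:
            pass  # a rule whose required attribute is missing does not fire
    return "Permit" if "Permit" in effects else "Deny" if "Deny" in effects else "NotApplicable"
```

string-is-in is an exact comparison, so the resource-id in the policy has to equal the value the PEP actually sends; the ESB log above shows http://abimaran:8280/services/echo//POST, which would not match http://localhost:8280/services/echo/ under either policy.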