Hi Abimaran,

Can you attach the Entitlement Mediator config as well?

Regards,
Omindu.

On Sat, Jun 20, 2015 at 11:29 AM, Thanuja Jayasinghe <[email protected]>
wrote:

> Hi Abimaran,
>
> Please try following XACML policy,
>
> <Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
>         PolicyId="XACMLSimplePolicy"
>         RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides"
>         Version="1.0">
>    <Target></Target>
>    <Rule Effect="Permit" RuleId="permit_rule">
>       <Condition>
>          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
>             <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
>                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/echo/</AttributeValue>
>                <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
>                                     Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
>                                     DataType="http://www.w3.org/2001/XMLSchema#string"
>                                     MustBePresent="true"></AttributeDesignator>
>             </Apply>
>             <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
>                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
>                   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
>                </Apply>
>                <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
>                                     Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
>                                     DataType="http://www.w3.org/2001/XMLSchema#string"
>                                     MustBePresent="true"></AttributeDesignator>
>             </Apply>
>             <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
>                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
>                   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
>                </Apply>
>                <AttributeDesignator AttributeId="http://wso2.org/claims/role"
>                                     Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
>                                     DataType="http://www.w3.org/2001/XMLSchema#string"
>                                     MustBePresent="true"></AttributeDesignator>
>             </Apply>
>          </Apply>
>       </Condition>
>    </Rule>
>    <Rule Effect="Deny" RuleId="denyRule"></Rule>
> </Policy>
>
> Note: you need to have a Deny rule in your condition, and try to use
> "urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of" when
> comparing roles. Then we can add additional roles later.
>
> Thanks,
> Thanuja
>
> On Sat, Jun 20, 2015 at 11:07 AM, Abimaran Kugathasan <[email protected]>
> wrote:
>
>> I defined the policy below:
>>
>> <Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
>>         PolicyId="SimplePolicy"
>>         RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
>>         Version="1.0">
>>    <Target/>
>>    <Rule Effect="Permit" RuleId="primary-group-customer-rule">
>>       <Condition>
>>          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
>>             <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
>>                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
>>                   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/echo/</AttributeValue>
>>                   <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
>>                                        Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
>>                                        DataType="http://www.w3.org/2001/XMLSchema#string"
>>                                        MustBePresent="true"/>
>>                </Apply>
>>                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
>>                   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
>>                   <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
>>                                        Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
>>                                        DataType="http://www.w3.org/2001/XMLSchema#string"
>>                                        MustBePresent="true"/>
>>                </Apply>
>>             </Apply>
>>             <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
>>                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
>>                <AttributeDesignator AttributeId="http://wso2.org/claims/role"
>>                                     Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
>>                                     DataType="http://www.w3.org/2001/XMLSchema#string"
>>                                     MustBePresent="true"/>
>>             </Apply>
>>          </Apply>
>>       </Condition>
>>    </Rule>
>> </Policy>
>>
>>
>>
>> And, through the Entitlement Mediator with ESB, when I send the request from
>> a client with resource http://localhost:8280/services/echo/, I saw the
>> following debug logs in the ESB.
>>
>> [2015-06-20 11:03:33,315] DEBUG - EntitlementMediator Mediation for Entitlement started
>> [2015-06-20 11:03:33,315] DEBUG - EntitlementCallbackHandler Service name http://abimaran:8280/services/echo/
>> [2015-06-20 11:03:33,315] DEBUG - EntitlementMediator Subject ID is : admin Resource ID is : http://abimaran:8280/services/echo//POST Action ID is : POST.
>> [2015-06-20 11:03:33,358] DEBUG - EntitlementMediator Entitlement Decision is : NotApplicable
>> [2015-06-20 11:03:33,358] DEBUG - EntitlementMediator User is not authorized to perform the action
>>
>> Could anyone please advise me why the XACML engine returns NotApplicable, and
>> why the Resource ID is http://abimaran:8280/services/echo//POST?
>>
>>
>> On Sat, Jun 20, 2015 at 10:54 AM, Abimaran Kugathasan <[email protected]>
>> wrote:
>>
>>> [+Thanuja]
>>>
>>> On Sat, Jun 20, 2015 at 10:02 AM, Abimaran Kugathasan <[email protected]> wrote:
>>>
>>>> Applied SP1 to a fresh IS and tested; still the same error.
>>>>
>>>> On Sat, Jun 20, 2015 at 9:46 AM, Abimaran Kugathasan <[email protected]> wrote:
>>>>
>>>>>
>>>>>
>>>>> On Sat, Jun 20, 2015 at 9:04 AM, Abimaran Kugathasan <[email protected]> wrote:
>>>>>
>>>>>> Hi Harsha,
>>>>>>
>>>>>> Please find the policy.
>>>>>>
>>>>>> <Policy PolicyId=" urn:oasis:names:tc:xacml:3.0:example:SimplePolicy"
>>>>>>         RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
>>>>>>         xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
>>>>>>     <Description>Sample XACML Authorization Policy.</Description>
>>>>>>     <Target/>
>>>>>>     <Rule RuleId="urn:oasis:names:tc:xacml:3.0:example:SimpleRule1"
>>>>>>           Effect="Permit">
>>>>>>         <Description>
>>>>>>             Sample XACML Authorization Policy.
>>>>>>         </Description>
>>>>>>         <Target>
>>>>>>             <AnyOf>
>>>>>>                 <AllOf>
>>>>>>                     <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
>>>>>>                         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/echo/</AttributeValue>
>>>>>>                         <AttributeDesignator
>>>>>>                             MustBePresent="false"
>>>>>>                             Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
>>>>>>                             AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
>>>>>>                             DataType="http://www.w3.org/2001/XMLSchema#string"/>
>>>>>>                     </Match>
>>>>>>                 </AllOf>
>>>>>>             </AnyOf>
>>>>>>         </Target>
>>>>>>     </Rule>
>>>>>> </Policy>
>>>>>>
>>>>>> No, I haven't installed any patches or SPs.
>>>>>>
>>>>>> On Sat, Jun 20, 2015 at 9:00 AM, Harsha Thirimanna <[email protected]>
>>>>>> wrote:
>>>>>>
>>>>>>> We don't need to specify the XACML version, because it is already
>>>>>>> available in the policy as a namespace.
>>>>>>> Can you attach the policy file?
>>>>>>> Did you try this with IS SP1?
>>>>>>> On Jun 20, 2015 8:48 AM, "Abimaran Kugathasan" <[email protected]>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> When I tried the sample policy given in [1], I got the following
>>>>>>>> error in the UI.
>>>>>>>>
>>>>>>>>
>>>>>>>>> Entitlement policy is not updated. Error is :Invalid Entitlement
>>>>>>>>> Policy. Policy is not valid according to XACML schema
>>>>>>>>
>>>>>>>>
>>>>>>>> I'm getting the same for the sample [2].
>>>>>>>>
>>>>>>>>
>>>>>>>> IS 5.0.0 supports both the XACML 2.0 and 3.0 specifications. Do I have
>>>>>>>> to set which version should be supported in a configuration file?
>>>>>>>>
>>>>>>>> [1] :
>>>>>>>> https://docs.wso2.com/display/IS500/Writing+XACML+3+Policies+in+WSO2+Identity+Server+-+1
>>>>>>>> [2] :
>>>>>>>> https://docs.wso2.com/display/IS500/Writing+XACML+policies+in+WSO2+Identity+Server+-+1
>>>>>>>>
>>>>>>>> --
>>>>>>>> Thanks
>>>>>>>> Abimaran Kugathasan
>>>>>>>>
>>>>>>>> Software Engineer | WSO2 Inc
>>>>>>>> Data & APIs Technologies Team
>>>>>>>> Mobile : +94 773922820
>>>>>>>>
>>>>>>>> <http://stackoverflow.com/users/515034>
>>>>>>>> <http://lk.linkedin.com/in/abimaran>
>>>>>>>> <http://www.lkabimaran.blogspot.com/>
>>>>>>>> <https://github.com/abimarank>  <https://twitter.com/abimaran>
>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Dev mailing list
>>>>>>>> [email protected]
>>>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>>>>
>>>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
> --
> *Thanuja Lakmal*
> Senior Software Engineer
> WSO2 Inc. http://wso2.com/
> *lean.enterprise.middleware*
> Mobile: +94715979891 +94758009992
>
>
>


-- 
Omindu Rathnaweera
Software Engineer, WSO2 Inc.
Mobile: +94 771 197 211
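The NotApplicable decision in the ESB debug log quoted in this thread, and the effect of Thanuja's catch-all Deny rule, can be reproduced with the following small evaluator. This is an added example, not code from the thread or from WSO2: it implements only the XACML 3.0 pieces the quoted policies use (and, string-bag, string-is-in, string-at-least-one-member-of, AttributeDesignator, AttributeValue, Rule/Condition) and the permit-overrides, deny-overrides and first-applicable rule-combining algorithms; it collapses the specification's Indeterminate{P}/{D}/{DP} variants into a single Indeterminate and assumes empty (match-all) Targets, as in those policies. The request context is constructed from the attribute values in the debug log; the role bag under http://wso2.org/claims/role is an assumption about what the PIP resolved for the admin user.

```python
"""Constructed mini-evaluator (not WSO2 code) for the XACML 3.0 subset used in the thread's policies."""
import xml.etree.ElementTree as ET
NS = "{urn:oasis:names:tc:xacml:3.0:core:schema:wd-17}"
FN = "urn:oasis:names:tc:xacml:1.0:function:"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"

# Thanuja's policy from the thread: a conditioned Permit rule plus a catch-all Deny rule.
POLICY_XML = """<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="XACMLSimplePolicy"
 RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides" Version="1.0">
 <Target></Target>
 <Rule Effect="Permit" RuleId="permit_rule">
  <Condition>
   <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/echo/</AttributeValue>
     <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
      Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
      DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
    </Apply>
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
     </Apply>
     <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
      Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
      DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
    </Apply>
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
     </Apply>
     <AttributeDesignator AttributeId="http://wso2.org/claims/role"
      Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
      DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
    </Apply>
   </Apply>
  </Condition>
 </Rule>
 <Rule Effect="Deny" RuleId="denyRule"></Rule>
</Policy>"""

def request(roles, resource, action):  # constructed request context: (category, attribute-id) -> bag
    return {(SUBJECT, "http://wso2.org/claims/role"): list(roles),
            (RESOURCE, "urn:oasis:names:tc:xacml:1.0:resource:resource-id"): [resource],
            (ACTION, "urn:oasis:names:tc:xacml:1.0:action:action-id"): [action]}

class Indeterminate(Exception):
    pass  # a MustBePresent="true" designator found no value: XACML's Indeterminate

def evaluate(node, ctx):
    tag = node.tag.replace(NS, "")
    if tag == "AttributeValue":
        return node.text.strip()
    if tag == "AttributeDesignator":  # a designator yields a bag of values
        bag = ctx.get((node.get("Category"), node.get("AttributeId")), [])
        if not bag and node.get("MustBePresent") == "true":
            raise Indeterminate(node.get("AttributeId"))
        return bag
    fn = node.get("FunctionId")
    args = [evaluate(child, ctx) for child in node]  # strict evaluation; XACML 'and' may short-circuit
    if fn == FN + "and":
        return all(args)
    if fn == FN + "string-bag":
        return args
    if fn == FN + "string-is-in":  # (primitive, bag) -> boolean
        return args[0] in args[1]
    if fn == FN + "string-at-least-one-member-of":  # (bag, bag) -> boolean
        return any(v in args[1] for v in args[0])
    raise ValueError("unsupported element or function: %s %s" % (tag, fn))

def evaluate_rule(rule, ctx):
    cond = rule.find(NS + "Condition")
    if cond is None:  # no Condition, and an empty Target: the rule always applies
        return rule.get("Effect")
    try:
        return rule.get("Effect") if evaluate(cond[0], ctx) else "NotApplicable"
    except Indeterminate:
        return "Indeterminate"

def evaluate_policy(policy, ctx):
    alg = policy.get("RuleCombiningAlgId").rsplit(":", 1)[1]
    decisions = [evaluate_rule(r, ctx) for r in policy.findall(NS + "Rule")]
    if alg == "first-applicable":
        return next((d for d in decisions if d != "NotApplicable"), "NotApplicable")
    order = ["Permit", "Indeterminate", "Deny"] if alg == "permit-overrides" else ["Deny", "Indeterminate", "Permit"]
    return next((d for d in order if d in decisions), "NotApplicable")

def decide(policy_xml, ctx, with_deny_rule=True):
    policy = ET.fromstring(policy_xml)
    if not with_deny_rule:  # mimic the earlier policy in the thread, which had no catch-all Deny rule
        for rule in policy.findall(NS + "Rule"):
            if rule.get("Effect") == "Deny":
                policy.remove(rule)
    return evaluate_policy(policy, ctx)

# The request as the ESB debug log shows it: resource-id carries the real host and a trailing "/POST".
LOGGED = request(["admin"], "http://abimaran:8280/services/echo//POST", "POST")
if __name__ == "__main__":
    print(decide(POLICY_XML, LOGGED, with_deny_rule=False), decide(POLICY_XML, LOGGED))  # NotApplicable Deny
```

Run as a script it prints NotApplicable and then Deny. The literal http://localhost:8280/services/echo/ is not in the resource-id bag the mediator actually sent (http://abimaran:8280/services/echo//POST: a different host, with the action appended to the path), so string-is-in is false, the Permit rule's condition is false and the rule is NotApplicable; with no other rule, the whole policy is NotApplicable, which is what the log shows. With the catch-all Deny rule present the same request is explicitly denied, and a request for resource http://localhost:8280/services/echo/, action read and a role bag containing admin is permitted. The mediator already treats NotApplicable as unauthorized, but an explicit Deny makes the decision unambiguous in the PDP logs and for any other PEP that consumes the same policy.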