Hi Abimaran,

Can you attach the Entitlement Mediator config as well?

Regards,
Omindu.

On Sat, Jun 20, 2015 at 11:29 AM, Thanuja Jayasinghe <[email protected]> wrote:
> Hi Abimaran,
>
> Please try the following XACML policy:
>
> <Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
>         PolicyId="XACMLSimplePolicy"
>         RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides"
>         Version="1.0">
>   <Target></Target>
>   <Rule Effect="Permit" RuleId="permit_rule">
>     <Condition>
>       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
>         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
>           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/echo/</AttributeValue>
>           <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
>                                Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
>                                DataType="http://www.w3.org/2001/XMLSchema#string"
>                                MustBePresent="true"></AttributeDesignator>
>         </Apply>
>         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
>           <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
>           </Apply>
>           <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
>                                Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
>                                DataType="http://www.w3.org/2001/XMLSchema#string"
>                                MustBePresent="true"></AttributeDesignator>
>         </Apply>
>         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
>           <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
>           </Apply>
>           <AttributeDesignator AttributeId="http://wso2.org/claims/role"
>                                Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
>                                DataType="http://www.w3.org/2001/XMLSchema#string"
>                                MustBePresent="true"></AttributeDesignator>
>         </Apply>
>       </Apply>
>     </Condition>
>   </Rule>
>   <Rule Effect="Deny" RuleId="denyRule"></Rule>
> </Policy>
>
> Note: you need to have a Deny rule in your condition, and try to use
> "urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of" when
> comparing roles. Then we can add additional roles later.
>
> Thanks,
> Thanuja
>
> On Sat, Jun 20, 2015 at 11:07 AM, Abimaran Kugathasan <[email protected]> wrote:
>> I defined the below policy:
>>
>> <Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
>>         PolicyId="SimplePolicy"
>>         RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
>>         Version="1.0">
>>   <Target/>
>>   <Rule Effect="Permit" RuleId="primary-group-customer-rule">
>>     <Condition>
>>       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
>>         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
>>           <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
>>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/echo/</AttributeValue>
>>             <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
>>                                  Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
>>                                  DataType="http://www.w3.org/2001/XMLSchema#string"
>>                                  MustBePresent="true"/>
>>           </Apply>
>>           <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
>>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
>>             <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
>>                                  Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
>>                                  DataType="http://www.w3.org/2001/XMLSchema#string"
>>                                  MustBePresent="true"/>
>>           </Apply>
>>         </Apply>
>>         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
>>           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
>>           <AttributeDesignator AttributeId="http://wso2.org/claims/role"
>>                                Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
>>                                DataType="http://www.w3.org/2001/XMLSchema#string"
>>                                MustBePresent="true"/>
>>         </Apply>
>>       </Apply>
>>     </Condition>
>>   </Rule>
>> </Policy>
>>
>> And, through the Entitlement Mediator with ESB, when I send the request from
>> a client with resource http://localhost:8280/services/echo/, I saw the
>> following debug logs in the ESB.
>>
>> [2015-06-20 11:03:33,315] DEBUG - EntitlementMediator Mediation for Entitlement started
>> [2015-06-20 11:03:33,315] DEBUG - EntitlementCallbackHandler Service name http://abimaran:8280/services/echo/
>> [2015-06-20 11:03:33,315] DEBUG - EntitlementMediator Subject ID is : admin Resource ID is : http://abimaran:8280/services/echo//POST Action ID is : POST.
>> [2015-06-20 11:03:33,358] DEBUG - EntitlementMediator Entitlement Decision is : NotApplicable
>> [2015-06-20 11:03:33,358] DEBUG - EntitlementMediator User is not authorized to perform the action
>>
>> Can anyone please advise me why the XACML engine returns NotApplicable? And why
>> is the Resource ID http://abimaran:8280/services/echo//POST?
>>
>> On Sat, Jun 20, 2015 at 10:54 AM, Abimaran Kugathasan <[email protected]> wrote:
>>> [+Thanuja]
>>>
>>> On Sat, Jun 20, 2015 at 10:02 AM, Abimaran Kugathasan <[email protected]> wrote:
>>>> Applied SP1 for a fresh IS and tested, still the same error.
>>>>
>>>> On Sat, Jun 20, 2015 at 9:46 AM, Abimaran Kugathasan <[email protected]> wrote:
>>>>> On Sat, Jun 20, 2015 at 9:04 AM, Abimaran Kugathasan <[email protected]> wrote:
>>>>>> Hi Harsha,
>>>>>>
>>>>>> Please find the policy.
>>>>>>
>>>>>> <Policy PolicyId="urn:oasis:names:tc:xacml:3.0:example:SimplePolicy"
>>>>>>         RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
>>>>>>         xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
>>>>>>   <Description>Sample XACML Authorization Policy.</Description>
>>>>>>   <Target/>
>>>>>>   <Rule RuleId="urn:oasis:names:tc:xacml:3.0:example:SimpleRule1" Effect="Permit">
>>>>>>     <Description>Sample XACML Authorization Policy.</Description>
>>>>>>     <Target>
>>>>>>       <AnyOf>
>>>>>>         <AllOf>
>>>>>>           <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
>>>>>>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/echo/</AttributeValue>
>>>>>>             <AttributeDesignator MustBePresent="false"
>>>>>>                                  Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
>>>>>>                                  AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
>>>>>>                                  DataType="http://www.w3.org/2001/XMLSchema#string"/>
>>>>>>           </Match>
>>>>>>         </AllOf>
>>>>>>       </AnyOf>
>>>>>>     </Target>
>>>>>>   </Rule>
>>>>>> </Policy>
>>>>>>
>>>>>> No, I haven't installed any patches or SPs.
>>>>>>
>>>>>> On Sat, Jun 20, 2015 at 9:00 AM, Harsha Thirimanna <[email protected]> wrote:
>>>>>>> We don't need to specify the XACML version, because it is already
>>>>>>> available in the policy as a namespace.
>>>>>>> Can you attach the policy file?
>>>>>>> Did you try this with IS SP1?
>>>>>>>
>>>>>>> On Jun 20, 2015 8:48 AM, "Abimaran Kugathasan" <[email protected]> wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> When I tried the sample policy given in [1], I got the following
>>>>>>>> error in the UI.
>>>>>>>>
>>>>>>>>> Entitlement policy is not updated. Error is :Invalid Entitlement
>>>>>>>>> Policy. Policy is not valid according to XACML schema
>>>>>>>>
>>>>>>>> I'm getting the same for sample [2].
>>>>>>>>
>>>>>>>> IS 5.0.0 supports both the XACML 2.0 and 3.0 specifications. Do I have
>>>>>>>> to set which version should be supported in a configuration file?
>>>>>>>>
>>>>>>>> [1] : https://docs.wso2.com/display/IS500/Writing+XACML+3+Policies+in+WSO2+Identity+Server+-+1
>>>>>>>> [2] : https://docs.wso2.com/display/IS500/Writing+XACML+policies+in+WSO2+Identity+Server+-+1
>>>>>>>>
>>>>>>>> --
>>>>>>>> Thanks
>>>>>>>> Abimaran Kugathasan
>>>>>>>>
>>>>>>>> Software Engineer | WSO2 Inc
>>>>>>>> Data & APIs Technologies Team
>>>>>>>> Mobile : +94 773922820
>>>>>>>>
>>>>>>>> <http://stackoverflow.com/users/515034>
>>>>>>>> <http://lk.linkedin.com/in/abimaran>
>>>>>>>> <http://www.lkabimaran.blogspot.com/>
>>>>>>>> <https://github.com/abimarank> <https://twitter.com/abimaran>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Dev mailing list
>>>>>>>> [email protected]
>>>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
> --
> *Thanuja Lakmal*
> Senior Software Engineer
> WSO2 Inc. http://wso2.com/
> *lean.enterprise.middleware*
> Mobile: +94715979891 +94758009992

--
Omindu Rathnaweera
Software Engineer, WSO2 Inc.
Mobile: +94 771 197 211
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
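The thread asks why the PDP answered NotApplicable and why a Deny rule plus string-at-least-one-member-of is recommended. As an added illustration (not code from the thread, and not WSO2's Balana PDP), the Python model below evaluates the two condition-based policies posted above against the request the Entitlement Mediator logged. It implements only what the posted policies use: string-is-in, string-bag, string-at-least-one-member-of, MustBePresent, and the deny-overrides / permit-overrides rule-combining algorithms, with the Indeterminate sub-types collapsed into one value and no Obligations or Advice. The resource-id and action values come from the DEBUG log; the role values ("admin", "Internal/everyone") are assumed, not taken from the thread, and the model says nothing about why the mediator appended the HTTP verb to the resource-id, which the thread leaves open.

```python
"""Toy XACML 3.0 rule/policy evaluator for the policies in this thread.
Added illustration only: not WSO2's Balana PDP, no Obligations/Advice, and
the Indeterminate{D,P,DP} sub-types are collapsed into a single value."""
from dataclasses import dataclass
from typing import Callable, Optional

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"

# Category and AttributeId URIs exactly as they appear in the posted policies.
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
ROLE = "http://wso2.org/claims/role"
ECHO = "http://localhost:8280/services/echo/"  # the literal both policies compare against


class MissingAttribute(Exception):
    """An AttributeDesignator with MustBePresent="true" found no value in the request."""


def designator(request: dict, category: str, attribute_id: str, must_be_present: bool = True) -> list:
    """A request is {category: {attribute_id: [values]}}; a designator always yields a bag."""
    bag = request.get(category, {}).get(attribute_id, [])
    if not bag and must_be_present:
        raise MissingAttribute(attribute_id)
    return bag


def string_is_in(value: str, bag: list) -> bool:
    """urn:...:function:string-is-in: exact match of one string against a bag."""
    return value in bag


def string_at_least_one_member_of(bag1: list, bag2: list) -> bool:
    """urn:...:function:string-at-least-one-member-of: any value of bag1 present in bag2."""
    return any(v in bag2 for v in bag1)


@dataclass
class Rule:
    rule_id: str
    effect: str
    condition: Optional[Callable[[dict], bool]] = None  # None: no <Condition>, always applies


def evaluate_rule(rule: Rule, request: dict) -> str:
    """Every rule in the thread has an empty <Target/>, so only the Condition decides."""
    try:
        if rule.condition is None or rule.condition(request):
            return rule.effect
        return NOT_APPLICABLE
    except MissingAttribute:
        return INDETERMINATE


def deny_overrides(decisions: list) -> str:
    for d in (DENY, INDETERMINATE, PERMIT):
        if d in decisions:
            return d
    return NOT_APPLICABLE


def permit_overrides(decisions: list) -> str:
    for d in (PERMIT, INDETERMINATE, DENY):
        if d in decisions:
            return d
    return NOT_APPLICABLE


def decide(policy: tuple, request: dict) -> str:
    """policy = (rules, rule-combining algorithm); the Policy <Target/> is empty, so it always applies."""
    rules, combine = policy
    return combine([evaluate_rule(r, request) for r in rules])


def condition_is_in(req: dict) -> bool:
    """Abimaran's rule: string-is-in for resource, action and a single role literal."""
    return (string_is_in(ECHO, designator(req, RESOURCE, RESOURCE_ID))
            and string_is_in("read", designator(req, ACTION, ACTION_ID))
            and string_is_in("admin", designator(req, SUBJECT, ROLE)))


def condition_member_of(req: dict) -> bool:
    """Thanuja's rule: string-bag + at-least-one-member-of, so more roles can be added to the bag."""
    return (string_is_in(ECHO, designator(req, RESOURCE, RESOURCE_ID))
            and string_at_least_one_member_of(["read"], designator(req, ACTION, ACTION_ID))
            and string_at_least_one_member_of(["admin"], designator(req, SUBJECT, ROLE)))


# Permit rule only with deny-overrides: a false condition leaves nothing to combine.
ABIMARAN_POLICY = ([Rule("primary-group-customer-rule", PERMIT, condition_is_in)], deny_overrides)
# Permit rule plus unconditional Deny rule with permit-overrides: Permit if matched, else Deny.
THANUJA_POLICY = ([Rule("permit_rule", PERMIT, condition_member_of), Rule("denyRule", DENY)], permit_overrides)


def make_request(resource_id: str, action_id: str, roles: list) -> dict:
    return {RESOURCE: {RESOURCE_ID: [resource_id]}, ACTION: {ACTION_ID: [action_id]}, SUBJECT: {ROLE: list(roles)}}


# Resource-id and action copied from the DEBUG log above (host "abimaran", doubled slash,
# HTTP verb appended, action POST); the role bag is constructed for the example.
LOGGED_REQUEST = make_request("http://abimaran:8280/services/echo//POST", "POST", ["admin", "Internal/everyone"])
# The request the policy literals actually expect.
MATCHING_REQUEST = make_request(ECHO, "read", ["admin", "Internal/everyone"])

if __name__ == "__main__":
    for name, policy in (("permit-only, deny-overrides", ABIMARAN_POLICY),
                         ("permit+deny, permit-overrides", THANUJA_POLICY)):
        print(f"{name}: logged -> {decide(policy, LOGGED_REQUEST)}, matching -> {decide(policy, MATCHING_REQUEST)}")
```

Run as a script, the model reproduces the logged outcome: the permit-only policy yields NotApplicable for the logged request because string-is-in is an exact comparison and neither the resource-id (different host, doubled slash, verb suffix) nor the action (POST, not read) equals the literal, so no rule applies. The same request against the policy with the unconditional Deny rule yields Deny, which is the explicit answer the mediator can act on instead of relying on NotApplicable being treated as "not authorized". A request whose role attribute is absent yields Indeterminate under both policies because the designators are MustBePresent="true".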
