Ping!

On Sat, Jun 20, 2015 at 12:20 PM, Abimaran Kugathasan <[email protected]>
wrote:

>
>
> On Sat, Jun 20, 2015 at 11:51 AM, Abimaran Kugathasan <[email protected]>
> wrote:
>
>> Hi Omindu,
>>
>> Please find it below.
>>
>> <sequence xmlns="http://ws.apache.org/ns/synapse" name="EntitlementInSequence">
>>    <property name="xacml_use_rest" value="true" scope="axis2" type="STRING"></property>
>>    <entitlementService remoteServiceUrl="https://localhost:9444/services/"
>>                        remoteServiceUserName="admin"
>>                        remoteServicePassword="enc:kuv2MubUUveMyv6GeHrXr9il59ajJIqUI4eoYHcgGKf/BBFOWn96NTjJQI+wYbWjKW6r79S7L7ZzgYeWx7DlGbff5X3pBN2Gh9yV0BHP1E93QtFqR7uTWi141Tr7V7ZwScwNqJbiNoV+vyLbsqKJE7T3nP8Ih9Y6omygbcLcHzg="
>>                        callbackClass="org.wso2.carbon.identity.entitlement.mediator.callback.UTEntitlementCallbackHandler"
>>                        client="basicAuth">
>>       <onReject>
>>          <makefault version="soap12">
>>             <code xmlns:soap12Env="http://www.w3.org/2003/05/soap-envelope" value="soap12Env:Receiver"></code>
>>             <reason value="UNAUTHORIZED"></reason>
>>             <node></node>
>>             <role></role>
>>             <detail>XACML Authorization Failed</detail>
>>          </makefault>
>>          <property name="RESPONSE" value="true"></property>
>>          <header name="To" action="remove"></header>
>>          <send></send>
>>       </onReject>
>>       <onAccept>
>>          <send>
>>             <endpoint>
>>                <address uri="http://localhost:8281/services/echo"></address>
>>             </endpoint>
>>          </send>
>>       </onAccept>
>>       <advice></advice>
>>       <obligations></obligations>
>>    </entitlementService>
>>    <header xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" name="wsse:Security" scope="default" value=""></header>
>>    <send></send>
>> </sequence>
>>
>>
>> I need urgent help with this.
>>
>> On Sat, Jun 20, 2015 at 11:47 AM, Omindu Rathnaweera <[email protected]>
>> wrote:
>>
>>> Hi Abimaran,
>>>
>>> Can you attach the Entitlement Mediator config as well?
>>>
>>> Regards,
>>> Omindu.
>>>
>>> On Sat, Jun 20, 2015 at 11:29 AM, Thanuja Jayasinghe <[email protected]>
>>> wrote:
>>>
>>>> Hi Abimaran,
>>>>
>>>> Please try the following XACML policy:
>>>>
>>>> <Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
>>>>         PolicyId="XACMLSimplePolicy"
>>>>         RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides"
>>>>         Version="1.0">
>>>>    <Target></Target>
>>>>    <Rule Effect="Permit" RuleId="permit_rule">
>>>>       <Condition>
>>>>          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
>>>>             <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
>>>>                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/echo/</AttributeValue>
>>>>                <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
>>>>                                     Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
>>>>                                     DataType="http://www.w3.org/2001/XMLSchema#string"
>>>>                                     MustBePresent="true"></AttributeDesignator>
>>>>             </Apply>
>>>>             <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
>>>>                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
>>>>                   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
>>>>                </Apply>
>>>>                <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
>>>>                                     Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
>>>>                                     DataType="http://www.w3.org/2001/XMLSchema#string"
>>>>                                     MustBePresent="true"></AttributeDesignator>
>>>>             </Apply>
>>>>             <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
>>>>                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
>>>>                   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
>>>>                </Apply>
>>>>                <AttributeDesignator AttributeId="http://wso2.org/claims/role"
>>>>                                     Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
>>>>                                     DataType="http://www.w3.org/2001/XMLSchema#string"
>>>>                                     MustBePresent="true"></AttributeDesignator>
>>>>             </Apply>
>>>>          </Apply>
>>>>       </Condition>
>>>>    </Rule>
>>>>    <Rule Effect="Deny" RuleId="denyRule"></Rule>
>>>> </Policy>
>>>>
>>>> Note: you need to have a Deny rule in your policy, and try to use
>>>> "urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of" when
>>>> comparing roles. Then we can add additional roles later.
>>>>
>>>> Thanks,
>>>> Thanuja
>>>>
>>>> On Sat, Jun 20, 2015 at 11:07 AM, Abimaran Kugathasan <
>>>> [email protected]> wrote:
>>>>
>>>>> I defined the policy below:
>>>>>
>>>>> <Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
>>>>>         PolicyId="SimplePolicy"
>>>>>         RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
>>>>>         Version="1.0">
>>>>>    <Target/>
>>>>>    <Rule Effect="Permit" RuleId="primary-group-customer-rule">
>>>>>       <Condition>
>>>>>          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
>>>>>             <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
>>>>>                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
>>>>>                   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/echo/</AttributeValue>
>>>>>                   <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
>>>>>                                        Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
>>>>>                                        DataType="http://www.w3.org/2001/XMLSchema#string"
>>>>>                                        MustBePresent="true"/>
>>>>>                </Apply>
>>>>>                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
>>>>>                   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
>>>>>                   <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
>>>>>                                        Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
>>>>>                                        DataType="http://www.w3.org/2001/XMLSchema#string"
>>>>>                                        MustBePresent="true"/>
>>>>>                </Apply>
>>>>>             </Apply>
>>>>>             <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
>>>>>                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
>>>>>                <AttributeDesignator AttributeId="http://wso2.org/claims/role"
>>>>>                                     Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
>>>>>                                     DataType="http://www.w3.org/2001/XMLSchema#string"
>>>>>                                     MustBePresent="true"/>
>>>>>             </Apply>
>>>>>          </Apply>
>>>>>       </Condition>
>>>>>    </Rule>
>>>>> </Policy>
>>>>>
>>>>>
>>>>>
>>>>> And, through the Entitlement Mediator in the ESB, when I send the request
>>>>> from a client with resource http://localhost:8280/services/echo/, I
>>>>> saw the following debug logs in the ESB.
>>>>>
>>>>>
>>>>> [2015-06-20 11:03:33,315] DEBUG - EntitlementMediator Mediation for Entitlement started
>>>>> [2015-06-20 11:03:33,315] DEBUG - EntitlementCallbackHandler Service name http://abimaran:8280/services/echo/
>>>>> [2015-06-20 11:03:33,315] DEBUG - EntitlementMediator Subject ID is : admin Resource ID is : http://abimaran:8280/services/echo//POST Action ID is : POST.
>>>>> [2015-06-20 11:03:33,358] DEBUG - EntitlementMediator Entitlement Decision is : NotApplicable
>>>>> [2015-06-20 11:03:33,358] DEBUG - EntitlementMediator User is not authorized to perform the action
>>>>>
>>>>> Can anyone please advise me why the XACML engine returns NotApplicable? And why
>>>>> the Resource ID is http://abimaran:8280/services/echo//POST?
>>>>>
>>>>>
>>>>> On Sat, Jun 20, 2015 at 10:54 AM, Abimaran Kugathasan <
>>>>> [email protected]> wrote:
>>>>>
>>>>>> [+Thanuja]
>>>>>>
>>>>>> On Sat, Jun 20, 2015 at 10:02 AM, Abimaran Kugathasan <
>>>>>> [email protected]> wrote:
>>>>>>
>>>>>>> Applied SP1 to a fresh IS and tested, still the same error.
>>>>>>>
>>>>>>> On Sat, Jun 20, 2015 at 9:46 AM, Abimaran Kugathasan <
>>>>>>> [email protected]> wrote:
>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Sat, Jun 20, 2015 at 9:04 AM, Abimaran Kugathasan <
>>>>>>>> [email protected]> wrote:
>>>>>>>>
>>>>>>>>> Hi Harsha,
>>>>>>>>>
>>>>>>>>> Please find the policy.
>>>>>>>>>
>>>>>>>>> <Policy PolicyId="urn:oasis:names:tc:xacml:3.0:example:SimplePolicy"
>>>>>>>>>         RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
>>>>>>>>>         xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
>>>>>>>>>     <Description>Sample XACML Authorization Policy.</Description>
>>>>>>>>>     <Target/>
>>>>>>>>>     <Rule RuleId="urn:oasis:names:tc:xacml:3.0:example:SimpleRule1"
>>>>>>>>>           Effect="Permit">
>>>>>>>>>         <Description>
>>>>>>>>>             Sample XACML Authorization Policy.
>>>>>>>>>         </Description>
>>>>>>>>>         <Target>
>>>>>>>>>             <AnyOf>
>>>>>>>>>                 <AllOf>
>>>>>>>>>                     <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
>>>>>>>>>                         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/echo/</AttributeValue>
>>>>>>>>>                         <AttributeDesignator MustBePresent="false"
>>>>>>>>>                                              Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
>>>>>>>>>                                              AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
>>>>>>>>>                                              DataType="http://www.w3.org/2001/XMLSchema#string"/>
>>>>>>>>>                     </Match>
>>>>>>>>>                 </AllOf>
>>>>>>>>>             </AnyOf>
>>>>>>>>>         </Target>
>>>>>>>>>     </Rule>
>>>>>>>>> </Policy>
>>>>>>>>>
>>>>>>>>> No, I haven't installed any patches or SPs.
>>>>>>>>>
>>>>>>>>> On Sat, Jun 20, 2015 at 9:00 AM, Harsha Thirimanna <
>>>>>>>>> [email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> We don't need to specify the XACML version, because it is
>>>>>>>>>> already available in the policy as a namespace.
>>>>>>>>>> Can you attach the policy file?
>>>>>>>>>> Did you try this with IS SP1?
>>>>>>>>>> On Jun 20, 2015 8:48 AM, "Abimaran Kugathasan" <[email protected]>
>>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi,
>>>>>>>>>>>
>>>>>>>>>>> When I tried the sample policy given in [1], I got the
>>>>>>>>>>> following error in the UI.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>> Entitlement policy is not updated. Error is :Invalid Entitlement
>>>>>>>>>>>> Policy. Policy is not valid according to XACML schema
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> I'm getting the same for the sample [2].
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> IS 5.0.0 supports both the XACML 2.0 and 3.0 specifications. Do I
>>>>>>>>>>> have to set which version should be supported in a configuration file?
>>>>>>>>>>>
>>>>>>>>>>> [1] :
>>>>>>>>>>> https://docs.wso2.com/display/IS500/Writing+XACML+3+Policies+in+WSO2+Identity+Server+-+1
>>>>>>>>>>> [2] :
>>>>>>>>>>> https://docs.wso2.com/display/IS500/Writing+XACML+policies+in+WSO2+Identity+Server+-+1
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Thanks
>>>>>>>>>>> Abimaran Kugathasan
>>>>>>>>>>>
>>>>>>>>>>> Software Engineer | WSO2 Inc
>>>>>>>>>>> Data & APIs Technologies Team
>>>>>>>>>>> Mobile : +94 773922820
>>>>>>>>>>>
>>>>>>>>>>> <http://stackoverflow.com/users/515034>
>>>>>>>>>>> <http://lk.linkedin.com/in/abimaran>
>>>>>>>>>>> <http://www.lkabimaran.blogspot.com/>
>>>>>>>>>>> <https://github.com/abimarank>  <https://twitter.com/abimaran>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> Dev mailing list
>>>>>>>>>>> [email protected]
>>>>>>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> *Thanuja Lakmal*
>>>> Senior Software Engineer
>>>> WSO2 Inc. http://wso2.com/
>>>> *lean.enterprise.middleware*
>>>> Mobile: +94715979891 +94758009992
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Omindu Rathnaweera
>>> Software Engineer, WSO2 Inc.
>>> Mobile: +94 771 197 211
>>>
>>
>>
>>
>
>


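As an added example that is not part of the thread or of WSO2's code, here is a toy evaluator for the Condition shape used in the policies above. It assumes the request attributes have already been resolved into bags and omits Target matching, DataType checks and obligations; it shows why a Permit-only policy returns NotApplicable for the request seen in the debug log, why the trailing Deny rule turns that into Deny, and why MustBePresent="true" on a missing attribute yields Indeterminate rather than a denial.

```python
# Added example, not WSO2 code: toy evaluator for the XACML 3.0 Condition shape in this
# thread. Target matching, DataType checks and obligations are omitted; the policy text is
# a constructed condensation of Thanuja's policy, with the fallback Deny rule switchable.
import xml.etree.ElementTree as ET
XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
F = "urn:oasis:names:tc:xacml:1.0:function:"
RES = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACT, ROLE = "urn:oasis:names:tc:xacml:1.0:action:action-id", "http://wso2.org/claims/role"
FUNCS = {F + "and": lambda *a: all(a), F + "string-bag": lambda *a: set(a),
         F + "string-is-in": lambda s, bag: s in bag,
         F + "string-at-least-one-member-of": lambda b1, b2: bool(b1 & b2)}

def policy(deny_rule):
    deny = '<Rule Effect="Deny" RuleId="denyRule"/>' if deny_rule else ""
    return f'''<Policy xmlns="{XACML}" PolicyId="p" Version="1.0"
 RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides">
 <Rule Effect="Permit" RuleId="permit_rule"><Condition><Apply FunctionId="{F}and">
  <Apply FunctionId="{F}string-is-in"><AttributeValue>http://localhost:8280/services/echo/</AttributeValue>
   <AttributeDesignator AttributeId="{RES}" MustBePresent="true"/></Apply>
  <Apply FunctionId="{F}string-at-least-one-member-of">
   <Apply FunctionId="{F}string-bag"><AttributeValue>read</AttributeValue></Apply>
   <AttributeDesignator AttributeId="{ACT}" MustBePresent="true"/></Apply>
  <Apply FunctionId="{F}string-at-least-one-member-of">
   <Apply FunctionId="{F}string-bag"><AttributeValue>admin</AttributeValue></Apply>
   <AttributeDesignator AttributeId="{ROLE}" MustBePresent="true"/></Apply>
 </Apply></Condition></Rule>{deny}</Policy>'''

def evaluate(node, request):
    """Walk an Apply tree; request maps AttributeId -> set of strings (the PIP bag)."""
    tag = node.tag.split("}")[1]
    if tag == "AttributeValue":
        return node.text.strip()
    if tag == "AttributeDesignator":
        bag = request.get(node.get("AttributeId"), set())
        if not bag and node.get("MustBePresent") == "true":
            raise LookupError(node.get("AttributeId"))  # XACML: Indeterminate, not Deny
        return bag
    return FUNCS[node.get("FunctionId")](*[evaluate(c, request) for c in node])

def decide(policy_xml, request):
    """Rules have no Target, so each applies iff its Condition holds (no Condition: always); permit-overrides, simplified."""
    effects = []
    for rule in ET.fromstring(policy_xml).iter(f"{{{XACML}}}Rule"):
        cond = rule.find(f"{{{XACML}}}Condition")
        try:
            if cond is None or evaluate(cond[0], request):
                effects.append(rule.get("Effect"))
        except LookupError:
            return "Indeterminate"
    return "Permit" if "Permit" in effects else (effects[0] if effects else "NotApplicable")
```

The first request below is the one the ESB log shows (resource with the trailing //POST and action POST), which matches neither the resource-id nor the action value in the policy.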