Hi Asela,

Please find my attached XACML policy and the sample proxy configuration
below. When I tested this policy through 'TryIt' with Resource:
http://abimaran:8280/services/echo/, Subject Name: admin, Action Name:
read, it was evaluated to Permit.

But when I tried with a Java client through the ESB, the request was Denied.
Please find the EntitlementMediator logs below.

[2015-06-21 12:54:50,210] DEBUG - EntitlementMediator Mediation for Entitlement started
[2015-06-21 12:54:50,210] DEBUG - EntitlementCallbackHandler Service name http://abimaran:8280/services/echo/
[2015-06-21 12:54:50,210] DEBUG - EntitlementMediator Subject ID is : admin Resource ID is : http://abimaran:8280/services/echo//echoString Action ID is : read.
[2015-06-21 12:54:50,228] DEBUG - EntitlementMediator Entitlement Decision is : Deny
[2015-06-21 12:54:50,228] DEBUG - EntitlementMediator User is not authorized to perform the action



Can you please let me know what I'm missing there?



On Sun, Jun 21, 2015 at 11:08 AM, Asela Pathberiya <[email protected]> wrote:

>
>
> On Sat, Jun 20, 2015 at 11:07 AM, Abimaran Kugathasan <[email protected]>
> wrote:
>
>> I defined the below policy,
>>
>> <Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
>>         PolicyId="SimplePolicy"
>>         RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
>>         Version="1.0">
>>    <Target/>
>>    <Rule Effect="Permit" RuleId="primary-group-customer-rule">
>>       <Condition>
>>          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
>>             <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
>>                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
>>                   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/echo/</AttributeValue>
>>                   <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
>>                                        Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
>>                                        DataType="http://www.w3.org/2001/XMLSchema#string"
>>                                        MustBePresent="true"/>
>>                </Apply>
>>                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
>>                   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
>>                   <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
>>                                        Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
>>                                        DataType="http://www.w3.org/2001/XMLSchema#string"
>>                                        MustBePresent="true"/>
>>                </Apply>
>>             </Apply>
>>             <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
>>                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
>>                <AttributeDesignator AttributeId="http://wso2.org/claims/role"
>>                                     Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
>>                                     DataType="http://www.w3.org/2001/XMLSchema#string"
>>                                     MustBePresent="true"/>
>>             </Apply>
>>          </Apply>
>>       </Condition>
>>    </Rule>
>> </Policy>
>>
>>
>>
>> And, through the Entitlement Mediator with ESB, when I send the request from
>> a client with resource http://localhost:8280/services/echo/, I saw the
>> following debug logs in the ESB.
>>
>>
>> [2015-06-20 11:03:33,315] DEBUG - EntitlementMediator Mediation for
>> Entitlement started
>> [2015-06-20 11:03:33,315] DEBUG - EntitlementCallbackHandler Service name
>> http://abimaran:8280/services/echo/
>> [2015-06-20 11:03:33,315] DEBUG - EntitlementMediator Subject ID is :
>> admin Resource ID is : http://abimaran:8280/services/echo//POST Action
>> ID is : POST.
>> [2015-06-20 11:03:33,358] DEBUG - EntitlementMediator Entitlement
>> Decision is : NotApplicable
>> [2015-06-20 11:03:33,358] DEBUG - EntitlementMediator User is not
>> authorized to perform the action
>>
>> Can anyone please advise me why the XACML engine returns NotApplicable? And
>> why the Resource ID is http://abimaran:8280/services/echo//POST?
>>
>
>
> A PDP usually returns a NotApplicable result when there is no policy, or no
> matching policy, in the PDP. The above policy is evaluated to NotApplicable
> as there are no matching rules for the given request.
>
> Resource/User/Action are extracted by the entitlement mediator using the
> callback handler [1]. It seems that "EntitlementMediator" has some logic to
> append the action to the resource name. So, we can change the policy and
> see..
>
> [1]
> http://svn.wso2.org/repos/wso2/carbon/platform/branches/turing/components/identity/org.wso2.carbon.identity.entitlement.mediator/4.2.2/src/main/java/org/wso2/carbon/identity/entitlement/mediator/callback/EntitlementCallbackHandler.java
>
> Thanks,
> Asela.
>
>
>>
>> On Sat, Jun 20, 2015 at 10:54 AM, Abimaran Kugathasan <[email protected]>
>> wrote:
>>
>>> [+Thanuja]
>>>
>>> On Sat, Jun 20, 2015 at 10:02 AM, Abimaran Kugathasan <[email protected]
>>> > wrote:
>>>
>>>> Applied SP1 to a fresh IS and tested, still the same error.
>>>>
>>>> On Sat, Jun 20, 2015 at 9:46 AM, Abimaran Kugathasan <[email protected]
>>>> > wrote:
>>>>
>>>>>
>>>>>
>>>>> On Sat, Jun 20, 2015 at 9:04 AM, Abimaran Kugathasan <
>>>>> [email protected]> wrote:
>>>>>
>>>>>> Hi Harsha,
>>>>>>
>>>>>> Please find the policy.
>>>>>>
>>>>>> <Policy PolicyId=" urn:oasis:names:tc:xacml:3.0:example:SimplePolicy"
>>>>>>         RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
>>>>>>         xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
>>>>>>     <Description>Sample XACML Authorization Policy.</Description>
>>>>>>     <Target/>
>>>>>>     <Rule RuleId="urn:oasis:names:tc:xacml:3.0:example:SimpleRule1"
>>>>>>           Effect="Permit">
>>>>>>         <Description>
>>>>>>             Sample XACML Authorization Policy.
>>>>>>         </Description>
>>>>>>         <Target>
>>>>>>             <AnyOf>
>>>>>>                 <AllOf>
>>>>>>                     <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
>>>>>>                         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/echo/</AttributeValue>
>>>>>>                         <AttributeDesignator MustBePresent="false"
>>>>>>                                              Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
>>>>>>                                              AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
>>>>>>                                              DataType="http://www.w3.org/2001/XMLSchema#string"/>
>>>>>>                     </Match>
>>>>>>                 </AllOf>
>>>>>>             </AnyOf>
>>>>>>         </Target>
>>>>>>     </Rule>
>>>>>> </Policy>
>>>>>>
>>>>>> No, I haven't installed any patches or SPs.
>>>>>>
>>>>>> On Sat, Jun 20, 2015 at 9:00 AM, Harsha Thirimanna <[email protected]>
>>>>>> wrote:
>>>>>>
>>>>>>> We don't need to specify the XACML version, because it is already
>>>>>>> available in the policy as a namespace.
>>>>>>> Can you attach the policy file?
>>>>>>> Did you try this with IS SP1?
>>>>>>> On Jun 20, 2015 8:48 AM, "Abimaran Kugathasan" <[email protected]>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> When I tried the sample policy given in [1], I got the following
>>>>>>>> error in the UI.
>>>>>>>>
>>>>>>>>
>>>>>>>> Entitlement policy is not updated. Error is :Invalid Entitlement
>>>>>>>>> Policy. Policy is not valid according to XACML schema
>>>>>>>>
>>>>>>>>
>>>>>>>> I'm getting the same for sample [2].
>>>>>>>>
>>>>>>>>
>>>>>>>> IS 5.0.0 supports both the XACML 2.0 and 3.0 specifications. Do I have
>>>>>>>> to set which version should be supported in a configuration file?
>>>>>>>>
>>>>>>>> [1] :
>>>>>>>> https://docs.wso2.com/display/IS500/Writing+XACML+3+Policies+in+WSO2+Identity+Server+-+1
>>>>>>>> [2] :
>>>>>>>> https://docs.wso2.com/display/IS500/Writing+XACML+policies+in+WSO2+Identity+Server+-+1
>>>>>>>>
>>>>>>>> --
>>>>>>>> Thanks
>>>>>>>> Abimaran Kugathasan
>>>>>>>>
>>>>>>>> Software Engineer | WSO2 Inc
>>>>>>>> Data & APIs Technologies Team
>>>>>>>> Mobile : +94 773922820
>>>>>>>>
>>>>>>>> <http://stackoverflow.com/users/515034>
>>>>>>>> <http://lk.linkedin.com/in/abimaran>
>>>>>>>> <http://www.lkabimaran.blogspot.com/>
>>>>>>>> <https://github.com/abimarank>  <https://twitter.com/abimaran>
>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Dev mailing list
>>>>>>>> [email protected]
>>>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>>>>
>>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>>
>
>
> --
> Thanks & Regards,
> Asela
>
> ATL
> Mobile : +94 777 625 933
>              +358 449 228 979
>
> http://soasecurity.org/
> http://xacmlinfo.org/
>



-- 
Thanks
Abimaran Kugathasan

<?xml version="1.0" encoding="UTF-8"?>
<proxy xmlns="http://ws.apache.org/ns/synapse"
       name="EntitlementServiceProxy"
       transports="https"
       statistics="disable"
       trace="disable"
       startOnLoad="true">
   <target>
      <inSequence>
         <entitlementService remoteServiceUrl="https://localhost:9444/services/"
                             remoteServiceUserName="admin"
                             remoteServicePassword="enc:kuv2MubUUveMyv6GeHrXr9il59ajJIqUI4eoYHcgGKf/BBFOWn96NTjJQI+wYbWjKW6r79S7L7ZzgYeWx7DlGbff5X3pBN2Gh9yV0BHP1E93QtFqR7uTWi141Tr7V7ZwScwNqJbiNoV+vyLbsqKJE7T3nP8Ih9Y6omygbcLcHzg="
                             callbackClass="org.wso2.carbon.identity.entitlement.mediator.callback.UTEntitlementCallbackHandler"
                             client="basicAuth">
            <onReject>
               <makefault version="soap12">
                  <code xmlns:soap12Env="http://www.w3.org/2003/05/soap-envelope"
                        value="soap12Env:Receiver"/>
                  <reason value="UNAUTHORIZED"/>
                  <node/>
                  <role/>
                  <detail>XACML Authorization Failed</detail>
               </makefault>
               <respond/>
            </onReject>
            <onAccept>
               <send>
                  <endpoint>
                     <address uri="https://localhost:9443/services/echo"/>
                  </endpoint>
               </send>
            </onAccept>
            <obligations/>
            <advice/>
         </entitlementService>
      </inSequence>
      <outSequence>
         <send/>
      </outSequence>
   </target>
   <publishWSDL uri="http://abimaran:8280/services/echo?wsdl"/>
   <parameter name="ScenarioID">scenario1</parameter>
   <enableSec/>
   <policy key="conf:/repository/axis2/service-groups/EntitlementServiceProxy/services/EntitlementServiceProxy/policies/UTOverTransport"/>
   <description/>
</proxy>
                                
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"  PolicyId="XACMLSimplePolicy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides" Version="1.0">
   <Target></Target>
   <Rule Effect="Permit" RuleId="permit_rule">
      <Condition>
         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://abimaran:8280/services/echo/</AttributeValue>
               <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
            </Apply>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
               <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
               </Apply>
               <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
            </Apply>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
               <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
               </Apply>
               <AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
            </Apply>
         </Apply>
      </Condition>
   </Rule>
   <Rule Effect="Deny" RuleId="denyRule"></Rule>
</Policy>
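To make the Permit-versus-Deny behaviour in the logs above concrete, here is an added worked example; it is not code from this thread, from WSO2 or from the Balana PDP. It is a minimal evaluator for just the subset of XACML 3.0 that the attached policy uses (and, string-bag, string-is-in, string-at-least-one-member-of, plus the permit-overrides and deny-overrides rule-combining algorithms), with the attached XACMLSimplePolicy embedded (mail-client ";" artifacts removed). Two constructed request contexts are evaluated against it: one with the resource-id exactly as typed into TryIt, and one with the resource-id as the EntitlementMediator logged it, with the operation name appended to the service URL. The role attribute is assumed to resolve to admin in both cases; the no-deny-rule variant is a constructed stand-in for the earlier deny-overrides policy in the thread.

```python
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML_NS}

# The XACMLSimplePolicy attached above (mail-client artifacts removed).
POLICY_XML = """<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="XACMLSimplePolicy"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides" Version="1.0">
   <Target></Target>
   <Rule Effect="Permit" RuleId="permit_rule">
      <Condition>
         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://abimaran:8280/services/echo/</AttributeValue>
               <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
            </Apply>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
               <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
               </Apply>
               <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
            </Apply>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
               <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
               </Apply>
               <AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
            </Apply>
         </Apply>
      </Condition>
   </Rule>
   <Rule Effect="Deny" RuleId="denyRule"></Rule>
</Policy>"""

# Constructed variant standing in for the earlier deny-overrides policy in the
# thread: one conditional Permit rule and no unconditional Deny rule.
POLICY_NO_DENY_RULE = POLICY_XML.replace(
    "rule-combining-algorithm:permit-overrides", "rule-combining-algorithm:deny-overrides"
).replace('<Rule Effect="Deny" RuleId="denyRule"></Rule>', "")

# Request attributes keyed by (Category, AttributeId), matching the designators above.
RESOURCE = ("urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
            "urn:oasis:names:tc:xacml:1.0:resource:resource-id")
ACTION = ("urn:oasis:names:tc:xacml:3.0:attribute-category:action",
          "urn:oasis:names:tc:xacml:1.0:action:action-id")
ROLE = ("urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
        "http://wso2.org/claims/role")

def tryit_request():
    """Constructed context with the values typed into TryIt. Assumption: the PDP
    resolves the role claim of subject 'admin' to 'admin'."""
    return {RESOURCE: ["http://abimaran:8280/services/echo/"], ACTION: ["read"], ROLE: ["admin"]}

def esb_request():
    """Constructed context with the values the EntitlementMediator logged: the
    operation name is appended to the service URL, so the resource-id differs."""
    return {RESOURCE: ["http://abimaran:8280/services/echo//echoString"], ACTION: ["read"], ROLE: ["admin"]}

def eval_expr(node, request):
    """Evaluate the expression subset the policy uses; bags are Python lists."""
    tag = node.tag.split("}", 1)[-1]
    if tag == "AttributeValue":
        return node.text.strip()
    if tag == "AttributeDesignator":
        key = (node.get("Category"), node.get("AttributeId"))
        values = list(request.get(key, []))
        if not values and node.get("MustBePresent") == "true":
            raise LookupError(f"missing attribute {key}")  # Indeterminate in XACML terms
        return values
    if tag == "Apply":
        fn = node.get("FunctionId").rsplit(":", 1)[1]
        args = [eval_expr(child, request) for child in node]
        if fn == "and":
            return all(args)
        if fn == "string-bag":
            return list(args)
        if fn == "string-is-in":                   # string-is-in(value, bag)
            return args[0] in args[1]
        if fn == "string-at-least-one-member-of":  # (bag, bag): any shared member
            return any(v in args[1] for v in args[0])
    raise NotImplementedError(node.tag)

def eval_rule(rule, request):
    """A rule with no Target and no Condition (like denyRule) always applies."""
    cond = rule.find("x:Condition", NS)
    if cond is not None and not eval_expr(cond[0], request):
        return "NotApplicable"
    return rule.get("Effect")

def evaluate(policy_xml, request):
    """Combine the rule decisions with the policy's RuleCombiningAlgId."""
    policy = ET.fromstring(policy_xml)
    alg = policy.get("RuleCombiningAlgId").rsplit(":", 1)[1]
    if alg not in ("permit-overrides", "deny-overrides"):
        raise NotImplementedError(alg)
    decisions = [eval_rule(rule, request) for rule in policy.findall("x:Rule", NS)]
    order = ("Permit", "Deny") if alg == "permit-overrides" else ("Deny", "Permit")
    for effect in order:
        if effect in decisions:
            return effect
    return "NotApplicable"

if __name__ == "__main__":
    print("TryIt request, attached policy    :", evaluate(POLICY_XML, tryit_request()))
    print("ESB request, attached policy      :", evaluate(POLICY_XML, esb_request()))
    print("ESB request, no-deny-rule variant :", evaluate(POLICY_NO_DENY_RULE, esb_request()))
```

Run as a script, it shows the TryIt request evaluating to Permit, the ESB request failing the string-is-in check on the resource-id and falling through to denyRule (Deny under permit-overrides), and the same ESB request against the no-deny-rule variant giving NotApplicable, which is the situation Asela describes above: no rule matched, so nothing but NotApplicable can come back. Two things follow for whatever policy change you settle on. The resource match has to account for the segment the callback handler appends (the policy's own string-regexp-match in the earlier sample is one function that can do that), and an unconditional Deny rule is what turns "no matching rule" into an explicit Deny instead of a NotApplicable that the mediator then treats as not authorized anyway.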