[+Shafreen]

On Sun, Jun 21, 2015 at 1:03 PM, Abimaran Kugathasan <[email protected]> wrote:

> Hi Asela,
>
> Please find my attached XACML Policy and the sample proxy configuration
> below. When I tested this Policy through 'TryIt', with Resource:
> http://abimaran:8280/services/echo/, Subject Name: admin, Action Name:
> read, it was evaluated to Permit.
>
> But, when I tried with a Java client through ESB, the request was Denied.
> Please find the EntitlementMediator logs below.
>
> [2015-06-21 12:54:50,210] DEBUG - EntitlementMediator Mediation for Entitlement started
> [2015-06-21 12:54:50,210] DEBUG - EntitlementCallbackHandler Service name http://abimaran:8280/services/echo/
> [2015-06-21 12:54:50,210] DEBUG - EntitlementMediator Subject ID is : admin Resource ID is : http://abimaran:8280/services/echo//echoString Action ID is : read.
> [2015-06-21 12:54:50,228] DEBUG - EntitlementMediator Entitlement Decision is : Deny
> [2015-06-21 12:54:50,228] DEBUG - EntitlementMediator User is not authorized to perform the action
>
>
>
> Can you please let me know what I'm missing there?
>
>
>
> On Sun, Jun 21, 2015 at 11:08 AM, Asela Pathberiya <[email protected]> wrote:
>
>>
>>
>> On Sat, Jun 20, 2015 at 11:07 AM, Abimaran Kugathasan <[email protected]> wrote:
>>
>>> I defined the policy below,
>>>
>>> <Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
>>>         PolicyId="SimplePolicy"
>>>         RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
>>>         Version="1.0">
>>>    <Target/>
>>>    <Rule Effect="Permit" RuleId="primary-group-customer-rule">
>>>       <Condition>
>>>          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
>>>             <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
>>>                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
>>>                   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/echo/</AttributeValue>
>>>                   <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
>>>                                        Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
>>>                                        DataType="http://www.w3.org/2001/XMLSchema#string"
>>>                                        MustBePresent="true"/>
>>>                </Apply>
>>>                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
>>>                   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
>>>                   <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
>>>                                        Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
>>>                                        DataType="http://www.w3.org/2001/XMLSchema#string"
>>>                                        MustBePresent="true"/>
>>>                </Apply>
>>>             </Apply>
>>>             <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
>>>                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
>>>                <AttributeDesignator AttributeId="http://wso2.org/claims/role"
>>>                                     Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
>>>                                     DataType="http://www.w3.org/2001/XMLSchema#string"
>>>                                     MustBePresent="true"/>
>>>             </Apply>
>>>          </Apply>
>>>       </Condition>
>>>    </Rule>
>>> </Policy>
>>>
>>>
>>>
>>> And, through the Entitlement Mediator with ESB, when I send the request from
>>> a client with resource http://localhost:8280/services/echo/, I saw the
>>> following debug logs in the ESB.
>>>
>>>
>>> [2015-06-20 11:03:33,315] DEBUG - EntitlementMediator Mediation for Entitlement started
>>> [2015-06-20 11:03:33,315] DEBUG - EntitlementCallbackHandler Service name http://abimaran:8280/services/echo/
>>> [2015-06-20 11:03:33,315] DEBUG - EntitlementMediator Subject ID is : admin Resource ID is : http://abimaran:8280/services/echo//POST Action ID is : POST.
>>> [2015-06-20 11:03:33,358] DEBUG - EntitlementMediator Entitlement Decision is : NotApplicable
>>> [2015-06-20 11:03:33,358] DEBUG - EntitlementMediator User is not authorized to perform the action
>>>
>>> Can anyone please advise me why the XACML engine returns NotApplicable? And why
>>> the Resource ID is http://abimaran:8280/services/echo//POST?
>>>
>>
>>
>> A PDP usually returns a NotApplicable result when there is no policy
>> or no matching policy in the PDP. The above policy is evaluated to
>> NotApplicable as there are no matching rules for the given request.
>>
>> Resource/User/Action are extracted in the entitlement mediator using the
>> callback handler [1]. It seems that "EntitlementMediator" has some
>> logic to append the action to the resource name. So, we can change the
>> policy and see..
>>
>> [1]
>> http://svn.wso2.org/repos/wso2/carbon/platform/branches/turing/components/identity/org.wso2.carbon.identity.entitlement.mediator/4.2.2/src/main/java/org/wso2/carbon/identity/entitlement/mediator/callback/EntitlementCallbackHandler.java
>>
>> Thanks,
>> Asela.
>>
>>
>>>
>>> On Sat, Jun 20, 2015 at 10:54 AM, Abimaran Kugathasan <[email protected]> wrote:
>>>
>>>> [+Thanuja]
>>>>
>>>> On Sat, Jun 20, 2015 at 10:02 AM, Abimaran Kugathasan <[email protected]> wrote:
>>>>
>>>>> Applied SP1 to a fresh IS and tested, still the same error.
>>>>>
>>>>> On Sat, Jun 20, 2015 at 9:46 AM, Abimaran Kugathasan <[email protected]> wrote:
>>>>>
>>>>>>
>>>>>>
>>>>>> On Sat, Jun 20, 2015 at 9:04 AM, Abimaran Kugathasan <[email protected]> wrote:
>>>>>>
>>>>>>> Hi Harsha,
>>>>>>>
>>>>>>> Please find the policy.
>>>>>>>
>>>>>>> <Policy PolicyId="urn:oasis:names:tc:xacml:3.0:example:SimplePolicy"
>>>>>>>         RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
>>>>>>>         xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
>>>>>>>     <Description>Sample XACML Authorization Policy.</Description>
>>>>>>>     <Target/>
>>>>>>>     <Rule RuleId="urn:oasis:names:tc:xacml:3.0:example:SimpleRule1"
>>>>>>>           Effect="Permit">
>>>>>>>         <Description>
>>>>>>>             Sample XACML Authorization Policy.
>>>>>>>         </Description>
>>>>>>>         <Target>
>>>>>>>             <AnyOf>
>>>>>>>                 <AllOf>
>>>>>>>                     <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
>>>>>>>                         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/echo/</AttributeValue>
>>>>>>>                         <AttributeDesignator
>>>>>>>                             MustBePresent="false"
>>>>>>>                             Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
>>>>>>>                             AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
>>>>>>>                             DataType="http://www.w3.org/2001/XMLSchema#string"/>
>>>>>>>                     </Match>
>>>>>>>                 </AllOf>
>>>>>>>             </AnyOf>
>>>>>>>         </Target>
>>>>>>>     </Rule>
>>>>>>> </Policy>
>>>>>>>
>>>>>>> No, I haven't installed any patches or SPs.
>>>>>>>
>>>>>>> On Sat, Jun 20, 2015 at 9:00 AM, Harsha Thirimanna <[email protected]> wrote:
>>>>>>>
>>>>>>>> We don't need to specify the XACML version, because it is already
>>>>>>>> available in the policy as a namespace.
>>>>>>>> Can you attach the policy file?
>>>>>>>> Did you try this with IS SP1?
>>>>>>>> On Jun 20, 2015 8:48 AM, "Abimaran Kugathasan" <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> When I tried the sample policy given in [1], I got the following
>>>>>>>>> error in the UI.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Entitlement policy is not updated. Error is :Invalid Entitlement
>>>>>>>>> Policy. Policy is not valid according to XACML schema
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I'm getting the same for the sample [2].
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> IS 5.0.0 supports both the XACML 2.0 and 3.0 specifications. Do I have
>>>>>>>>> to set which version should be supported in a configuration file?
>>>>>>>>>
>>>>>>>>> [1] :
>>>>>>>>> https://docs.wso2.com/display/IS500/Writing+XACML+3+Policies+in+WSO2+Identity+Server+-+1
>>>>>>>>> [2] :
>>>>>>>>> https://docs.wso2.com/display/IS500/Writing+XACML+policies+in+WSO2+Identity+Server+-+1
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Thanks
>>>>>>>>> Abimaran Kugathasan
>>>>>>>>>
>>>>>>>>> Software Engineer | WSO2 Inc
>>>>>>>>> Data & APIs Technologies Team
>>>>>>>>> Mobile : +94 773922820
>>>>>>>>>
>>>>>>>>> <http://stackoverflow.com/users/515034>
>>>>>>>>> <http://lk.linkedin.com/in/abimaran>
>>>>>>>>> <http://www.lkabimaran.blogspot.com/>
>>>>>>>>> <https://github.com/abimarank>  <https://twitter.com/abimaran>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> Dev mailing list
>>>>>>>>> [email protected]
>>>>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>>>>>
>>>>>>>>>
>>
>>
>> --
>> Thanks & Regards,
>> Asela
>>
>> ATL
>> Mobile : +94 777 625 933
>>              +358 449 228 979
>>
>> http://soasecurity.org/
>> http://xacmlinfo.org/
>>


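The thread turns on the value the mediator hands to the PDP: the DEBUG logs show the resource-id as `<service URL>//<operation>` on the host `abimaran`, while the policy's `string-is-in` Condition expects the exact literal `http://localhost:8280/services/echo/`, so the Permit rule never applies and the mediator treats the result as "not authorized". The Python below is an added example, not code from the thread, from WSO2 or from its PDP. It parses a mediator DEBUG line of the shape quoted above (the line itself is constructed), models the relevant XACML pieces in deliberately simplified form (`string-is-in` as exact bag membership, XACML 3.0 `string-starts-with`, MustBePresent designators, and a deny-overrides combiner reduced to a precedence order), and evaluates both the Condition as posted and a prefix-matching variant against the request. The `POLICY_*` names, the `designator`/`decide`/`is_authorized` helpers and the role bag are assumptions made here; in particular it assumes the PIP resolves user admin to the role claim admin.

```python
import re

# Constructed request line, shaped like the EntitlementMediator DEBUG output
# quoted in the thread; note the "//<operation>" suffix on the resource-id.
LOG_LINE = (
    "[2015-06-21 12:54:50,210] DEBUG - EntitlementMediator Subject ID is : "
    "admin Resource ID is : http://abimaran:8280/services/echo//echoString "
    "Action ID is : read."
)
LOG_RE = re.compile(
    r"Subject ID is : (?P<subject>\S+) Resource ID is : (?P<resource>\S+) "
    r"Action ID is : (?P<action>[^\s.]+)\.?"
)


class MissingAttribute(Exception):
    """Raised when a MustBePresent designator finds an empty bag."""


def parse_request(line):
    """Build an XACML-style request (attribute-id -> bag of strings) from one log line."""
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError("not an EntitlementMediator request line")
    return {
        "subject-id": [m["subject"]],
        "resource-id": [m["resource"]],
        "action-id": [m["action"]],
        # Assumption: the PIP resolves user 'admin' to the role claim "admin".
        "role": ["admin"],
    }


def designator(request, attribute_id, must_be_present=True):
    """AttributeDesignator: return the bag, or raise if it is empty and required."""
    bag = request.get(attribute_id, [])
    if not bag and must_be_present:
        raise MissingAttribute(attribute_id)
    return bag


# Simplified XACML functions; argument order follows the specification.
def string_is_in(value, bag):           # urn:...:1.0:function:string-is-in
    return value in bag                  # exact, case-sensitive equality


def string_starts_with(prefix, s):      # urn:...:3.0:function:string-starts-with
    return s.startswith(prefix)


def evaluate_rule(rule, request):
    """Rule result: its Effect when the Condition holds, else NotApplicable;
    a missing MustBePresent attribute yields Indeterminate."""
    try:
        return rule["effect"] if rule["condition"](request) else "NotApplicable"
    except MissingAttribute:
        return "Indeterminate"


def deny_overrides(rules, request):
    """Simplified deny-overrides: Deny > Indeterminate > Permit > NotApplicable."""
    results = [evaluate_rule(r, request) for r in rules]
    for outcome in ("Deny", "Indeterminate", "Permit"):
        if outcome in results:
            return outcome
    return "NotApplicable"


def decide(policy, line):
    return deny_overrides(policy, parse_request(line))


def is_authorized(decision):
    """PEP behaviour: anything other than Permit is 'not authorized'."""
    return decision == "Permit"


# The Condition of the thread's second policy: exact string-is-in on the
# literal "http://localhost:8280/services/echo/" for the resource-id.
POLICY_AS_POSTED = [{
    "effect": "Permit",
    "condition": lambda req: (
        string_is_in("http://localhost:8280/services/echo/", designator(req, "resource-id"))
        and string_is_in("read", designator(req, "action-id"))
        and string_is_in("admin", designator(req, "role"))
    ),
}]

# Adjusted to what the mediator actually sends: the reported host name and a
# prefix match that tolerates the appended "//<operation>".
POLICY_ADJUSTED = [{
    "effect": "Permit",
    "condition": lambda req: (
        any(string_starts_with("http://abimaran:8280/services/echo/", s)
            for s in designator(req, "resource-id"))
        and string_is_in("read", designator(req, "action-id"))
        and string_is_in("admin", designator(req, "role"))
    ),
}]

if __name__ == "__main__":
    for name, policy in (("as posted", POLICY_AS_POSTED), ("adjusted", POLICY_ADJUSTED)):
        d = decide(policy, LOG_LINE)
        print(f"{name:>10}: {d} -> authorized={is_authorized(d)}")
```

Run as a script, the Condition as posted yields NotApplicable (both the host name and the `//echoString` suffix differ from the literal), while the prefix form yields Permit; the PEP treats everything except Permit as not authorized, which is the "User is not authorized to perform the action" line in the logs. If the prefix is expressed with `string-regexp-match` instead, anchor the pattern with `^`: an unanchored regex also matches any resource whose id merely contains that text.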