Hi Asela,

I debugged the entitlement mediator, and when it sends the request to the PDP, it
appends either HTTP_METHOD or the first child element to the Resource ID. For
example, if the service name is http://abimaran:8280/services/echo/, the
Resource ID sent to the PDP will be
http://abimaran:8280/services/echo//echoString.

Please find the method below

import org.apache.synapse.MessageContext;
import org.apache.synapse.SynapseException;
import org.apache.synapse.core.axis2.Axis2MessageContext;

/**
 * Get the name of the operation being invoked by the user. If the property
 * xacml_use_rest, defined under the axis2 scope, is found with the value
 * "true", the HTTP_METHOD will be picked as the operation name; otherwise
 * the local name of the first element in the SOAP body is used.
 *
 * @param synCtx the Synapse message context of the current request
 * @return the operation name
 */
public String findOperationName(MessageContext synCtx) {
    Axis2MessageContext axis2Msgcontext = (Axis2MessageContext) synCtx;
    org.apache.axis2.context.MessageContext msgContext =
            axis2Msgcontext.getAxis2MessageContext();
    String useRest = (String) msgContext.getProperty("xacml_use_rest");
    if (useRest == null || "false".equals(useRest.toLowerCase())) {
        // SOAP style: the first body element's local name is the operation
        return msgContext.getEnvelope().getSOAPBodyFirstElementLocalName();
    } else {
        // REST style: the HTTP verb is the operation
        return (String) msgContext.getProperty("HTTP_METHOD");
    }
}

// Caller side: the callback handler results are combined into the XACML
// request attributes. The operation name is appended to the service name here.
userName = callback.getUserName(synCtx);
serviceName = callback.findServiceName(synCtx);
operationName = callback.findOperationName(synCtx);
action = callback.findAction(synCtx);
otherAttributes = callback.findOtherAttributes(synCtx);

if (userName == null) {
    throw new SynapseException(
            "User name not provided for the Entitlement mediator - can't proceed");
}

// The resource-id sent to the PDP is "<service name>/<operation name>"
if (operationName != null) {
    resourceName = serviceName + "/" + operationName;
} else {
    resourceName = serviceName;
}

What is the use of adding this to the Resource ID when sending the request?
Because of this, I'm getting Deny as the response.

On Sun, Jun 21, 2015 at 1:55 PM, Abimaran Kugathasan <[email protected]>
wrote:

> [+Shafreen]
>
> On Sun, Jun 21, 2015 at 1:03 PM, Abimaran Kugathasan <[email protected]>
> wrote:
>
>> Hi Asela,
>>
>> Please find my attached XACML Policy and the sample proxy configuration
>> below. When I tested this Policy through 'TryIt' with Resource:
>> http://abimaran:8280/services/echo/, Subject Name: admin, Action Name:
>> read, it was evaluated to Permit.
>>
>> But, when I tried with a Java client through ESB, the request was Denied.
>> Please find the EntitlementMediator logs below.
>>
>> [2015-06-21 12:54:50,210] DEBUG - EntitlementMediator Mediation for Entitlement started
>> [2015-06-21 12:54:50,210] DEBUG - EntitlementCallbackHandler Service name http://abimaran:8280/services/echo/
>> [2015-06-21 12:54:50,210] DEBUG - EntitlementMediator Subject ID is : admin Resource ID is : http://abimaran:8280/services/echo//echoString Action ID is : read.
>> [2015-06-21 12:54:50,228] DEBUG - EntitlementMediator Entitlement Decision is : Deny
>> [2015-06-21 12:54:50,228] DEBUG - EntitlementMediator User is not authorized to perform the action
>>
>> Can you please let me know what I'm missing there?
>>
>>
>>
>> On Sun, Jun 21, 2015 at 11:08 AM, Asela Pathberiya <[email protected]>
>> wrote:
>>
>>>
>>>
>>> On Sat, Jun 20, 2015 at 11:07 AM, Abimaran Kugathasan <[email protected]> wrote:
>>>
>>>> I defined below policy,
>>>>
>>>> <Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
>>>>         PolicyId="SimplePolicy"
>>>>         RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
>>>>         Version="1.0">
>>>>    <Target/>
>>>>    <Rule Effect="Permit" RuleId="primary-group-customer-rule">
>>>>       <Condition>
>>>>          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
>>>>             <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
>>>>                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
>>>>                   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/echo/</AttributeValue>
>>>>                   <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
>>>>                                        Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
>>>>                                        DataType="http://www.w3.org/2001/XMLSchema#string"
>>>>                                        MustBePresent="true"/>
>>>>                </Apply>
>>>>                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
>>>>                   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
>>>>                   <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
>>>>                                        Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
>>>>                                        DataType="http://www.w3.org/2001/XMLSchema#string"
>>>>                                        MustBePresent="true"/>
>>>>                </Apply>
>>>>             </Apply>
>>>>             <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
>>>>                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
>>>>                <AttributeDesignator AttributeId="http://wso2.org/claims/role"
>>>>                                     Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
>>>>                                     DataType="http://www.w3.org/2001/XMLSchema#string"
>>>>                                     MustBePresent="true"/>
>>>>             </Apply>
>>>>          </Apply>
>>>>       </Condition>
>>>>    </Rule>
>>>> </Policy>
>>>>
>>>>
>>>>
>>>> And through the Entitlement Mediator with ESB, when I send the request
>>>> from a client with resource http://localhost:8280/services/echo/, I
>>>> saw the following debug logs in the ESB.
>>>>
>>>>
>>>> [2015-06-20 11:03:33,315] DEBUG - EntitlementMediator Mediation for Entitlement started
>>>> [2015-06-20 11:03:33,315] DEBUG - EntitlementCallbackHandler Service name http://abimaran:8280/services/echo/
>>>> [2015-06-20 11:03:33,315] DEBUG - EntitlementMediator Subject ID is : admin Resource ID is : http://abimaran:8280/services/echo//POST Action ID is : POST.
>>>> [2015-06-20 11:03:33,358] DEBUG - EntitlementMediator Entitlement Decision is : NotApplicable
>>>> [2015-06-20 11:03:33,358] DEBUG - EntitlementMediator User is not authorized to perform the action
>>>>
>>>> Can anyone please advise me why the XACML engine returns NotApplicable? And why
>>>> the Resource ID is http://abimaran:8280/services/echo//POST?
>>>>
>>>
>>>
>>> A PDP usually returns a NotApplicable result when there is no policy or no
>>> matching policy in the PDP. The above policy is evaluated to
>>> NotApplicable as there are no matching rules for the given request.
>>>
>>> Resource/User/Action are extracted by the entitlement mediator using the
>>> callback handler [1]. It seems that "EntitlementMediator" has some
>>> logic to append the action to its resource name. So, we can change the
>>> policy and see.
>>>
>>> [1]
>>> http://svn.wso2.org/repos/wso2/carbon/platform/branches/turing/components/identity/org.wso2.carbon.identity.entitlement.mediator/4.2.2/src/main/java/org/wso2/carbon/identity/entitlement/mediator/callback/EntitlementCallbackHandler.java
>>>
>>> Thanks,
>>> Asela.
>>>
>>>
>>>>
>>>> On Sat, Jun 20, 2015 at 10:54 AM, Abimaran Kugathasan <
>>>> [email protected]> wrote:
>>>>
>>>>> [+Thanuja]
>>>>>
>>>>> On Sat, Jun 20, 2015 at 10:02 AM, Abimaran Kugathasan <
>>>>> [email protected]> wrote:
>>>>>
>>>>>> Applied SP1 for a fresh IS and tested, still the same error.
>>>>>>
>>>>>> On Sat, Jun 20, 2015 at 9:46 AM, Abimaran Kugathasan <
>>>>>> [email protected]> wrote:
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Sat, Jun 20, 2015 at 9:04 AM, Abimaran Kugathasan <
>>>>>>> [email protected]> wrote:
>>>>>>>
>>>>>>>> Hi Harsha,
>>>>>>>>
>>>>>>>> Please find the policy.
>>>>>>>>
>>>>>>>> <Policy PolicyId="urn:oasis:names:tc:xacml:3.0:example:SimplePolicy"
>>>>>>>>         RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
>>>>>>>>         xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
>>>>>>>>     <Description>Sample XACML Authorization Policy.</Description>
>>>>>>>>     <Target/>
>>>>>>>>     <Rule RuleId="urn:oasis:names:tc:xacml:3.0:example:SimpleRule1"
>>>>>>>>           Effect="Permit">
>>>>>>>>         <Description>
>>>>>>>>             Sample XACML Authorization Policy.
>>>>>>>>         </Description>
>>>>>>>>         <Target>
>>>>>>>>             <AnyOf>
>>>>>>>>                 <AllOf>
>>>>>>>>                     <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
>>>>>>>>                         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/echo/</AttributeValue>
>>>>>>>>                         <AttributeDesignator
>>>>>>>>                             MustBePresent="false"
>>>>>>>>                             Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
>>>>>>>>                             AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
>>>>>>>>                             DataType="http://www.w3.org/2001/XMLSchema#string"/>
>>>>>>>>                     </Match>
>>>>>>>>                 </AllOf>
>>>>>>>>             </AnyOf>
>>>>>>>>         </Target>
>>>>>>>>     </Rule>
>>>>>>>> </Policy>
>>>>>>>>
>>>>>>>> No, I haven't installed any patches or SPs.
>>>>>>>>
>>>>>>>> On Sat, Jun 20, 2015 at 9:00 AM, Harsha Thirimanna <
>>>>>>>> [email protected]> wrote:
>>>>>>>>
>>>>>>>>> We don't need to specify the XACML version, because it is already
>>>>>>>>> available in the policy as a namespace.
>>>>>>>>> Can you attach the policy file?
>>>>>>>>> Did you try this with IS SP1?
>>>>>>>>> On Jun 20, 2015 8:48 AM, "Abimaran Kugathasan" <[email protected]>
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> When I tried the sample policy given in [1], I got the
>>>>>>>>>> following error in the UI.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Entitlement policy is not updated. Error is :Invalid Entitlement Policy. Policy is not valid according to XACML schema
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> I'm getting the same for the sample [2].
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> IS 5.0.0 supports both the XACML 2.0 and 3.0 specifications. Do I have
>>>>>>>>>> to set which version should be supported in a configuration file?
>>>>>>>>>>
>>>>>>>>>> [1] :
>>>>>>>>>> https://docs.wso2.com/display/IS500/Writing+XACML+3+Policies+in+WSO2+Identity+Server+-+1
>>>>>>>>>> [2] :
>>>>>>>>>> https://docs.wso2.com/display/IS500/Writing+XACML+policies+in+WSO2+Identity+Server+-+1
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Thanks
>>>>>>>>>> Abimaran Kugathasan
>>>>>>>>>>
>>>>>>>>>> Software Engineer | WSO2 Inc
>>>>>>>>>> Data & APIs Technologies Team
>>>>>>>>>> Mobile : +94 773922820
>>>>>>>>>>
>>>>>>>>>> <http://stackoverflow.com/users/515034>
>>>>>>>>>> <http://lk.linkedin.com/in/abimaran>
>>>>>>>>>> <http://www.lkabimaran.blogspot.com/>
>>>>>>>>>> <https://github.com/abimarank>  <https://twitter.com/abimaran>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> Dev mailing list
>>>>>>>>>> [email protected]
>>>>>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Thanks & Regards,
>>> Asela
>>>
>>> ATL
>>> Mobile : +94 777 625 933
>>>              +358 449 228 979
>>>
>>> http://soasecurity.org/
>>> http://xacmlinfo.org/
>>>
>>
>>
>>
>>
>>
>
>
>
>



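The resource-ID construction and the XACML matching discussed in this thread, replayed as an added example. This is constructed illustration code, not code from WSO2 ESB, Identity Server or the Balana PDP: it mirrors the quoted findOperationName() and the "serviceName + '/' + operationName" caller in plain Python, models the two policy functions the thread's policies use (string-is-in and string-regexp-match) plus the deny-overrides combiner, and evaluates the TryIt request and the mediator-built request taken from the log lines. Assumptions: the policy's resource value is taken as http://abimaran:8280/services/echo/ (the value the TryIt test matched; the pasted policy used localhost), whether a PDP anchors a string-regexp-match pattern is implementation-specific so the pattern below is written to work under either reading, and the model reproduces the NotApplicable of the first log but does not model whatever produced the later Deny.

```python
"""Model of the resource-ID construction and XACML matching from the thread.
Constructed example; not WSO2 ESB / IS code."""
import re

# Attribute values taken from the thread's logs and TryIt test (constructed copies).
SERVICE_NAME = "http://abimaran:8280/services/echo/"
POLICY_RESOURCE = "http://abimaran:8280/services/echo/"   # assumed policy value


def find_operation_name(use_rest, http_method, soap_body_first_element):
    """Mirror of the quoted findOperationName(): the HTTP verb when
    xacml_use_rest is "true", otherwise the first SOAP body element's name."""
    if use_rest is None or use_rest.lower() == "false":
        return soap_body_first_element
    return http_method


def build_resource_id(service_name, operation_name):
    """Mirror of the quoted caller: service name + "/" + operation name.
    A service name that already ends in "/" yields the doubled slash seen in
    the logs (.../echo//echoString)."""
    if operation_name is not None:
        return service_name + "/" + operation_name
    return service_name


def string_is_in(value, bag):
    """urn:oasis:names:tc:xacml:1.0:function:string-is-in: exact membership."""
    return value in bag


def string_regexp_match(pattern, value):
    """urn:oasis:names:tc:xacml:1.0:function:string-regexp-match.
    Partial-match semantics assumed here; patterns below work either way."""
    return re.search(pattern, value) is not None


def evaluate_is_in_rule(request, resources=(POLICY_RESOURCE,),
                        actions=("read",), roles=("admin",)):
    """The thread's Permit rule: and(and(resource-id in R, action-id in A), role in S).
    A false condition makes the rule (and the single-rule policy) NotApplicable."""
    matched = (string_is_in(request["resource-id"], resources)
               and string_is_in(request["action-id"], actions)
               and string_is_in(request["role"], roles))
    return "Permit" if matched else "NotApplicable"


def evaluate_regexp_rule(request, resource_pattern,
                         actions=("read",), roles=("admin",)):
    """Same rule with the resource test swapped to string-regexp-match, the
    kind of policy change suggested for a mediator that appends the operation."""
    matched = (string_regexp_match(resource_pattern, request["resource-id"])
               and string_is_in(request["action-id"], actions)
               and string_is_in(request["role"], roles))
    return "Permit" if matched else "NotApplicable"


def deny_overrides(decisions):
    """Rule combining for Permit/Deny/NotApplicable under deny-overrides."""
    if "Deny" in decisions:
        return "Deny"
    if "Permit" in decisions:
        return "Permit"
    return "NotApplicable"


def decisions_for_thread_requests():
    """Replay the TryIt request and the request the mediator actually built
    (SOAP path: xacml_use_rest unset, first body element 'echoString')."""
    tryit = {"resource-id": SERVICE_NAME, "action-id": "read", "role": "admin"}
    mediated = {
        "resource-id": build_resource_id(
            SERVICE_NAME, find_operation_name(None, "POST", "echoString")),
        "action-id": "read",
        "role": "admin",
    }
    # Anchored prefix with a trailing wildcard: matches under partial or full matching.
    pattern = r"^http://abimaran:8280/services/echo/.*"
    return {
        "tryit": deny_overrides([evaluate_is_in_rule(tryit)]),
        "mediated": deny_overrides([evaluate_is_in_rule(mediated)]),
        "mediated_regexp": deny_overrides([evaluate_regexp_rule(mediated, pattern)]),
    }


if __name__ == "__main__":
    for name, decision in decisions_for_thread_requests().items():
        print(f"{name}: {decision}")
```

Running it shows the exact-match rule permitting the TryIt request but returning NotApplicable for the mediator-built resource-id (the operation suffix breaks the exact string-is-in test), while a regexp-based resource test on the service prefix permits the mediated request.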