Hi Abimaran,

If I'm not wrong, adding the operation to Resource ID gives us the option
to control access per operation.

Regards,
Omindu.


On Sun, Jun 21, 2015 at 5:46 PM, Abimaran Kugathasan <[email protected]>
wrote:

> Hi Asela,
>
> I debugged the entitlement mediator, and when it sends the request to the PDP, it
> appends either HTTP_METHOD or the first child element to the Resource ID. For
> example, if the service name is http://abimaran:8280/services/echo/, the
> Resource ID sent to the PDP will be
> http://abimaran:8280/services/echo//echoString.
>
> Please find the method below
>
> /**
>  * Get the name of the operation being invoked by the user. If the property xacml_use_rest
>  * defined under axis2 scope is found with the value "true", the HTTP_METHOD will be picked
>  * as the operation name.
>  *
>  * @param synCtx
>  * @return
>  */
> public String findOperationName(MessageContext synCtx) {
>     org.apache.axis2.context.MessageContext msgContext;
>     Axis2MessageContext axis2Msgcontext = null;
>     axis2Msgcontext = (Axis2MessageContext) synCtx;
>     msgContext = axis2Msgcontext.getAxis2MessageContext();
>     String useRest = (String) msgContext.getProperty("xacml_use_rest");
>     if (useRest == null || "false".equals(useRest.toLowerCase())) {
>         return msgContext.getEnvelope().getSOAPBodyFirstElementLocalName();
>     } else {
>         return (String) msgContext.getProperty("HTTP_METHOD");
>     }
> }
>
> userName = callback.getUserName(synCtx);
> serviceName = callback.findServiceName(synCtx);
> operationName = callback.findOperationName(synCtx);
> action = callback.findAction(synCtx);
> otherAttributes = callback.findOtherAttributes(synCtx);
>
> if (userName == null) {
>     throw new SynapseException(
>             "User name not provided for the Entitlement mediator - can't proceed");
> }
>
> if (operationName != null) {
>     resourceName = serviceName + "/" + operationName;
> } else {
>     resourceName = serviceName;
> }
>
> What is the use of adding this to the Resource ID when sending the request?
> Due to this, I'm getting Deny as the response.
>
> On Sun, Jun 21, 2015 at 1:55 PM, Abimaran Kugathasan <[email protected]>
> wrote:
>
>> [+Shafreen]
>>
>> On Sun, Jun 21, 2015 at 1:03 PM, Abimaran Kugathasan <[email protected]>
>> wrote:
>>
>>> Hi Asela,
>>>
>>> Please find my attached XACML Policy and the sample proxy configuration
>>> below. When I tested this Policy through 'TryIt', with Resource :
>>> http://abimaran:8280/services/echo/, Subject Name : admin, Action Name
>>> : read. It was evaluated to Permit.
>>>
>>> But when I tried with a Java client through the ESB, the request was
>>> denied. Please find the EntitlementMediator logs below.
>>>
>>>> [2015-06-21 12:54:50,210] DEBUG - EntitlementMediator Mediation for Entitlement started
>>>> [2015-06-21 12:54:50,210] DEBUG - EntitlementCallbackHandler Service name http://abimaran:8280/services/echo/
>>>> [2015-06-21 12:54:50,210] DEBUG - EntitlementMediator Subject ID is : admin Resource ID is : http://abimaran:8280/services/echo//echoString Action ID is : read.
>>>> [2015-06-21 12:54:50,228] DEBUG - EntitlementMediator Entitlement Decision is : Deny
>>>> [2015-06-21 12:54:50,228] DEBUG - EntitlementMediator User is not authorized to perform the action
>>>
>>>
>>>
>>> Can you please let me know what I'm missing there?
>>>
>>>
>>>
>>> On Sun, Jun 21, 2015 at 11:08 AM, Asela Pathberiya <[email protected]>
>>> wrote:
>>>
>>>>
>>>>
>>>> On Sat, Jun 20, 2015 at 11:07 AM, Abimaran Kugathasan <
>>>> [email protected]> wrote:
>>>>
>>>>> I defined below policy,
>>>>>
>>>>>> <Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
>>>>>>         PolicyId="SimplePolicy"
>>>>>>         RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
>>>>>>         Version="1.0">
>>>>>>    <Target/>
>>>>>>    <Rule Effect="Permit" RuleId="primary-group-customer-rule">
>>>>>>       <Condition>
>>>>>>          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
>>>>>>             <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
>>>>>>                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
>>>>>>                   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/echo/</AttributeValue>
>>>>>>                   <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
>>>>>>                                        Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
>>>>>>                                        DataType="http://www.w3.org/2001/XMLSchema#string"
>>>>>>                                        MustBePresent="true"/>
>>>>>>                </Apply>
>>>>>>                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
>>>>>>                   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
>>>>>>                   <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
>>>>>>                                        Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
>>>>>>                                        DataType="http://www.w3.org/2001/XMLSchema#string"
>>>>>>                                        MustBePresent="true"/>
>>>>>>                </Apply>
>>>>>>             </Apply>
>>>>>>             <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
>>>>>>                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
>>>>>>                <AttributeDesignator AttributeId="http://wso2.org/claims/role"
>>>>>>                                     Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
>>>>>>                                     DataType="http://www.w3.org/2001/XMLSchema#string"
>>>>>>                                     MustBePresent="true"/>
>>>>>>             </Apply>
>>>>>>          </Apply>
>>>>>>       </Condition>
>>>>>>    </Rule>
>>>>>> </Policy>
>>>>>
>>>>>
>>>>>
>>>>> And, through the Entitlement Mediator with ESB, when I send the request
>>>>> from a client with resource http://localhost:8280/services/echo/, I
>>>>> saw the following debug logs in the ESB.
>>>>>
>>>>>
>>>>> [2015-06-20 11:03:33,315] DEBUG - EntitlementMediator Mediation for Entitlement started
>>>>> [2015-06-20 11:03:33,315] DEBUG - EntitlementCallbackHandler Service name http://abimaran:8280/services/echo/
>>>>> [2015-06-20 11:03:33,315] DEBUG - EntitlementMediator Subject ID is : admin Resource ID is : http://abimaran:8280/services/echo//POST Action ID is : POST.
>>>>> [2015-06-20 11:03:33,358] DEBUG - EntitlementMediator Entitlement Decision is : NotApplicable
>>>>> [2015-06-20 11:03:33,358] DEBUG - EntitlementMediator User is not authorized to perform the action
>>>>>
>>>>> Can anyone please advise me why the XACML engine returns NotApplicable? And why
>>>>> is the Resource ID http://abimaran:8280/services/echo//POST?
>>>>>
>>>>
>>>>
>>>> A PDP usually returns a NotApplicable result when there is no policy, or no
>>>> matching policy, in it. The above policy is evaluated to NotApplicable as
>>>> there are no matching rules for the given request.
>>>>
>>>> Resource/User/Action are extracted by the entitlement mediator using the
>>>> callback handler [1]. It seems that "EntitlementMediator" has some logic to
>>>> append the action to its resource name. So, we can change the policy and see.
>>>>
>>>> [1]
>>>> http://svn.wso2.org/repos/wso2/carbon/platform/branches/turing/components/identity/org.wso2.carbon.identity.entitlement.mediator/4.2.2/src/main/java/org/wso2/carbon/identity/entitlement/mediator/callback/EntitlementCallbackHandler.java
>>>>
>>>> Thanks,
>>>> Asela.
>>>>
>>>>
>>>>>
>>>>> On Sat, Jun 20, 2015 at 10:54 AM, Abimaran Kugathasan <
>>>>> [email protected]> wrote:
>>>>>
>>>>>> [+Thanuja]
>>>>>>
>>>>>> On Sat, Jun 20, 2015 at 10:02 AM, Abimaran Kugathasan <
>>>>>> [email protected]> wrote:
>>>>>>
>>>>>>> Applied SP1 to a fresh IS and tested, still the same error.
>>>>>>>
>>>>>>> On Sat, Jun 20, 2015 at 9:46 AM, Abimaran Kugathasan <
>>>>>>> [email protected]> wrote:
>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Sat, Jun 20, 2015 at 9:04 AM, Abimaran Kugathasan <
>>>>>>>> [email protected]> wrote:
>>>>>>>>
>>>>>>>>> Hi Harsha,
>>>>>>>>>
>>>>>>>>> Please find the policy.
>>>>>>>>>
>>>>>>>>> <Policy PolicyId="urn:oasis:names:tc:xacml:3.0:example:SimplePolicy"
>>>>>>>>>         RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
>>>>>>>>>         xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
>>>>>>>>>     <Description>Sample XACML Authorization Policy.</Description>
>>>>>>>>>     <Target/>
>>>>>>>>>     <Rule RuleId="urn:oasis:names:tc:xacml:3.0:example:SimpleRule1"
>>>>>>>>>           Effect="Permit">
>>>>>>>>>         <Description>
>>>>>>>>>             Sample XACML Authorization Policy.
>>>>>>>>>         </Description>
>>>>>>>>>         <Target>
>>>>>>>>>             <AnyOf>
>>>>>>>>>                 <AllOf>
>>>>>>>>>                     <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
>>>>>>>>>                         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/echo/</AttributeValue>
>>>>>>>>>                         <AttributeDesignator
>>>>>>>>>                             MustBePresent="false"
>>>>>>>>>                             Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
>>>>>>>>>                             AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
>>>>>>>>>                             DataType="http://www.w3.org/2001/XMLSchema#string"/>
>>>>>>>>>                     </Match>
>>>>>>>>>                 </AllOf>
>>>>>>>>>             </AnyOf>
>>>>>>>>>         </Target>
>>>>>>>>>     </Rule>
>>>>>>>>> </Policy>
>>>>>>>>>
>>>>>>>>> No, I haven't installed any patches or SPs.
>>>>>>>>>
>>>>>>>>> On Sat, Jun 20, 2015 at 9:00 AM, Harsha Thirimanna <
>>>>>>>>> [email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> We don't need to specify the XACML version, because it is
>>>>>>>>>> already available in the policy as a namespace.
>>>>>>>>>> Can you attach the policy file?
>>>>>>>>>> Did you try this with IS SP1?
>>>>>>>>>> On Jun 20, 2015 8:48 AM, "Abimaran Kugathasan" <[email protected]>
>>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi,
>>>>>>>>>>>
>>>>>>>>>>> When I tried the sample policy given in [1], I got the
>>>>>>>>>>> following error in the UI.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Entitlement policy is not updated. Error is :Invalid Entitlement
>>>>>>>>>>>> Policy. Policy is not valid according to XACML schema
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> I'm getting the same for the sample [2].
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> IS 5.0.0 supports both the XACML 2.0 and 3.0 specifications. Do I
>>>>>>>>>>> have to set which version should be supported in a configuration file?
>>>>>>>>>>>
>>>>>>>>>>> [1] :
>>>>>>>>>>> https://docs.wso2.com/display/IS500/Writing+XACML+3+Policies+in+WSO2+Identity+Server+-+1
>>>>>>>>>>> [2] :
>>>>>>>>>>> https://docs.wso2.com/display/IS500/Writing+XACML+policies+in+WSO2+Identity+Server+-+1
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Thanks
>>>>>>>>>>> Abimaran Kugathasan
>>>>>>>>>>>
>>>>>>>>>>> Software Engineer | WSO2 Inc
>>>>>>>>>>> Data & APIs Technologies Team
>>>>>>>>>>> Mobile : +94 773922820
>>>>>>>>>>>
>>>>>>>>>>> <http://stackoverflow.com/users/515034>
>>>>>>>>>>> <http://lk.linkedin.com/in/abimaran>
>>>>>>>>>>> <http://www.lkabimaran.blogspot.com/>
>>>>>>>>>>> <https://github.com/abimarank>  <https://twitter.com/abimaran>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> Dev mailing list
>>>>>>>>>>> [email protected]
>>>>>>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>> ...
>
> [Message clipped]
>
>


-- 
Omindu Rathnaweera
Software Engineer, WSO2 Inc.
Mobile: +94 771 197 211
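To make the resource-id behaviour discussed in this thread concrete, here is an added example. It is my own code, not code from the WSO2 ESB or Identity Server: it re-implements the branch structure of the quoted findOperationName() and resourceName logic over a plain dataclass (InboundMessage, a hypothetical stand-in for the Axis2 MessageContext) and models the two XACML string functions the posted policies use, so the evaluation runs offline. The helper names (build_resource_id, evaluate_rule, demo) are mine. It replays the two requests from the logs and shows three things the thread touches on: the operation is appended after the service name's trailing slash, which is where the "//" in the logged resource-id comes from; an exact string comparison against the bare service URL can never match the composed id, and the first posted policy's literal uses localhost while the mediator reports abimaran, so it fails on the host alone; and matching the composed id itself is what gives the per-operation control mentioned in the reply, while an anchored regexp gives a whole-service rule without admitting similarly named services. The 'find' semantics assumed for string-regexp-match (pattern may match anywhere in the string) is an assumption about the engine; check it against the PDP you run before relying on an unanchored pattern.

```python
"""Model of how the Entitlement mediator composes the XACML resource-id and
why a policy keyed on the bare service URL stops matching once an operation
is appended.

Added example, not WSO2 code: it mirrors the quoted findOperationName() /
resourceName logic over a plain dataclass instead of an Axis2 MessageContext
and models the XACML string functions used by the thread's policies.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class InboundMessage:
    """Constructed stand-in for the Synapse/Axis2 message context (hypothetical)."""
    service_name: str                       # what findServiceName(synCtx) returns
    soap_body_first_child: Optional[str]    # getSOAPBodyFirstElementLocalName()
    http_method: Optional[str] = None       # axis2 property HTTP_METHOD
    xacml_use_rest: Optional[str] = None    # axis2 property xacml_use_rest


def find_operation_name(msg: InboundMessage) -> Optional[str]:
    """Same branch structure as the quoted findOperationName()."""
    use_rest = msg.xacml_use_rest
    if use_rest is None or use_rest.lower() == "false":
        return msg.soap_body_first_child
    return msg.http_method


def build_resource_id(msg: InboundMessage) -> str:
    """resourceName = serviceName + "/" + operationName when an operation is
    known, else serviceName. The trailing '/' of the service name is not
    trimmed, which is where the '//' in the logged resource-id comes from."""
    op = find_operation_name(msg)
    return msg.service_name + "/" + op if op is not None else msg.service_name


# --- minimal models of the XACML functions used in the thread's policies ---

def string_is_in(value: str, bag: List[str]) -> bool:
    """urn:oasis:names:tc:xacml:1.0:function:string-is-in
    (policy literal first, request attribute bag second, as in the policy)."""
    return value in bag


def string_regexp_match(regexp: str, value: str) -> bool:
    """urn:oasis:names:tc:xacml:1.0:function:string-regexp-match
    (pattern first, string second). Assumption: 'find' semantics, i.e. the
    pattern may match anywhere in the string, so anchor with ^...$ when a
    whole-string match is intended."""
    return re.search(regexp, value) is not None


def evaluate_rule(resource_id: str, policy_value: str, use_regexp: bool = False) -> str:
    """A single Permit rule keyed on resource-id. A rule whose condition is
    false is NotApplicable, which is also the policy result when it is the
    only rule (the outcome in the thread's first debug log)."""
    if use_regexp:
        matched = string_regexp_match(policy_value, resource_id)
    else:
        matched = string_is_in(policy_value, [resource_id])
    return "Permit" if matched else "NotApplicable"


def demo() -> dict:
    """Replays the thread's two requests against several policy values."""
    service = "http://abimaran:8280/services/echo/"   # as logged by EntitlementCallbackHandler
    soap = InboundMessage(service, soap_body_first_child="echoString")
    rest = InboundMessage(service, soap_body_first_child=None,
                          http_method="POST", xacml_use_rest="true")
    soap_id = build_resource_id(soap)
    rest_id = build_resource_id(rest)
    whole_service = "^" + re.escape(service) + "/[A-Za-z0-9_]+$"

    return {
        "soap_resource_id": soap_id,   # http://abimaran:8280/services/echo//echoString
        "rest_resource_id": rest_id,   # http://abimaran:8280/services/echo//POST
        # Bare service URL as an exact match: never equal to the composed id.
        "bare_service_exact": evaluate_rule(soap_id, service),
        # The literal the posted policy actually used: wrong host as well.
        "localhost_literal": evaluate_rule(soap_id, "http://localhost:8280/services/echo/"),
        # Per-operation control: match the composed id itself.
        "per_operation_exact": evaluate_rule(soap_id, service + "/echoString"),
        # Whole-service rule: anchored regexp admitting any single operation segment.
        "whole_service_regexp": evaluate_rule(rest_id, whole_service, use_regexp=True),
        # The same anchored pattern rejects a different proxy with a similar name.
        "other_service_regexp": evaluate_rule(
            "http://abimaran:8280/services/echo2//POST", whole_service, use_regexp=True),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22s} {value}")
```

Running the block prints the composed ids and the decision for each policy value; the practical takeaway is that the policy's resource literal has to be written against the id the mediator actually sends (host included), and that a whole-service rule should be an anchored pattern rather than the bare URL used as an unanchored regexp.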
