As we discussed in our previous posts Internet Of Things – IoT and Identity and Access Management – WSO2 Identity Server, securing the application system has the highest priority in moving towards clound and IOT. This article is to provide a demo and understanding of how to provide fine grained authentication/authorization for a user when requesting a particular resource. The products used here are WSO2 ESB v4.8.1 and WSO2 IS v5.2.0.
XACML (eXtensible Access Control Markup Language) based authorization allows us to have flexiblity in defining the policies and rules for accessing resources based on the identity of the user, role, environment and other attributes of an identity.
Any request that comes to ESB will be redirected to IS to check the authorization by generating XACML request, through an entitlement mediator. IS then validates the request against the policy and replies back to ESB whether the user has the right to access or not. This allows ESB to act accordingly.
Change the WSO2 IS port to 9453 by changing the <OFFSET>0</OFFSET> to <OFFSET>0</OFFSET> in the carbon.xml file at the location IDENTITY_SERVER_HOME/repository/conf. Now, start both the servers (ESB and IS) by running wso2server.sh/.bat file in the HOME/bin directory.
Setting up Roles and Users
For our demo, we need two users and two user groups/roles, one being an admin and the other is just a subscriber. The demo is going to deal with only the admin user authorized to access all the service and the subscribed user only to the service the user has subscribed to.
Creating a new Role
Select the option Add under Users and Roles and select Add New Role.
Enter the name for the Role as subscriber1 and click next.
In the permissions page, just select Login as the permission as we don’t want this user to create or manage any identity in the system and click Finish, the role subscriber1 will be created.
Creating a new User
Select the option Add under Users and Roles and select Add New User.
Enter the User name and Password as sample1 and click Next.
In the Select Roles for the user page, select the role as subscriber1 and click Finish, the user sample1 is assigned to the role subscriber1 now.
Setting up XACML Policy
Go to Entitlement > PAP > Policy Administration and select Add New Entitlement Policy.
Select the option Import Existing Policy and load the following policy file policy as .xml to the system.
This request means that the ‘admin’ user from the user group is trying to access the http://localhost:8280/services/echo web service. This will result in a Permit/Deny/Not Applicable output. In this case, it will be permitted.
Setting up ESB with Entitlement mediator
Login to ESB with admin/admin credential, create a sequence by clicking “Sequences” in the left menu and then clicking “Add Sequence” in the Mediation Sequences page and name the sequence FineGrainedAuthSeq.
Add the Entitlement mediator which is in Advanced mediators option.
The Entitlement Server field should be the URI of the Identity server, in this case it will be https://localhost:9453/services. Now add a Header mediator and configure it to remove the Security header. Click on the namespaceas and enter prefix as “wsse” and URI as “http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd”. Add a send mediator and drop mediator to the sequence.
Create a new sequence and name it FineGrainedAuthOutSeq. Add a Send and Drop mediator. This will complete both sequences.
Set up the Fine Grained Authorization Proxy Service
Create a Custom Proxy through Add → Proxy Service on the left menu.
Name the proxy FineGrainedAuthorizationService and only allow https as the transport. Unclick the http option and click Next.
Pick the FineGrainedAuthSeq as the In Sequene thorugh the import option click Next. Do the same for FineGrainedAuthOutSeq as the Out Sequence and click Finish to save the proxy.
Now apply Username Token security to the proxy. Click on the proxy service name. Now in the dashboard click Security under QoS configurations.
Enable Security in the drop down menu by setting option Yes. Click on Option 1: username token and click Next.
Give access to all roles. This further demonstrates that although any user will be able to access the proxy service, they will not be allowed to access the echo service due to the XACML based authorization that takes place.
This concludes all the steps necessary to setup XACML based authorization on the WSO2 platform.
Prabakaran Thodithot Sembiyan