Thursday, September 6, 2012

Pin It


Get Gadget

XACML Policy Enforcement Point(PEP) Proxy for WSO2 Identity Server

As you all know The WSO2 Identity Server provides  entitlement management  by XACML fine-grained policy based access control. In  this post I will introduce a Proxy Components for use this functionality in JAVA applications. This will make the users life easy in following ways,
  • User have to invoke a method in the proxy to get a entitlement decision.
  • User don't have to implement XACML request related things to use a XACML policy hosted in IS. The proxy hides those complexity from user.
  • Entitlement requests can be sent either using XACML 3.0 or  XACML 2.0.
  • The proxy provides list of methods which will most of the authorization request scenarios which a user can have.
  • User can use SOAP, Thrift or JSON to PDP PEP communication. User doesn't have to worry about the communication implementation.
  • Several PEPs can use same Proxy to communicate with several PDPs(WSO2 IS instances) at the same time.
Following diagram will show the functionality of the PEP Proxy,


Here XACML PEP can be any JAVA application. I have given a example application in my previous blog posts, http://www.insightforfuture.blogspot.com/2012/07/providing-xacml-fine-grained.html and http://www.insightforfuture.blogspot.com/2012/07/providing-xacml-fine-grained_22.html. In that I have described a Servlet Filter which uses this PEP proxy for give authorization to webapps.

The following list will show the API methods given in PEP Proxy,
  • String getDecision(Attribute[] attributes)
  • String getDecision(Attribute[] attributes, String appId) 
  • String getDecision(String subject, String resource, String action, String environment)
  • String getDecision(String subject, String resource, String action, String environment, String appId)
  • boolean subjectCanActOnResource(String subjectType, String alias, String actionId,
                                               String resourceId, String domainId) 
  • boolean subjectCanActOnResource(String subjectType, String alias, String actionId,
                                               String resourceId, String domainId, String appId)
  • boolean subjectCanActOnResource(String subjectType, String alias, String actionId,
                                               String resourceId, Attribute[] attributes, String domainId)
  • boolean subjectCanActOnResource(String subjectType, String alias, String actionId,
                                               String resourceId, Attribute[] attributes, String domainId, String appId)
  • List<String> getActionableChidResourcesForAlias(String alias, String parentResource,
                                                               String action)
  • List<String> getActionableChidResourcesForAlias(String alias, String parentResource,
                                                               String action, String appId) 
  • List<String> getResourcesForAlias(String alias)
  • List<String> getResourcesForAlias(String alias, String appId)
  • List<String> getActionableResourcesForAlias(String alias)
  • List<String> getActionableResourcesForAlias(String alias, String appId)
  • List<String> getActionsForResource(String alias, String resources)
  • List<String> getActionsForResource(String alias, String resources, String appId)
Here you can see that there are duplicates of same method with "String appId" and without. When the proxy is initialized it will assign a default primary PEP as defaultAppId. That means the PDP mapping for the defaultAppId is used for make the queries. When  we specify a specific PEP configuration by giving "String appId", PEP Proxy will use those configuration to make the quires from WSO2 IS. All the methods which doesn't have "String appId" argument will use the default configuration.

Following JAVA class will give a example to use PEP Proxy. I used a Sample XACML policy hosted in WSO IS. That policy is given below Also,

JAVA Class :

package org.wso2.carbon.identity.entitlement.proxy;

import java.util.HashMap;
import java.util.Map;

public class Test {


    public static void main(String arg[]) throws Exception {

        PEPProxy pepProxy;
        //Initializing the PEP Proxy

        System.setProperty("javax.net.ssl.trustStore", "wso2carbon.jks");
        System.setProperty("javax.net.ssl.trustStorePassword", "wso2carbon");

        Map<String,Map<String,String>> appToPDPClientConfigMap = new HashMap<String, Map<String,String>>();

        //Configuration to Initialize SOAP Client
        Map<String,String> clientConfigMapSOAP = new HashMap<String, String>();
        clientConfigMapSOAP.put("client", "soap");
        clientConfigMapSOAP.put("serverUrl", "https://localhost:9443/services");
        clientConfigMapSOAP.put("userName", "admin");
        clientConfigMapSOAP.put("password", "admin");
        clientConfigMapSOAP.put("reuseSession", "false");

        appToPDPClientConfigMap.put("SOAP_APP", clientConfigMapSOAP);

        //Configuration to Initialize Basic Authentication Client
        Map<String,String> clientConfigMapBasicAuth = new HashMap<String, String>();
        clientConfigMapBasicAuth.put("client", "basicAuth");
        clientConfigMapBasicAuth.put("serverUrl", "https://localhost:9443/services");
        clientConfigMapBasicAuth.put("userName", "admin");
        clientConfigMapBasicAuth.put("password", "admin");

        appToPDPClientConfigMap.put("BasicAuth_APP", clientConfigMapBasicAuth);

        //Configuration to Initialize Thrift Client
        Map<String,String> clientConfigMapThrift = new HashMap<String, String>();
        clientConfigMapThrift.put("client", "soap");
        clientConfigMapThrift.put("serverUrl", "https://localhost:9443/services");
        clientConfigMapThrift.put("userName", "admin");
        clientConfigMapThrift.put("password", "admin");
        clientConfigMapThrift.put("reuseSession", "false");
        clientConfigMapThrift.put("thriftHost", "localhost");
        clientConfigMapThrift.put("thriftPort", "10500");

        appToPDPClientConfigMap.put("Thrift_App", clientConfigMapThrift);


        PEPProxyConfig config = new PEPProxyConfig(appToPDPClientConfigMap,"SOAP_APP", "Simple", 10000, 100);
        pepProxy = new PEPProxy(config);

        String result = pepProxy.getDecision("admin", "/Entitlement_Sample_WebApp/protected.jsp", "GET", "");
        System.out.println(result);
        result = pepProxy.getDecision("admin", "/Entitlement_Sample_WebApp/protected.jsp", "GET", "", "BasicAuth_APP");
        System.out.println(result);
        result = pepProxy.getDecision("admin", "/Entitlement_Sample_WebApp/protected.jsp", "GET", "", "Thrift_App");
        System.out.println(result);
        boolean bResult = pepProxy.subjectCanActOnResource("urn:oasis:names:tc:xacml:1.0:subject:subject-id", "admin", "GET", "/Entitlement_Sample_WebApp/protected.jsp", "");
        System.out.println(bResult);
    }
}
Samples XACML Policy :

<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"  PolicyId="Entitlement_Filter_Sample_Policy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
    <Target></Target>
    <Rule Effect="Permit" RuleId="Rule1">
        <Target>
            <AnyOf>
                <AllOf>
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/Entitlement_Sample_WebApp/protected.jsp</AttributeValue>
                        <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
                    </Match>
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GET</AttributeValue>
                        <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
                    </Match>
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
                        <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
                    </Match>
                </AllOf>
            </AnyOf>
        </Target>
    </Rule>
</Policy>         

To test the PEP Proxy, You can do following steps,
  • Run a WSO2 IS Server 
  • Host the given sample policy
  • Run this Java Class with the dependency jar of PEPProxy. You can get that by building the source given below. That will give you the latest jar of PEPProxy. What you have to do is run mvn clean install in the source folder.
You can find the source of the PEP proxy in http://wso2.org/svn/browse/wso2/carbon/platform/trunk/components/identity/org.wso2.carbon.identity.entitlement.proxy/.I think this post helps you a lot to use IS inf future works.Also contact me if you have any problem. this was a Internship project of me at WSO2.  Please read following to have better understanding about WSO2 IS and related stuff.

 

19 comments:

  1. Hi,

    Thanks for the post. I'm a newbie and would like to validate my thoughts with you related to WSO2 entitlement service.

    How do I contact you?

    ReplyDelete
  2. Hi,

    You can ask any question related to WSO2 in Stackoverflow. So the developer community will answer. That will be the appropriate solution. So please put a question there. And give me the link. I will join the discussion.

    Thanks
    AndunSLG

    ReplyDelete
  3. Hi,

    Can you share the dependent jars as well? I'm trying to execute the test class you have shown. I was not able to run maven though.
    It would be nice if you point us to the jars

    Thanks

    ReplyDelete
    Replies
    1. same problem here - did you solve it?

      Delete
  4. Please download http://wso2.org/files/Entitlement_Filter_With_Jars.zip. Extract the zip file and get all the jars except org.wso2.carbon.identity.entitlement.filter_4.0.2.jar. Also please go through http://wso2.org/library/tutorials/2012/12/providing-xacml-fine-grained-authorization-webapps. This is a use case of XACML Policy Enforcement Point(PEP) Proxy for WSO2 Identity Server.

    ReplyDelete
  5. Finally I was able to execute it by setting the components/plugin to the classpath. The response however always is NotApplicable.
    I tried to evaluate my request from TryIt tool and it gives the correct decision PERMIT. But through the Java client it always returns NotApplicable. I'm not sure if anything more has to be configured. In the server logs :
    [2013-04-03 10:58:09,035] WARN {org.wso2.balana.ctx.RequestCtxFactory} - No Namespace defined in XACML request and Assume as XACML 3.0
    [2013-04-03 10:58:09,035] INFO {org.wso2.balana.finder.PolicyFinder} - No applicable policies were found for the request

    Any idea?
    Thanks

    ReplyDelete
  6. What PDPProxy method did you used to send the XACML request ? Please give me the parameters you passed and the XACML policy

    ReplyDelete
    Replies
    1. Its the same sample code and policy you have mentioned above

      Delete
    2. Through TryIt...it evaluates successfully

      Delete
    3. Thanks for your time...It worked.....I had not done Promote to PDP for these policies...What does Promote to PDP do?

      Delete
    4. You mean in Identity Server ? I thin it is for activate polices for making policy decisions.

      Delete
  7. Hi,

    Any idea how to plug JDBCAttribute finder in WSO2 Identity Server 4.0.0? Any reference would also be helpful

    Thanks

    ReplyDelete
    Replies
    1. I think moving this question to StackOverflow will be good. http://stackoverflow.com/questions/tagged/wso2 I don't have knowledge in the specific area you are questioning.

      Thanks

      Delete
  8. This comment has been removed by the author.

    ReplyDelete
  9. Hi,

    I am trying to run your code in a maven project. Where can i get this jar files from? I couldnt find them in any repositroy?

    Greetings,
    Jack

    ReplyDelete
  10. Your this blogs giving us information about subjected topic. Thanks for doing this.
    Mp3Juices UK proxy

    ReplyDelete
  11. I think you made awesome decision the moment when you choose this topic of the blog article here. Very useful information
    Mp3lemon UK proxy

    ReplyDelete
  12. I'm really impressed with your writing skills and also with the format on your weblog.
    Mp3Raid UK proxy

    ReplyDelete
  13. I have web apl implemented using play framework.can we use PEP entitlement filter or what is the best way to enforce PEP. PDP is wso2IS.Do you think wso2 EI is an option.Though preferable option is to use Playscala app as PEP

    ReplyDelete