This documentation is for WSO2 Identity Server 4.1.0.
Adding Fine-grained Authorization for Proxy Services in ESB - Identity Server 4.1.0 - WSO2 Documentation

With the latest WSO2 ESB, you can add fine-grained XACML authorization for proxy services, using the Entitlement mediator.


For more information about the WSO2 ESB, please visit the Enterprise Service Bus Documentation.

1. Configure the WSO2 Identity Server as the XACML engine.

2. Configure the Entitlement mediator in the WSO2 ESB.

2.1. Create a Proxy Service. Under "In Sequence," create an Anonymous sequence to include the Entitlement, Header, and Send mediators. Add the Advanced/Entitlement Mediator to InSequence. See Adding a Proxy Service.

The Entitlement Server should be set to the endpoint of the Identity Server on which the entitlement engine is running, i.e. https://IDENTITY_SERVER:PORT/services/ . Additionally, the user configured in the mediator must have login and "manage configuration" permissions in the Identity Server.

2.2. Add the Transform/Header mediator. See Adding a Mediator to a Sequence and Mediators. Configure it to remove the "Security" header, and click the "Namespaces" link to define the wsse namespace that the header name uses.

2.3. Create a Core/Send mediator, and save to return to the main flow.

2.4. Add a Core/Send mediator to the "Out Sequence" as an "Anonymous" sequence, and save to return to the main flow to complete the creation of the Proxy Service.

2.5. Apply the UsernameToken security policy to the Proxy Service you just created, as explained here.

The policy editor applies the security policy at the binding level, which causes an issue with Proxy Services that must be resolved.

To overcome the Proxy Services issue, from the service listing, select the Proxy Service, and then select "Policies." Remove the applied policies from the Binding Hierarchy, and add the security policy to the Service Hierarchy.
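The proxy built in steps 2.1 to 2.5, written out as the equivalent Synapse configuration (an added illustration, not taken from the original page; the proxy name, the entitlement user credentials and the policy registry key are placeholders to be replaced with your own values):

```xml
<proxy xmlns="http://ws.apache.org/ns/synapse" name="EchoProxy"
       transports="https" startOnLoad="true">
    <target>
        <inSequence>
            <!-- Entitlement mediator: asks the Identity Server's XACML engine
                 whether the user authenticated by the UsernameToken may invoke
                 this service. remoteServiceUrl is the Entitlement Server endpoint;
                 the user named here needs login and "manage configuration"
                 permissions in the Identity Server (placeholder credentials). -->
            <entitlementService remoteServiceUrl="https://IDENTITY_SERVER:PORT/services/"
                                remoteServiceUserName="ENTITLEMENT_USER"
                                remoteServicePassword="ENTITLEMENT_PASSWORD"/>
            <!-- Header mediator: strip the WS-Security header that the proxy has
                 already consumed, so the back-end echo service never sees it. -->
            <header name="wsse:Security" action="remove"
                    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"/>
            <!-- Send with no endpoint: the message is routed by the WS-Addressing
                 "To" header that the client sets to the echo service. -->
            <send/>
        </inSequence>
        <outSequence>
            <send/>
        </outSequence>
    </target>
    <!-- UsernameToken policy attached at the service level, as step 2.5 requires
         (placeholder registry key for wherever the policy was saved). -->
    <enableSec/>
    <policy key="conf:/repository/security/ut-policy.xml"/>
</proxy>
```

A request that fails the XACML evaluation is rejected by the Entitlement mediator before the Header and Send mediators run, so the back end is only reached by callers the Identity Server has permitted.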

3. The Proxy Service is now ready to be invoked.

4. Write a client to invoke the secured Proxy Service.

The client in the following example invokes the echo service deployed in the ESB through the Proxy Service created above.


    import org.apache.axiom.om.OMAbstractFactory;
    import org.apache.axiom.om.OMElement;
    import org.apache.axiom.om.OMFactory;
    import org.apache.axiom.om.OMNamespace;
    import org.apache.axiom.om.impl.builder.StAXOMBuilder;
    import org.apache.axis2.Constants;
    import org.apache.axis2.addressing.EndpointReference;
    import org.apache.axis2.client.Options;
    import org.apache.axis2.client.ServiceClient;
    import org.apache.axis2.context.ConfigurationContext;
    import org.apache.axis2.context.ConfigurationContextFactory;
    import org.apache.neethi.Policy;
    import org.apache.neethi.PolicyEngine;
    import org.apache.rampart.RampartMessageData;

    public class TestClient {

        // WS-Addressing "To" URL of the echo service deployed in the ESB (placeholder).
        final static String ADDR_URL = "https://ESB_HOST:PORT/services/echo";
        // Transport URL of the secured Proxy Service created above (placeholder).
        final static String TRANS_URL = "https://ESB_HOST:PORT/services/EchoProxy";

        public static void main(String[] args) throws Exception {
            ServiceClient client = null;
            Options options = null;
            OMElement response = null;
            ConfigurationContext context = null;
            String trustStore = null;

            // You need to import the ESB's public certificate into this key store.
            trustStore = "mykeystore.jks";
            // We are accessing the ESB over HTTPS, so the JSSE trust store properties must be set.
            System.setProperty("javax.net.ssl.trustStore", trustStore);
            // Password of mykeystore.jks
            System.setProperty("javax.net.ssl.trustStorePassword", "wso2carbon");

            // Create the configuration context; the Rampart module must be engaged in client.axis2.xml.
            context = ConfigurationContextFactory.createConfigurationContextFromFileSystem("repo", "repo/conf/client.axis2.xml");

            // This is the UsernameToken security policy applied to the proxy service.
            // The user name and password callback handler are configured in its RampartConfig.
            StAXOMBuilder builder = new StAXOMBuilder("policy.xml");
            Policy policy = PolicyEngine.getPolicy(builder.getDocumentElement());

            client = new ServiceClient(context, null);
            options = new Options();
            // Addressing URL pointing to the echo service deployed in the ESB
            options.setTo(new EndpointReference(ADDR_URL));
            // TRANS_URL points to the proxy service, which performs the XACML check
            options.setProperty(Constants.Configuration.TRANSPORT_URL, TRANS_URL);
            // Rampart adds the UsernameToken to the request according to this policy
            options.setProperty(RampartMessageData.KEY_RAMPART_POLICY, policy);
            client.setOptions(options);

            response = client.sendReceive(getPayload("Hello world"));
            System.out.println(response);
        }

        private static OMElement getPayload(String value) {
            OMFactory factory = null;
            OMNamespace ns = null;
            OMElement elem = null;
            OMElement childElem = null;

            factory = OMAbstractFactory.getOMFactory();
            // Namespace of the Carbon echo service
            ns = factory.createOMNamespace("http://echo.services.core.carbon.wso2.org", "ns1");
            elem = factory.createOMElement("echoString", ns);
            childElem = factory.createOMElement("in", null);
            childElem.setText(value);
            elem.addChild(childElem);
            return elem;
        }
    }