With the latest WSO2 Enterprise Integrator (EI), you can add fine-grained XACML authorization for proxy services, using the entitlement mediator. XACML-based authorization allows you to have an extremely flexible way of defining the rules of accessing resources based on the user, the user's role, the environment, time and date, etc. Now, the WSO2 product platform allows you to incorporate XACML based authorization into your SOA deployment with the WSO2 Identity Server.
The problem with most security schemes is that they do not let you make authorization fine-grained unless a substantial amount of work goes into implementing such a scheme from scratch. The WSO2 product platform relieves the system architect of this burden and allows you to integrate XACML-based authorization into a deployment and have a full-blown authorization scheme in place with minimum effort.
For more information about the WSO2 EI, please visit the WSO2 Enterprise Integrator Documentation.
The following sections provide more information on how to configure this.
Configure Identity Server as an XACML Engine
The first step is to configure the WSO2 Identity Server to act as an XACML engine. XACML support for fine-grained authorization comes with WSO2 Identity Server. For this, configure your Identity Server as an XACML engine as explained in Identity Server as an XACML Engine.
Configuring the EI entitlement mediator
The next step is to configure the entitlement mediator in the WSO2 EI.
- Create a Proxy Service. Under "In Sequence," create an Anonymous sequence to include the Entitlement, Header, and Send mediators. Add the Advanced/Entitlement Mediator to the In Sequence. See Adding a Proxy Service. The Entitlement Server should be the endpoint of the Identity Server where the entitlement engine is running, i.e. https://IDENTITY_SERVER:PORT/services/. Additionally, the user configured in the mediator should have the login and "manage configuration" permissions in the Identity Server.
- Add the Transform/Header mediator. See Adding a Mediator to a Sequence and Mediators. Remove the "Security" header. Click on the "Namespaces" link to set the namespace as follows:
  - Prefix - wsse
  - URI - http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
- Create a Core/Send mediator, and save to return to the main flow.
- Add a Core/Send mediator to the "Out Sequence" as an "Anonymous" sequence, and save to return to the main flow to complete the creation of the Proxy Service.
- Apply the UsernameToken security policy to the Proxy Service you just created as mentioned here. The policy editor applies the security policy to the binding, which causes an issue with Proxy Services that must be resolved. To overcome it, from the service listing, select the Proxy Service, and then select "Policies." Remove the applied policies from the Binding Hierarchy, and add the security policy to the Service Hierarchy.
- You are ready to use the Proxy Service. Write a client to invoke the secured Proxy Service.
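The steps above, written out as the Synapse configuration the EI generates for the proxy service. This is an added example and not configuration from the original page or from the WSO2 documentation; the host names, ports, back-end endpoint, registry path of the policy and the entitlement credentials are placeholders, and the onAccept/onReject child sequences and the UTEntitlementCallbackHandler callback class are assumed from the EI entitlement mediator's configuration syntax.

```xml
<!-- Added example (not from the original page): proxy service wired as in the steps above.
     Placeholders: IDENTITY_SERVER, PORT, EI_HOST, ENTITLEMENT_USER, ENTITLEMENT_PASSWORD
     and the policy registry path. -->
<proxy xmlns="http://ws.apache.org/ns/synapse"
       name="EntitlementProxy"
       transports="https"
       startOnLoad="true">
   <target>
      <inSequence>
         <!-- Entitlement mediator: builds a XACML request from the caller's UsernameToken
              (UTEntitlementCallbackHandler) and asks the Identity Server PDP for a decision.
              The user below needs the login and "manage configuration" permissions;
              in a real deployment keep the password in WSO2 Secure Vault, not in plain config. -->
         <entitlementService remoteServiceUrl="https://IDENTITY_SERVER:PORT/services"
                             remoteServiceUserName="ENTITLEMENT_USER"
                             remoteServicePassword="ENTITLEMENT_PASSWORD"
                             callbackClass="org.wso2.carbon.identity.entitlement.mediator.callback.UTEntitlementCallbackHandler">
            <onReject>
               <!-- Deny decision: answer with a SOAP fault, never forward to the back end -->
               <makefault version="soap11">
                  <code xmlns:soap11Env="http://schemas.xmlsoap.org/soap/envelope/"
                        value="soap11Env:Client"/>
                  <reason value="Access denied by XACML policy"/>
               </makefault>
               <respond/>
            </onReject>
            <onAccept>
               <!-- Permit decision: strip the wsse:Security header (the back end is not
                    secured and would reject it) and forward the message -->
               <header xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                       name="wsse:Security"
                       action="remove"/>
               <send>
                  <endpoint>
                     <address uri="http://EI_HOST:8280/services/echo"/>
                  </endpoint>
               </send>
            </onAccept>
         </entitlementService>
      </inSequence>
      <outSequence>
         <!-- Return the back-end response to the caller -->
         <send/>
      </outSequence>
   </target>
   <!-- UsernameToken policy attached at the Service Hierarchy (not the Binding Hierarchy),
        as the steps above require. Path is a placeholder for where the policy was saved. -->
   <policy key="conf:/repository/axis2/service-groups/EntitlementProxy/services/EntitlementProxy/policies/UTOverTransport"/>
   <enableSec/>
</proxy>
```

Two points worth checking in a deployment: the proxy is exposed on `https` only, so the UsernameToken password never travels in clear, and the Security header is removed only inside `onAccept`, so a Deny decision can never leak the caller's credentials to the back end.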
The client in the following example invokes the echo service deployed in WSO2 EI through the Proxy Service created above.