This documentation is for WSO2 API Manager 2.1.0. View documentation for the latest release.

All docs This doc

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Let’s take the following requirement in exposing an API via the API manager. 

Image RemovedImage Added

Based on the requirement, a single API is exposed to add or retrieve student and staff information. Each member type (staff or student) is identified from the resource path. The operation (GET or POST) that needs to be performed is distinguished by the HTTP verb. Follow the steps below to implement this kind of role-based access control.

  1. Let’s start by creating the required users. First, you need to link both the API Manager and the Identity Server to the same user store. This can be done by linking the API manager with the LDAP user store within WSO2 Identity Server. For more information, see Configuring Primary User Stores.

    Tip

    In an actual deployment, both these servers can be linked to the user store of your organization.

  2. Start the WSO2 API Manager server and log in to the Management Console. Create user information with the following permission structure.

    User

    Role

    staffapi_userstaff

    webuser

    studentapi_user

    student

    admin_user

    college_admin

  3. Start the WSO2 Identity Server and log in to its Admin Console. 

    Tip

    Since API Manager and Identity Server run on the same server, offset the Identity Server by 1.

  4. Under the Entitlement section, click Policy Administration > Add New Entitlement Policy.
    Image RemovedImage Added Image Added
  5. You are redirected to a page listing all available policy editors. Select Standard Policy Editor from the list and add the values shown below in the policy editor.
    1. Entitlement Policy Name: EDUCollegePolicy PizzaShackPolicy
    2. Rule Combining Algorithm: Deny unless Permit
    When the rule combination algorithm is set to Deny Unless Permit, you need to set the permit criteria as a rule. 
  6. In the Define Entitlement Rule(s) area, set the following 3 rules to define the kind of requests and from which user they should be permitted.
    1. AdminGrant - grants full access to the admin user. Give the information below,
      Rule Name: AdminGrant
      Conditions: Subject is/are at-least-one-member college_ admin
      Click the icon next to END shown below to configure the attribute value and attribute source to retrieve the user roles from the user store. 
      Image RemovedImage Added
      Select the attributes as given below. Note that this needs to be done for all the rules.
      Select Attribute ID: Role
      Select Attribute Data Type: String
      Entitlement Data Module: Carbon Attribute Finder Module
      Image RemovedImage Added
    2. GetStudent - allows staff users to get student information from the API. Give the information below,
      Rule Name: GetStudent GetOrder
      Conditions: Resource  Action is equal /student/info AND 
      Action is equal GET
      Subject is/are at-least-one-member staffwebuser
      Click the icon next to END shown below to configure the attribute value and attribute source to retrieve the user roles from the user store. 
      Image Removed

    3. GetStaff - allows staff and student members to get staff information via the API. Give the information below,
      Rule Name: GetStaff
      Conditions: Resource is equal /staff/info AND 
      Action is equal GET
      Subject is/are at-least-one-member student OR
      Subject is/are at-least-one-member staff
      Click the icon next to END shown below to configure the attribute value and attribute source to retrieve the user roles from the user store.
      Image Removed

    4. Image Added

  7. Click Add once done.
  8.  The rues rules are added to the policy. Click Finish to save the policy. 
    Image RemovedImage Added
  9. In the Policy Administration page, click Publish to My PDP to publish the policy to the PDP. You can test the service by clicking Try.
    Image RemovedImage Added
  10. Add the entitlement-1.0-SNAPSHOT JAR file to the <APIM_HOME>/repository/components/lib directory. This JAR file contains the APIEntitlementCallbackHandler class which passes the username, HTTP verb and the resource path to the XACML entitlement server.
  11. Restart the server once the JAR file is added.
  12. Now, you need to create a sequence containing the entitlement policy mediator that can be attached to each API required to authorize users with the entitlement server. Create an XML file with the following configuration and name it EntitlementMediator.xml.

    Code Block
    languagexml
    <sequence xmlns="http://ws.apache.org/ns/synapse"  name="EntitlementMediator">      
        <entitlementService xmlns="http://ws.apache.org/ns/synapse" remoteServiceUrl="https://localhost:9444/services" remoteServiceUserName="admin" remoteServicePassword="admin" callbackClass="org.wso2.sample.handlers.entitlement.APIEntitlementCallbackHandler"/>
    </sequence>
  13. Log in to the API Publisher and create an API.
  14. Attach the custom sequence to the inflow of the message as shown below.
    Image RemovedImage Added
  15. Save, publish and test the API to make sure that the requests specified in the 3 the 2 rules defined in step 8 are accessible according to the user role specified. For example, the GET/staff/info POST operation is only available to users with the roles student and staffrole admin. If an anonymous user tries to access the GET /staff/info operation, it should fail.

    Note

    If you encounter an error stating "org.apache.axis2.transport.jms.JMSSender cannot be found by axis2_1.6.1.wso2v16" when publishing the API, comment out the following JMSSender configuration in the <APIM_HOME>/repository/conf/axis2/axis2_blocking_client.xml file and restart the server.

    <!--transportSender name="jms" class="org.apache.axis2.transport.jms.JMSSender"/-->

  16. If you want to debug the entitlement mediator, enable debug logs in the Management Console for the org.wso2.sample.handlers.entitlement.APIEntitlementCallbackHandler class.