This documentation is for WSO2 Identity Server 5.0.0.
Writing a Custom Policy Info Point - Identity Server 5.0.0 - WSO2 Documentation
You are viewing an old version of this page (version 1).

This page is currently under construction.

 

This topic explains how to write a simple PIP (Policy Information Point) attribute finder module and plug it into the WSO2 Identity Server. A PIP attribute finder is what the PDP calls when a policy references an attribute that is not present in the XACML request. There are two ways to write a PIP attribute finder module:

  1. By implementing the PIPAttributeFinder interface. You can find the latest interface here.
  2. By extending the AbstractPIPAttributeFinder abstract class. You can find the latest abstract class here.

Of the two, extending the AbstractPIPAttributeFinder abstract class is the easier way to write a PIP attribute finder module: the abstract class extracts the subject, resource, action and environment identifiers from the request context for you, so your module only has to implement the lookup itself.

Sample scenario

K-Market is an online trading company that controls what its customers may trade based on the customers' privileges and attributes, such as age and email address. To achieve Attribute-based Access Control (ABAC), the PDP of the WSO2 Identity Server must be able to retrieve user attributes that are stored in a JDBC-based user store. The sample project can be downloaded here.

Step 1. Assume the K-Market attribute store is a database, say a MySQL database. The sample script used for this scenario can be found here.

Step 2. Write a PIP module by extending AbstractPIPAttributeFinder. The KMarketJDBCAttributeFinder class can be found here.

The following are the methods you need to implement.

a) init(Properties properties): Here you write the logic that initializes your module. Any properties defined for the module in the entitlement.properties file can be accessed here.

In the sample, the JNDI name of the datasource is defined as a property value in the entitlement.properties file and read in this method, so the database credentials stay in the server's datasource configuration rather than in the module. The set of supported attributes is also initialized inside this method.

b) getAttributeValues(String subject, String resource, String action, String environment, String attributeId, URI issuer): Here you write the logic that finds the attribute values and returns them as a Set<String>. The parameters are:

subject –> the value of the following attribute in the request:
urn:oasis:names:tc:xacml:1.0:subject:subject-id

resource –> the value of the following attribute in the request:
urn:oasis:names:tc:xacml:1.0:resource:resource-id

action –> the value of the following attribute in the request:
urn:oasis:names:tc:xacml:1.0:action:action-id

environment –> the value of the following attribute in the request:
urn:oasis:names:tc:xacml:1.0:environment:environment-id

attributeId –> the attribute id that is defined in the policy and that needs to be resolved

issuer –> the issuer associated with the attributeId that needs to be resolved

A request does not have to carry all four identifiers, so any of subject, resource, action and environment may be null; the lookup logic must cope with a missing value instead of querying with it. These values come straight from the XACML request, so treat them as untrusted input: bind them as query parameters rather than concatenating them into SQL.

c) getSupportedAttributes(): Here you write the logic that returns all the attribute ids supported by your module. The PDP uses this set to decide which module to ask for a given attribute id, so an id that is not in it is never passed to your getAttributeValues method.

d) getModuleName(): returns the name of the module.
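The following is an added example of a complete KMarketJDBCAttributeFinder written against the method list above; it is not the sample project's code. The attribute ids (http://kmarket.com/id/age, http://kmarket.com/id/email), the user_attributes table and its columns, the entitlement.properties key DataSourceName and the designator index are all assumptions. The getAttributeValues signature is the one this page lists; check it against the AbstractPIPAttributeFinder class of your release (issuer may be declared as String there) and adjust the parameter type if it differs. Because the subject id arrives from the XACML request, the lookup binds it as a PreparedStatement parameter instead of building the SQL text from it.

```java
package org.xacmlinfo.xacml.pip.jdbc;

import java.net.URI;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.HashSet;
import java.util.Properties;
import java.util.Set;

import javax.naming.InitialContext;
import javax.sql.DataSource;

import org.wso2.carbon.identity.entitlement.pip.AbstractPIPAttributeFinder;

/**
 * Added example of a JDBC-backed PIP attribute finder for the K-Market scenario.
 * Attribute ids, table layout and the property key are assumptions for this example.
 *
 * Assumed registration in <IS_HOME>/repository/conf/security/entitlement.properties
 * (index 1 is normally taken by the server's default attribute finder):
 *   PIP.AttributeDesignators.Designator.2=org.xacmlinfo.xacml.pip.jdbc.KMarketJDBCAttributeFinder
 *   org.xacmlinfo.xacml.pip.jdbc.KMarketJDBCAttributeFinder.1=DataSourceName,jdbc/KMarketDB
 */
public class KMarketJDBCAttributeFinder extends AbstractPIPAttributeFinder {

    /** Assumed property key whose value is the JNDI name of the datasource. */
    private static final String DATASOURCE_PROPERTY = "DataSourceName";

    /** Assumed attribute ids referenced by the K-Market policies. */
    private static final String AGE_ATTRIBUTE_ID = "http://kmarket.com/id/age";
    private static final String EMAIL_ATTRIBUTE_ID = "http://kmarket.com/id/email";

    /** Assumed table user_attributes(user_name, age, email); the placeholder keeps the subject out of the SQL text. */
    private static final String AGE_QUERY = "SELECT age FROM user_attributes WHERE user_name = ?";
    private static final String EMAIL_QUERY = "SELECT email FROM user_attributes WHERE user_name = ?";

    private DataSource dataSource;
    private final Set<String> supportedAttributes = new HashSet<String>();

    @Override
    public void init(Properties properties) throws Exception {
        String jndiName = properties.getProperty(DATASOURCE_PROPERTY);
        if (jndiName == null || jndiName.trim().length() == 0) {
            throw new Exception(DATASOURCE_PROPERTY + " is not configured for " + getModuleName());
        }
        // Resolve the server-managed pool once; credentials live in master-datasources.xml, not here.
        dataSource = (DataSource) new InitialContext().lookup(jndiName);
        supportedAttributes.add(AGE_ATTRIBUTE_ID);
        supportedAttributes.add(EMAIL_ATTRIBUTE_ID);
    }

    @Override
    public Set<String> getAttributeValues(String subject, String resource, String action,
                                          String environment, String attributeId, URI issuer)
            throws Exception {
        Set<String> values = new HashSet<String>();
        // The request may carry no subject-id: return an empty set rather than querying with null.
        if (subject == null || subject.length() == 0) {
            return values;
        }
        String query;
        if (AGE_ATTRIBUTE_ID.equals(attributeId)) {
            query = AGE_QUERY;
        } else if (EMAIL_ATTRIBUTE_ID.equals(attributeId)) {
            query = EMAIL_QUERY;
        } else {
            return values; // Not an attribute this module owns.
        }
        Connection connection = null;
        PreparedStatement statement = null;
        ResultSet resultSet = null;
        try {
            connection = dataSource.getConnection();
            statement = connection.prepareStatement(query);
            statement.setString(1, subject); // Bound parameter, never string concatenation.
            resultSet = statement.executeQuery();
            while (resultSet.next()) {
                String value = resultSet.getString(1);
                if (value != null) {
                    values.add(value);
                }
            }
        } finally {
            close(resultSet, statement, connection);
        }
        return values;
    }

    @Override
    public Set<String> getSupportedAttributes() {
        return supportedAttributes;
    }

    @Override
    public String getModuleName() {
        return "KMarketJDBCAttributeFinder";
    }

    /** Returns the connection to the pool even when the query throws. */
    private static void close(ResultSet rs, PreparedStatement st, Connection conn) {
        try { if (rs != null) rs.close(); } catch (SQLException ignored) { }
        try { if (st != null) st.close(); } catch (SQLException ignored) { }
        try { if (conn != null) conn.close(); } catch (SQLException ignored) { }
    }
}
```

An attribute id the module does not own, or a subject that has no row, yields an empty set rather than null; the PDP then treats the attribute as missing, which is the behaviour a policy author expects when the MustBePresent flag decides between Indeterminate and NotApplicable.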

Step 3. Create a jar file from your class. You can build the sample project with Maven 3 to create the jar file.

Step 4. Copy the created org.xacmlinfo.xacml.pip.jdbc-1.0.0.jar into the <IS_HOME>/repository/components/lib directory.

Step 5. Copy any libraries the PIP module depends on into the <IS_HOME>/repository/components/lib directory as well. Here that is the JDBC driver jar used to create the JDBC connection (for example, mysql-connector-java-5.1.10-bin.jar).

Additional step. Configure a new datasource in the master-datasources.xml file, which can be found in the <IS_HOME>/repository/conf/datasources directory (this only applies if you define the datasource configuration in master-datasources.xml). Sample configuration would be as follows.
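As an added example that is not the page's own sample, the following is a datasource definition for the K-Market MySQL database in the form master-datasources.xml uses. The datasource name, JNDI name, URL, schema and credentials are assumptions; the value under jndiConfig/name is what the PIP module receives through its entitlement.properties property.

```xml
<!-- Added example, inserted under <datasources> in master-datasources.xml.
     Names, URL and credentials are assumptions made for this example. -->
<datasource>
    <name>KMARKET_DB</name>
    <description>K-Market user attribute store used by the PIP attribute finder</description>
    <jndiConfig>
        <!-- The JNDI name the PIP module looks up from its entitlement.properties value. -->
        <name>jdbc/KMarketDB</name>
    </jndiConfig>
    <definition type="RDBMS">
        <configuration>
            <url>jdbc:mysql://localhost:3306/kmarket</url>
            <!-- Use an account limited to SELECT on the attribute table; the PIP only reads. -->
            <username>kmarket_reader</username>
            <password>change-me</password>
            <driverClassName>com.mysql.jdbc.Driver</driverClassName>
            <maxActive>50</maxActive>
            <maxWait>60000</maxWait>
            <testOnBorrow>true</testOnBorrow>
            <validationQuery>SELECT 1</validationQuery>
            <validationInterval>30000</validationInterval>
        </configuration>
    </definition>
</datasource>
```

The driver class must be loadable from the jar copied in Step 5, and the server has to be restarted after changing master-datasources.xml and entitlement.properties for the new datasource and PIP module to be picked up.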
