Friday, April 22, 2011

Fine-grained Authorization with XACML

Thursday, April 21, 2011

XACML Policy Information Point Extensions & Designators with WSO2 Identity Server 3.2.0

WSO2 Identity Server 3.2.0 release provides two types of extensions to it's XACML PIP. [The release is not yet done - you can download a build from the latest trunk from here]

1.PIP Extensions

Once the PIP Extensions got registered with the system - the registered PIP Extension will be invoked for each and every XACML request the PDP receives and this happens before the request been evaluated.

PIP Extensions can be used to modify the incoming request as well as log relavent parameters.

2.PIP Desiginators.

Once the PIP Desiginators got registered with the system - the registered Desiginators will be invoked while a request been evaluated in the PDP and need to find out the value of an attribute which is supported by the Desiginator. The Desiginator will let the system know the attributes it supports at the time of registration.

To register a PIP Extension or a PIP Designator we need to copy the jars with those classes to [CARBON_HOME]\repository\components\lib and create a file called pip-config.xml inside [CARBON_HOME]\repository\conf with the following. Here I assume the PIP Extension class name is org.wso2.carbon.identity.sample.pip.SamplePIPExtension and PIP Designator class name is org.wso2.carbon.identity.sample.pip.SamplePIPDesignator.
  <Designator class="org.wso2.carbon.identity.entitlement.pip.DefaultAttributeFinder" />
  <Designator class="org.wso2.carbon.identity.sample.pip.SamplePIPDesignator" />
     <Extension class="org.wso2.carbon.identity.sample.pip.SamplePIPExtension" />
Also, in the above file, make sure that you keep the entry <Designator class="org.wso2.carbon.identity.entitlement.pip.DefaultAttributeFinder" /> as it is, because it's the default PIP Designator which will by default talk to the underlying user store.

Now, let's see how to write PIP Extensions and Designators. You need to have org.wso2.carbon.identity.entitlement-3.2.0.jar and sun-xacml-2.0.1.wso2v1.jar in the classpath. [You can find those jars inside [IS_HOME]\repository\components\plugins
package org.wso2.carbon.identity.sample.pip;

import java.util.HashSet;
import java.util.Set;

import org.wso2.carbon.identity.entitlement.pip.PIPAttributeFinder;

public class SamplePIPDesignator implements PIPAttributeFinder {

 public Set getAttributeValues(String subjectId, String resourceId,
   String attributeId) throws Exception {
  Set attributeValues = new HashSet();

  System.out.println("SamplePIPDesignator Called");
  System.out.println("SamplePIPDesignator SubjectId " + subjectId);
  System.out.println("SamplePIPDesignator AttributeId " + attributeId);
  System.out.println("SamplePIPDesignator Resource Id " + resourceId);

  return attributeValues;

 public Set getSupportedAttributes() {
  Set attributes = new HashSet();
  return attributes;

package org.wso2.carbon.identity.sample.pip;

import org.wso2.carbon.identity.entitlement.pip.PIPExtension;

import com.sun.xacml.ctx.RequestCtx;

public class SamplePIPExtension implements PIPExtension{

 public void update(RequestCtx request) {
  System.out.println("SamplePIPExtension Called");

Notes :

1. The latest WSO2 Identity Server is running with the embedded ApacheDS LDAP server. The default port is 10389. If you want to change it, open CARBON_HOME\repository\conf\carbon.xml and look for LDAPServerPort and change it.

2. When you create or import a XACML policy to the Identity Server - policy will be in Disabled state - you need to Enable it by clicking the Enable link against the policy in the policy list page.