...

To obtain an entitlement decision, the filter needs four parameters: UserName (the subject), ResourceName, Action and Environment. The resource name is mapped to the servlet to which the request is sent, the environment is the web application itself (WebApp), and the action is the HTTP method (GET, POST, etc.). To obtain the user name of the person who sent the request, the web application must first authenticate that person with one of the following Java EE authentication mechanisms:

  Basic Authentication

  Client Cert Authentication

  Digest Authentication

  Form Authentication

Before authority can be granted, the person must be authenticated. After authentication, the servlet filter can read the user name from the request (the container exposes the authenticated identity as the remote user or user principal) regardless of which of the mechanisms above was used, so all four parameters are available for the entitlement decision. As shown in the diagram, when a request arrives at a web application in which the Entitlement Servlet Filter is engaged, the filter obtains UserName, ResourceName, Action and Environment, initializes the PDP Proxy to communicate with WSO2 IS, sends the parameters as an XACML request and receives the entitlement decision. Depending on the decision, the request to the web application is either blocked or allowed to pass.

The next step is to engage the Entitlement Servlet Filter in the web application, which is done through web.xml. From this file, the servlet filter reads the parameters it needs to initialize communication with WSO2 IS. The following is an example web.xml that configures the Entitlement Servlet Filter.
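As an added illustration of the flow described above (this is example code written for this page, not the WSO2 filter's own source, and not the elided web.xml), the following Java EE servlet filter collects the four XACML parameters from the authenticated request, asks a PDP proxy for a decision and blocks or passes the request. The init-param names, the `PdpProxy` interface and the `LocalPolicyPdp` stand-in are assumptions made for the example so it can be exercised without a running identity server; in a real deployment the proxy would be an adapter that builds the XACML request and sends it to WSO2 IS. The web.xml fragment that engages the filter is shown in the leading comment.

```java
package example.entitlement;

import java.io.IOException;
import java.security.Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Engaged from web.xml. The init-param names are this example's own
 * (hypothetical), not those of the real WSO2 filter:
 *
 *   <filter>
 *     <filter-name>EntitlementFilter</filter-name>
 *     <filter-class>example.entitlement.EntitlementFilter</filter-class>
 *     <init-param>
 *       <param-name>pdpProxyClass</param-name>
 *       <param-value>example.entitlement.EntitlementFilter$LocalPolicyPdp</param-value>
 *     </init-param>
 *     <init-param>
 *       <param-name>environment</param-name>
 *       <param-value>WebApp</param-value>
 *     </init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>EntitlementFilter</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
public class EntitlementFilter implements Filter {

    /** Hypothetical PDP proxy contract. A real adapter builds the XACML request
     *  from these four attributes, sends it to WSO2 IS and returns the decision
     *  string ("Permit", "Deny", "NotApplicable" or "Indeterminate"). */
    public interface PdpProxy {
        String getDecision(String subject, String resource, String action, String environment) throws Exception;
    }

    /** Constructed stand-in for WSO2 IS so the filter runs offline:
     *  any authenticated user may read; only "admin" may write. */
    public static class LocalPolicyPdp implements PdpProxy {
        @Override
        public String getDecision(String subject, String resource, String action, String environment) {
            if (!"WebApp".equals(environment)) return "NotApplicable";
            if ("GET".equals(action) || "HEAD".equals(action)) return "Permit";
            return "admin".equals(subject) ? "Permit" : "Deny";
        }
    }

    private PdpProxy proxy;
    private String environment;

    @Override
    public void init(FilterConfig config) throws ServletException {
        // Parameters come from the <init-param> entries in web.xml.
        String proxyClass = config.getInitParameter("pdpProxyClass");
        environment = config.getInitParameter("environment");
        if (proxyClass == null || environment == null) {
            throw new ServletException("init-params pdpProxyClass and environment are required");
        }
        try {
            proxy = Class.forName(proxyClass).asSubclass(PdpProxy.class)
                    .getDeclaredConstructor().newInstance();
        } catch (ReflectiveOperationException e) {
            throw new ServletException("cannot create PDP proxy " + proxyClass, e);
        }
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // UserName: whichever mechanism the container ran (Basic, Digest, Form,
        // client cert), the authenticated identity is exposed as the user principal.
        Principal principal = req.getUserPrincipal();
        if (principal == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED); // no subject, no decision
            return;
        }
        String subject = principal.getName();
        String resource = req.getServletPath(); // ResourceName: the servlet the request targets
        String action = req.getMethod();        // Action: the HTTP method

        String decision;
        try {
            decision = proxy.getDecision(subject, resource, action, environment);
        } catch (Exception e) {
            decision = "Indeterminate"; // PDP unreachable or bad response: fail closed
        }

        // Only an explicit Permit passes; Deny, NotApplicable and Indeterminate all block.
        if ("Permit".equals(decision)) {
            chain.doFilter(request, response);
        } else {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }

    @Override
    public void destroy() { }
}
```

Two checks in the filter are worth keeping when adapting it: a missing principal is answered with 401 rather than sending an empty subject to the PDP, and any failure to reach the PDP is treated as Indeterminate and therefore refused, so an outage of WSO2 IS never turns into an open web application.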

...