Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

WSO2 Identity Server supports the JSON format in addition to the default XML format when you work with XACML 3.0 requests and responses. Therefore, you can send XACML Multiple Decision Profile (MDP) requests in JSON format, and can also recieve MDP responses in the JSON format in an authorization flow in WSO2 Identity Server. For a list of key points you need to keep in mind when you work with XACML 3.0 JSON requests and responses, see JSON Support with XACML 3.0.

Let’s take a look at a sample scenario to understand how you can work with MDP requests and responses in JSON format using WSO2 Identity Server.

...

Table of Contents
maxLevel3
minLevel3

Prerequisites

Procedure

Follow the steps below to publish a sample policy to the PDP in WSO2 Identity Server:

  1. Access the WSO2 IS Management Console via https://localhost:9443/carbon/, and sign in using admin/admin as credentials.
  2. Click the Main tab on the Management Console, go to Entitlement -> PAP and then click Policy Administration. The Policy Administration screen appears.
  3. Click Add New Entitlement Policy. This displays the available policy creation methods.
  4. Click Write Policy in XML. This allows you to write a XACML policy based on your requirement using the XML editor.
  5. Add the following sample policy and click Save Policy:

    Code Block
    <Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"  PolicyId="web-filter-policy-1" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
       <Target>
          <AnyOf>
             <AllOf>
                <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">index.jsp</AttributeValue>
                   <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
                </Match>
             </AllOf>
          </AnyOf>
       </Target>
       <Rule Effect="Permit" RuleId="Rule_for_all_groups">
          <Target>
             <AnyOf>
                <AllOf>
                   <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">publicUser</AttributeValue>
                      <AttributeDesignator AttributeId="http://wso2.org/identity/user/username" Category="http://wso2.org/identity/user" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
                   </Match>
                </AllOf>
             </AnyOf>
          </Target>
          <Condition>
             <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">view-welcome</AttributeValue>
                   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">view-summary</AttributeValue>
                </Apply>
                <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
             </Apply>
          </Condition>
       </Rule>
       <Rule Effect="Permit" RuleId="Rule_for_all_internal_user_group">
          <Target>
             <AnyOf>
                <AllOf>
                   <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">internalUser</AttributeValue>
                      <AttributeDesignator AttributeId="http://wso2.org/identity/user/username" Category="http://wso2.org/identity/user" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
                   </Match>
                </AllOf>
             </AnyOf>
          </Target>
          <Condition>
             <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">view-status</AttributeValue>
                </Apply>
                <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
             </Apply>
          </Condition>
       </Rule>
       <Rule Effect="Permit" RuleId="Rule_for_all_admin_user_group">
          <Target>
             <AnyOf>
                <AllOf>
                   <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">adminUser</AttributeValue>
                      <AttributeDesignator AttributeId="http://wso2.org/identity/user/username" Category="http://wso2.org/identity/user" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
                   </Match>
                </AllOf>
             </AnyOf>
          </Target>
          <Condition>
             <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">modify-welcome</AttributeValue>
                   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">modify-summary</AttributeValue>
                </Apply>
                <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
             </Apply>
          </Condition>
       </Rule>
       <Rule Effect="Deny" RuleId="Rule_deny_all"></Rule>
       <ObligationExpressions>
          <ObligationExpression FulfillOn="Deny" ObligationId="fail_to_permit">
             <AttributeAssignmentExpression AttributeId="obligation-id">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">You can not access the resource index.jsp</AttributeValue>
             </AttributeAssignmentExpression>
          </ObligationExpression>
       </ObligationExpressions>
    </Policy>

    This adds the sample policy to the Available Entitlement Policies list.

  6. Click Publish to My PDP applicable to the sample policy that you added. This takes you to the Publish Policy screen. Image Removed
  7. Click Publish. This displays a confirmation message asking whether you want to continue publishing to PDP.
  8. Click Yes. This publishes the policy to the PDP.

Now that you have published the policy, you can send a sample request and see how the policy evaluates the request.

Testing the authorization flow

Tip

You can use any REST client to send a sample request. In this tutorial we are going to use Google Chrome Postman app as the REST client.

...

  • view-welcome
  • view-status
  • view-summary
  • modify-welcome

Analyzing the response

You will see a JSON response similar to the following:

...