Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

WSO2 App Manager facilitates Web application authorization for reliability and security of Web applications. Users can enable  different different levels of access rights and authorization for a single Web application resource. When authorization is enabled, users can access that resource based on the authorization policies or granted permissions. WSO2 App Manager has two types of authorization mechanisms as follows.

Table of Contents
maxLevel3

Role-based resource authorization

In WSO2 App Manager, the Web application invocation requests are authorized and access is granted based on the role assigned to the user. This is called role-based resource authorization.  While In the Step 2 - Policies of creating a Web application in the App Publisher, you can associate roles for each Web application resourceresources, by defining Accessible User Roles in the Web Application Resource section.  You can associate user roles with resource policy as shown below.

new resource policyImage Added

After defining the accessible user roles in the resource policy as shown above, you can associate that policy to the HTTP verbs of URL patterns in either default resources or newly added resources as shown below. 

role based resource auhtorizationImage Removed

For the Step 3 - Web Application Resources section. For example, if you are adding a adding the resource to a Web application with the value policy created above to the GET HTTP verb of the /{context}/{version}/timeTables as the URL pattern and GET as the HTTP verb, associating roleA as the user role to it, as shown below, then a HTTP GET request sent to to /{context}/{version}/timeTables is  is authorized only for a user with roleA.users of member and admin roles.

add defined policy to Web app resourceImage Added

XACML policy based resource authorization

XACML is a widely used authorization mechanism for Web resources. It  XACML provides fine grained policy-based access control. WSO2 App Manager provides Web application resource authorization facility with the use of XACML policies associated with resources.

Defining the XACML policy conditions

Follow the below steps to define the conditions of a XACML-based entitlement policy.For instructions on defining XACML policies, see Step 2 - XACML Policies

  1. Log in to the admin dashboard of WSO2 App Manager using admin/admin credentials and the following URL: https://localhost:9443/admin-dashboard
  2. Click Entitlement Policies, and then click Add New.
  3. Enter a name for the entitlement policy.
  4. Enter a description for the entitlement policy.
  5.  Define the conditions of the entitlement policy in the provided editor as shown below.

    Info

    For more information on defining XACML policies, see OASIS XACML Version 3.0 documentation.

    add a new entitlement policyImage Added

  6. Select Permit or Deny under Effect section to create a new resource policy by enabling the defined XACML policy. If you select Permit, the user will be permitted to access, and if you select Deny, the Web app resource access will be denied.
  7. Click Validate to check the validity of the policy. It checks for syntax errors and verifies whether the condition adheres to XACML policy language specifications. 
  8. Click Save to save the policy condition details. 

    Info

    Only the author of the policy can edit shared policies.

  9. Click Entitlement Policies in the left menu, and then click View All. You view the saved policy under the list of XACML policies as shown below.
    available XACML policies listImage Added
    You can edit and delete defined XACML policies using the provided buttons under the Action column as shown above.

Associating XACML policies with Web application resources

When creating a Web application, you can Follow the steps below to associate the defined XACML policies with the HTTP verbs of the URL Pattern of it in the Web Application Resource section. In the Access Policy section of a Web URL pattern, select the policy, and then select Permit or Deny as shown below. If you select Permit, the user will be permitted to access, and if you select Deny, the Web app resource access will be denied.XACML based authorizationImage RemovedWeb application resources when creating a Web application.

  1. In the Step 2 - Policies of creating a Web application, select the Entitlement Policy as shown below.

    select entitlement policyImage Added

  2. Associate the XACML policy defined above to a HTTP Verb of a specific URL Pattern of a Web app resource in Step 3 - Web Application Resources section as shown below.
    add defined XACML policy to Web app resourceImage Added