Versions Compared

Old Version 9

changes.mady.by.user Former user

Saved on

compared with

New Version Current

changes.mady.by.user Former user

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

To get an entitlement decision, we need some parameters like UserName, ResourceName, Action and Environment. We can map the resource name to the servlet to which the request is sent. Environment will be the WebApp. Action will be the HTTP action GET, POST etc. In order to get the user name of the person who sent the Web App request, the following Java EE authentication mechanisms are used:

  Basic Authentication

  Client Cert Authentication

  Digest Authentication

  Form Authentication

To grant authority, we have to authenticate the person. After the authentication, we can obtain the username in the servlet filter using the above mentioned methods. All the parameters can be obtained to get an entitlement decision. As shown in the diagram, when a request comes to a particular Web App which has the engaged Entitlement Servlet Filter, the following parameters are obtained: UserName, ResourceName, Action and Environment. Then the PDP Proxy is initialised to is initialized to communicate with WSO2 IS. After that, the parameters are sent as an XACML request and the entitlement decision is received. Depending on the entitlement decision received, the request which has came to the Web App is either stopped or passed. 

The next critical step in this process is for the user to engage the Entitlement Servlet Filter. For that, we use the web.xml. From this file, the Servlet Filter servlet filter will read necessary parameters in order to initialize the communication with WSO2 IS. The following shows an example web.xml which configures the Entitlement Servlet Filter.

 

Code Block
languagehtml/xml
titleExample web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="http://java.sun.com/xml/ns/javaee"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         id="WebApp_ID" version="2.5">
    <display-name>Entitlement_Sample_WebApp</display-name>

    <!-- The scope in which the subject would be available.  Legal values are basicAuth, request-param, request-attribute, session -->
    <!-- This param is optional. If not provided would be set to default value -->
    <context-param>
        <param-name>subjectScope</param-name>
        <param-value>basicAuth</param-value>
    </context-param>

    <!-- The name of the identifier by which to identify the subject -->
    <!-- This param is Mandatory. Should be provided -->
    <context-param>
        <param-name>subjectAttributeName</param-name>
        <param-value>username</param-value>
    </context-param>

    <!-- The username to perform EntitlementService query-->
    <!-- This param is Mandatory. Should be provided -->
    <context-param>
        <param-name>userName</param-name>
        <param-value>admin</param-value>
    </context-param>

    <!-- The password to perform EntitlementService query -->
    <!-- This param is Mandatory. Should be provided -->
    <context-param>
        <param-name>password</param-name>
        <param-value>admin</param-value>
    </context-param>

    <!-- The URL to perform EntitlementService query-->
    <!-- This param is Mandatory. Should be provided in this format -->
    <!--If the transport type is SOAP give the url like https://localhost:9443/services/-->
    <!--If the transport type is Thrift give the url like https://localhost:9443/-->
    <context-param>
        <param-name>remoteServiceUrl</param-name>
        <param-value>https://localhost:9443/services/</param-value>
    </context-param>

    <!-- EntitlementFilter Settings -->
    <filter>
        <filter-name>EntitlementFilter</filter-name>
        <filter-class>org.wso2.carbon.identity.entitlement.filter.EntitlementFilter</filter-class>

        <!--Client Class that extends AbstractEntitlementServiceClient. Legal values are basicAuth, soap and thrift.Default is 'thrift'.-->
        <init-param>
            <param-name>client</param-name>
            <param-value>basicAuth</param-value>
        </init-param>

        <!--Decision caching at PEPProxy. Legal values are simple and carbon.This parameter is optional.
        If not specified no caching is done.-->
        <init-param>
            <param-name>cacheType</param-name>
            <param-value>simple</param-value>
        </init-param>

        <!--Maximum number of cached entries. Legal values are between 0 and 10000 .Only works with caching.-->
        <init-param>
            <param-name>maxCacheEntries</param-name>
            <param-value>1000</param-value>
        </init-param>

        <!-- Time interval for which cached entry is valid. Only works with simple cache type. -->
        <init-param>
            <param-name>invalidationInterval</param-name>
            <param-value>100000</param-value>
        </init-param>

        <!-- URL ro redirect to if authorization fails -->
        <!-- This param is Mandatory. Should be provided -->
        <init-param>
            <param-name>authRedirectUrl</param-name>
            <param-value>/index.jsp</param-value>
        </init-param>

	    <!-- This will be used if the transport type is thrift. This is mandatory -->
        <init-param>
            <param-name>thriftHost</param-name>
            <param-value>localhost</param-value>
        </init-param>

        <!-- This will be used if the transport type is thrift. This is optional. If not provided would be set to default value -->
        <init-param>
            <param-name>thriftPort</param-name>
            <param-value>10500</param-value>
        </init-param>

    </filter>

    <!-- Filter mappings used to configure URLs that need to be authorized  -->
    <filter-mapping>
        <filter-name>EntitlementFilter</filter-name>
        <url-pattern>/protected.jsp</url-pattern>
    </filter-mapping>
    <!-- Filter mappings used to configure URLs that need to be authorized  -->
    <filter-mapping>
        <filter-name>EntitlementFilter</filter-name>
        <url-pattern>/other.jsp</url-pattern>
    </filter-mapping>
    <!-- Mandatory mapping that needs to be present to work with PEP cache update authorization-->
    <filter-mapping>
        <filter-name>EntitlementFilter</filter-name>
        <url-pattern>/updateCacheAuth.do</url-pattern>
        <dispatcher>FORWARD</dispatcher>
    </filter-mapping>
    <servlet>
        <servlet-name>EntitlementCacheUpdateServlet</servlet-name>
        <servlet-class>org.wso2.carbon.identity.entitlement.filter.EntitlementCacheUpdateServlet
        </servlet-class>

        <!-- HTTPS port of the web container used when redirecting request to come over https port for cache update authentication -->
        <init-param>
            <param-name>httpsPort</param-name>
            <param-value>9453</param-value>
        </init-param>

        <!-- Authentication mode for cache update. Legal values are webapp and wso2is -->
        <init-param>
            <param-name>authentication</param-name>
            <param-value>webapp</param-value>
        </init-param>

        <!-- Authentication page used for cache update authentication. Legal values are default and custom -->
        <init-param>
            <param-name>authenticationPage</param-name>
            <param-value>default</param-value>
        </init-param>

        <!-- Authentication page URL used for cache update authentication. Works only with custom for authenticationPage -->
        <init-param>
            <param-name>authenticationPageUrl</param-name>
            <param-value>/updateCache.html</param-value>
        </init-param>
    </servlet>
    <!-- Servlet mapping needed for cache update authentication -->
    <servlet-mapping>
        <servlet-name>EntitlementCacheUpdateServlet</servlet-name>
        <url-pattern>/updateCache.do</url-pattern>
    </servlet-mapping>
</web-app>

Running The Entitlement Servlet Filter Sample

Pre Requests
 
Start
Prerequests

  1. Before you start an instance of WSO2 IS

.
  • Import the sample XACML policy to the IS, which is given in sample directory's src/main/resources.
    • Please see

    1. , be sure that the port offset is given as "1" in the carbon.xml file.

      Info

      The configurations in the web.xml file

    given in the sample directory's

    1. of the sample web app should match the configurations in your running IS instance. For example, if you have changed the remoteServiceUrl value in the web.xml of the sample (stored in sample directory's <AS_HOME>/samples/EntitlementFilter/src/main/webapp/WEB-INF

    /web.xml .
  • If you are running WSO2 IS in a configuration other than default please edit the web.xml as needed.
    • Apache Ant is

    1. folder), you must change the IS portoffset accordingly.

    2. Start an instance of WSO2 Identity Server.
    3. Import the sample XACML policy stored in the <AS_HOME>/samples/EntitlementFilter/src/main/resources directory to IS using the management console.
    4. Apache Ant should be installed in your system.
    Running the Sample

    The base directory of this sample has the build.xml file which is used to build the necessary Web App and to deploy it in WSO2 App Server.

    • To build and deploy the sample, type "ant"
    • Start the App Server and access the Management Console. Go to the webapp service listing page. You will see the deployed service.
    • You have to run the run-client.sh or run-client.bat script. It has all the arguments and classpaths configured to run the sample.
    • In the console it will show the result for several Entitlement Decision Scenarios.
    Output Of the Sample 

    Following output will be shown in the console if you run the sample correctly: 
    Code Block
    ***********Starting the Entitlement Servlet Filter Sample************
 

Sending Request For a Web Page Which Requires Authorization
Subject : admin
Resource : /Entitlement_Sample_WebApp/protected.jsp
Action : GET
Environment : Not Specified
***Response BEGIN ***
<html>
<head><title>Protected Page</title></head>
<body>Only Authorized Users Can View This</body>
</html>
***Response END ***
 

Sending Request For a Web Page Which Not Requires Authorization
Subject : admin
Resource : /Entitlement_Sample_WebApp/index.jsp
Action : GET
Environment : Not Specified
***Response BEGIN ***
<html>
<head><title>Index Page</title></head>
<body>Anybody Can Access This Page....</body>
</html>



***Response END ***



Sending Request For a Web Page Which Requires Authorization with False Subject NAME
Subject : andunslg
Resource : /Entitlement_Sample_WebApp/protected.jsp
Action : GET
Environment : Not Specified
***Response BEGIN ***
<html>Server <head><title>Index Page</title></head>
<body>Anybody Can Access This Page....</body>
</html>
 
returned HTTP response code: 401 for URL: http://localhost:9763/Entitlement_Sample_WebApp/protected.jsp
***Response END ***
 

Sending Request For a Web Page Which Requires Authorization with False Action
Subject : admin
Resource : /Entitlement_Sample_WebApp/protected.jsp
Action : POST
Environment : Not Specified
***Response BEGIN ***
<html>
<head><title>Index<head><title>Protected Page</title></head>
<body>Only Authorized <body>AnybodyUsers Can Access This Page....<View This</body>
</html>
 

***Response END ***
 

Sending Request For a Web Page Which Requires Authorization But Policy is not defined
Subject : admin
Resource : /Entitlement_Sample_WebApp/other.jsp
Action : GET
Environment : Not Specified
***Response BEGIN ***
<html>
<head><title>Index Page</title></head>
<body>Anybody Can Access This Page....</body>
</html>


***Response END ***


***********Ending the Entitlement Servlet Filter Sample************

     

     
     Info
    In this sample we create a WebApp Web App with Entitlement Servlet Filter engaged. All the dependencies are packed in to the lib. So this sample can be run in any other webapp container. You have to simply host the webapp Web App in the container and edit the pom.xml , to give the URL of the web application; thereafter. Thereafter, you can check the functionality.