This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Identity Server as an XACML Engine

The following information relates to Identity Server 2.0.

WSO2 Identity Server ships with an XACML engine for fine-grained authorization, with full support for policies written against XACML 2.0.

  1. Sign in to the Management Console with your user name and password.
  2. In the Main menu, open the Entitlement menu and click Policy Administration under PAP.
  3. Add a new policy or import external policy files into the system. When you click "Add," a template policy is created; edit it to suit your requirements, or write a completely new policy.
  4. Evaluate the template policy with no changes: click the "Evaluate Entitlement Policies" link.

Here you can build your own XACML request to evaluate the policy you just added. Copy and paste the following on the above screen and click "Evaluate."

<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Subject>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
               DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>admin</AttributeValue>
    </Attribute>
    <Attribute AttributeId="group"
               DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>admin</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>http://localhost:8280/services/echo/echoString</AttributeValue>
    </Attribute>
  </Resource>
  <Action>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>read</AttributeValue>
    </Attribute>
  </Action>
  <Environment/>
</Request>

The above request states that the user "admin", who belongs to the group "admin", is trying to perform the action "read" on the echoString operation of the http://localhost:8280/services/echo service. Note that all of these attributes (including the custom "group" attribute) are asserted by the requester, normally the Policy Enforcement Point; the PDP evaluates them as given.

The template policy evaluates the above in the following manner:

Find the following section of the template policy:

<Resources>
  <Resource>
    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/echo/</AttributeValue>
      <ResourceAttributeDesignator
          AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
    </ResourceMatch>
  </Resource>
</Resources>

In this policy, the string-regexp-match function checks the service name and operation name combination: the AttributeValue is the regular expression and the ResourceAttributeDesignator supplies the resource-id from the request. You can modify the pattern to suit your own requirements.

For example, to allow users to access all of the services deployed on a certain server, change the value to http://localhost:8280/. To allow access to only a certain set of operations, change it to http://localhost:8280/services/echo/(echoString|echoInt).

Keep in mind that the value is a regular expression, not a literal prefix: as the examples show, it matches wherever it occurs within the resource-id, and metacharacters such as the dots in a host name are not taken literally. Make the pattern as specific as the set of services and operations it is meant to cover, and test it against resource-ids that should be rejected before relying on the policy.

The following two Conditions evaluate the user name and the user's group. Each belongs to its own Rule, since a XACML 2.0 Rule carries at most one Condition; in both, string-is-in takes a string and a bag of strings and returns true if the string is an element of the bag:

<Condition>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
    <SubjectAttributeDesignator
        AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
        DataType="http://www.w3.org/2001/XMLSchema#string" SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"/>
  </Apply>
</Condition>
<Condition>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
    <SubjectAttributeDesignator AttributeId="group" DataType="http://www.w3.org/2001/XMLSchema#string"/>
  </Apply>
</Condition>

The first Condition is satisfied when the subject-id is "admin"; the second is satisfied for any subject whose "group" attribute bag contains "admin". Because both values are read from the request, the PDP trusts whatever the PEP asserts about the subject; the PEP must therefore populate subject-id and group from an authenticated session rather than from input the caller controls.
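To see how the three checks described on this page (the resource regular-expression match and the two subject Conditions) combine into a decision, here is an added Python model of that evaluation. It is not WSO2 Identity Server's XACML engine or any part of the product; it parses the request exactly as shown on the page with the standard library, and applies the template's logic in plain Python so that an edit to the resource pattern can be tried offline. The make_request helper and its attribute values are hypothetical, and string_regexp_match assumes the unanchored matching that the page's own examples rely on.

```python
import re
import xml.etree.ElementTree as ET

# Namespace and attribute identifiers used by the request on this page.
CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"

# The sample request from the page, embedded so the example runs offline.
SAMPLE_REQUEST = """<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os">
  <Subject>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>admin</AttributeValue>
    </Attribute>
    <Attribute AttributeId="group" DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>admin</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>http://localhost:8280/services/echo/echoString</AttributeValue>
    </Attribute>
  </Resource>
  <Action>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>read</AttributeValue>
    </Attribute>
  </Action>
  <Environment/>
</Request>"""


def make_request(user, groups, resource, action="read"):
    """Build a request shaped like the page's one (hypothetical helper, not a WSO2 API)."""
    ET.register_namespace("", CTX)
    req = ET.Element(f"{{{CTX}}}Request")

    def add(parent, attr_id, values):
        attr = ET.SubElement(parent, f"{{{CTX}}}Attribute", AttributeId=attr_id, DataType=XS_STRING)
        for value in values:
            ET.SubElement(attr, f"{{{CTX}}}AttributeValue").text = value

    subject = ET.SubElement(req, f"{{{CTX}}}Subject")
    add(subject, SUBJECT_ID, [user])
    add(subject, "group", groups)
    add(ET.SubElement(req, f"{{{CTX}}}Resource"), RESOURCE_ID, [resource])
    add(ET.SubElement(req, f"{{{CTX}}}Action"), ACTION_ID, [action])
    ET.SubElement(req, f"{{{CTX}}}Environment")
    return ET.tostring(req, encoding="unicode")


def parse_request(xml_text):
    """Return {category: {AttributeId: [values]}}; every attribute is a bag, as in XACML."""
    root = ET.fromstring(xml_text)
    context = {}
    for category in ("Subject", "Resource", "Action", "Environment"):
        bags = {}
        for elem in root.findall(f"{{{CTX}}}{category}"):
            for attr in elem.findall(f"{{{CTX}}}Attribute"):
                values = [v.text or "" for v in attr.findall(f"{{{CTX}}}AttributeValue")]
                bags.setdefault(attr.get("AttributeId"), []).extend(values)
        context[category] = bags
    return context


def string_regexp_match(pattern, value):
    """string-regexp-match as the page's examples use it: the pattern is searched for
    anywhere in the value (assumption: an unanchored search, which is what lets the
    pattern 'http://localhost:8280/' cover every service on that server)."""
    return re.search(pattern, value) is not None


def string_is_in(value, bag):
    """string-is-in: true when the string is an element of the bag."""
    return value in bag


def evaluate(request_xml, resource_pattern):
    """Apply the template's logic: the resource target, then the two subject rules.

    Returns 'Permit' or 'NotApplicable'. A default Deny rule, if the template
    carries one, is not modelled here."""
    ctx = parse_request(request_xml)
    resources = ctx["Resource"].get(RESOURCE_ID, [])
    # Target: the resource-id must match the policy's regular expression.
    if not any(string_regexp_match(resource_pattern, r) for r in resources):
        return "NotApplicable"
    subjects = ctx["Subject"]
    # Rule 1 (first Condition on the page): the subject-id is "admin".
    if string_is_in("admin", subjects.get(SUBJECT_ID, [])):
        return "Permit"
    # Rule 2 (second Condition on the page): the group bag contains "admin".
    if string_is_in("admin", subjects.get("group", [])):
        return "Permit"
    return "NotApplicable"
```

Calling evaluate(SAMPLE_REQUEST, "http://localhost:8280/services/echo/") returns Permit, and the alternation pattern from the text permits echoInt for a member of the admin group while leaving a hypothetical echoBoolean operation NotApplicable. Under the unanchored matching modelled here, a resource-id such as http://proxy.example/fetch?u=http://localhost:8280/services/echo/echoString (a constructed value) also satisfies the prefix pattern, which is the reason to keep the pattern exactly as specific as the services it is meant to cover.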