This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Identity Server as an XACML Engine

The following information relates to Identity Server 2.0.

XACML support for fine-grained authorization comes with WSO2 Identity Server for the first time as an experimental feature. It includes full support for policies based on XACML 2.0.

  1. Log in to the Identity Sever Management Console with an account having login and "manage configuration" permissions (you can simply log in with admin/admin).
  2. Go to "Policies," listed under the "Entitlement" menu.
  3. Add a new policy or import external policy files to the system.
  4. Once you click "Add," a template policy will be added. You can edit it to suit your requirements, or you may add a completely new policy.
  5. Evaluate the template policy with no changes. Click on the "Evaluate Entitlement Policies" link.

Here you can build your own XACML request to evaluate the policy you just added. Copy and paste the following on the above screen and click "Evaluate."

<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <Subject>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
    DataType="http://www.w3.org/2001/XMLSchema#string">
    <AttributeValue>admin</AttributeValue>
    </Attribute>
    <Attribute AttributeId="group"
    DataType="http://www.w3.org/2001/XMLSchema#string">
    <AttributeValue>admin</AttributeValue>
    </Attribute>
    </Subject>
    <Resource>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string">
    <AttributeValue>http://localhost:8280/services/echo/echoString</AttributeValue>
    </Attribute>
    </Resource>
    <Action>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string">
    <AttributeValue>read</AttributeValue>
    </Attribute>
    </Action>
    <Environment/>
    </Request>

The above request means that the "admin" user who belongs to the group "admin" is trying to access the echoString operation of the http://localhost:8280/services/echo service.

The template policy evaluates the above in the following manner:

Find the following section of the template policy:

<Resources>
    <Resource>
    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/echo/
    <ResourceAttributeDesignator
    AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
    </ResourceMatch>
    </Resource>
    </Resources>

In this policy, we use function:string-regexp-match to validate the service name and operation name combination. You can modify it to suit your own requirements.

For example, if you want to allow users to access all of the services deployed on a certain server, then simply change it to http://localhost:8280/. Or, if you want a user to access only a certain set of operations, you can simply change regex to http://localhost:8280/services/echo/(echoString|echoInt).

The following code is used to evaluate the user name and the user's group:

<Condition>
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
    <SubjectAttributeDesignator
    AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
    DataType="http://www.w3.org/2001/XMLSchema#string" SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"/>
    </Apply>
    </Condition>
<Condition>
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
    <SubjectAttributeDesignator AttributeId="group" DataType="http://www.w3.org/2001/XMLSchema#string"/>
    </Apply>
    </Condition>

Here we validate the "admin" user and any user in the "admin" group.