This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Working with XACML

Owned by Former user (Deleted)
Jan 11, 2018
1 min read

XACML is an XML-based language for access control that has been standardized by the Technical Committee of the OASIS consortium. XACML is very popular as a fine grained authorization method among the community.  Fine-grained authorization specifies the requirements and variables in an access control policy that is used to authorize access to a resource. However, there are plenty of other aspects of XACML other than it being just a fine grained authorization mechanism.

For more information about XACML, see Access Control and Entitlement Management.

We generally uses the HTTPS transport for calling the Web Service API that has been exposed by the PDP.  With WSO2 Identity Server, we can also use Thrift protocal to communicate with PDP.  It is said that thrift is more faster than the HTTP.  Therefore we hope that we can get more performance and less response time by using thrift protocol with WSO2 Identity Server.


Using thrift in XACML calls

In order to use thrift in XACML calls, you must first enable the thrift service in the <IS_HOME>/repository/conf/identity/identity.xml file. Set this to true.

<Server xmlns="http://wso2.org/projects/carbon/carbon.xml">
	...
	<EntitlementSettings>
		...
		<ThirftBasedEntitlementConfig>
			<EnableThriftService>true</EnableThriftService>
			...
		</ThirftBasedEntitlementConfig>
	</EntitlementSettings>
</Server>

The following topics provide information and instructions on how to use XACML to perform various access control related functions.