What is a standard way to call WSO2 ESB as PEP for XACML authorization with IDP from a web application?


I am trying to work on Authorization with XACML.

I have successfully communicated with WSO2 Identity Server (PDP) from a normal Axis2 interceptor.

Now I am trying to use WSO2 ESB as PEP (mentioned in the sample below):

http://wso2.com/library/articles/2010/10/using-xacml-fine-grained-authorization-wso2-platform/

The problem is I am not able to understand how to call the ESB from a web application. In the above link they are using a Java client to connect with the ESB, by calling the ESB's proxy service with UT security.

I am not sure if the Java class given in this example is the correct way to do it, as it requires knowledge of the proxy service and its security policy.

Also I have seen that if you want to abstract your PDP, so that in future you have the option to replace it with any other new PDP, then you should use the WS-XACML standard for PEP to PEP communication.

I haven't found any sample on this one yet.

Is there any other standard way to achieve this? Or any example which can be useful?

1

There is 1 answer

6
Asela On

WSO2 ESB contains the PEP, which is called the Entitlement Mediator. ESB can be used as a security gateway for your back-end web services. Let me explain some use cases of ESB. As an example, you have some legacy services (or standard web services with SOAP and REST) in your system. You have a requirement to apply security (authentication & authorization) to those back-end services. Therefore you can front those services with WSO2 ESB and secure them without changing your existing system. Your existing services can be easily exposed as standard SOAP-based web services (proxy services) or REST APIs using the ESB. Then you can use web service security (WS-Security, yes UT or any other) or API security (OAuth/Basic Auth) to secure them. You can easily manage the authentication with those approaches. If you need fine-grained authorization, then you can use the Entitlement Mediator with WSO2 IS.

OK, I am not sure about your exact scenario. I think you have a web application and you need to call a web service. You have fronted it using ESB to achieve authorization. How do you authenticate? You may have some authentication mechanism that has been implemented within the web application? Then you can have the username of the authenticated user; that username value can be sent to the ESB in an HTTP header (assuming the web application and ESB are in an internal network and with SSL). Inside the ESB mediation flow, you can extract that username and set it into the Entitlement Mediator (therefore you do not need to always apply UT). The only requirement is that the username must be available for the Entitlement Mediator to work (it is simple, the user must be authenticated before the authorization).

So, from the web app to the ESB, you do not need a Java client; it can be any client that can call your web services.

WS-XACML is an old and not popular profile. I do not think it is better to use it. The standard way to communicate between PEP and PDP is the REST/JSON profile. But WSO2 IS does not support it yet. You can find more details from here.
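The REST/JSON profile the answer names as the standard PEP-PDP channel, shown as an added example (not code from the question, the answer or WSO2): a small PEP helper that turns the already-authenticated username into an XACML 3.0 JSON-profile request and evaluates the PDP's answer fail-closed. The PDP URL, attribute values and sample responses are constructed for illustration.

```python
"""PEP-side helpers for the XACML 3.0 REST/JSON profile (added example)."""
import json
import urllib.request

# Standard XACML attribute identifiers (OASIS-defined, not product-specific).
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"


def build_request(username, resource, action):
    """Build 'may <username> do <action> on <resource>?' in JSON-profile form.

    username is whatever the web application authenticated; the PEP relays
    it to the PDP and never decides on its own.
    """
    return {
        "Request": {
            "AccessSubject": {"Attribute": [{"AttributeId": SUBJECT_ID, "Value": username}]},
            "Resource": {"Attribute": [{"AttributeId": RESOURCE_ID, "Value": resource}]},
            "Action": {"Attribute": [{"AttributeId": ACTION_ID, "Value": action}]},
        }
    }


def is_permitted(response_json):
    """Fail closed: only an explicit, unanimous 'Permit' grants access.

    Deny, NotApplicable, Indeterminate, an empty Response list or a
    malformed body all evaluate to False, so a PDP fault never widens access.
    """
    try:
        results = json.loads(response_json)["Response"]
    except (ValueError, KeyError, TypeError):
        return False
    if not isinstance(results, list) or not results:
        return False
    return all(isinstance(r, dict) and r.get("Decision") == "Permit" for r in results)


def ask_pdp(pdp_url, request_body, timeout=5):
    """POST the request to a JSON-profile PDP endpoint and return the raw body.

    pdp_url is a placeholder chosen by the deployer; the profile uses the
    application/xacml+json media type. Transport errors propagate, and the
    caller should treat them exactly like a Deny.
    """
    data = json.dumps(request_body).encode("utf-8")
    req = urllib.request.Request(pdp_url, data=data, method="POST", headers={
        "Content-Type": "application/xacml+json", "Accept": "application/xacml+json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")
```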