Friday, January 4, 2013

Authorization with XACML when authenticated with X.509 certificates

Use Case:

In addition to authentication, authorization is a mandatory security requirement in most cases: users should be able to access resources only according to their privileges.
Usually the same user identifier is used for both authentication and authorization.

The most common scenario is to authenticate users with their user names and then use that user name to authorize them based on their roles and privileges.

In this post, we are going to implement a scenario where X.509 certificates are used for authentication and authorization is also performed in the same flow, using XACML.

WSO2 ESB will be the point of authentication and policy enforcement while WSO2 Identity Server will be the policy decision point.


1. A proxy service at the ESB fronts a back-end web service (let's say the echo service hosted in the ESB itself), which is the actual resource accessed by the user.
2. The proxy service is secured with the WS-Security Sign & Encrypt policy, where users are authenticated by their signatures based on X.509 certificates.
3. The ESB (the PEP) takes the DN in the certificate as the user identifier and sends the authorization request to the PDP, which is the Identity Server.
4. The Identity Server evaluates the authorization request against the defined XACML policies and returns the decision.
5. Based on that decision, the ESB grants or denies the user access to the actual web service.
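To make steps 3 to 5 concrete, here is an added example (not code from the post, WSO2 ESB or Identity Server) that models the PEP and PDP sides in plain Python: the PEP builds a XACML 3.0 Request carrying the certificate DN as subject-id, the PDP parses it and evaluates a small first-applicable rule set, and the PEP enforces the decision. The policy, the DNs and the resource/action names are all constructed for the example; the policy is a Python structure rather than XACML policy XML to keep the block short. Two points a practitioner should take from it: the DN is only trustworthy after the message signature has been verified against a trusted certificate, and the PEP must treat anything other than Permit (including NotApplicable) as a denial.

```python
"""Toy XACML-style PEP/PDP flow keyed on the X.509 subject DN.

Added example, not WSO2 code. The request is real XACML 3.0 element
structure; the policy is a simplified in-memory rule list with
string-equal matching and first-applicable combining.
"""
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
SUBJECT_CAT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
STRING = "http://www.w3.org/2001/XMLSchema#string"


def normalize_dn(dn):
    """Canonicalize a DN so 'cn=alice, o=Acme' and 'CN=alice,O=Acme' compare
    equal: trim whitespace around each RDN and upper-case the attribute type.
    Values keep their case. Limitation: escaped commas inside values
    (RFC 4514 '\\,') are not handled by this naive split."""
    rdns = []
    for rdn in dn.split(","):
        attr_type, _, value = rdn.strip().partition("=")
        rdns.append(f"{attr_type.strip().upper()}={value.strip()}")
    return ",".join(rdns)


def build_request(subject_dn, resource, action):
    """PEP side: XACML 3.0 Request with the certificate DN as subject-id.
    subject_dn must come from a certificate whose signature over the message
    was already verified; an unverified DN is attacker-chosen input."""
    req = ET.Element(f"{{{XACML_NS}}}Request",
                     {"ReturnPolicyIdList": "false", "CombinedDecision": "false"})
    triples = ((SUBJECT_CAT, SUBJECT_ID, normalize_dn(subject_dn)),
               (RESOURCE_CAT, RESOURCE_ID, resource),
               (ACTION_CAT, ACTION_ID, action))
    for category, attr_id, value in triples:
        attrs = ET.SubElement(req, f"{{{XACML_NS}}}Attributes", {"Category": category})
        attr = ET.SubElement(attrs, f"{{{XACML_NS}}}Attribute",
                             {"AttributeId": attr_id, "IncludeInResult": "false"})
        ET.SubElement(attr, f"{{{XACML_NS}}}AttributeValue", {"DataType": STRING}).text = value
    return ET.tostring(req, encoding="unicode")


def parse_request(xml_text):
    """PDP side: flatten the Request into {AttributeId: value}."""
    root = ET.fromstring(xml_text)
    found = {}
    for attrs in root.findall(f"{{{XACML_NS}}}Attributes"):
        for attr in attrs.findall(f"{{{XACML_NS}}}Attribute"):
            found[attr.get("AttributeId")] = attr.find(f"{{{XACML_NS}}}AttributeValue").text
    return found


# Constructed policy with hypothetical DNs (not from the post).
# A field of None is a wildcard; rules are tried in order (first-applicable).
POLICY = [
    {"effect": "Permit", "subject": "CN=alice,OU=Engineering,O=Example Corp",
     "resource": "echo", "action": "read"},
    {"effect": "Deny", "subject": "CN=mallory,OU=Contractors,O=Example Corp",
     "resource": "echo", "action": None},
]


def evaluate(policy, request_attrs):
    """PDP side: return Permit, Deny or NotApplicable for the request."""
    subj = request_attrs.get(SUBJECT_ID)
    res = request_attrs.get(RESOURCE_ID)
    act = request_attrs.get(ACTION_ID)
    for rule in policy:
        if rule["subject"] is not None and normalize_dn(rule["subject"]) != subj:
            continue
        if rule["resource"] is not None and rule["resource"] != res:
            continue
        if rule["action"] is not None and rule["action"] != act:
            continue
        return rule["effect"]
    return "NotApplicable"


def pep_decide(policy, subject_dn, resource, action):
    """End to end: PEP builds the request, PDP evaluates, PEP enforces.
    The PEP is deny-biased: only an explicit Permit grants access."""
    decision = evaluate(policy, parse_request(build_request(subject_dn, resource, action)))
    return decision, decision == "Permit"


if __name__ == "__main__":
    for dn, action in (("cn=alice, ou=Engineering, o=Example Corp", "read"),
                       ("CN=alice,OU=Engineering,O=Example Corp", "write"),
                       ("CN=mallory,OU=Contractors,O=Example Corp", "read")):
        print(dn, action, pep_decide(POLICY, dn, "echo", action))
```

The `normalize_dn` step is the part that bites in practice: the string the callback handler pulls out of the certificate and the string written into the policy's subject-id match must agree byte for byte, and different libraries format DNs with different spacing and ordering, so either canonicalize on both sides or match on a narrower attribute such as the CN.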

Implementation with WSO2 Enterprise Service Bus and Identity Server:

1. Setting up Identity Server.

- Download Identity Server 4.0.0 from here and unzip it.
- Change the port offset in carbon.xml to 1 (since we are running both ESB and IS on the same machine).
- Start the server, log in to the management console and go to Entitlement->Administration to upload the XACML policy.
- Obtain the XACML policy from here and import it into IS.
- Promote the policy to the PDP as shown in the diagram below.

2. Setting up ESB

- In the ESB, we need to create a proxy, add an Entitlement mediator to its in sequence and secure the proxy service with the Sign & Encrypt - X.509 policy.
- Download and unzip ESB 4.5.0.
- Obtain the proxy service configuration from here, deploy it in the [ESB_Home]/repository/deployment/server/synapse-configs/default/proxy-services folder and start the ESB.
- In the proxy service configuration, you might notice that we have configured the entitlement callback class as org.wso2.carbon.identity.entitlement.mediator.callback.X509EntitlementCallbackHandler, which extracts the user identifier from the X.509 certificate.

3. Running the client.

In order to invoke the proxy service created above and run the end-to-end scenario, obtain the sample secured client from here and run its main class, named SignEncryptClient.

You can try changing the certificates that the client uses and observe how the authorization decision changes.