Use Case:
In addition to authentication, authorization is a mandatory security requirement in most of the cases where users try to access various resources based on their privileges.
Usually the same user identifier is used for both authentication and authorization.
The most common scenario is to authenticate the users with their user names and use that user name to authorize the user based on their roles and privileges.
In this post, we are going to implement a scenario where X.509 certificates are used in authentication and authorization is also performed in the flow, using XACML.
WSO2 ESB will be the point of authentication and policy enforcement while WSO2 Identity Server will be the policy decision point.
Deployment:
1. A proxy service at the ESB fronts a back-end web service (let's say an echo service hosted in the ESB itself), which is the actual resource accessed by the user.
2. The proxy service is secured with a WS-Security Sign & Encrypt policy, so users are authenticated by their signatures, based on X.509 certificates.
3. The ESB, acting as the PEP, takes the DN in the certificate as the user identifier and sends the authorization request to the PDP, which is the Identity Server.
4. The Identity Server evaluates the authorization request against the defined XACML policies and returns the decision.
5. Based on that decision, the ESB grants or denies the user access to the actual web service.
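An added example of the PEP-side exchange described in steps 3 to 5 (not code from this post or from WSO2): it builds a standard XACML 3.0 request whose subject-id is the certificate DN, and reads the PDP's decision, failing closed on anything other than an explicit Permit. The DN, proxy name and PDP responses are constructed sample values; the exact message the Entitlement mediator sends to IS 4.0.0 is not shown on this page, so this illustrates the exchange, not the mediator's wire format.

```python
import xml.etree.ElementTree as ET
# Standard XACML 3.0 namespace, attribute categories and attribute identifiers.
XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
CATEGORIES = {
    "subject": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
    "resource": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
    "action": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
}
ATTRIBUTE_IDS = {
    "subject": "urn:oasis:names:tc:xacml:1.0:subject:subject-id",
    "resource": "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
    "action": "urn:oasis:names:tc:xacml:1.0:action:action-id",
}

def build_request(subject_dn, resource, action):
    """Build the XACML request the PEP sends; subject-id is the certificate DN."""
    if not subject_dn or not subject_dn.strip():
        # Fail closed: an unidentified subject is never sent to the PDP.
        raise ValueError("subject DN missing; signature verification must succeed first")
    req = ET.Element("Request", {"xmlns": XACML_NS, "CombinedDecision": "false",
                                 "ReturnPolicyIdList": "false"})
    for kind, value in (("subject", subject_dn), ("resource", resource), ("action", action)):
        attrs = ET.SubElement(req, "Attributes", {"Category": CATEGORIES[kind]})
        attr = ET.SubElement(attrs, "Attribute",
                             {"AttributeId": ATTRIBUTE_IDS[kind], "IncludeInResult": "false"})
        ET.SubElement(attr, "AttributeValue", {"DataType": XS_STRING}).text = value
    return ET.tostring(req, encoding="unicode")

def decision_of(response_xml):
    """Return the PDP's Decision text; anything unparseable is Indeterminate."""
    try:
        root = ET.fromstring(response_xml)
    except ET.ParseError:
        return "Indeterminate"
    dec = root.find(".//{%s}Decision" % XACML_NS)
    if dec is None:
        dec = root.find(".//Decision")  # tolerate an un-namespaced response
    return (dec.text or "").strip() if dec is not None else "Indeterminate"

def is_permitted(response_xml):
    """Only an explicit Permit grants access; Deny, NotApplicable and
    Indeterminate all make the PEP refuse the call to the back-end service."""
    return decision_of(response_xml) == "Permit"

def sample_response(decision):
    """Constructed PDP response used only for demonstration (not real IS output)."""
    return '<Response xmlns="%s"><Result><Decision>%s</Decision></Result></Response>' % (XACML_NS, decision)
```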
Implementation with WSO2 Enterprise Service Bus and Identity Server:
1. Setting up Identity Server.
- Download Identity Server 4.0.0 from here and unzip it.
- Change the port offset in carbon.xml to 1 (since both the ESB and IS run on the same machine).
- Start the server, log in to the management console and go to Entitlement->Administration to upload the XACML policy.
- Obtain the XACML policy from here and import it into IS.
- Promote the policy to PDP as shown in the below diagram.
2. Setting up ESB
- In the ESB, we need to create a proxy, add an Entitlement mediator to its in sequence and secure the proxy service with the Sign & Encrypt - X.509 policy.
- Download and unzip ESB 4.5.0.
- Obtain the proxy service configuration from here, deploy it in the [ESB_Home]/repository/deployment/server/synapse-configs/default/proxy-services folder and start the ESB.
- In the proxy service configuration, you might notice that we have configured the entitlement callback class to org.wso2.carbon.identity.entitlement.mediator.callback.X509EntitlementCallbackHandler, which extracts the user identifier from the X.509 certificate.
3. Running the client.
In order to invoke the proxy service created above and run the end-to-end scenario, obtain the sample secured client from here and run its main class, named SignEncryptClient.
You can try changing the certificates that the client uses and observe the authorization decision.
Hi,
I tried to deploy the proxy service configuration as you said, but I was not able to see this proxy in the listing of all proxies. Moreover, when I try to create this proxy from the custom proxy option it prompts me to check if this already exists. Not sure what's going wrong.