How to write a custom authentication handler to validate fine grained policy decisions using XACML


This demonstration is done using WSO2 APIM 1.7, so please download it from this location. You might have to download some other files as well; those will be discussed later.

1. Add the custom.authentication.handler-1.0.0.jar to WSO2 API Manager

Before starting WSO2 API Manager, add the custom.authentication.handler-1.0.0.jar, which contains the callback handler class, to the <APIM_Home>/repository/components/lib folder (the source file and the jar file of the handler are attached at the end of the document).

Note: If you want to modify this handler, please download the project from here.

2. Add the following configuration to the registry.xml of API Manager. registry.xml can be found in the folder <APIM_Home>/repository/conf.

    <handler class="org.wso2.carbon.identity.entitlement.policy.finder.registry.RegistryPolicyHandler">
        <filter class="org.wso2.carbon.identity.entitlement.policy.finder.registry.RegistryPolicyMediaTypeMatcher">
            <property name="mediaType">application/xacml-policy+xml</property>
        </filter>
    </handler>


3. Start WSO2 API Manager

4. Install XACML components to WSO2 API Manager

As all WSO2 products, including WSO2 API Manager, are built on top of the OSGi componentized architecture, new components can be added to an existing product. In this scenario, we will add the XACML features to API Manager, which allows API Manager to act as an XACML entitlement server (a Policy Decision Point). XACML features are installed via the feature manager of API Manager, which is accessible from the admin console at the following URL.

https://localhost:9443/carbon

Once inside the admin console, select the ‘Configure’ tab from the tabs available on the left-hand side. Inside the ‘Configure’ menu, click the Features icon.
On the Features page, select the Repository Management tab and click the ‘Add Repository’ icon.
[Screenshot: API Manager's feature manager]


Add the following repository details in the ‘Add Repository’ page.

Name – Turing

Location - http://dist.wso2.org/p2/carbon/releases/turing/

Once the repository is added, click on the ‘Available Features’ tab. Select the newly added repository, un-tick the ‘Group features by category’ option and click the ‘Find features’ button.
[Screenshot: API Manager's feature manager]
Select the following two XACML features and click on the install button.
[Screenshot: API Manager's feature manager]


Follow the installation flow and install the XACML features. After the installation is complete, restart WSO2 API Manager.

NOTE: Since this demonstration is done in APIM 1.7, I'm using feature versions XACML Mediator 4.2.2 and XACML 4.2.1.

5. Create a tenant user and log in using the respective username and password. Follow this document.

6. Create an API through the API Publisher and publish it.

Once you have created the tenant user, log in to the API Publisher as that user and create a new API in the APIM Publisher. For this, please follow this documentation.

7. Now log in to the admin console and add the authentication handler below to the newly created API.
<handler class="org.wso2.carbon.apimgt.custom.authentication.handler.CustomAPIAuthenticationHandler"/>

Once inside the admin console, click on the ‘Source View’ icon available on the left-hand navigation bar, as shown in the image below.
[Screenshot: API Manager's source view]
Source View gives access to the Synapse configuration of all APIs that are available in API Manager. Search for the newly created API in the configuration and add the custom handler after the built-in APIAuthenticationHandler, so that the OAuth check runs first and the XACML check only runs for requests that already carry a valid token.
Example:

    <handlers>
        <handler class="org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler"/>
        <handler class="org.wso2.carbon.apimgt.custom.authentication.handler.CustomAPIAuthenticationHandler"/>
    ...


8. Add the entitlement policies to the Entitlement Server

XACML policies need to be added to WSO2 API Manager so that API invocations can be evaluated against them. For this scenario we will create an entitlement policy that allows subscriber1 to access only the fire-related risk rating and denies any other type of risk rating.

Log in to the WSO2 API Manager administration console. Once inside, you will find the Entitlement Server features on the left-hand side panel. Select ‘Policy Administration’ and click on the ‘Add New Entitlement Policy’ icon as shown below.
[Screenshot: Entitlement Server policy administration]

Select ‘Import Existing Policy’ from the list below.


Then upload this policy.

Note: This is a blank policy and you need to add your own validations to it. For this demonstration you can just use the attached one.
Since this sample policy is empty, no rule will match, and the handler output will be "NotApplicable" rather than "Permit"; the handler should treat anything other than "Permit" as a denial. Please implement your XACML policy using that template.
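The following is an added example, not code from the original post or from WSO2: a small XACML 3.0 policy builder plus a subset evaluator in Python that models the step-8 scenario (subscriber1 may read only the fire risk rating, everything else is denied) and shows what the blank template produces. The resource ids (/riskrating/fire, /riskrating/flood), the rule ids and the choice of the first-applicable combining algorithm are assumptions made for the illustration; the attribute ids, categories and function URIs are the standard XACML 3.0 ones. The evaluator supports only string-equal matches and first-applicable combining, which is all this scenario needs; a real deployment uses the Entitlement Server's PDP.

```python
"""Subset XACML 3.0 policy builder and evaluator (added example, not WSO2 code).

Models the step-8 scenario: subscriber1 may read only the fire risk rating.
Resource ids, rule ids and the combining algorithm are assumptions for the
illustration; attribute ids and function URIs are standard XACML 3.0.
"""
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
STRING = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT_CAT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
FIRST_APPLICABLE = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"


def q(tag):
    """Qualify a local name with the XACML 3.0 namespace."""
    return f"{{{NS}}}{tag}"


def build_policy(rules, policy_id="fire-risk-policy"):
    """Serialize a Policy from (rule_id, effect, {(category, attr_id): value}) tuples.

    An empty `rules` list produces the blank template referred to in step 8:
    a Policy with an empty Target and no Rule elements.
    """
    ET.register_namespace("", NS)
    policy = ET.Element(q("Policy"), PolicyId=policy_id, Version="1.0",
                        RuleCombiningAlgId=FIRST_APPLICABLE)
    ET.SubElement(policy, q("Target"))  # empty Target: the policy applies to every request
    for rule_id, effect, matches in rules:
        rule = ET.SubElement(policy, q("Rule"), RuleId=rule_id, Effect=effect)
        target = ET.SubElement(rule, q("Target"))
        if matches:  # an empty Target makes the rule apply to every request (catch-all)
            all_of = ET.SubElement(ET.SubElement(target, q("AnyOf")), q("AllOf"))
            for (category, attr_id), value in matches.items():
                match = ET.SubElement(all_of, q("Match"), MatchId=STRING_EQUAL)
                ET.SubElement(match, q("AttributeValue"), DataType=STRING).text = value
                ET.SubElement(match, q("AttributeDesignator"), Category=category,
                              AttributeId=attr_id, DataType=STRING, MustBePresent="false")
    return ET.tostring(policy, encoding="unicode")


def _match_applies(match, request):
    """string-equal between the literal AttributeValue and the designated request attribute."""
    value = match.find(q("AttributeValue")).text
    designator = match.find(q("AttributeDesignator"))
    key = (designator.get("Category"), designator.get("AttributeId"))
    return request.get(key) == value


def _target_applies(target, request):
    """A Target applies if it is empty or any AllOf has every Match satisfied."""
    any_of = target.findall(q("AnyOf"))
    if not any_of:
        return True
    return any(all(_match_applies(m, request) for m in all_of.findall(q("Match")))
               for ao in any_of for all_of in ao.findall(q("AllOf")))


def evaluate(policy_xml, request):
    """Return the XACML decision for `request` ({(category, attr_id): value}).

    Implements first-applicable: the effect of the first rule whose Target applies;
    NotApplicable when no rule applies (which is what the blank template yields).
    """
    root = ET.fromstring(policy_xml)
    if root.get("RuleCombiningAlgId") != FIRST_APPLICABLE:
        raise ValueError("only first-applicable is supported by this evaluator")
    for rule in root.findall(q("Rule")):
        if _target_applies(rule.find(q("Target")), request):
            return rule.get("Effect")
    return "NotApplicable"


def gateway_allows(decision):
    """Fail closed, as a gateway handler should: only an explicit Permit passes the
    request; Deny, NotApplicable (e.g. the blank template) and Indeterminate are rejected."""
    return decision == "Permit"


FIRE_POLICY = build_policy([
    ("permit-subscriber1-fire", "Permit", {(SUBJECT_CAT, SUBJECT_ID): "subscriber1",
                                           (RESOURCE_CAT, RESOURCE_ID): "/riskrating/fire"}),
    ("deny-everything-else", "Deny", {}),
])
BLANK_POLICY = build_policy([])


def request_for(subject, resource):
    """Build the attribute map a PEP would send for one API call (constructed sample input)."""
    return {(SUBJECT_CAT, SUBJECT_ID): subject, (RESOURCE_CAT, RESOURCE_ID): resource}


if __name__ == "__main__":
    for subject, resource in [("subscriber1", "/riskrating/fire"),
                              ("subscriber1", "/riskrating/flood"),
                              ("subscriber2", "/riskrating/fire")]:
        d = evaluate(FIRE_POLICY, request_for(subject, resource))
        print(f"{subject} -> {resource}: {d} (allowed={gateway_allows(d)})")
    blank = evaluate(BLANK_POLICY, request_for("subscriber1", "/riskrating/fire"))
    print(f"blank template: {blank} (allowed={gateway_allows(blank)})")
```

The catch-all Deny rule with an empty Target is what turns "only fire" into "deny any other type of risk rating"; without it, a request for a different resource would fall through to NotApplicable, which is exactly the result the blank template gives and which a fail-closed handler must still reject.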

9. Subscribe to the API and invoke it using the REST client.


Note the following in the above UI:

Base URL – Appears at the bottom of the console. Using the base URL and the parameters, the system creates the API URL in the form http://host:8280/<context>/<version>/<back end service requirements included as parameters>. For example, http://host:8280/phoneverify/1.1.0/CheckPhoneNumber.

Query Parameters – Give the API payload as PhoneNumber=18006785432&LicenseKey=0, where /phoneverify is the context and 1.1.0 is the version. The rest of the URL is driven by the backend service requirements.

Authorization – In the Authorization header, pass the application key that was generated at the time a user subscribed to the API. This is prefixed by the string "Bearer". For example, Bearer q6- JeSXxZDDzBnccK3ZZGf5_AZTk.

WSO2 API Manager enforces OAuth security on all published APIs. Consumers who talk to API Manager should send their credentials (application key) as per the OAuth bearer token profile. If you don't send an application key, or send a wrong key, you will receive a 401 Unauthorized response in return.


That's it from here. If you have any questions, please create a Stack Overflow question and attach it as a comment below.

References:

[1] http://wso2.com/library/articles/2014/02/use-of-wso2-api-manager-to-validate-fine-grained-policy-decisions-using-xacml/
[2] http://wso2.com/library/articles/2013/11/fine-grained-xacml-authoriation-with-pip-points/
[3] https://docs.wso2.com/display/AM170/Quick+Start+Guide#QuickStartGuide-CreatinganAPI
