The concept behind usage of Entitlement to a proxy service is explained in the blog post Authentication and Authorization with WSO2 EBS & WSO2 IS.
Here is a step by step guide, how this can be done using WSO2 ESB 4.8.1 and WSO2 IS 5.0.0
General Settings
Ideally user-stores must be shared in between IS and ESB. But if you are testing this to the admin user, and since admin user resides in default in both servers with same permissions, you may not need to share the user stores.
Configuring WSO2 IS
Configuring WSO2 ESB
<?xml version="1.0" encoding="UTF-8"?>
<proxy xmlns="http://ws.apache.org/ns/synapse"
name="echoProxy"
transports="https"
startOnLoad="true"
trace="disable">
<description/>
<target>
<inSequence>
<log level="full">
<property name="echoProxy" value="in Seq called"/>
</log>
<log level="full">
<property name="EntitlementSequence" value="going to call entitlement service"/>
</log>
<entitlementService remoteServiceUrl="https://localhost:9444/services/"
remoteServiceUserName="admin"
remoteServicePassword="enc:kuv2MubUUveMyv6GeHrXr9il59ajJIqUI4eoYHcgGKf/BBFOWn96NTjJQI+wYbWjKW6r79S7L7ZzgYeWx7DlGbff5X3pBN2Gh9yV0BHP1E93QtFqR7uTWi141Tr7V7ZwScwNqJbiNoV+vyLbsqKJE7T3nP8Ih9Y6omygbcLcHzg="
callbackClass="org.wso2.carbon.identity.entitlement.mediator.callback.UTEntitlementCallbackHandler"
client="basicAuth">
<onReject>
<makefault version="soap12">
<code xmlns:soap12Env="http://www.w3.org/2003/05/soap-envelope"
value="soap12Env:Receiver"/>
<reason value="UNAUTHORIZED"/>
<node>node</node>
<role>role</role>
<detail>XACML Authorization Failed</detail>
</makefault>
<respond/>
</onReject>
<onAccept>
<log level="full" separator=",">
<property name="EntitlementSequence************" value="OnAccept"/>
</log>
<send>
<endpoint>
<address uri="https://localhost:8243/services/echo">
<timeout>
<duration>30000</duration>
<responseAction>discard</responseAction>
</timeout>
</address>
</endpoint>
</send>
<log level="full" separator=",">
<property name="EntitlementSequence**************"
value="OnAccept after call to echo"/>
</log>
</onAccept>
<obligations/>
<advice/>
</entitlementService>
<log level="full">
<property name="after entitlement" value="after entitlement"/>
</log>
</inSequence>
<outSequence>
<send/>
</outSequence>
</target>
<policy key="conf:/repository/axis2/service-groups/testp/services/testp/policies/UTOverTransport"/>
<parameter name="ScenarioID">scenario1</parameter>
<enableSec/>
</proxy>
Trying out the Proxy Service
Here is a step by step guide, how this can be done using WSO2 ESB 4.8.1 and WSO2 IS 5.0.0
General Settings
Ideally user-stores must be shared in between IS and ESB. But if you are testing this to the admin user, and since admin user resides in default in both servers with same permissions, you may not need to share the user stores.
Configuring WSO2 IS
- Start the WSO2 IS with port offset 1
- Login to the Management Console
- In Main menu, go to Entitlement --> PAP --> Policy Administration
- Click on the "Add New Entitlement Policy" link
- Select "Basic Policy Editor"
- Configure the policy as below: (Note that we have given the proxy name that we will create in ESB, as the Resource Name )
- Click on Finish
- After creating click on the created policy as below.
- This will open up the policy in an XML editor. Change the rule effect to Permit and click on "Save Policy"
- Publish the policy to PDP as below:
Configuring WSO2 ESB
- Start the ESB and log in to the Management console
- Create a proxy service
- Inside the inSequence, add an entitlement Mediator with username and password, 'admin' and 'admin' and the IS services URL(Configuration steps for entitlement mediator can be found in Entitlement Mediator documentation)
- In the <onAccept> rule, add a send mediator and specify the address URI of echoService.
- Secure the proxy service with Username Token policy
- The final config will look like below.
<?xml version="1.0" encoding="UTF-8"?>
<proxy xmlns="http://ws.apache.org/ns/synapse"
name="echoProxy"
transports="https"
startOnLoad="true"
trace="disable">
<description/>
<target>
<inSequence>
<log level="full">
<property name="echoProxy" value="in Seq called"/>
</log>
<log level="full">
<property name="EntitlementSequence" value="going to call entitlement service"/>
</log>
<entitlementService remoteServiceUrl="https://localhost:9444/services/"
remoteServiceUserName="admin"
remoteServicePassword="enc:kuv2MubUUveMyv6GeHrXr9il59ajJIqUI4eoYHcgGKf/BBFOWn96NTjJQI+wYbWjKW6r79S7L7ZzgYeWx7DlGbff5X3pBN2Gh9yV0BHP1E93QtFqR7uTWi141Tr7V7ZwScwNqJbiNoV+vyLbsqKJE7T3nP8Ih9Y6omygbcLcHzg="
callbackClass="org.wso2.carbon.identity.entitlement.mediator.callback.UTEntitlementCallbackHandler"
client="basicAuth">
<onReject>
<makefault version="soap12">
<code xmlns:soap12Env="http://www.w3.org/2003/05/soap-envelope"
value="soap12Env:Receiver"/>
<reason value="UNAUTHORIZED"/>
<node>node</node>
<role>role</role>
<detail>XACML Authorization Failed</detail>
</makefault>
<respond/>
</onReject>
<onAccept>
<log level="full" separator=",">
<property name="EntitlementSequence************" value="OnAccept"/>
</log>
<send>
<endpoint>
<address uri="https://localhost:8243/services/echo">
<timeout>
<duration>30000</duration>
<responseAction>discard</responseAction>
</timeout>
</address>
</endpoint>
</send>
<log level="full" separator=",">
<property name="EntitlementSequence**************"
value="OnAccept after call to echo"/>
</log>
</onAccept>
<obligations/>
<advice/>
</entitlementService>
<log level="full">
<property name="after entitlement" value="after entitlement"/>
</log>
</inSequence>
<outSequence>
<send/>
</outSequence>
</target>
<policy key="conf:/repository/axis2/service-groups/testp/services/testp/policies/UTOverTransport"/>
<parameter name="ScenarioID">scenario1</parameter>
<enableSec/>
</proxy>
Trying out the Proxy Service
- You can use the TryIt tool of the WSO2 ESB and invoke the proxy by providing username and password as 'admin' and 'admin'
- You will get the echoed response