Reputation: 105
I'm trying to integrate the latest version of WSO2 API Manager (1.6.0) with the WSO2 XACML module. I've found and followed step by step the very useful article.
Unfortunately the PDP refuses to authorize my request even if I remove all my policies from the PAP and publish no policy to the PDP.
Is there a configuration somewhere I'm missing? I get the following output:
[2014-03-05 19:05:37,052] WARN - RequestCtxFactory No Namespace defined in XACML request and Assume as XACML 3.0
[2014-03-05 19:05:37,058] ERROR - EntitlementMediator org.apache.synapse.SynapseException: User is not authorized to perform the action
[2014-03-05 19:05:37,059] INFO - LogMediator STATUS = Executing default 'fault' sequence, ERROR_CODE = 0, ERROR_MESSAGE = User is not authorized to perform the action
Upvotes: 2
Views: 492
Reputation: 105
Thanks very much for your quick and efficient support. I've added your "permit" rules and was able to access my backend system after a successful policy validation. This means that the loop is closed and that my very simple policy of yesterday was the root of the problem. I have to review in detail how these rules are set up and defined. Thanks again for your help. Regards, Vpl
[2014-03-06 19:03:11,637] DEBUG - EntitlementPolicyInvalidationCache My Hash code of Policy cache is : 1
[2014-03-06 19:03:11,637] DEBUG - EntitlementPolicyInvalidationCache Shared Hash code of Policy cache is : 1
[2014-03-06 19:03:11,638] DEBUG - SimplePolicyCollection Matching XACML policy found PermitPolicy
[2014-03-06 19:03:11,638] DEBUG - EntitlementBaseCache Cache : $local$.PDP_DECISION_CACHE is populated with new entry in tenant domain : carbon.super
[2014-03-06 19:03:11,639] DEBUG - EntitlementEngine XACML Response : Permit
[2014-03-06 19:03:11,641] DEBUG - EntitlementMediator Entitlement Decision is : Permit
[2014-03-06 19:03:11,643] DEBUG - EntitlementMediator User is authorized to perform the action
[2014-03-06 19:03:11,644] DEBUG - EntitlementMediator OnAccept sequence is not defined.
Upvotes: 0
Reputation: 5821
If there are no policies in the PDP, the PDP would return a Not Applicable decision. Therefore the PEP of the API Manager would treat Not Applicable as a deny decision. In XACML there is a concept called a Deny-biased PEP. What that means is that all results except Permit are considered as deny. Therefore, to test, you can add some policy with a Permit rule and verify, such as the following:
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="PermitPolicy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
    <!-- empty Target: the policy applies to every request -->
    <Target></Target>
    <!-- no Condition: the rule always applies, so first-applicable yields Permit -->
    <Rule Effect="Permit" RuleId="Permit-Rule"></Rule>
</Policy>
Also it would be helpful if you can enable the debug logs in the entitlement component and check, because then you can see the XACML request and response messages.
Add following in to log4j.properties file
log4j.logger.org.wso2.carbon.identity.entitlement=DEBUG
You can check this for more on enabling debug logs.
Once you have the request and response, you can verify what has gone wrong. Also there is a TryIt tool with which you can test the policies.
Upvotes: 1
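To make the answer's point concrete, here is an added example that is not part of the original thread or of WSO2's code: a hypothetical toy PDP that handles exactly what the posted PermitPolicy uses (an empty Target and unconditional rules under first-applicable), a deny-biased PEP that only grants access on an explicit Permit, and a parser for the Decision element of a XACML 3.0 Response. The DENY_POLICY and SAMPLE_RESPONSE values are constructed for the example; the PERMIT_POLICY string is the policy from the answer.

```python
import xml.etree.ElementTree as ET

XACML3_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML3_NS}
FIRST_APPLICABLE = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"

# The policy posted in the answer: empty <Target>, one unconditional Permit rule.
PERMIT_POLICY = f"""<Policy xmlns="{XACML3_NS}" PolicyId="PermitPolicy"
        RuleCombiningAlgId="{FIRST_APPLICABLE}" Version="1.0">
    <Target></Target>
    <Rule Effect="Permit" RuleId="Permit-Rule"></Rule>
</Policy>"""

# Constructed counterpart (not from the page): same shape, but the rule denies.
DENY_POLICY = (PERMIT_POLICY
               .replace('Effect="Permit"', 'Effect="Deny"')
               .replace("PermitPolicy", "DenyPolicy"))

# Constructed XACML 3.0 <Response>, in the shape the core spec defines.
SAMPLE_RESPONSE = f"""<Response xmlns="{XACML3_NS}">
  <Result>
    <Decision>NotApplicable</Decision>
    <Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status>
  </Result>
</Response>"""


def pdp_decision(policies):
    """Toy PDP (hypothetical, not WSO2's entitlement engine).

    Supports only what the posted policy needs: an empty <Target>, which matches
    every request, and unconditional rules combined with first-applicable.
    Anything else raises instead of silently mis-evaluating. With no policies
    deployed nothing can match, so the result is NotApplicable, which is the
    situation the question describes.
    """
    for xml in policies:
        policy = ET.fromstring(xml)
        target = policy.find("x:Target", NS)
        if target is not None and len(target) > 0:
            raise NotImplementedError("non-empty <Target> matching is not implemented in this toy")
        if policy.get("RuleCombiningAlgId") != FIRST_APPLICABLE:
            raise NotImplementedError("only first-applicable is implemented in this toy")
        for rule in policy.findall("x:Rule", NS):
            if rule.find("x:Condition", NS) is not None:
                raise NotImplementedError("<Condition> evaluation is not implemented in this toy")
            # first-applicable: the first rule that applies decides the policy
            return rule.get("Effect")
    return "NotApplicable"


def pep_allows(decision):
    """Deny-biased PEP as defined in the XACML 3.0 core spec: only an explicit
    Permit grants access; Deny, NotApplicable and Indeterminate are all refused."""
    return decision == "Permit"


def parse_decision(response_xml):
    """Extract the <Decision> text from a XACML 3.0 <Response>."""
    root = ET.fromstring(response_xml)
    return root.find("x:Result/x:Decision", NS).text


if __name__ == "__main__":
    cases = (("no policy", []), ("PermitPolicy", [PERMIT_POLICY]), ("DenyPolicy", [DENY_POLICY]))
    for label, pols in cases:
        d = pdp_decision(pols)
        print(f"{label:>12}: PDP says {d:<14} PEP allows: {pep_allows(d)}")
    d = parse_decision(SAMPLE_RESPONSE)
    print(f"sample response: PDP says {d:<14} PEP allows: {pep_allows(d)}")
```

Running it shows the chain behind the original error: with no policy deployed the PDP answers NotApplicable, the deny-biased PEP refuses, and only the all-matching PermitPolicy turns that into an allow. The toy deliberately raises on anything it does not model (non-empty targets, conditions, other combining algorithms) so it cannot be mistaken for a real evaluator.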