Authorization based on XACML


Authorization based on XACML

yanherrera
Hello everyone,

  I'm trying to include authorization based on XACML in ServiceMix.

  We have some web service through a CXF-BC and we want to carry out the authorization through XACML. Is it possible? Is there any tutorial to help me do it?

Thanks in advance

Juan José

Re: Authorization based on XACML

Freeman-2
Hi,

I don't know so much about XACML, but if it's an element stored in the SOAP message, then you can always extract it and write a custom interceptor to save it in the JBI MessageExchange as a property, which could be used later anywhere in the JBI container.

We have several threads on this mailing list discussing how to do it with ws-security headers; you may need to search and see if it helps for your scenario,

Freeman
On 2010-11-18, at 5:09 PM, yanherrera wrote:

>
> Hello everyone,
>
>  I'm trying to include authorization based on XACML in ServiceMix.
>
>  We have some web service through a CXF-BC and we want to carry out the
> authorization through XACML. Is it possible? Is there any tutorial to help
> me do it?
>
> Thanks in advance
>
> Juan José


--
Freeman Fang

------------------------

FuseSource: http://fusesource.com
blog: http://freemanfang.blogspot.com
twitter: http://twitter.com/freemanfang
Apache Servicemix:http://servicemix.apache.org
Apache Cxf: http://cxf.apache.org
Apache Karaf: http://karaf.apache.org
Apache Felix: http://felix.apache.org


Re: Authorization based on XACML

david.brossard
You can create your own Policy Enforcement Point (PEP) for ServiceMix which will look at the JBI object, extract any values you need (as Freeman points out), and map them to XACML attributes. You then need to create an XACML request and send it to your external authorization service.

Using the same pattern I've written a simple PEP for Apache CXF using Axiomatics's XACML API.

For instance, in the CXF PEP I wrote, I focus on the org.apache.cxf.message.Message object. The Authorization call is built as a handler class which extends org.apache.cxf.phase.AbstractPhaseInterceptor<Message>.

In the handleMessage(Message message) method, I then start inspecting the Message object and extracting the values I am interested in.

Example:

        // 2. about the resource
        String address = message.getDestination().getAddress().getAddress().getValue();
        AttributeValue aValue = new StringAttribute(address);
        Attribute resourceAddress = new com.axiomatics.xacml.ctx.Attribute(URI.create("com.apache.cxf:address"), issuer, aValue);
        resourceAttributes.add(resourceAddress);

Once you've collected all the XACML attributes you are interested in, you can create the request to the AuthZ service.

David. [http://www.webfarmr.eu]
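
The request-building and decision-handling half of the PEP pattern discussed in this thread, as an added example that is not from any of the posters and does not use the Axiomatics API: it uses only the JDK and assumes the XACML 3.0 XML request/response format. The class name `XacmlPepSketch`, the endpoint address and the `invoke` action value are constructed for illustration; the resource attribute id is the one shown in the post above.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class XacmlPepSketch { // hypothetical name, not part of CXF or ServiceMix
    static final String NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17";
    static final String CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:";

    // Values come from the incoming message, so escape them before they enter the request XML.
    static String esc(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;").replace("\"", "&quot;");
    }

    // Each row is {category, attributeId, string value}.
    static String buildRequest(String[][] attrs) {
        StringBuilder sb = new StringBuilder("<Request xmlns=\"" + NS
            + "\" CombinedDecision=\"false\" ReturnPolicyIdList=\"false\">");
        for (String[] a : attrs) {
            sb.append("<Attributes Category=\"").append(esc(a[0])).append("\">")
              .append("<Attribute AttributeId=\"").append(esc(a[1])).append("\" IncludeInResult=\"false\">")
              .append("<AttributeValue DataType=\"http://www.w3.org/2001/XMLSchema#string\">")
              .append(esc(a[2])).append("</AttributeValue></Attribute></Attributes>");
        }
        return sb.append("</Request>").toString();
    }

    // Fail closed: only a single, well-formed Permit lets the message through.
    static boolean isPermit(String responseXml) {
        try {
            DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
            f.setNamespaceAware(true);
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs/XXE
            NodeList d = f.newDocumentBuilder()
                .parse(new InputSource(new StringReader(responseXml)))
                .getElementsByTagNameNS(NS, "Decision");
            return d.getLength() == 1 && "Permit".equals(d.item(0).getTextContent().trim());
        } catch (Exception e) {
            return false; // a malformed or unreadable answer is treated as Deny
        }
    }

    public static void main(String[] args) {
        // Constructed sample values; the address contains characters that must be escaped.
        System.out.println(buildRequest(new String[][] {
            {CAT + "resource", "com.apache.cxf:address", "http://localhost:8192/PersonService/?a=1&b=<2>"},
            {CAT + "action", "urn:oasis:names:tc:xacml:1.0:action:action-id", "invoke"}}));
        String open = "<Response xmlns=\"" + NS + "\"><Result><Decision>";
        String close = "</Decision></Result></Response>";
        for (String d : new String[] {"Permit", "Deny", "NotApplicable", "Indeterminate"})
            System.out.println(d + " -> " + isPermit(open + d + close));
        System.out.println("garbage -> " + isPermit("<not-xacml"));
    }
}
```

Inside a CXF interceptor, a `false` result from a check like `isPermit` would be turned into an `org.apache.cxf.interceptor.Fault` thrown from `handleMessage`, which aborts the interceptor chain before the service is invoked.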