Thursday, September 08, 2011

Documentation-patch submission for Apache issues

Submitting a patch for a documentation issue is the same as submitting a patch for a code issue; the only thing to note is where the source for the site resides. Here I am sharing the steps at a very basic level, helpful for a beginner, from identifying an issue to submitting the patch.
Note: The sample commands I am using here are for Linux; for other environments the equivalent commands should be used for the same functionality.
  • After identifying the issue in the Apache issue navigator (JIRA), check out the relevant directory from the Apache SVN repository.
       eg : svn co http://svn.apache.org/repos/asf/axis/axis2/java/core/trunk/src/site/xdoc/
  • Navigate to the relevant .xml files and make the improvements or corrections needed. Make sure the XML is validated and the document is presented as intended.
  • Let's see how the changes apply. In the top-level directory of the checkout, which includes all the changes and improvements, enter the following command (-x passes extra options such as -p through to the underlying diff):
             eg: svn diff -x -p
          You will see output as follows,

                     - lines preceded with - are to be deleted
                     - lines preceded with + are to be added
  • Make sure those are the intended changes and then create the patch with the following command, run from the same top-level directory so that the file paths inside the patch are relative to the checkout:
            svn diff > <the preferred name for the patch file>
            eg: svn diff > AXIS2-4655.patch
  • Now attach the patch to the JIRA issue page and add any meaningful comments.

Keep in touch for updates on the submitted patch. Keep contributing.

Saturday, August 20, 2011

WSO2Con - 2011

WSO2Con - 2011, the event of the year!

I found it a great pleasure to have the chance to attend this event, which is going to be a huge event in the middleware industry with participation from Google, IBM and eBay, and a perfect pool for technology lovers. Only a few lucky students will get the chance to be there at student rates. But the great news is that you can still reserve your place for a very low price considering the value of this three-day conference with two more days of tutorials. Try and see whether you can catch the early-bird rates too.

Check out the event agenda and the registration page for more information. Here is what Dr. Sanjiva Weerawarana, CEO of WSO2, has to say about the event.






MIT-AITI Experience–Part 3 /Demo Day

 
It was our dream day, the day we had waited for to show off the results of the intensive hard work we did in just 6 weeks and got the maximum out of. I will be sharing that experience in this post.
We had finished developing our product to the level of doing a live demo by that time, and unfortunately, given the nature of our product ‘ThenaHari’, we were unable to perform it inside a conference hall. The following were the problems we had and the solutions we found with the help of Samidh, Lisa and Micheal.
  • Simulate an outside journey inside a hall – We developed a simulator that mimics the path of a passenger travelling on a bus route. This simulator was mainly developed by Manoj, one of the mobiAssist co-founders, with contributions from the others. This also solved the problem of not having a way to access the LBS (Location Based Service) of the service provider to track passenger location, which was great.
  • Making the alert via a fake call – As we still did not have access to a service provider’s SMS gateway, this was a big problem. So with the help of a few contacts we got, finally a solution came up using Bluetooth.
  • How to convince them of the importance of our application – It was predicted that our audience would not understand the value of our application at once, as most of them were not users of public transport. This was a real challenge, and it was the most important objective of doing the demo in front of them. So we came up with two solutions.
  1. Produced a moFilm that highlights the value and usage of our application ‘ThenaHari’ – Actually two of our co-founders act the main roles there, and Dhanika directed it so well. Will be sharing it here soon after it is released to the general public.
  2. Conducted a survey and submitted what we found – We did a survey for a week, getting into buses and trains and counting how many people were sleeping. This was a really nice experience and we enjoyed it a lot.
With the dawn of the 3rd of August we were well prepared and waiting for the time to show off our work. The venue for the event was the Cinnamon Grand Hotel, and we were so excited hearing the list of distinguished guests. There were ministers from the government, parliament representatives from the opposition, senior professionals from Dialog, Mobitel and Etisalat, the main mobile service providers in Sri Lanka, possible investors, leading local entrepreneurs from the software industry, and professors and lecturers from the University of Moratuwa including the vice-chancellor. Also DailyFT put a detailed article on the front page encouraging us, and we understood that if we try hard on this and continue, we can add some value to the economy of the country.
We had the confidence that we would rock the demo, and after being staged as the 5th team to go, we knew we did great from the comments of the judge panel and the audience. That was a great moment I will remember proudly forever.
Then we had the reception, where we got a whole lot of comments appreciating us, pointing out paths to improve and, of course, invitations from mobile operators to have business meetings with them. That was a great achievement for us. And there was more waiting for us.
There were three awards waiting for teams to win, namely “Outstanding product”, “Best technical innovation” and “Best social impact”. “ThenaHari” was the excellent product that won both the awards “Best technical innovation” and “Best social impact”, which were awarded by Dialog and Mobitel. It was not the reward we got with that, it was the strong foundation we got for our start-up to grow bigger that made us much happier.
The demo day ended like that, having a great positive impact on our company, and DailyFT encouraged us by publishing detailed articles on the event. You can read the full article on the DailyFT site.
Though the demo day ended, it was just the start for us. And Samidh, Lisa and Micheal were still staying with us to guide us on how to continue our companies after they left in two days. They introduced us to people from whom we would be able to get some help and gave more guidance on our future plans. Thank you Samidh, Lisa and Micheal for all the strength and guidance and everything you gave us. We know continuing this with our fullest commitment is the greatest gratitude we can show you all.
Finally I should mention that we are thankful to Prof. Saman Amarasinghe for bringing this program to Sri Lanka, to MIT, the staff of UOM, Dialog, Mobitel, Etisalat, mentors, investors, friends and each and every person who encouraged us even by a word. Thank you all for your contributions!!!
Now it is our time to have fun in the industry, discovering the world of entrepreneurs!!!
I will share how our product logo, name and company name came about in a later post.

Sunday, August 14, 2011

MIT-AITI Experience–Part 2

I am writing after completing the whole course and becoming a director and co-founder of the company mobiAssist, the creator of ‘ThenaHari’. I would like to begin the story from where I stopped in the previous post.
 
After having fun at the end of the 2nd week with the elevator pitch competition, we had a week filled with technical stuff with the help and guidance of Micheal. In parallel, Samidh and Lisa introduced us to marketing principles, entrepreneurship skills, presenting and a lot more. The remaining 4 weeks became so intensive with work and, of course, a lot of fun too. Below I will describe a few important events that took place during those 4 weeks.
Our product page at the MIT site can be found at the given link.
A total photo coverage of the overall program can be found at the given link.
 
Hackathon
This was a really cool and challenging experience. We were given 24 hours to complete as much as we could of our products, and the group which made the most progress was to win. Meanwhile Micheal was posting challenging questions randomly from time to time, and if awake we could submit solutions and earn marks. This was very interesting; our group divided the tasks among us and worked together to reach the win. We slept in shifts so that we did not miss challenge questions.
 
Though the main objective of this event was to accelerate the implementation of the product, what I found most valuable was the team spirit we built through it. Anyway, we could not win this competition, but the progress we made let us understand our capacity as a team: it is possible to do that much work within a day.
 
20th July: Critique Day (Get feedback on Business)
This was a very hard day for us and was very useful too. Now I can say this created a strong foundation for us, though we were a bit worried. On this day we had to meet 6 panels, which consisted of 3 panels from the leading mobile operators of Sri Lanka (Dialog, Mobitel and Etisalat) and three panels from leading local entrepreneurs and senior lecturers and professors. The day before the critique day we had a tough session with Samidh as a rehearsal, and we walked to each and every panel, submitted a brief description of the product with the still-improving demo, and asked for their comments and how we could improve.
 
We had a bit of a hard time trying to convince them that we were doing something useful for society. Actually, none of them would find our application useful frequently unless they were travelling to an unfamiliar place, as they were not users of public transportation. Anyway, we got good practice on how we should explain our product to a variety of people from various angles and received a lot of useful clues to improve our product. Thanks to all of them and our instructors for arranging that opportunity for us.
 
27th July: Negotiation Day (Get contracts with Operators)
This was a very exciting day we had looked forward to from the beginning of implementing our product ‘ThenaHari’. On the 26th we had a session on how to negotiate, and in the morning Samidh announced to us that every team had got at least one opportunity to meet an operator and show off the product. And finally it was Mobitel who was interested in our product, from the image they got from our one-pager, which our whole team had prepared with so much care.
To meet with Mobitel we prepared a pitch deck, a whole effort of our team, explaining
  • The problem we are addressing
  • The solution we suggest and how our product addresses it efficiently
  • The market opportunity
  • Marketing strategy
  • Future plans
While we were waiting for our time slot we got some clues from the previous group, and they told us not to expect the attention of the audience and not to worry if they seemed bored. This was a bit disappointing, but anyway I decided to do my maximum to have the attention of the audience and changed the pitch I had prepared to be briefer and more interesting. After we were introduced, it was me who was to start our presentation, pitching an overview of the product. I did my maximum to attract and keep the attention of the audience with a little story that could initiate an interactive discussion, which our team continued well.
 
The final effect was great feedback, which we did not even expect, and I can still remember the panel saying “superb idea”. They wanted to meet us for a business meeting the very next week, and our team celebrated this achievement by going to the beach and having lunch together. All of us were thrilled that we were going to do real business as a company, which once was just a dream.
 
It really was a great day; we worked hard as a team and achieved our first goal of getting a service provider interested in our product. Without that we could not have proceeded with ‘ThenaHari’.
 
1st August – Meeting with Mobitel
With the feedback we got for the last presentation we did, we were so confident and went to Mobitel with our business plan. On this visit all our instructors accompanied us, which was a great strength. After a little introduction, we felt the conditions had changed a bit once they had gone through our business plan. They were not happy with the plan and asked us for a change. Yes, that was real negotiating, which we were not much exposed to. We were not used to that kind of business negotiation before, and that was where I started to think of this as a real business, concerning profits, our future plans, facing competitors and bargaining too.
 
Finally the meeting ended with them asking us to come up with a modified business plan. We started to look for experienced people’s advice on the plan suggested by Mobitel and kept on analysing how that would affect the future growth of our company.
The 3rd of August was the big day, and I will be sharing those details in the next post.

Sunday, July 10, 2011

MIT - AITI experience

How I got the chance to join
I got the chance to join the MIT-AITI program (which was the Massachusetts Institute of Technology African Internet Technology Initiative and now goes as Asian) while I was completing my internship period of 24 weeks. Thanks to WSO2, where I was doing my internship, I could get a release to join the program for 6 weeks, and I am writing this just after the 2nd week of the AITI program. As I feel that I have used that time effectively, I hope to keep a note on what I got. Today was a more challenging and interesting day, and it will be worth having a note on what I have done in the course so far. An overview of the course can be found at the given link.



Very first day
On the very first day it was emphasized to us that the purpose of the course is not just to teach us mobile technologies, but also to make people use them as real applications. In brief, we were at the beginning of becoming entrepreneurs initializing a company based on mobile applications. Honestly I wondered whether this could be done, but really had faith that I should give my maximum strength to the try. On the very first day we were given a bag full of chocolates and toffees and asked to sell them somehow as groups. The group which made the most revenue was to win. This was cool and really was a new experience.


First steps
Then gradually we were guided to discover our own passions, the problems we have, what we want to change in the world, etc. Meanwhile we had a lot of group work that helped us get to know each other, and finally we were given the freedom and guidance to select the co-founders of the start-up according to the passions we have. I had a passion for giving a solution for the time wasted in travelling due to heavy traffic. Dhanika Perera, Shashindra Silva, Amila Paranawithana and Manoj Kumara were my co-founders of the company.
Then we tried to define our problem more precisely and realized that we would not be able to find a mobile solution for traffic congestion in 6 weeks. So we tried to develop a solution for a narrower problem: how a student, or any other traveller, can use their time efficiently while waiting in traffic congestion. Meanwhile we had a brainstorming session with senior officers of the leading mobile service providers of Sri Lanka and got valuable feedback on our ideas and how they should be refined in order to be effective. Keeping that in mind we kept on brainstorming on a solution for this.



While doing all this, we were also given a good introduction to Python programming through lab sessions, which was a good addition to our technical background.


Solution
After considering a lot of solutions we came up with, we wanted to select the one that would be most useful if solved. We had guidance on selecting, with instructions on what to consider, and finally all of us were so confident in one solution that we believed would be most successful. Then we had a session on business models and again we thought of more strategies to follow. We took the top three of them and roughly estimated the revenue that could be made by each. Based on that estimation we selected which business model to follow.
While working on this we also considered the feasibility of implementing the solution in technical terms and had a few issues that we would not be able to solve without the support of a service provider. So we kept looking for more ways to implement it in case we did not get the service provider's support.

This was a nice experience and I was starting to feel the responsibilities and difficulties an entrepreneur faces on the journey. On the other hand I was enjoying working with the team according to our own decisions and had the pride in mind that we are going to do something of our own.



Elevator Pitch Contest (MIT-AITI Elevator Pitch Olympics)
This was a really challenging competition held today (10/07/2011) and was very exciting given that the reward for the winner was Rs. 10,000/=. It was just the second time I had heard of an elevator pitch and I had no idea what needed to be done. Samidh Chakrabarti, our instructor, as usual gave us a good introduction and guided us. What we had to do was get prepared to talk to our potential investors to make them invest in our startup. In the contest we had a panel of judges and we were given a sharply measured one minute to talk. We had to give an idea of the problem we are addressing, the solution and the estimated revenue in an attractive way within these 60 secs.


This was an interesting challenge and I really wanted to be a good competitor in this. Round by round it was made harder, and in one round it was cut to 30 secs, which was very challenging. After a few rounds I could be among the top three, which I am really happy about. It was a real challenge and I enjoyed it a lot.


I am sure in the coming weeks there will be more challenging things, and I am enjoying the course a lot. Thank you Samidh, Lisa and Micheal.

Saturday, June 11, 2011

A sample on calling WSO2 Identity Server functionalities through the API


This sample demonstrates how to authenticate a user and allow that user to access authorized resources (services) using the API of WSO2 Identity Server (WSO2 IS). Simply put, it drives a few functions of the server without its GUI.


Scenario: After authentication, a user who holds the role 'admin' has the privileges to add or remove XACML policies and to evaluate them against sample requests. The following are the steps demonstrated.



  • Log into the server after authentication
  • Add a policy from the local machine
  • Read the enabled policy of the server
  • Remove a policy
  • Evaluate the enabled policy against a request
  1. Start the Identity Server as explained in the user guide: just extract the downloaded file, set the JAVA_HOME environment variable and run the .sh or .bat script according to your operating system.
  2. Open the downloaded project in your favourite IDE and add the plugins of WSO2 IS to the project dependencies. The plugins location will look like this at the end: /wso2is-3.2.0/repository/components/plugins. For wso2is-3.0.1 the same path applies.
  3. If you are using WSO2 IS 3.2.0 you can now run the project and see the results. If you are using WSO2 IS 3.0.1 you have to generate the stubs the project needs, in a preferred way such as the one described in the post 'How to convert WSDL to Java', and import them into the project.
  4. When you run the code, if it gets all the dependencies right it will ask you to enter the user name, password and remote IP. For demonstration purposes let's give admin, admin and 127.0.0.0 as the inputs. (admin/admin are the default credentials of a fresh server; change them on any server that is not a throwaway sandbox.)
  5. Now you will be authenticated in the server and allowed to proceed.
  6. Then it will prompt you for the path of a policy file to be added to the server; you can read the enabled policy file of the server, remove a policy of your choice and evaluate the enabled policy against a request of your choice. In the downloaded folder, in the resources section, a few policy files and sample requests are provided which you can use here. The server will reply with "Permit", "Deny" or "NotApplicable". First I am demonstrating how to see this in action, and explaining the code segments in the later part. The code itself is self-descriptive too.
Prerequisites:
All you need is WSO2 IS to test this sample, which can be downloaded freely.
Resources:
All the code of this sample project can be downloaded for you to try on your own.
To see what this sample does:
Now that we know what is happening there, let's see how it is handled.
In the login method:
import org.apache.axis2.AxisFault;
import org.apache.axis2.context.ConfigurationContext;
import org.apache.axis2.context.ConfigurationContextFactory;

/* Path to the Java Key Store (JKS) shipped with the server. It holds the server's
   X.509 certificate and private key; this client uses it only as a trust store,
   so that the server's HTTPS certificate is accepted. */
String path = "/home/pushpalanka/Installations/wso2is-3.0.1/resources/security/"
        + "wso2carbon.jks";

/* Store of CA certificates to trust. Required to authenticate the remote server. */
System.setProperty("javax.net.ssl.trustStore", path);
System.setProperty("javax.net.ssl.trustStorePassword", "wso2carbon");

try {
    /* Create a configuration context. A configuration context contains the
       information for an Axis2 environment. */
    configCtx = ConfigurationContextFactory.createConfigurationContextFromFileSystem(null, null);
} catch (AxisFault axisFault) {
    axisFault.printStackTrace();
}
The path variable should point to where the keystore file is located; you can find the WSO2 IS keystore file inside the resources/security folder as shown. The two System.setProperty calls set the trust store properties the client needs in order to accept the server's HTTPS certificate when it authenticates to the server. Pointing the client at the server's own wso2carbon.jks is fine for a local sample, but note that this file also contains the server's private key; a real client should be given a trust store holding only the certificate(s) it trusts. The last statement creates the Axis2 configuration context, which holds the global run-time information for Axis2.


Authenticate method:

// Imports needed by this method: the stub classes generated from the AuthenticationAdmin
// WSDL (org.wso2.carbon.authenticator.stub.AuthenticationAdminStub and
// org.wso2.carbon.authenticator.stub.LoginAuthenticationExceptionException),
// org.apache.axis2.AxisFault, org.apache.axis2.transport.http.HTTPConstants and
// java.rmi.RemoteException.

// hard-coded URL of the service
serviceURL = backendServerURL + "AuthenticationAdmin";
try {
    authenticationAdminStub = new AuthenticationAdminStub(configCtx, serviceURL);
} catch (AxisFault af) {
    log.error("Error creating the AuthenticationAdminStub", af);
}

// Enable session management so the stub keeps the session cookie the server sets
authenticationAdminStub._getServiceClient().getOptions().setManageSession(true);
boolean isAuthenticated = false;
try {
    // try to log in to the system with the admin information
    isAuthenticated = authenticationAdminStub.login(userName, password, remoteIp);
} catch (RemoteException re) {
    log.error("Connection with remote server failed!", re);
} catch (LoginAuthenticationExceptionException e) {
    log.error("Authentication failed!", e);
}

// keep the session cookie for the later admin-service calls in this session
authCookie = (String) authenticationAdminStub._getServiceClient().getServiceContext()
        .getProperty(HTTPConstants.COOKIE_STRING);
return isAuthenticated;

The backendServerURL is set up earlier as,

// URL where the WSO2 Identity Server admin services are running
backendServerURL = "https://localhost:9443/services/";

This is where the AuthenticationAdmin service is running, and we consume that service to get authenticated in the server as admin. A newly created AuthenticationAdminStub object provides the service, and from it we take the session cookie the server set on login. The cookie avoids the annoyance the user would face if they had to type the user name, password and remote IP for every new thing they try with WSO2 IS. Once we have the cookie we send it with the subsequent admin-service calls instead of authenticating again and again. Of course, the cookie is alive only for a limited time (the server-side session expires), and while it is alive it is a bearer credential: anyone who obtains it acts as admin, so it must be handled as carefully as the password.

EntitlementPolicyAdminServiceStub is used for managing the policies, as it performs the admin tasks related to entitlement (e.g. adding and removing policies). It is set up the same way as AuthenticationAdminStub: a stub created against the same backend URL, with the cookie obtained at login set on its service client so that the calls run inside the authenticated session.

In the EntitlementAdminServiceUtilities class each of the functions provided by the EntitlementPolicyAdminService is called.

All these functionalities you can experience in the browser through the management console; this sample drives the same functionality one layer deeper, through the admin services.
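To make the evaluate step concrete, here is an added example of what a PDP does with a policy and a request. It is written for this page and is not code from the sample project or from WSO2 IS. It implements only the subset of XACML 2.0 that the policies on this page use (a Policy Target, Rules with a Target and an Effect, first-applicable rule combining, and the string-equal and string-regexp-match functions) and returns the same three answers the server gives. The embedded policy is constructed for the example: it borrows the echo-service resource target and the 'read' action rule from the entitlement-handler post further down, and adds an assumed subject rule on the WSO2 e-mail claim plus a final catch-all Deny rule. The request is passed as a plain dict of attribute maps rather than as XACML <Request> XML.

```python
"""Added example (not the sample project's or WSO2 IS code): a tiny XACML 2.0
style PDP. It supports only what the policies on this page use: a Policy
Target, Rules with a Target and an Effect, first-applicable rule combining,
and the string-equal / string-regexp-match functions."""
import re
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:2.0:policy:schema:os"}
FN = "urn:oasis:names:tc:xacml:1.0:function:"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
EMAIL_CLAIM = "http://wso2.org/claims/emailaddress"  # WSO2 claim URI for the e-mail address

# Constructed policy: echo-service target and 'read' rule as on this page (resource
# pattern anchored here, unlike the page's), plus an ASSUMED subject rule (e-mail must
# be in wso2.com) and a final catch-all Deny so first-applicable never falls through.
SAMPLE_POLICY = rf"""<Policy xmlns="{NS['x']}" PolicyId="urn:sample:xacml:2.0:samplepolicy-01"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Target><Subjects/><Actions/><Environments/>
    <Resources><Resource>
      <ResourceMatch MatchId="{FN}string-regexp-match">
        <AttributeValue DataType="{XS_STRING}">^https://localhost:9445/services/echo/$</AttributeValue>
        <ResourceAttributeDesignator AttributeId="{RESOURCE_ID}" DataType="{XS_STRING}"/>
      </ResourceMatch>
    </Resource></Resources>
  </Target>
  <Rule Effect="Permit" RuleId="primary-group-rule">
    <Target>
      <Subjects><Subject>
        <SubjectMatch MatchId="{FN}string-regexp-match">
          <AttributeValue DataType="{XS_STRING}">^[^@]+@wso2\.com$</AttributeValue>
          <SubjectAttributeDesignator AttributeId="{EMAIL_CLAIM}" DataType="{XS_STRING}"/>
        </SubjectMatch>
      </Subject></Subjects>
      <Actions><Action>
        <ActionMatch MatchId="{FN}string-equal">
          <AttributeValue DataType="{XS_STRING}">read</AttributeValue>
          <ActionAttributeDesignator AttributeId="{ACTION_ID}" DataType="{XS_STRING}"/>
        </ActionMatch>
      </Action></Actions>
    </Target>
  </Rule>
  <Rule Effect="Deny" RuleId="deny-everything-else"/>
</Policy>"""


def _match(m, request):
    """Evaluate one SubjectMatch/ResourceMatch/ActionMatch against the request."""
    fn = m.get("MatchId")
    pattern = m.find("x:AttributeValue", NS).text
    designator = next(c for c in m if c.tag.endswith("AttributeDesignator"))
    category = designator.tag.split("}")[1].replace("AttributeDesignator", "").lower()
    actual = request.get(category, {}).get(designator.get("AttributeId"))
    if actual is None:          # attribute absent from the request: no match
        return False
    if fn == FN + "string-equal":
        return actual == pattern
    if fn == FN + "string-regexp-match":
        return re.search(pattern, actual) is not None   # loose reading; anchor your patterns
    raise ValueError("unsupported MatchId: " + fn)


def _target_matches(target, request):
    """XACML target semantics: each non-empty section (Subjects, Resources, ...)
    needs at least one alternative all of whose *Match elements hold.
    A missing Target, or an empty section, matches everything."""
    if target is None:
        return True
    for section in target:
        alternatives = list(section)
        if alternatives and not any(all(_match(m, request) for m in alt) for alt in alternatives):
            return False
    return True


def evaluate(policy_xml, request):
    """Return 'Permit', 'Deny' or 'NotApplicable' for a request given as
    {'subject': {...}, 'resource': {...}, 'action': {...}} attribute maps."""
    policy = ET.fromstring(policy_xml)
    if not policy.get("RuleCombiningAlgId", "").endswith(":first-applicable"):
        raise ValueError("only first-applicable rule combining is implemented")
    if not _target_matches(policy.find("x:Target", NS), request):
        return "NotApplicable"
    for rule in policy.findall("x:Rule", NS):
        if _target_matches(rule.find("x:Target", NS), request):
            return rule.get("Effect")   # first rule whose target matches decides
    return "NotApplicable"


def echo_request(email, action="read", resource="https://localhost:9445/services/echo/"):
    """Request context for a call to the echo service (dict form, not <Request> XML)."""
    return {"subject": {EMAIL_CLAIM: email},
            "resource": {RESOURCE_ID: resource},
            "action": {ACTION_ID: action}}


if __name__ == "__main__":
    for email in ("alice@wso2.com", "mallory@example.com"):
        print(email, "->", evaluate(SAMPLE_POLICY, echo_request(email)))
```

The three outcomes map onto the server's replies: a request for another endpoint misses the policy Target and is NotApplicable, a wso2.com user reading the echo service hits the Permit rule, and everything else (wrong domain, wrong action, no e-mail attribute at all) falls through to the Deny rule. That last rule is the part worth copying: without it, first-applicable returns NotApplicable for unmatched requests, and a PEP that treats NotApplicable as "no objection" would let them through.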





Tuesday, May 31, 2011

Using Entitlement Handler in WSO2 AppServer with Identity Server

This article introduces the functionality of the ‘entitlement handler’, which provides XACML fine-grained authorization on secured services that use ‘username token’ authentication. An end-to-end sample use case of the entitlement handler is explained using WSO2 AppServer and WSO2 Identity Server. The necessary configuration steps and possible further improvements and flexibilities are also included.

Abbreviations used

XACML – eXtensible Access Control Markup Language
RBAC – Role Based Access Control
ABAC – Attribute Based Access Control
PEP -  Policy Enforcement Point
PDP – Policy Decision Point
IS – Identity Server
AS – AppServer

Introduction

When considering access control on a service, there are two major options: RBAC and ABAC. With ABAC a user can be authorized on very fine details, such as the time period in which they are trying to invoke the service or the domain of their e-mail address. With ABAC it is not compulsory to consider the particular identity or role of the user; it allows authorization in a more flexible manner that can be made powerful by taking other attributes into account. XACML provides the standard for defining the policies and requests that achieve this. With the 'entitlement handler', a user can be authorized using XACML fine-grained authorization without a single change to the service and without writing a single line of code, if the default configuration is sufficient for the scenario.
As the name implies, the ‘entitlement handler’ is an Axis2 handler, packaged as the ‘entitlement module’ (entitlement.mar), which can be engaged on any web service that uses ‘username token’ authentication. It can be engaged at any level, from service level to global level, as preferred. With small modifications in the module.xml of the module or the services.xml of the service it can be configured as desired, and further improvements can easily be made, as explained at the end.

Applies To

WSO2 Identity Server  3.2.0 or above
WSO2 AppServer 4.1.0 or above

Scenario

In the scenario there is a client trying to access the ‘echo’ service hosted in the AS. We apply ‘username token’ authentication and XACML fine-grained authorization on the service so that a user can call the service only if the user's e-mail address is in the ‘wso2.com’ domain.

High level view

In this scenario the entitlement handler acts as the PEP and is configured to use WSO2 IS as the PDP. The service secured with username token is hosted in the AS, and the entitlement handler is engaged on the service. So when a client calls the service, the handler intercepts the request before it reaches the service and asks the PDP whether that request is allowed to proceed.


Here you can download the entitlement module source code and build it using Maven 2. In the target directory you will find the entitlement.mar package. Instead of building from source you can also download entitlement.mar and use it directly, which is all we need to proceed.

Server Configuration

As we need both WSO2 IS and WSO2 AS up and running at the same time, we need to change the ports used by one server, as by default both are set to the same port numbers. Let’s change the WSO2 AS port numbers simply by modifying carbon.xml. It can be found inside CARBON_HOME/repository/conf of the server; under the <Ports> tag change <Offset>0</Offset> to <Offset>2</Offset>. Now we just have to remember that when we start the servers from their bin directories they will run on different ports: IS on HTTPS 9443 and AS on HTTPS 9445.

Entitlement module configuration


  • As the module calls the entitlement service of WSO2 IS (authenticating to that server first) to obtain decisions, we need its service stub, org.wso2.carbon.identity.entitlement.stub-3.2.0.jar. Download it from the given link and place it inside CARBON_HOME/repository/components/lib of the AS, where we are going to deploy the module that authorizes the hosted services.
  • We can define exactly at which phase of which flow the module intercepts the message from a client, using the axis2.xml of the AS. The entitlement handler needs to intercept the message after the security phase, where the rampart module processes the security headers, so that the username token has already been validated by the time the handler runs. To achieve this, modify CARBON_HOME/repository/conf/axis2.xml as follows, adding the Entitlement phase inside InFlow after the ‘Security’ phase.
<phaseOrder type="InFlow">
     <phase name="Security"/>
     <phase name="Entitlement"/>

  • The following configuration can also be done after the server is up and running; if we wish, we can configure it as follows too.

a)  We can engage the module on the service we want to provide fine-grained authorization for by simply adding this line to the services.xml of the service: ‘<module ref="entitlement"/>’. If the module is engaged that way you do not have to engage it manually through the console later.

b)    Inside the module.xml of the module there are several parameters that need to be set, as follows. For this scenario, setting the "trustStoreLocation" parameter to point to wso2carbon.jks is sufficient and the others can be kept the same. Note that remoteServiceUserName and remoteServicePassword are the credentials the handler uses to log in to the IS, stored in clear text in module.xml on the AS; beyond a sandbox, use a dedicated account that can only call the entitlement service rather than admin, and keep the file's permissions tight.
    <parameter name="remoteServiceUrl">https://localhost:9443/services/</parameter>
    <parameter name="remoteServiceUserName">admin</parameter>
    <parameter name="remoteServicePassword">admin</parameter>
    <parameter name="remoteIp">127.0.0.0</parameter>
    <parameter name="decisionEvaluatorClass"></parameter>
    <parameter name="trustStoreLocation">---path to CARBON_HOME/resources/security/wso2carbon.jks---</parameter>
    <parameter name="trustStorePassword">wso2carbon</parameter>

Engaging the entitlement module

1. Now let’s start the AS, open the URL ‘https://localhost:9445/carbon/’ and log into the server; you will be on the main menu. Then under Modules click Add and upload the entitlement.mar package to the AS.









2. Once done it will ask to restart the server; click OK. Wait a little until the server has restarted, then click List under Modules. It will show a list including the entitlement module. Click the name ‘entitlement’.


3. It will show the information of the module. Click ‘Edit Module Parameters’.






4. Now we are directed to another way of doing the same configuration we did by modifying module.xml. If any change is needed, we can do it now.


5. Once we have finished configuring the module, we can engage it on a desired service. This step is not needed if we engaged the module in services.xml in the previous section; just go to the next step and check. Once we click Web Services List it lists all the services present and whether they are secured or not. In this scenario we will secure the echo service, so let’s click ‘unsecured’ in front of the service.













6. Then you will be directed to apply the desired security; as the entitlement handler is implemented to support username token authentication, let’s apply that and go next.


7. Now it will ask which user group this security should apply to; give ‘everyone’ for the moment and finish.


8. Once you have finished, it will give the message ‘Security applied successfully’; click OK and the service details are shown. Note that the endpoints are now shown with the HTTPS port only and security is active. Click ‘Modules’.


9. Now, if you engaged the entitlement module in services.xml you will see it in the currently engaged modules list; if not, you can engage it here by selecting the module from the drop-down menu.



10. Also, if you now list the web services, the ‘echo’ service is shown as secured.

Now we have finished all the configuration and secured the web service with XACML fine-grained authorization. But we have not yet made the PDP ready for the scenario, so let’s look into that.

Configuring the PDP


1. Once the IS is started from its bin directory, you will be taken to the main menu for the URL ‘https://localhost:9445/carbon/’ after logging in as admin. There, under Administration, you can import a new policy as follows.

2. Browse for the downloaded policy.xml and upload it to the server.

3. Once the policy is uploaded successfully it is shown as follows; click 'Enable', which will then change to 'Disable'.

    Here is the policy we are using and a brief explanation of what it does.

    <Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os" PolicyId="urn:sample:xacml:2.0:samplepolicy-01" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
      <Description>Sample XACML Authorization Policy</Description>
      <Target>
        <Subjects/>
        <Actions/>
        <Resources>
          <Resource>
            <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">https://localhost:9445/services/echo/</AttributeValue>
              <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
            </ResourceMatch>
          </Resource>
        </Resources>
        <Environments/>
      </Target>
      <Rule Effect="Permit" RuleId="primary-group-rule">
        <Target>
          <Subjects/>
          <Actions>
            <Action>
              <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
                <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
              </ActionMatch>
            </Action>
          </Actions>
          <Resources/>
          <Environments/>
        </Target>
        <Condition>
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
            <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"/>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">wso2.com</AttributeValue>
            <SubjectAttributeDesignator AttributeId="http://wso2.org/claims/emailaddress" DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </Apply>
        </Condition>
      </Rule>
      <Rule Effect="Deny" RuleId="deny-rule"/>
    </Policy>
This policy applies to requests for the resource 'https://localhost:9445/services/echo/'. It says 'Permit' for the action 'read' under the condition that the user's email address matches the regular expression 'wso2.com'. Any other request to which the policy applies gets 'Deny' as the decision.


4. Let's add a few users to the server so that we can check how the entitlement handler works. Click 'Add New User', give the password, and then click 'User Profile'.

5. Add as many users as you prefer; for the default client code to work there needs to be a user called Jon with password '12345' and email address jon@wso2.com. Create another user in the same way whose email address is from some other domain.

6. We can try out the policy by clicking 'TryIt' and filling in the parameters. According to the policy, if we put 'https://localhost:9445/services/echo/' as Resource, emailaddress as Subject Attribute Name, read as Action and the other attributes as preferred, with a wso2.com email address as the Subject Attribute Value, the evaluation gives 'Permit' as follows.

7. To confirm the policy, change only the domain to something other than wso2.com; here I am putting wso3.com, which gives 'Deny' as the response.

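To make the decision logic of the policy above and the TryIt checks in steps 6 and 7 concrete, here is an added example (not code from the original post or from WSO2) that evaluates the same policy in Python. It implements only what this policy uses (first-applicable rule combining, string-equal, string-regexp-match and any-of) and takes the request as a dict mapping attribute id to a list of values, with the attribute ids taken from the policy itself.

```python
import re
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:2.0:policy:schema:os"}
# The post's sample policy (DataType attributes and the empty Subjects/Environments elements omitted).
POLICY_XML = """<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os" PolicyId="urn:sample:xacml:2.0:samplepolicy-01"
 RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
 <Target><Resources><Resource><ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
   <AttributeValue>https://localhost:9445/services/echo/</AttributeValue>
   <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
  </ResourceMatch></Resource></Resources></Target>
 <Rule Effect="Permit" RuleId="primary-group-rule">
  <Target><Actions><Action><ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
    <AttributeValue>read</AttributeValue>
    <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"/>
   </ActionMatch></Action></Actions></Target>
  <Condition><Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
   <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"/>
   <AttributeValue>wso2.com</AttributeValue>
   <SubjectAttributeDesignator AttributeId="http://wso2.org/claims/emailaddress"/>
  </Apply></Condition>
 </Rule>
 <Rule Effect="Deny" RuleId="deny-rule"/></Policy>"""

FUNCS = {"urn:oasis:names:tc:xacml:1.0:function:string-equal": lambda a, b: a == b,
         # XACML argument order: string-regexp-match(regex, string)
         "urn:oasis:names:tc:xacml:1.0:function:string-regexp-match": lambda a, b: re.search(a, b) is not None}

def _apply(elem, request):
    """True if f(value, v) holds for some v in the request bag; serves *Match and any-of(f, value, bag)."""
    func_el = elem.find("x:Function", NS)
    func = FUNCS[func_el.get("FunctionId") if func_el is not None else elem.get("MatchId")]
    value = elem.find("x:AttributeValue", NS).text
    attr = next(c for c in elem if c.tag.endswith("AttributeDesignator")).get("AttributeId")
    return any(func(value, v) for v in request.get(attr, []))

def _target_matches(target, request):
    # Simplified: every *Match in the Target must hold; a missing Target matches any request.
    return target is None or all(_apply(m, request) for m in target.iter() if m.tag.endswith("Match"))

def evaluate(policy_xml, request):
    """Return 'Permit', 'Deny' or 'NotApplicable' under first-applicable rule combining."""
    policy = ET.fromstring(policy_xml)
    if not _target_matches(policy.find("x:Target", NS), request):
        return "NotApplicable"
    for rule in policy.findall("x:Rule", NS):
        cond = rule.find("x:Condition/x:Apply", NS)
        if _target_matches(rule.find("x:Target", NS), request) and (cond is None or _apply(cond, request)):
            return rule.get("Effect")
    return "NotApplicable"
```

Both regular expressions in the policy are unanchored and '.' matches any character, so an address such as jon@wso2xcom, or a resource URL with extra text around the echo path, also satisfies them; anchoring the patterns (for example '@wso2\.com$') would make the policy stricter.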
Now let's try out our scenario. Run the client code you have downloaded with the user name 'Jon' and his password and you will receive the response. Then try the client with some other user name you defined in the IS earlier who does not have a 'wso2.com' email address. It will not allow you to proceed, and in the console of the AS you will see 'User not authorized to perform the action.', the result of the entitlement handler doing its duty. (To fix the dependencies of the given client, you can simply add CARBON_HOME/lib/api/org.wso2.carbon.securevault-3.2.0.jar and CARBON_HOME/repository/components/plugins of the IS as dependencies.)

Entitlement Handler Inside View

Now, if you are curious to know how this is done, you can look into the source code; the following are the operations done inside the handler. It just reads the relevant parameters and, if it allows the message to continue to the service, passes on the same message it received without any alteration.
[Diagram: operations performed inside the entitlement handler]
The advantage of using a handler for this purpose is that we can place it right in front of the service and can configure it at multiple levels with different parameters.

Possible Improvements and Flexibilities

A possible improvement to the handler is to support authentication mechanisms other than 'username token', and to support several of them at once. There is also the flexibility for users to choose a PDP of their own and implement only the part that calls the PDP and gets the response.