OPA for HTTP Authorization

Open Policy Agent[1] is a promising, lightweight and very generic policy engine to govern authorization in any type of domain. I found this comparison[2] very attractive in evaluating OPA for a project I am currently working on, where they demonstrate how OPA can cater for the same functionality defined in RBAC, RBAC with Separation of Duty, ABAC and XACML.
Here are the steps to a brief demonstration of OPA used for HTTP API authorization based on the sample [3], taking it another level up.
Running OPA Server

First we need to download OPA from [4], based on the operating system we are running on. For Linux:

curl -L -o opa https://github.com/open-policy-agent/opa/releases/download/v0.10.3/opa_linux_amd64

Make it executable:

chmod 755 ./opa

Once done, we can start the OPA policy engine as a server:

./opa run --server

Define Data and Rules

Next we need to load data and authorization rules into the server, so it can make decisions. OPA defines these in files in the .rego format. Below is a sample …

A sample on calling WSO2 Identity Server functionalities through the API

This sample demonstrates how to authenticate a user and allow that user to access authorized resources (services), using the API of WSO2 Identity Server (WSO2IS). Simply put, this simulates a few functions of the server without its GUI.


After authentication, a user who holds the role 'admin' will have privileges to add or remove XACML policies and to evaluate them against sample requests. The following steps are demonstrated.

  • Log into server after authentication
  • Add a policy from local machine
  • Read the enabled policy of the server
  • Remove a policy
  • Evaluate the enabled policy against a request
  1. Start the Identity Server as explained in the user guide: extract the downloaded file, set up the JAVA_HOME environment variable and run the .sh or .bat script according to your operating system.
  2. Open the downloaded project in your favorite IDE and add the plugins of WSO2IS to the project dependencies. The plugins location will look like this at the end: /wso2is-3.2.0/repository/components/plugins. For wso2is-3.0.1 the same path applies.
  3. If you are using WSO2IS 3.2.0 you can now run the project and see the results. If you are using WSO2IS 3.0.1 you have to generate the stubs the project needs, in a preferred way such as the one described in the post on 'How to convert WSDL to Java', and import them into the project.
  4. When you run the code, if it gets all the dependencies correct it will ask you to enter the user name, password and remote IP. For demonstration purposes let's give admin, admin and the remote IP as the inputs.
  5. Now you will get authenticated in the server and be allowed to proceed.
  6. Then it will prompt you for the path of a policy file to be added to the server; you can then read the enabled policy file of the server, remove a policy of your choice and evaluate the policy against a request of your choice. In the resources section of the downloaded folder, a few policy files and sample requests are provided which you can use here. The server will reply with "Permit", "Deny" or "Not applicable". First I am showing this in action; the code segments are explained in the later part. The code itself is self-descriptive too.


All you need to test this sample is WSO2IS, which can be downloaded freely.


All the code of this sample project can be downloaded for you to try on your own.
To see what this sample does:
Now that we know what is happening there, let's see how that is handled.
In the login method:

This path variable should point to where the keystore file is located. You can locate the WSO2IS keystore file as shown inside the resource folder. Lines 3 and 4 set up the trust store properties that are needed to authenticate against the server over HTTPS. The Axis2 configuration is set up in line 6; it holds the global, run-time information for Axis2.

Authenticate method:

The backendServerURL is set up earlier as:

// URL where the WSO2 Identity Server services are running
backendServerURL = "https://localhost:9443/services/";

This is where the service AuthenticateAdmin is running, and we consume that service to get authenticated in the server as admin. A newly created AuthenticationAdminStub object provides the service, and we create a cookie using it. The cookie avoids the annoyance the user would face if he/she had to type the userName, password and remoteIP for every new thing they try with WSO2IS. After the cookie is created we can use it instead of asking for authentication details again and again. Of course, the cookie is alive only for a limited time.

EntitlementPolicyAdminServiceStub is used for managing the policies, as it performs the admin tasks related to entitlement (e.g. adding and removing policies). It follows the same pattern as AuthenticationAdminStub: the stub is created against the backend URL and the cookie obtained at login is attached to it.

The EntitlementAdminServiceUtilities class calls each of the functions provided by the EntitlementPolicyAdminService.
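The login-then-cookie flow described above (trust store, AuthenticationAdmin login, reusing the cookie on the policy admin stub), written out as an added example; this is not the sample project's own code. It assumes the stub packages org.wso2.carbon.authenticator.stub and org.wso2.carbon.identity.entitlement.stub on the classpath, and takes the trust store path and password as arguments rather than hard-coding them.

```java
import org.apache.axis2.client.Options;
import org.apache.axis2.context.ConfigurationContext;
import org.apache.axis2.context.ConfigurationContextFactory;
import org.apache.axis2.transport.http.HTTPConstants;
import org.wso2.carbon.authenticator.stub.AuthenticationAdminStub;
import org.wso2.carbon.identity.entitlement.stub.EntitlementPolicyAdminServiceStub;

public class CookieAuthExample {
    // URL where the WSO2 Identity Server admin services are running (same as in the post)
    private static final String BACKEND_SERVER_URL = "https://localhost:9443/services/";

    /** Point the JVM at the IS trust store so the HTTPS handshake with the server is trusted. */
    static void setTrustStore(String trustStorePath, String trustStorePassword) {
        System.setProperty("javax.net.ssl.trustStore", trustStorePath);
        System.setProperty("javax.net.ssl.trustStorePassword", trustStorePassword);
        System.setProperty("javax.net.ssl.trustStoreType", "JKS");
    }

    /** Log in through AuthenticationAdmin and return the session cookie the server issued. */
    static String login(String username, String password, String remoteIp) throws Exception {
        ConfigurationContext ctx = ConfigurationContextFactory.createConfigurationContextFromFileSystem(null, null);
        AuthenticationAdminStub authStub = new AuthenticationAdminStub(ctx, BACKEND_SERVER_URL + "AuthenticationAdmin");
        Options opts = authStub._getServiceClient().getOptions();
        opts.setManageSession(true); // keep the HTTP session so the Set-Cookie value is captured
        if (!authStub.login(username, password, remoteIp)) {
            throw new SecurityException("login rejected for user " + username);
        }
        // The cookie lands in the service context; reuse it instead of re-sending credentials.
        return (String) authStub._getServiceClient().getServiceContext().getProperty(HTTPConstants.COOKIE_STRING);
    }

    /** Build a policy-admin stub that authenticates with the cookie rather than with a password. */
    static EntitlementPolicyAdminServiceStub policyAdmin(String cookie) throws Exception {
        ConfigurationContext ctx = ConfigurationContextFactory.createConfigurationContextFromFileSystem(null, null);
        EntitlementPolicyAdminServiceStub stub =
                new EntitlementPolicyAdminServiceStub(ctx, BACKEND_SERVER_URL + "EntitlementPolicyAdminService");
        Options opts = stub._getServiceClient().getOptions();
        opts.setManageSession(true);
        opts.setProperty(HTTPConstants.COOKIE_STRING, cookie); // every call on this stub now carries the cookie
        return stub;
    }

    public static void main(String[] args) throws Exception {
        // Assumed arguments: trust store path and password, then the three inputs the sample prompts for.
        setTrustStore(args[0], args[1]);
        String cookie = login(args[2], args[3], args[4]);
        EntitlementPolicyAdminServiceStub stub = policyAdmin(cookie);
        // Admin operations (add/remove/get policy) are invoked on 'stub'; their exact method names differ
        // between IS releases, so check the generated stub for your version before calling them.
    }
}
```

The cookie expires after a limited time (as the post notes), so a caller that sees an authentication failure on the policy stub should log in again rather than retry with the stale cookie.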

All of these functions can be experienced in the browser tab; this sample simulates that functionality at a deeper layer, through the admin services.


  1. Hi Can you give the code for User and role creation also?

  2. Hi Raju,
    You can create users and roles as shown here (http://ubuntuone.com/5aP1gE1CKAEBDhuRSXhTDc) through the GUI. If you explicitly need the code for the purpose, let me know.

  3. Yeah.. I need to create a User or Role through the API, not by using the GUI, and I've found some code at http://blog.facilelogin.com/2010/05/managing-users-and-roles-with-wso2.html
    but it is a very old one which is not supported by WSO2 Identity Server 3.2.0, so I need the latest code. Thanks in advance

  4. Hi Pushpalanka,

    I have the same problem as Raju: I need to create users and roles through the API and also need to create a custom login page. I'm using WSO2 Identity Server 3.2.3.
    Thanks in advance.

  5. Hi Pushpalanka,

    When I tried to run the sample project I get a org.wso2.carbon.identity.entitlement.stub.EntitlementPolicyAdminServiceIdentityException: EntitlementPolicyAdminServiceIdentityException when trying to add/remove policies. Any Idea?

    I have set the plugins folder in the classpath and the program compiles properly



  6. Is there any life span restriction for the authCookie? How long will it live?


  7. I would like to add a policy (written in XACML) per service. Is that possible?

  8. Hi Thomas,
    Yes. That is possible. You can do this with the Resource attribute of XACML policy.

    1. This comment has been removed by the author.

    2. Thank you for your reply.
      I'm looking for a service like https://localhost:9443/services/EntitlementAdminService?wsdl (importPolicyFromRegistry) but not with a file.
      I want to use XACML directly to add a policy.
      Another question: is there a description of all the web services?

  9. Ubuntu One File Services have been shut down. Could you repost the code to an alternate location?

    1. You can find the sample here at [1]. Please note this was written for an older version of WSO2 IS and methods may have changed. But the flow is the same: we have to get the cookie first.

      [1] - https://drive.google.com/file/d/0B1njqfOEx3g8SVR2M09HZjZ2MUE/edit?usp=sharing

  10. This comment has been removed by a blog administrator.

  11. Hi, can you let me know how I can return claims depending upon the service provider?

