WSO2 Identity Server - Extension Points - Part 3 - XACML


This is the third of a series of posts on extension points available in WSO2 Identity Server, with relevance to separate protocols.

Previous posts can be found at,
With the XACML architecture there are 4 main separate components as,
  • PIP (Policy Information Point) - serves information required for policy evaluation.
  • PAP (Policy Administration Point) - serves capabilities to govern the policies.
  • PDP (Policy Decision Point) - make decision on incoming requests whether to permit or deny based on the defined policies and information collected from PIP.
  • PEP (Policy Enforcement Point) - the interception point which checks and honors the policy decision.

WSO2 Identity Server can act as all these 4 components. In this post we will check on the extendability of these components and their usages.

Policy Information Point(PIP) modules

Usage:
When the information available locally is not enough to evaluate a XACML request

eg: We need to authorize the user depending on their age, which is not directly available in current user store.

1. PIP Attribute Finder ()

Usage:

The ‘DefaultAttributeFinder’ talks to the underlying user store to read user attributes. It is by default registered for all the claims defined under ‘http://wso2.org/claims dialect’. If the user attributes needs to be read in from another location or some other deviation is required for default claim retrieval process this extension should be used (by specifying the full qualified custom class name, under "PIP.AttributeDesignators.Designator.1") which can be found at [IS_HOME]/repository/conf/identity/entitlement.properties file. You can also add more attribute finders keeping the default one as well.

Sample:

https://docs.wso2.com/display/IS510/Writing+a+Custom+Policy+Info+Point
 
Abstract Class / Default Implementation:

org.wso2.carbon.identity.entitlement.pip.DefaultAttributeFinder

2. PIP Resource Finder

Usage:
To register a PIP resource finder with the PDP. The default resource finder finds the resources of the underlying registry. We need to implement this interface and add an entry to file (by specifying the full qualified class name, under "PIP.ResourceFinders.Finder.1") which can be found at [IS_HOME]/repository/conf/identity/entitlement.properties file in case of a different logic required at resource finding. 

Abstract Class / Default Implementation:
org.wso2.carbon.identity.entitlement.pip.DefaultResourceFinder

3. PIP Extension

Usage:
PIPExtensions will be fired for each and every XACML request - which will give a handle to the incoming request. Can be used to carry out custom checks or updates for XACML request, before sending to the PDP. Configured at specifying the full qualified class name, under "PDP.Extensions.Extension.1") which can be found at [IS_HOME]/repository/conf/identity/entitlement.properties file

Interface:
org.wso2.carbon.identity.entitlement.pip.PIPExtension

Policy Administration Point(PAP) modules

1. Entitlement Data Finder

This is the implementation of the policy meta data finder module which finds the resource in the under-line registry by default. Any deviation to policy meta data finding can be written as an extension at this point,

PAP.Entitlement.Data.Finder.1 

Abstract Class / Default Implementation:
org.wso2.carbon.identity.entitlement.pap.CarbonEntitlementDataFinder

2. Policy Publisher Module

policy publisher module that is used to publish policies to external PDPs. External PDP can be identity server or else can be anything. Therefore this interface provide an extension to publish policies to different PDPs.

PAP.Policy.Publisher.Module.1

Abstract Class / Default Implementation:
org.wso2.carbon.identity.entitlement.policy.publisher.CarbonBasicPolicyPublisherModule

3. Policy Version Manager

This manages the versions of XACML policies. If a deviation is required for supported maximum version etc. this can be used.

PAP.Policy.Version.Module 

Abstract Class / Default Implementation:
org.wso2.carbon.identity.entitlement.policy.version.DefaultPolicyVersionManager

4. PAPStatusDataHandler

A handler that would be fired after an entitlement policy admin action is done. If any action is required to be done in relevance to this admin action, this extension can be used.

PAP.Status.Data.Handler.1 

Abstract Class / Default Implementation:
org.wso2.carbon.identity.entitlement.SimplePAPStatusDataHandler

Policy Decision Point(PDP) modules

1. Policy Finder

Policy manage module is an extension point where XACML policies can be stored and loaded into the PDP from different sources. There can be more than one policy finder modules configure in the file [IS_HOME]/repository/conf/identity/entitlement.properties as below.

PDP.Policy.Finder.1= 

Interface:
org.wso2.carbon.identity.entitlement.policy.finder.PolicyFinderModule 

Abstract Class / Default Implementation:
org.wso2.carbon.identity.entitlement.policy.store.RegistryPolicyStoreManageModule

2. Policy Store Module

Handles the add, update, delete operations of the policies. Any modification to these operations can be done via this extension.

Interface: org.wso2.carbon.identity.entitlement.policy.store.PolicyStoreManageModule
Config parameter key should look like,
PDP.Policy.Store.Module= 

Abstract Class / Default Implementation:
org.wso2.carbon.identity.entitlement.policy.store.RegistryPolicyStoreManageModule (by default this is acting as the policy finder as well.)

3. Policy Data Store Module

This is the entitlement policy data store that is used to persist metadata of the policies such as global policy combining algorithm and perform operations such as get, set, remove policy data stored in carbon registry. Any deviations to this can be made via this extension using below config.

PDP.Policy.Data.Store.Module=

Abstract Class / Default Implementation:
org.wso2.carbon.identity.entitlement.policy.store.DefaultPolicyDataStore

Policy Enforcement Point (PEP) modules

When providing fine grained authorization for service providers WSO2 Identity Server act as a PEP itself and calls the own PDP to get authorization decisions. This is an extension point exposed by Identity Application Authentication Framework to customize authorization logic. By default the implementation is done based on XACML, which can be extended to cater for any deviations here acting as PEP.

 Interface:
org.wso2.carbon.identity.application.authentication.framework.handler.authz.AuthorizationHandler

 Abstract Class / Default Implementation:
org.wso2.carbon.identity.application.authz.xacml.handler.impl.XACMLBasedAuthorizationHandler

Config:
At IS_HOME/repository/conf/identity/application-authentication.xml,
Under, <Extensions>,
                       <AuthorizationHandler>...</AuthorizationHandler>

Hope this will help in extending the functionalities to have your freedom in have the exact requiements catered. Cheers!

Comments

Popular posts from this blog

Signing SOAP Messages - Generation of Enveloped XML Signatures

How to send an HTML email in Java (Using Google SMTP Server)

Adding Custom Claims to the SAML Response - (How to Write a Custom Claim Handler for WSO2 Identity Server)