
WSO2 API Manager and XACML integration not working

I'm trying to integrate the latest version of WSO2 API Manager (1.6.0) with the WSO2 XACML module. I've found and followed step by step the very useful article. Unfortunately the PDP refuses to authorize my request even if I remove all my policies from the PAP and publish no policy to the PDP.

Is there a configuration somewhere I'm missing? I get the following output:

[2014-03-05 19:05:37,052] WARN - RequestCtxFactory No Namespace defined in XACML request and Assume as XACML 3.0
[2014-03-05 19:05:37,058] ERROR - EntitlementMediator org.apache.synapse.SynapseException: User is not authorized to perform the action
[2014-03-05 19:05:37,059] INFO - LogMediator STATUS = Executing default 'fault' sequence, ERROR_CODE = 0, ERROR_MESSAGE = User is not authorized to perform the action

If there are no policies in the PDP, the PDP would return a Not Applicable decision. Therefore the PEP of the API Manager would treat Not Applicable as a deny decision. In XACML there is a concept called a Deny-based PEP, which means that all results except Permit are considered as deny. Therefore, to test, you can add a policy with a Permit rule and verify, such as the following:

<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="PermitPolicy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
    <Target></Target>
    <Rule Effect="Permit" RuleId="Permit-Rule"></Rule>
</Policy>

Also it would be helpful if you can enable the debug logs in the entitlement component and check, because then you can see the XACML request and response messages.

Add the following to the log4j.properties file:

log4j.logger.org.wso2.carbon.identity.entitlement=DEBUG

You can check this for more on enabling debug logs.

Once you have the request and response, you can verify what has gone wrong. Also there is a TryIt tool with which you can test the policies.
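To make the decision chain in the answer concrete (empty PDP yields Not Applicable, and a deny-biased PEP turns anything other than Permit into a deny), here is an added illustration that is not WSO2 code and not part of the original thread. It models a deliberately small subset of XACML 3.0: empty Targets match every request, rules carry no Conditions, and only the first-applicable and deny-overrides rule-combining algorithms are supported. The combination of several policies as first-applicable at the PDP level is an assumption made for the illustration, not WSO2's behaviour; the PermitPolicy is the one from the answer above, the DenyPolicy is a constructed counter-example.

```python
"""Toy XACML evaluator plus deny-biased PEP (illustration only, not WSO2 code)."""
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
FIRST_APPLICABLE = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
DENY_OVERRIDES = "urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"

# The policy posted in the answer, embedded as sample input.
PERMIT_POLICY = """<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicyId="PermitPolicy"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
    Version="1.0">
  <Target></Target>
  <Rule Effect="Permit" RuleId="Permit-Rule"></Rule>
</Policy>"""

# Constructed counter-example: same shape, but its only rule is a Deny.
DENY_POLICY = """<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicyId="DenyPolicy"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
    Version="1.0">
  <Target></Target>
  <Rule Effect="Deny" RuleId="Deny-Rule"></Rule>
</Policy>"""


def _tag(local_name):
    """Namespace-qualified tag name, as ElementTree expects it."""
    return "{%s}%s" % (XACML_NS, local_name)


def evaluate_policy(policy_xml):
    """Return 'Permit', 'Deny' or 'NotApplicable' for a single policy.

    Only empty <Target> elements are modelled (they match every request), so
    a policy with Rules is always applicable and its combining algorithm
    decides the outcome.
    """
    root = ET.fromstring(policy_xml)
    if root.tag != _tag("Policy"):
        raise ValueError("not a XACML 3.0 <Policy> element")
    target = root.find(_tag("Target"))
    if target is not None and len(target):
        raise NotImplementedError("only empty Targets are modelled in this toy")
    effects = [rule.get("Effect") for rule in root.findall(_tag("Rule"))]
    algorithm = root.get("RuleCombiningAlgId")
    if algorithm == FIRST_APPLICABLE:
        # Every rule applies (empty targets), so the first rule decides.
        return effects[0] if effects else "NotApplicable"
    if algorithm == DENY_OVERRIDES:
        if "Deny" in effects:
            return "Deny"
        if "Permit" in effects:
            return "Permit"
        return "NotApplicable"
    raise NotImplementedError("unsupported combining algorithm: %s" % algorithm)


def pdp_decide(policies):
    """Toy PDP: the first policy that is applicable decides (an assumption of
    this illustration). With no published policies nothing can apply, so the
    result is NotApplicable, which is the situation described in the question."""
    for policy_xml in policies:
        decision = evaluate_policy(policy_xml)
        if decision != "NotApplicable":
            return decision
    return "NotApplicable"


def deny_biased_pep(decision):
    """Deny-biased PEP: only an explicit Permit grants access; Deny,
    NotApplicable and Indeterminate are all treated as deny."""
    return decision == "Permit"


if __name__ == "__main__":
    for label, policies in [("no policies", []), ("PermitPolicy", [PERMIT_POLICY]),
                            ("DenyPolicy", [DENY_POLICY])]:
        decision = pdp_decide(policies)
        print("%-12s PDP=%-14s PEP allows=%s" % (label, decision, deny_biased_pep(decision)))
```

Running it shows the three cases side by side: with no policies the PDP answers NotApplicable and the PEP denies, which is exactly the "User is not authorized" error in the question; with PermitPolicy published the PEP allows; with DenyPolicy it denies again. Comparing the PDP decision against the PEP outcome this way is the quick check to do with the debug logs suggested above.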

Thanks very much for your quick and efficient support. I've added your "permit" rules and was able to access my backend system after a successful policy validation. This means that the loop is closed and that my very simple policy of yesterday was the root of the problem. I have to review in detail how these rules are set up and defined. Thanks again for your help. Regards, Vpl

[2014-03-06 19:03:11,637] DEBUG - EntitlementPolicyInvalidationCache My Hash code of Policy cache is : 1
[2014-03-06 19:03:11,637] DEBUG - EntitlementPolicyInvalidationCache Shared Hash code of Policy cache is : 1
[2014-03-06 19:03:11,638] DEBUG - SimplePolicyCollection Matching XACML policy found PermitPolicy
[2014-03-06 19:03:11,638] DEBUG - EntitlementBaseCache Cache : $local$.PDP_DECISION_CACHE is populated with new entry in tenant domain : carbon.super
[2014-03-06 19:03:11,639] DEBUG - EntitlementEngine XACML Response : Permit
[2014-03-06 19:03:11,641] DEBUG - EntitlementMediator Entitlement Decision is : Permit
[2014-03-06 19:03:11,643] DEBUG - EntitlementMediator User is authorized to perform the action
[2014-03-06 19:03:11,644] DEBUG - EntitlementMediator OnAccept sequence is not defined.
