
Can't access EntitlementService Webservice on wso2is

I am trying to access the EntitlementService running on a WSO2 IdentityServer on localhost. I want to evaluate IS for use as XACML engine. This is all just Proof-Of-Concept code and tests.

I tried both with a Java client and a PHP client.

The Java code can be downloaded here: https://sites.google.com/site/securedecentralizedblog/is/EntitlementClient.java?attredirects=0&d=1

I only changed the directory for the wso2is related stuff. Running it gives me these errors in the wso2is console:

[2014-05-05 01:36:00,058] ERROR {org.wso2.carbon.core.services.authentication.AuthenticationAdmin} -  Authentication Failed : Invalid remote address passed - https://localhost:9443/
[2014-05-05 01:36:29,127]  WARN {org.wso2.carbon.core.services.authentication.AuthenticationUtil} -  Could not find IP address for domain name : https://localhost:9443/

Which seems really weird as localhost normally always resolves...

Also tried with a hand-made PHP script:

<?php
$context = stream_context_create(array(
    'ssl' => array(
        'verify_peer' => false,
        'allow_self_signed' => true
    )
));

$auth = array(
        'trace' => true,
        'login'=>'admin',
        'password'=>'admin',
        'stream_context'=>$context
        );

$login_client = new SoapClient('https://localhost:9443/services/AuthenticationAdmin?wsdl',$auth);
$client = new SoapClient('https://localhost:9443/services/EntitlementService?wsdl',$auth);


$request = file_get_contents('../xacml_get_users.xml');


echo "\n\nGoing to start login call...\n\n";
try {
  $login_response = $login_client->login($auth);
  $response_headers = $login_client-> __getLastResponseHeaders();
  $request_cookie = $login_client->_cookies;
  $a_jsessionid = $request_cookie['JSESSIONID'];
  $jsessionid = $a_jsessionid[0];
  $cutstr = substr($response_headers,strpos($response_headers,'Set-Cookie: '));
  $cookie = substr($cutstr,strlen('Set-Cookie: '));
  $cookie = substr($cookie, 0, strpos($cookie,';'));

  echo "\n\nGoing to start decision call...\n\n";

  $cookie_name="JSESSIONID";
  $cookie_value=$jsessionid;
  $client->__setCookie($cookie_name, $cookie_value);
  $client->getDecision($request);
} catch (Exception $e) {
  echo $e->getMessage();
}
?>

I get past the login call, but then after the "start decision call" I get this error message in the client:

Error occurred while evaluating XACML request

And in the wso2is console:

[2014-05-05 01:33:03,733] ERROR {org.wso2.carbon.identity.entitlement.EntitlementService} -  Error occurred while evaluating XACML request
java.lang.NullPointerException
    at org.wso2.carbon.identity.entitlement.cache.IdentityCacheKey.hashCode(IdentityCacheKey.java:62)
    at java.util.concurrent.ConcurrentHashMap.hash(ConcurrentHashMap.java:333)
    at java.util.concurrent.ConcurrentHashMap.containsKey(ConcurrentHashMap.java:1016)
    at org.wso2.carbon.caching.impl.CacheImpl.containsKey(CacheImpl.java:260)
    at org.wso2.carbon.identity.entitlement.cache.EntitlementBaseCache.getValueFromCache(EntitlementBaseCache.java:144)
    at org.wso2.carbon.identity.entitlement.cache.DecisionCache.getFromCache(DecisionCache.java:49)
    at org.wso2.carbon.identity.entitlement.pdp.EntitlementEngine.getFromCache(EntitlementEngine.java:384)
    at org.wso2.carbon.identity.entitlement.pdp.EntitlementEngine.evaluate(EntitlementEngine.java:229)
    at org.wso2.carbon.identity.entitlement.EntitlementService.getDecision(EntitlementService.java:51)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

What could be going wrong? I need this to work, otherwise we won't be able to choose wso2is for our project.

Also, is there any REST API planned for this? If yes, for when?

This is how I finally seem to have solved it. I used the other available WSDL function, getDecisionByAttributes.

It still generates some weird exception in the wso2 IS server, but I actually get the return value "Permit" or "Deny" (or "Indeterminate").

$context = stream_context_create(array(
    'ssl' => array(
        'verify_peer' => false,
        'allow_self_signed' => true
    )
));

$http_auth = array(
        'trace' => true,
        'login'=>'admin',
        'password'=>'admin',
        'stream_context'=>$context
        );

$client = new SoapClient('https://localhost:9443/services/EntitlementService?wsdl',$http_auth);

try {
  $res = $client->getDecisionByAttributes(array("subject"=>"okuser","resource"=>"https://api.example.org/api/v1/users","action"=>"GET"));
  $xml = simplexml_load_string($res->return);
  $decision = $xml->Result->Decision;
  echo $decision;
} catch (Exception $e) {
  echo $e->getMessage();
}

TryIt also using the web service method... It means, when you are sending the request from the web service API, it also must work. According to the null pointer, it seems that the XACML request is not coming in your SOAP message. I suppose you need to track the message that is going from your PHP client... Also, for debugging purposes, you can enable the debug logs in WSO2IS, which helps you to see XACML request/response messages.

In your PHP script, try replacing the line

$client->getDecision($request);

by:

$client->getDecision(["request" => $request]);

This should take care of your NullPointerException.

This is because, according to the WSDL, the SOAP method getDecision needs a named parameter called "request", containing the actual XACML request:

<xs:element name="getDecision">
  <xs:complexType>
    <xs:sequence>
      <xs:element minOccurs="0" name="request" nillable="true" type="xs:string"/>
    </xs:sequence>
  </xs:complexType>
</xs:element>
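
The named-parameter fix carried through to a complete decision check, as an added example that is not code from any of the posts above: it builds the request with escaped attribute values, passes it as "request", and grants access only on an explicit "Permit". The function names, the XACML 3.0 request layout and the sample responses are assumptions made for illustration; the `return` field follows the self-answer's usage.

```php
<?php
// Added example (not the posters' code). Assumes the PDP accepts XACML 3.0 requests.
const XACML_NS = 'urn:oasis:names:tc:xacml:3.0:core:schema:wd-17';

// Build a minimal request; values are XML-escaped so they cannot inject elements.
function buildXacmlRequest(string $subject, string $resource, string $action): string {
    $attrs = [
        ['urn:oasis:names:tc:xacml:1.0:subject-category:access-subject',
         'urn:oasis:names:tc:xacml:1.0:subject:subject-id', $subject],
        ['urn:oasis:names:tc:xacml:3.0:attribute-category:resource',
         'urn:oasis:names:tc:xacml:1.0:resource:resource-id', $resource],
        ['urn:oasis:names:tc:xacml:3.0:attribute-category:action',
         'urn:oasis:names:tc:xacml:1.0:action:action-id', $action],
    ];
    $xml = '<Request xmlns="' . XACML_NS . '" CombinedDecision="false" ReturnPolicyIdList="false">';
    foreach ($attrs as [$category, $id, $value]) {
        $xml .= '<Attributes Category="' . $category . '">'
              . '<Attribute AttributeId="' . $id . '" IncludeInResult="false">'
              . '<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">'
              . htmlspecialchars($value, ENT_XML1 | ENT_QUOTES, 'UTF-8')
              . '</AttributeValue></Attribute></Attributes>';
    }
    return $xml . '</Request>';
}

// Fail closed: unparsable XML, Deny, Indeterminate or multiple results are all "no".
function isPermit(string $responseXml): bool {
    $xml = @simplexml_load_string($responseXml);
    if ($xml === false) { return false; }
    $decisions = $xml->xpath('//*[local-name()="Decision"]') ?: [];
    return count($decisions) === 1 && trim((string) $decisions[0]) === 'Permit';
}

function checkAccess(SoapClient $client, string $subject, string $resource, string $action): bool {
    try {
        // Named parameter "request", as the WSDL element above requires.
        $res = $client->getDecision(['request' => buildXacmlRequest($subject, $resource, $action)]);
        return isPermit((string) $res->return);
    } catch (Throwable $e) {
        error_log('PDP call failed: ' . $e->getMessage());
        return false; // a SOAP fault or transport error never grants access
    }
}

// Constructed sample responses, evaluated offline (no server needed).
$sample = '<Response xmlns="' . XACML_NS . '"><Result><Decision>%s</Decision></Result></Response>';
foreach (['Permit', 'Deny', 'Indeterminate'] as $d) {
    echo $d, ' => ', var_export(isPermit(sprintf($sample, $d)), true), "\n";
}
```

`checkAccess()` expects a `SoapClient` created against the EntitlementService WSDL, as in the scripts above.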
