node.js + XACML wso2is


cd WSO2IS_HOME
subl wso2is-4.5.0/repository/conf/carbon.xml
HideAdminServiceWSDLs -> false

./bin/wso2server.sh

npm install soap
mkdir wso2is-nodejs
cd wso2is-nodejs/
subl soap-clinet.js

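// Turns off TLS certificate verification for the WHOLE Node process, not just
// this request. That is only acceptable against the local WSO2 IS with its
// self-signed certificate; anywhere else, trust the server's CA instead
// (e.g. via NODE_EXTRA_CA_CERTS) so the connection cannot be intercepted.
process.env['NODE_TLS_REJECT_UNAUTHORIZED'] = '0';

var soap = require('soap');
// WSDL of the IS EntitlementService (visible only with HideAdminServiceWSDLs=false in carbon.xml).
var url = 'https://localhost:9444/services/EntitlementService?wsdl';
// XACML request: which subject wants to perform which action on which resource.
var args = {
  subject: 'admin',
  resource: 'http://localhost:9766/services/RestService/POST',
  action: 'POST'
};

soap.createClient(url, function(err, client) {
  // Without this check a failed WSDL fetch leaves `client` undefined and the
  // next line throws a TypeError instead of reporting the real cause.
  if (err) {
    console.error('failed to create SOAP client:', err);
    return;
  }
  // Demo-only hard-coded admin credentials; in real use read them from the
  // environment or a config file that is not checked in.
  client.setSecurity(new soap.BasicAuthSecurity('admin', 'admin'));
  client.getDecisionByAttributes(args, function(err, result) {
    if (err) {
      console.error('getDecisionByAttributes failed:', err);
      return;
    }
    console.log(result.statusCode);
    console.log(result.body);
  });
});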

node soap-clinet.js

200
<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"><Result><Decision>Permit</Decision><Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status></Result></Response>


SailsJs Authentication With sails-generate-auth + PassportJs + WSO2 Identity Server

// install sails.js from http://sailsjs.org/#/getStarted

sails generate new MySails
cd MySails/

npm install sails-generate-auth
sails generate auth
npm install git+https://github.com/jasonsims/passport-wso2.git#master
npm install passport
npm install bcryptjs
npm install validator
npm install sails-generate
npm install passport-twitter
npm install passport-github

subl api/controllers/MyController.js

/**
 * Demo controller used to check that the passport policy lets an
 * authenticated user through.
 */
module.exports = {
  /**
   * Respond with a fixed greeting.
   * @param {Object} req - Sails request
   * @param {Object} res - Sails response
   */
  hi: function (req, res) {
    var greeting = "Hi there!";
    return res.send(greeting);
  }
};

subl config/passport.js

// delete other strategies and add the following

// Passport strategy entry for WSO2 Identity Server (OAuth2 / OpenID Connect).
wso2: {
name: 'wso2',
protocol: 'oauth2',
strategy: require('passport-wso2').Strategy,
options: {
// Authorization and token endpoints of the local WSO2 IS instance.
authorizationURL:"https://localhost:9444/oauth2/authorize",
tokenURL:"https://localhost:9444/oauth2/token",
// Filled in with the OAuth Client Key / Client Secret that the carbon console
// shows after the service provider is added. The secret is a credential:
// keep it out of version control (environment variable or an untracked
// local config file) rather than committing it here.
clientID: '',
clientSecret: '',
// Must match the Callback Url registered for the service provider. Plain
// http is acceptable for localhost only; use https for anything reachable
// from a network, since the authorization code travels over this URL.
callbackURL: 'http://localhost:1337/auth/wso2/callback',
// userinfo endpoint; its JSON is what passport-wso2/lib/profile.js parses.
userProfileURL:'https://localhost:9444/oauth2/userinfo?schema=openid',
scope:'openid'

}
}

subl config/bootstrap.js

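/**
 * Sails bootstrap hook: registers the passport strategies from
 * config/passport.js and only then hands control back to Sails.
 * @param {Function} cb - called once setup is complete; Sails waits for it
 */
module.exports.bootstrap = function(cb) {
  // Workaround for "Error: UNABLE_TO_VERIFY_LEAF_SIGNATURE" caused by the
  // self-signed certificate of the local WSO2 IS. This disables TLS
  // certificate verification for the entire Node process (every outbound
  // https request, not just the IS calls), so it is acceptable for local
  // development only; otherwise add the IS certificate to the trust store
  // (e.g. NODE_EXTRA_CA_CERTS) instead of setting this.
  process.env['NODE_TLS_REJECT_UNAUTHORIZED'] = '0';
  sails.services.passport.loadStrategies();
  // Signal completion last, so the strategies exist before Sails finishes lifting.
  cb();
};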

subl config/policies.js

// Apply the passport policy (api/policies/passport.js) to every controller action.
'*': [ 'passport' ]

subl config/routes.js

// URL -> controller action map. The specific /auth/local routes are listed
// before the generic /auth/:provider ones; keep that order.
module.exports.routes = {
// Pages served by the AuthController generated by sails-generate-auth.
'get /login': 'AuthController.login',
'get /logout': 'AuthController.logout',
'get /register': 'AuthController.register',

// Local username/password login and its sub-actions.
'post /auth/local': 'AuthController.callback',
'post /auth/local/:action': 'AuthController.callback',

// OAuth providers: /auth/wso2 starts the flow, /auth/wso2/callback finishes it
// (the callback URL registered with the service provider).
'get /auth/:provider': 'AuthController.provider',
'get /auth/:provider/callback': 'AuthController.callback',

// Protected demo action; the passport policy redirects to /login when anonymous.
'get /hi': 'MyController.hi',

'/': {
view: 'homepage'
}
};

subl api/policies/passport.js

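/**
 * Policy: set up passport for the request and require an authenticated user
 * for every action except those of the auth controller (login, callback, ...),
 * which must stay reachable for the login flow itself.
 * @param {Object} req - Sails request; req.options.controller holds the controller identity
 * @param {Object} res - Sails response
 * @param {Function} next - continue to the action
 */
module.exports = function (req, res, next) {
  passport.initialize()(req, res, function () {
    passport.session()(req, res, function () {
      res.locals.user = req.user;
      // Exempt the auth controller by exact identity rather than by substring:
      // `indexOf('auth') > -1` would also skip the login requirement for any
      // other controller whose name merely contains "auth". Guarded so a
      // request without req.options does not throw a TypeError.
      // NOTE(review): assumes Sails exposes AuthController as the identity
      // 'auth' — confirm against the Sails version in use.
      var controller = req.options && req.options.controller;
      if (controller === 'auth' || req.user) {
        return next();
      }
      return res.redirect('/login');
    });
  });
};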

// login to https://localhost:9444/carbon/
// Main -> Identity -> Service Provider -> Add

// Service Provider Name:wso2

// Inbound Authentication Configuration -> OAuth/OpenID Connect Configuration -> Configure

// Callback Url: http://localhost:1337/auth/wso2/callback

// press Add Button

// copy values of OAuth Client Key and OAuth Client Secret to config/passport.js

// Values the carbon console generated for the "wso2" service provider. The
// client secret is a credential: keep it out of version control and rotate
// it if it has ever been published.
wso2:{
...
clientID: 'lgfG8KI6GTYz0GSHfFv8W9N6264a',
clientSecret: 'WjFfYGB9GgqV0FBjWFmKjtyWLCMa',
...

subl node_modules/passport-wso2/lib/profile.js

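/**
 * Convert the JSON returned by the WSO2 IS user profile endpoint into the
 * passport profile shape (id, name, displayName, userName, emails).
 * @param {Object} json - decoded profile response; the OpenID Connect claims
 *   read are preferred_username, name, given_name, family_name and email
 * @returns {Object} profile
 * @throws {TypeError} if json is not an object
 */
exports.parse = function(json) {
  if (json === null || typeof json !== 'object') {
    throw new TypeError('profile.parse expects the user profile JSON object');
  }
  var profile = {};

  profile.id = json.preferred_username;
  profile.name = json.name;
  // Join only the name parts that are present, so a missing given or family
  // name does not yield the string "undefined".
  profile.displayName = [json.given_name, json.family_name]
    .filter(function (part) { return part !== undefined && part !== null; })
    .join(' ');
  profile.userName = json.name;
  // Always provide the emails array; add an entry only when the claim exists.
  profile.emails = [];
  if (json.email !== undefined && json.email !== null) {
    profile.emails.push({value: json.email, primary: true});
  }

  return profile;
};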

sails lift

// in firefox, go to http://localhost:1337/hi
// you will see a login page; select wso2 and you will be redirected to http://localhost:1337/auth/wso2 and then to https://localhost:9444/authenticationendpoint/login.do

// enter admin and admin as username and password in login page, then you should see

// 'You are logged in as admin@carbon.super. wso2 requests access to your profile information '

// press Approve Button

// you will be redirected to http://localhost:1337/auth/wso2/callback to see the home page of the application

// enter http://localhost:1337/hi in firefox. now you can see it without redirecting to login page

A XACML Policy Example In WSO2 Identity Server 5.0


WSO2 Identity Server 5.0

WSO2 Identity Server provides sophisticated security and identity management of enterprise web applications, services, and APIs, and makes life easier for developers and architects with its hassle-free, minimal monitoring and maintenance requirements.

for more information see
http://wso2.com/products/identity-server/

A XACML Policy Example

This example shows how a simple XACML policy can be defined and tested in WSO2IS 5.0.

start the server with

~/opt/wso2is-5.0.0/bin$ ./wso2server.sh

login to web console

https://localhost:9444/carbon/

Main -> Entitlement -> PAP -> Policy Administrator -> Add New Policy -> Import Existing Policy

copy the following to a file and import it

<?xml version="1.0" encoding="UTF-8"?>
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="REST_XACML_Policy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
  <Target>
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:9766/services/RestService</AttributeValue>
          <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
  <Rule Effect="Permit" RuleId="admin_allow_rule">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:9766/services/RestService/POST</AttributeValue>
            <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
          </Apply>
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">POST</AttributeValue>
            <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
          </Apply>
        </Apply>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
          <AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <Rule Effect="Permit" RuleId="everyone_allow_rule">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:9766/services/RestService/GET</AttributeValue>
            <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
          </Apply>
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GET</AttributeValue>
            <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
          </Apply>
        </Apply>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">everyone</AttributeValue>
          <AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <Rule Effect="Deny" RuleId="deny-rule" />
</Policy>

in the Available Entitlement Policies list, click the TryIt link for REST_XACML_Policy

Resource http://localhost:9766/services/RestService/POST
Subject Name admin
Action Name POST

click the Test Evaluate button; you should see a window with a 'Permit' message.

then create a new user with the everyone role

Configure -> Configure -> Users and Roles -> Users

come back to the TryIt page and enter the following data:

Resource http://localhost:9766/services/RestService/POST
Subject Name newuser
Action Name POST

click the Test Evaluate button; you should see a window with a 'Deny' message.