App Manager supports both database-driven, simple role-based resource
authorization and XACML-based authorization.

After reviewing the existing XACML-based solution, the following changes
are proposed.

Concepts
=======

1) Policy Partials

The 'Target' section of a XACML policy in App Manager can be auto-generated,
since the user defines the URL pattern and the action (HTTP verb) for the
resources to be restricted. So only the 'rules' are the dynamic parts.

So in this proposal, users are able to save the conditions of the rules (or
maybe the rules) against the app. These are called policy partials.

2) Applying policy partials to URL templates

In the App Manager publisher there is a UI to add URL patterns to which
throttling, role restrictions, etc. should be applied. There will be an
option for the user to apply one or more policy partials, which are defined
in step 1, to these URL templates.

3) Policy generation

Actual XACML policies will be generated, taking the policy template,
applied policy partials and URL template info. These generated policies will
be persisted and published via identity admin services.

Please see the attached illustration for more details.




-- 
*Rushmin Fernando*
*Technical Lead*

WSO2 Inc. <http://wso2.com/> - Lean . Enterprise . Middleware

email : rush...@wso2.com
mobile : +94772310855

Attachment: xacml_based_authorization.pdf
Description: Adobe PDF document

_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
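The three steps proposed above (auto-generated Target, stored partials, policy generation) can be sketched as follows. This is an added example, not code from the post or from WSO2 App Manager; it assumes XACML 3.0, partials stored as un-namespaced `<Condition>` fragments, and hypothetical names (`generate_policy`, `url_template_to_regex`, `SAMPLE_PARTIAL`, the rule ids).

```python
import re
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
FN = "urn:oasis:names:tc:xacml:1.0:function:"
STRING = "http://www.w3.org/2001/XMLSchema#string"
RESOURCE = ("urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
            "urn:oasis:names:tc:xacml:1.0:resource:resource-id")
ACTION = ("urn:oasis:names:tc:xacml:3.0:attribute-category:action",
          "urn:oasis:names:tc:xacml:1.0:action:action-id")
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
# Constructed sample partial; the partial name and role value are hypothetical.
SAMPLE_PARTIAL = ("managers-only", (
    '<Condition><Apply FunctionId="%sstring-is-in">'
    '<AttributeValue DataType="%s">manager</AttributeValue>'
    '<AttributeDesignator Category="%s" AttributeId="http://wso2.org/claims/role"'
    ' DataType="%s" MustBePresent="true"/></Apply></Condition>')
    % (FN, STRING, SUBJECT, STRING))

def url_template_to_regex(template):
    # Escape literal text so only '*' acts as a wildcard, and anchor both ends
    # so "/orders/*" cannot also match "/admin/orders/1".
    return "^" + ".*".join(re.escape(p) for p in template.split("*")) + "$"

def _match(parent, function, value, attr):
    m = ET.SubElement(parent, "Match", MatchId=FN + function)
    ET.SubElement(m, "AttributeValue", DataType=STRING).text = value
    ET.SubElement(m, "AttributeDesignator", Category=attr[0],
                  AttributeId=attr[1], DataType=STRING, MustBePresent="true")

def generate_policy(policy_id, url_template, verb, partials):
    policy = ET.Element("Policy", {
        "xmlns": XACML, "PolicyId": policy_id, "Version": "1.0",
        "RuleCombiningAlgId": "urn:oasis:names:tc:xacml:1.0:"
                              "rule-combining-algorithm:first-applicable"})
    # Auto-generated Target: a single AllOf, so URL AND verb must both match.
    target = ET.SubElement(policy, "Target")
    all_of = ET.SubElement(ET.SubElement(target, "AnyOf"), "AllOf")
    _match(all_of, "string-regexp-match", url_template_to_regex(url_template), RESOURCE)
    _match(all_of, "string-equal", verb, ACTION)
    for name, condition_xml in partials:
        condition = ET.fromstring(condition_xml)  # ParseError if malformed
        if condition.tag != "Condition":  # a partial may not smuggle in a whole Rule
            raise ValueError("partial %r must be a single <Condition>" % name)
        rule = ET.SubElement(policy, "Rule", RuleId=name, Effect="Permit")
        rule.append(condition)
    # Fail closed: a request that satisfies no partial is denied.
    ET.SubElement(policy, "Rule", RuleId="deny-others", Effect="Deny")
    return ET.tostring(policy, encoding="unicode")
```

Because the partials are user-supplied text spliced into an authorization policy, the root-element check and the escaped, anchored URL regex are the parts a reviewer would want to see in any real generator.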
