Hi Reza,

Refer to this [1] documentation to enable XACML-based access control for a
service provider. You need to enable "Enable Authorization" under "Local
and Outbound Authentication Configuration" of your service provider and
configure the XACML policy.

(Since you want to have the URI and IP as user claims, first create two new
claims in the policy, say http://wso2.org/claims/uri and
http://wso2.org/claims/ip.)

Then change the policy provided there to check for these claims:

<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="authn_travelocity_for_finance_team_policy"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
        Version="1.0">
   <!-- Target: this policy applies to the "authenticate" action of the named service provider -->
   <Target>
      <AnyOf>
         <AllOf>
            <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">*APP_NAME*</AttributeValue>
               <AttributeDesignator AttributeId="http://wso2.org/identity/sp/sp-name"
                                    Category="http://wso2.org/identity/sp"
                                    DataType="http://www.w3.org/2001/XMLSchema#string"
                                    MustBePresent="false"/>
            </Match>
            <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">authenticate</AttributeValue>
               <AttributeDesignator AttributeId="http://wso2.org/identity/identity-action/action-name"
                                    Category="http://wso2.org/identity/identity-action"
                                    DataType="http://www.w3.org/2001/XMLSchema#string"
                                    MustBePresent="true"/>
            </Match>
         </AllOf>
      </AnyOf>
   </Target>
   <!-- Permit only when both the URI claim and the IP claim of the subject contain the expected values -->
   <Rule Effect="Permit" RuleId="permit_by_uri_and_ip">
      <Condition>
         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">*URI*</AttributeValue>
               <AttributeDesignator AttributeId="http://wso2.org/claims/uri"
                                    Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                                    DataType="http://www.w3.org/2001/XMLSchema#string"
                                    MustBePresent="true"/>
            </Apply>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">*IP*</AttributeValue>
               <AttributeDesignator AttributeId="http://wso2.org/claims/ip"
                                    Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                                    DataType="http://www.w3.org/2001/XMLSchema#string"
                                    MustBePresent="true"/>
            </Apply>
         </Apply>
      </Condition>
   </Rule>
   <!-- first-applicable: anything the permit rule does not match is denied -->
   <Rule Effect="Deny" RuleId="deny_others"/>
</Policy>

Then publish the policy. You can also refer to [2] to get an understanding
of writing XACML policies.

[1] -
https://docs.wso2.com/display/IS570/Configuring+Access+Control+Policy+for+a+Service+Provider
[2] -
https://docs.wso2.com/display/IS570/Writing+XACML3+Policies+in+WSO2+Identity+Server

Thanks,
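As an added example that is not from this thread or from WSO2: a small Python evaluator for the permit rule's <Condition> above, to check how string-is-in, and, and MustBePresent="true" behave against a user's claims before the policy is published. The sample URI (/finance/api) and IP (203.0.113.10) stand in for the *URI* and *IP* placeholders and are assumed values.

```python
import xml.etree.ElementTree as ET
NS = "{urn:oasis:names:tc:xacml:3.0:core:schema:wd-17}"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
URI_CLAIM, IP_CLAIM = "http://wso2.org/claims/uri", "http://wso2.org/claims/ip"
FUNCS = {  # only the functions the permit rule uses; string-is-in is (value, bag)
    "urn:oasis:names:tc:xacml:1.0:function:string-is-in": lambda a, bag: a in bag,
    "urn:oasis:names:tc:xacml:1.0:function:and": lambda *args: all(args),
}
# Constructed input: the permit rule's <Condition> from the policy in the thread,
# with *URI* and *IP* replaced by assumed sample values.
CONDITION = f"""<Condition xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/finance/api</AttributeValue>
      <AttributeDesignator AttributeId="{URI_CLAIM}" Category="{SUBJECT}"
          DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
    </Apply>
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">203.0.113.10</AttributeValue>
      <AttributeDesignator AttributeId="{IP_CLAIM}" Category="{SUBJECT}"
          DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
    </Apply>
  </Apply>
</Condition>"""


class Indeterminate(Exception):
    """A MustBePresent="true" attribute was absent from the request."""


def evaluate(node, request):
    """Evaluate an XACML expression; request maps (category, attribute-id) -> bag."""
    tag = node.tag.replace(NS, "")
    if tag == "AttributeValue":
        return node.text                      # atomic string literal
    if tag == "AttributeDesignator":          # look the attribute up in the request
        bag = request.get((node.get("Category"), node.get("AttributeId")), [])
        if not bag and node.get("MustBePresent") == "true":
            raise Indeterminate(node.get("AttributeId"))
        return bag                            # a bag, possibly multi-valued
    if tag == "Apply":                        # apply the named function to its children
        return FUNCS[node.get("FunctionId")](*(evaluate(c, request) for c in node))
    raise ValueError(f"unsupported element {tag}")


def decide(uri_claims, ip_claims):
    """first-applicable: Permit if the condition holds, else the deny_others rule."""
    request = {(SUBJECT, URI_CLAIM): uri_claims, (SUBJECT, IP_CLAIM): ip_claims}
    try:
        permitted = evaluate(ET.fromstring(CONDITION)[0], request)
    except Indeterminate:
        return "Indeterminate"   # a missing claim is an error, not a Deny
    return "Permit" if permitted else "Deny"
```

A user whose claim bag holds several URIs is still permitted as long as the expected one is among them, which is what string-is-in (rather than string-equal) buys you here.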

On Sun, Feb 24, 2019 at 4:28 PM Nirothipan Megalingham <nirothi...@wso2.com>
wrote:

> + dev
>
> On Sat, Feb 23, 2019 at 4:19 PM Reza Ameri <rz.am...@gmail.com> wrote:
>
>> Hi
>> Dear All,
>>
>> We are using WSO2 IS as the Identity Bus for our solutions. We use WSO2
>> ESB and EI to implement our Integration and use OAuth mediator to connect
>> an API from EI to IS.
>> Everything works fine in the EI, but we want to create an XACML policy to
>> do two kinds of restrictions at the same time. First, authorize the user
>> against the URI, which can be hardcoded in the XACML or saved as a property
>> in user claims. Secondly, authorize the user against the origin IP of the
>> user; I mean, imagine that every user saves its IP in its claims, and then we
>> check the invoker IP to match the user IP.
>> We asked this question on StackOverflow [1] and [2]. I think our question
>> was not clear enough.
>> It would be really appreciated to hear from you.
>>
>> Thank you,
>> Reza
>>
>>
>> [1]
>> https://stackoverflow.com/questions/54674726/securing-rest-api-with-wso2-is-and-xacml-policy
>> [2]
>> https://stackoverflow.com/questions/54752236/rest-api-with-wso2-is-and-xacml-policy
>>
>>
>>
>>
>> *Reza Ameri*
>> Software Architect
>> https://www.linkedin.com/in/rezaameri/
>>
>
>
> --
>
> *M.Nirothipan* | Senior Software Engineer | WSO2 Inc.
>
> (m) +94772172692 | (e) nirothi...@wso2.com
>
>
> _______________________________________________
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>


-- 

*Senthalan Kanagalingam*
*Software Engineer - WSO2 Inc.*
*Mobile : +94 (0) 77 18 77 466*