How to using client_ip and request_uri in XACML po

2019-08-17 17:59发布

问题:

We are using WSO2 IS as the Identity Bus for our solutions. We make REST API in WSO2 ESB to implement our Integration and use OAuth mediator in that to securing our API. in WSO2 IS we create a service provider as sp1 and apply XACML policy to that. I want to create XACML policy to permit incoming requests just when client_ip is xxx.xxx.xxx.xxx and request URI is http://wso2ESB.uri/sampleApi/app and method is GET.

please help me to make this XACML policy in WSO2 IS.

回答1:

Currently WSO2 Identity Server support only scope based XACML policy evaluation for oauth2/oidc service providers, where there is no out of the box capability to evaluate policy against client_ip, request URI, HTTP method. One way to handle this situation is irrespective of oauth mediator you can write custom class mediator to intercept the request (PEP) and invoke EntitlementService to evaluate request against XACML PDP in Identity Server. Inside custom class mediator you can write necessary logic to extract necessary information for XACML request client_ip, request URI, HTTP method ...etc

[1] https://docs.wso2.com/display/IS570/Validating+the+Scope+of+OAuth+Access+Tokens+using+XACML+Policies