About WSO2

• Providing the only complete open source componentized cloud platform
  – Dedicated to removing all the stumbling blocks to enterprise agility
  – Enabling you to focus on business logic and business value
• Recognized by leading analyst firms as visionaries and leaders
  – Gartner cites WSO2 as visionaries in all 3 categories of application infrastructure
  – Forrester places WSO2 in top 2 for API Management
• Global corporation with offices in USA, UK & Sri Lanka
  – 200+ employees and growing
• Business model of selling comprehensive support & maintenance for our products
  – 150+ globally positioned support customers
Agenda

• Understanding the policy enforcement in SOA environment
• Why does a typical SOA enterprise need policy management
• Some terminologies used in policy enforcement
• How WSO2 Identity Server plays as XACML policy engine
• Run-time policy vs Design-time policy
• Demo - Sample use case where WSO2 Governance Registry can be used as policy store
• Q&A
Understanding policy enforcement in a SOA environment

• A typical service-oriented enterprise has three main kinds of objects in interaction: service consumers, services and resources.
• How can a SOA environment control varying authorization levels depending on the consumer type, such as an admin user, a publisher-level user, a subscriber-level user, a login-level user, etc.?
• To address this complexity, a SOA environment is forced to have various types of policies.
• Applying policies to a SOA environment to control its activities during service consumption or service design is therefore called policy enforcement.
Why a typical SOA enterprise needs policy management

• To control the authorization level among the users accessing the services in any typical SOA environment.
• Unauthorized access to the services must be prevented.
• Quality of service should be managed by a service policy; therefore a SOA enterprise needs a policy management system.
• Giving access to the correct version of a service based on the consumer type; this can be managed by a versioning policy.
• SOA enterprises need to enforce a policy on the content passed as payload in terms of its encoding format.
Some terminologies used in policy enforcement

• PEP - stands for policy enforcement point, where the incoming request is received and an authorization request is generated and sent to the authorization engine.
• PIP - stands for policy information point, where information about policy elements is held: attribute values and their meaning, resource information used in the policy, and the environment in which the particular policy is to be evaluated.
• PDP - stands for policy decision point, where the authorization request sent by the PEP is evaluated and the decision is made whether to authorize or not. This point is generally called the authorization engine, since it is the decision maker for the authorization request.
Contd.

• PAP - stands for policy administration point, where the policy is managed.
• PRP - stands for policy retrieval point, where the policy is stored and retrieved by the authorization engine to evaluate against the incoming authorization request.
• WSO2 IS can be used as a PAP, PIP and PDP.
• WSO2 Governance Registry is used as the PRP.
• WSO2 ESB can be used as the PEP.
How WSO2 Identity Server plays as XACML policy engine

• WSO2 IS uses XACML policy based authorization. XACML stands for eXtensible Access Control Markup Language.
• WSO2 IS has the capability to act as a XACML based authorization engine.
• WSO2 IS makes its decision based on the policy relevant to the request; in other words, IS functions as the policy decision point.
• WSO2 Identity Server (IS) makes the authorization decision based on the XACML request.
• IS returns its authorization response to the policy enforcement point, stating what action is to be taken for the client request. The response will be to allow or deny the access.
Run-time policy vs Design-time policy

• Design-time policies define the behavior of the service at design time, while run-time policies define the behavior of the service at runtime.
• Design-time policies are enforced during the period when the developer creates the services. For example, WS-Security to be used as the security mechanism.
• An example of a run-time policy would be "Only users with the admin role are allowed to update resource A between 10 and 12 o'clock." This policy is enforced and evaluated at service invocation.
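The following is an added example, not WSO2 code, that puts the PEP, PIP, PDP and PRP roles from the terminology slides into one small XACML-style engine and evaluates the run-time policy just quoted. The policy store, the user-to-role table and the clock are constructed sample data; the time window is read as 10:00 <= now < 12:00, which is an assumption since the deck does not say whether the bounds are inclusive. Rules are combined first-applicable, and the PEP treats anything other than an explicit Permit (Deny, NotApplicable, Indeterminate) as no access.

```python
# Added example (not WSO2 code): the PEP/PIP/PDP/PRP roles as a toy XACML-style
# engine evaluating "only users with the admin role may update resource A
# between 10 and 12 o'clock".
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthzRequest:
    """What the PEP sends to the PDP: who wants to do what to which resource."""
    subject: str
    resource: str
    action: str


class PolicyRetrievalPoint:
    """PRP: the policy store (the Governance Registry plays this role in the deck).
    Each policy has a (resource, action) target and an ordered rule list."""
    def __init__(self):
        self._policies = {}

    def add(self, policy_id, target, rules):
        self._policies[policy_id] = {"target": target, "rules": rules}

    def applicable(self, request):
        return [p for p in self._policies.values()
                if p["target"] == (request.resource, request.action)]


class PolicyInformationPoint:
    """PIP: resolves attributes the request itself does not carry (roles, clock)."""
    def __init__(self, roles_by_user, clock):
        self._roles = roles_by_user
        self._clock = clock  # callable returning the current hour (0-23)

    def attributes_for(self, request):
        return {"roles": self._roles.get(request.subject, frozenset()),
                "hour": self._clock()}


class PolicyDecisionPoint:
    """PDP: evaluates the applicable policies against request + PIP attributes."""
    def __init__(self, prp, pip):
        self._prp, self._pip = prp, pip

    def evaluate(self, request):
        policies = self._prp.applicable(request)
        if not policies:
            return "NotApplicable"  # no policy targets this resource/action
        attrs = self._pip.attributes_for(request)
        for policy in policies:
            for effect, condition in policy["rules"]:  # first-applicable combining
                try:
                    if condition(attrs):
                        return effect
                except Exception:
                    return "Indeterminate"  # missing attribute or failing condition
        return "NotApplicable"


class PolicyEnforcementPoint:
    """PEP: only an explicit Permit grants access; every other decision fails closed."""
    def __init__(self, pdp):
        self._pdp = pdp

    def is_allowed(self, subject, resource, action):
        return self._pdp.evaluate(AuthzRequest(subject, resource, action)) == "Permit"


# Assumed reading of the deck's policy: the window is 10:00 <= now < 12:00.
ADMIN_WINDOW_RULES = [
    ("Permit", lambda a: "admin" in a["roles"] and 10 <= a["hour"] < 12),
    ("Deny", lambda a: True),  # explicit fall-through deny
]


def build_engine(hour, roles_by_user):
    """Wire PRP, PIP, PDP and PEP together for a fixed clock (constructed sample data)."""
    prp = PolicyRetrievalPoint()
    prp.add("resource-A-update", ("resourceA", "update"), ADMIN_WINDOW_RULES)
    pip = PolicyInformationPoint(roles_by_user, lambda: hour)
    return PolicyEnforcementPoint(PolicyDecisionPoint(prp, pip))


if __name__ == "__main__":
    users = {"alice": frozenset({"admin"}), "bob": frozenset({"subscriber"})}
    for hour in (11, 14):
        pep = build_engine(hour, users)
        print(hour, pep.is_allowed("alice", "resourceA", "update"),
              pep.is_allowed("bob", "resourceA", "update"))
```

The split matters in practice: the PDP answers NotApplicable for a resource no policy covers, and it is the PEP's job to turn that into a denial rather than letting the request through.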
Demo

• The client requests some resource via an ESB proxy service.
• When the ESB receives the client request, the "entitlement mediator" [PEP] generates the XACML request and calls the WSO2 IS [PDP] "entitlement admin service" endpoint.
• WSO2 IS retrieves the policy stored in the Governance Registry and evaluates the XACML request. WSO2 IS functions as the XACML engine.
• Depending on the decision made by the IS, the request is either processed further and the resource returned to the client, or returned with an unauthorized message.
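The messages in the demo flow, as an added example that is not WSO2 code: a PEP-side function that builds the XACML request for "subject wants action on resource", and the parsing of the PDP's response into the forward-or-unauthorized outcome the last bullet describes. It uses the XACML 3.0 core schema namespace and standard attribute identifiers, an assumption since the deck names no XACML version; the response string is constructed to the shape of a XACML 3.0 Response, not captured from WSO2 IS, and the network call to the entitlement service endpoint is left out so the code runs offline.

```python
# Added example (not WSO2 code): the XACML 3.0 request a PEP such as the ESB
# entitlement mediator would build, and the fail-closed handling of the
# PDP's response. Version and identifiers are assumed from the XACML 3.0 spec.
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
CATEGORIES = {
    "subject": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
    "resource": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
    "action": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
}
ATTRIBUTE_IDS = {
    "subject": "urn:oasis:names:tc:xacml:1.0:subject:subject-id",
    "resource": "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
    "action": "urn:oasis:names:tc:xacml:1.0:action:action-id",
}
ET.register_namespace("", XACML_NS)  # serialize with a default namespace


def q(tag):
    """Qualify a tag name with the XACML namespace for ElementTree."""
    return "{%s}%s" % (XACML_NS, tag)


def build_xacml_request(subject, resource, action):
    """PEP side: wrap who/what/how into a XACML 3.0 <Request> document."""
    req = ET.Element(q("Request"),
                     {"CombinedDecision": "false", "ReturnPolicyIdList": "false"})
    for kind, value in (("subject", subject), ("resource", resource), ("action", action)):
        attrs = ET.SubElement(req, q("Attributes"), {"Category": CATEGORIES[kind]})
        attr = ET.SubElement(attrs, q("Attribute"),
                             {"AttributeId": ATTRIBUTE_IDS[kind], "IncludeInResult": "false"})
        ET.SubElement(attr, q("AttributeValue"), {"DataType": XS_STRING}).text = value
    return ET.tostring(req, encoding="unicode")


def parse_decision(response_xml):
    """Return the Decision of the first <Result>; malformed or missing -> Indeterminate.
    Assumes a single Result, which is what one Request with CombinedDecision=false yields."""
    try:
        root = ET.fromstring(response_xml)
    except ET.ParseError:
        return "Indeterminate"
    node = root.find("./%s/%s" % (q("Result"), q("Decision")))
    if node is None or not node.text:
        return "Indeterminate"
    return node.text.strip()


def pep_outcome(response_xml):
    """Only an explicit Permit forwards the request to the backend; Deny,
    NotApplicable, Indeterminate and unparsable responses all end in the
    unauthorized message from the demo."""
    return "forward" if parse_decision(response_xml) == "Permit" else "unauthorized"


# Constructed sample responses shaped like a XACML 3.0 Response (not from WSO2 IS).
SAMPLE_PERMIT = (
    '<Response xmlns="%s"><Result><Decision>Permit</Decision>'
    '<Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status>'
    '</Result></Response>' % XACML_NS
)
SAMPLE_DENY = SAMPLE_PERMIT.replace("Permit", "Deny")

if __name__ == "__main__":
    print(build_xacml_request("alice", "resourceA", "update"))
    print(pep_outcome(SAMPLE_PERMIT), pep_outcome(SAMPLE_DENY))
```

The point to keep from this is the mapping in pep_outcome: the PDP vocabulary has four decisions, and the PEP collapses them so that only Permit opens the door.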