Writing a simple PIP module for WSO2 Identity Server

In one of my previous posts, I discussed the PIP implementation of WSO2 Identity Server. Now let's write a simple PIP attribute finder module to plug in to WSO2 Identity Server.

There are two ways to write a PIP attribute finder module:

  •  By implementing the “PIPAttributeFinder” interface. You can find the latest interface from here
  •  By extending the “AbstractPIPAttributeFinder” abstract class. You can find the latest abstract class from here

It is much easier to extend “AbstractPIPAttributeFinder” when writing a PIP attribute finder module. Let's take the following simple use case.

Suppose K-Market is an online trading company. K-Market controls online trading based on the customer's privileges and on customer attributes such as age, email and so on. To achieve attribute-based access control (ABAC), the user attributes stored in a JDBC-based user store must be retrieved by the PDP of WSO2 Identity Server.

Let's go step by step. Please note that this sample project can be found at this svn location

Step 1. Assume the K-Market attribute store is a database, say a MySQL database. You can find the sample script that I used from here.

Step 2. Write a PIP module by extending “AbstractPIPAttributeFinder”. Please find the “KMarketJDBCAttributeFinder” class from here.

The following are the methods you need to implement.

a).  init (Properties properties)   Here you can write the logic to initialize your module. Any properties that are defined in the entitlement.properties file can be accessed here.

The JNDI name of the datasource can be defined as a property value in the entitlement.properties file, and it is read here. The supported attributes are also initialized inside this method.

b).  getAttributeValues (String subject, String resource, String action, String environment, String attributeId, URI issuer)    Here you can write the logic to find your attribute value.

subject –> attribute value which can be identified by the following attribute value in the request.

resource –> attribute value which can be identified by the following attribute value in the request.

action –> attribute value which can be identified by the following attribute value in the request.

environment –> attribute value which can be identified by the following attribute value in the request.

attributeId –> attribute id which is defined in the policy and needs to be resolved

issuer –> issuer which is related to the attributeId that needs to be resolved

c).  getSupportedAttributes()    Here you can write the logic to find all the attribute ids supported by your module.

d).  getModuleName()    Returns the name of the module.

Step 3. Create a jar file from your class. You can build the project using Maven 3 to create the jar file.

Step 4. Copy the created org.xacmlinfo.xacml.pip.jdbc-1.0.0.jar into the <IS_HOME>/repository/components/lib directory.

Step 5. Copy any dependency libraries for the PIP module to the <IS_HOME>/repository/components/lib directory. Here that is the JDBC driver jar file, which is needed to create the JDBC connection (e.g. mysql-connector-java-5.1.10-bin.jar).

Additional Step. Add the new datasource configuration to the master-datasources.xml file, which can be found in the <IS_HOME>/repository/conf/datasources directory (this only applies if you are defining the datasource configuration using the master-datasources.xml file). A sample configuration would be as follows.

<description>The datasource used for K-Market user store</description>
<definition type="RDBMS">
<validationQuery>SELECT 1</validationQuery>

Step 6. Open the entitlement.properties file, which can be found in the <IS_HOME>/repository/conf/security directory, and register your PIP module. Here is my sample configuration.

#Define JNDI datasource name as property value

Step 7. Restart the server if it has already been started.

You have now successfully registered a PIP attribute finder with WSO2 Identity Server!
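A sketch of the kind of module Step 2 describes, added here as an example and not the author's KMarketJDBCAttributeFinder; because the subject value arrives in the XACML request, the lookup binds it as a query parameter and returns no values for anything it does not recognise. The method signatures follow the listing in Step 2, the Set<String> return types are assumed from the abstract class, and the attribute id, the DataSourceName property key, and the table and column names are made up for illustration.

```java
import java.net.URI;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.util.HashSet;
import java.util.Properties;
import java.util.Set;
import javax.naming.InitialContext;
import javax.sql.DataSource;
import org.wso2.carbon.identity.entitlement.pip.AbstractPIPAttributeFinder;

public class ExampleJdbcAttributeFinder extends AbstractPIPAttributeFinder {
    // Assumed names (not from the page): attribute id, property key, table, columns.
    private static final String EMAIL_ID = "http://example.com/id/email";
    private static final String QUERY = "SELECT email FROM example_users WHERE user_name = ?";
    private final Set<String> supported = new HashSet<String>();
    private DataSource dataSource;

    @Override
    public void init(Properties properties) throws Exception {
        // The JNDI name is read from the module's properties in entitlement.properties.
        String jndiName = properties.getProperty("DataSourceName");
        if (jndiName == null) throw new Exception("DataSourceName property is not set");
        dataSource = (DataSource) new InitialContext().lookup(jndiName.trim());
        supported.add(EMAIL_ID);
    }

    @Override
    public Set<String> getAttributeValues(String subject, String resource, String action,
            String environment, String attributeId, URI issuer) throws Exception {
        Set<String> values = new HashSet<String>();
        if (subject == null || !EMAIL_ID.equals(attributeId)) {
            return values; // nothing this module can resolve: return no values
        }
        // subject is request-supplied data: bind it, never concatenate it into SQL.
        try (Connection con = dataSource.getConnection();
             PreparedStatement ps = con.prepareStatement(QUERY)) {
            ps.setString(1, subject);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    String value = rs.getString(1);
                    if (value != null) values.add(value);
                }
            }
        }
        return values;
    }
    @Override
    public Set<String> getSupportedAttributes() { return supported; }
    @Override
    public String getModuleName() { return "Example JDBC Attribute Finder"; }
}
```

If the abstract class in your Identity Server version declares a different parameter or return type, the @Override annotations turn the mismatch into a compile error instead of a method the PDP never calls.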

Once you log in to the management console, you can see that the PIP attribute finder has been registered successfully. You can re-initialize it at run time.


To test this attribute finder, you can use this policy and this request. Upload the policy to WSO2 Identity Server, then publish it to the PDP and enable it. You can then try out the policy with the TryIt PEP.

You can debug this sample code by starting WSO2 Identity Server in debug mode as follows:

wso2server.sh --debug 5005 (UNIX) or wso2server.bat --debug 5005 (Windows)

Then you can clearly see how the methods in “KMarketJDBCAttributeFinder” are called by the PDP.



  1. Hello, I have been trying to do this example but I do not have the necessary jars in order for the program to compile. I was wondering if you could tell me where I could download the
    org.apache.commons.dbcp.BasicDataSource; org.wso2.carbon.identity.entitlement.pip.AbstractPIPAttributeFinder jars in order to be able to compile the program. Knowing where to download the WSO2 jars would also help me with other programs. Thank you.

  2. Thank you for posting the jar, but could you tell me where the repository containing the WSO2 jars is located so I can download them? I have adjusted my pom.xml and I still cannot compile my projects without getting errors. Thank you.

    1. I have updated the pom.xml with the repository location. Please find it from here [1]


  3. Hi xacmlinfo,
    I have been trying to do this example but I got an error when I test the policy using an XACML request.
    INFO {org.wso2.carbon.identity.entitlement.pip.CarbonAttributeFinder} – No attribute designators defined for the attribute AgeOfUser.
    I need your help. Thank you.

  4. Hi Geek,

    It seems that your module has not been picked up by WSO2 Identity Server correctly. Can you please double check the configuration and setup? Also, please check whether there are any errors or warnings at server startup.

    The best way is to debug your module at startup. You can put a debug pointer on the init() method and see whether it is properly called, and so on.

    BTW, I guess you are using WSO2IS V3.2.3?

  5. Hello, xacmlinfo
    I’m trying to make an attributeFinder to connect to an LDAP but I have an error when testing the policy using an XACML request.
    INFO {org.wso2.carbon.identity.entitlement.pip.CarbonAttributeFinder} – No designators attributes defined for the attribute LogonCount.
    I have many doubts in the implementation of it, is not that just as this example and also do not like enduring attributes, and whether the attribute designator settings right. Help me.

  6. The best way is to debug your attribute finder source and see. You can start in debug mode by using wso2server.sh --debug 5005 (UNIX). According to the error, the PDP cannot find any supported attribute id with “LogonCount” by PIPs.

  7. I want to create a PIP in WSO2IS 4.1 and this should be different. I have my PIP in WSO2IS V3.2.3 and it works nicely. Now I am migrating to XACML 3.0, which is not supported by 3.2.3 (using XPath, Obligations and urn:oasis:names:tc:xacml:3.0:attribute-category:…), and there are no forums on how to create a PIP in newer versions of WSO2IS. Can someone help me? Thank you a lot!

  8. Hello xacmlinfo,
    I get an error loading the policy:
    ERROR {org.wso2.carbon.identity.entitlement.EntitlementUtil}
    XACML policy is not valid according to the schema :cvc-complex-type.2.4.a:
    Invalid content was found starting with element ‘Rule’.
    One of ‘{“urn:oasis:names:tc:xacml:2.0:policy:schema:os”:Description, “urn:oasis:names:tc:xacml:2.0:policy:schema:os”:PolicyDefaults, “urn:oasis:names:tc:xacml:2.0:policy:schema:os”:CombinerParameters,
    is expected.
    Could be related to xacml version? Could you please give me a hint?

  9. Fantastic page. Keep up this excellent work.
    It contains an impressive point of view on the topic and your comments are really accurate.
    I just want to mention that I am surprised to have found this website.
    You have the best website on the topic.

  10. It can be found in the org.wso2.carbon.utils package. You can find this jar file in the /repository/components/plugins directory of WSO2IS. So at runtime, you do not want to add this jar file, as it is already there.

  11. I’m trying to implement the attribute finder sample with WSO2 IS 4.6.

    Is this the correct source:



    I am getting:

    TID: [0] [IS] [2014-05-27 18:00:09,532] INFO {org.wso2.carbon.identity.entitlement.policy.finder.CarbonPolicyFinder} – Initializing of policy store is finished at : Tue May 27 18:00:09 EDT 2014 {org.wso2.carbon.identity.entitlement.policy.finder.CarbonPolicyFinder}
    TID: [0] [IS] [2014-05-27 18:00:09,550] INFO {org.wso2.carbon.identity.entitlement.pip.CarbonAttributeFinder} – No attribute designators defined for the attribute email {org.wso2.carbon.identity.entitlement.pip.CarbonAttributeFinder}
    TID: [0] [IS] [2014-05-27 18:00:09,550] INFO {org.wso2.balana.finder.AttributeFinder} – Failed to resolve any values for email {org.wso2.balana.finder.AttributeFinder}

