XACML Sample for Health Care Application – Part 1

In this blog post I am going to build a XACML sample (sample XACML policies, a PIP and a PEP) around a real-world use case.

Let's assume the following use case in a health care organization:

  • There is a health care organization called “Medi”.
  • “Medi” keeps the medical records of all its patients in a database repository.
  • This repository is exposed as a web service on their intranet, called “MediComService”.
  • “MediComService” has no security (authentication or authorization) mechanism other than transport-level security.
  • Medi has deployed a simple web application through which patients can view their own medical records over the Internet.
  • The Medi web application authenticates patients with a user name and password.
  • Medi keeps the patients’ attributes and credentials in an LDAP-based user store.
  • Not only patients, but also physicians and some administrative staff need to access this patient data. For example, physicians want to read and update their own patients’ data, and administrators want to delete existing data or create new data for patients.
  • Therefore authentication alone is not enough for the Medi web application and web service; the system needs an access control (authorization) mechanism.
  • The simplest and most common approach is role-based access control (RBAC).
  • But the Medi application developers anticipate more complex access control requirements as the web application grows. They also want to build their authorization system in a standardized, policy-based, externalized and extensible manner, and do not want to hard-code authorization logic into their web applications.
  • Finally, Medi decides to go with a XACML-based authorization solution.

The current high-level architecture of the Medi Com use case is as follows.


1. The end user (patient, physician and so on) logs in to the web application.

2. The user is authenticated against the LDAP user store.

3. The user accesses the Medi Com web service through the web application and retrieves patient data.

There are two major issues with this.

  • Authentication must be externalized (we are not going to discuss this here).
  • Access control must be implemented at both the web application level and the web service level, and it too must be externalized.

Here, access control must be added to both the Medi Com web application and the Medi Com web service. For example, when a user logs in to the Medi Com web application, the user must see only the items that they are authorized to see. The calls to the Medi Com web service must also be controlled, assuming that we cannot make any changes to the existing web service. That means we need to intercept the messages between the web application and the web service to enforce access control.

The main task for the Medi application developers is to build a XACML-based authorization engine. They found that writing a XACML engine from scratch is not easy, so they try to use an existing implementation.

Medi developers decided to try WSO2 Identity Server as their XACML engine, for the following reasons:

1. It is open source.
2. High-performance XACML evaluation with caching and indexing techniques.
3. Fast PDP and PEP communication via the Thrift protocol (16 times faster than a normal web service call).
4. PDP functionality is exposed as a (secured) web service in a standard manner, so the web application itself can act as the PEP.
5. Support for pluggable PIP attribute finders.
6. PDP clustering support for high availability, failover and high performance.

Now the high-level architecture looks as follows.


1. The end user (patient, physician and so on) logs in to the web application.

2. The user is authenticated with WSO2 Identity Server.

3. Identity Server calls the underlying user store (LDAP) and authenticates the end user.

4. After successful authentication, the web application calls WSO2 Identity Server to filter out the items the user is authorized to see.

5. The PDP of WSO2 Identity Server needs the user’s attributes to make the authorization decision, so it calls the LDAP user store through the PIP module to retrieve the user’s attributes.

6. The logged-in user accesses the Medi Com service to retrieve patient data.

7. The web service calls from the Medi Com web application to the Medi Com service must be authorized. There must be an interceptor that reads the web service call, extracts the data and calls the WSO2 Identity Server’s PDP.

To build this scenario, we need the following three sample projects.

Sample Web service

This exposes patients’ data stored in a database repository. The SVN location of the sample project can be found here.

This service exposes the following four operations. Each patient’s data is identified by a unique id called “patientId”, which is actually the user name of the patient:

  • createData (Patient patient) : creates new patient data in the database
  • updateData (Patient patient) : updates existing patient data
  • deleteData (String patientId) : deletes the patient data identified by the id
  • readData (String patientId) : reads the patient data identified by the id

This is a JAR service. You can deploy it using any service hosting server, but I am using WSO2 Application Server. Let me go through the setup.

Step 1. Download WSO2 Application Server from here and extract it into your file system.

Step 2. If you are running multiple WSO2 servers on the same machine, please configure port offset values in the carbon.xml file, which can be found in the <AS_HOME>/repository/conf directory. I have configured it as follows:


Step 3. Create the database repository by running this sample script file. The script has been tested with MySQL only.

Step 4. Configure a datasource to connect to the database created above. You need to add a new datasource configuration to the master-datasources.xml file, which can be found in the <AS_HOME>/repository/conf/datasources directory.

A sample configuration is as follows.

Please note: the JNDI name (jdbc/MEDICOMDB) is important. It is hard coded in the web service source, so please do not change it.

            <description>The datasource used for registry and user manager</description>
            <definition type="RDBMS">
                    <validationQuery>SELECT 1</validationQuery>
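A complete datasource entry in the Carbon master-datasources.xml format, written here as an added example (it is not the post's own file). Only the JNDI name jdbc/MEDICOMDB comes from the post; the datasource name, database URL and credentials are placeholders, and the database user should hold only the privileges the service needs (select/insert/update/delete on the patient tables), not administrative rights.

```xml
<!-- Added example for <AS_HOME>/repository/conf/datasources/master-datasources.xml.
     Place it inside the <datasources> element. Only jdbc/MEDICOMDB is taken from the
     post; database name, host and credentials are placeholders to replace. -->
<datasource>
    <name>MEDICOM_DB</name>
    <description>Patient data repository used by MediComService</description>
    <jndiConfig>
        <!-- hard-coded in the web service source: do not change -->
        <name>jdbc/MEDICOMDB</name>
    </jndiConfig>
    <definition type="RDBMS">
        <configuration>
            <url>jdbc:mysql://localhost:3306/MEDICOM_DB_NAME_PLACEHOLDER</url>
            <username>DB_USER_PLACEHOLDER</username>
            <password>DB_PASSWORD_PLACEHOLDER</password>
            <driverClassName>com.mysql.jdbc.Driver</driverClassName>
            <maxActive>50</maxActive>
            <maxWait>60000</maxWait>
            <!-- validate pooled connections before handing them to the service -->
            <testOnBorrow>true</testOnBorrow>
            <validationQuery>SELECT 1</validationQuery>
            <validationInterval>30000</validationInterval>
        </configuration>
    </definition>
</datasource>
```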

Step 5 : Copy the MySQL JDBC driver (mysql-connector-java-5.1.10-bin.jar) into the <AS_HOME>/repository/components/lib directory.

Step 6 : Start WSO2 Application Server and log in to the server (the default credentials are admin, admin).

Step 7 : Upload the JAR file to the Application Server and create the web service. The following screenshots show the steps.





Now you are done with the web service deployment. This is only a sample service to build our scenario, so we are not too worried about it. You can access the WSDL of the web service at the following URL, and try it out with a web service client tool (such as SOAPUI).


Setting up PDP , PIP and User Store (WSO2 Identity Server)

According to the diagram, WSO2 Identity Server is used as the PDP and also as the authentication server. Here we are only interested in the PDP. You do not need to do any configuration of the PDP; it runs with the default configuration. However, the configuration file (entitlement.properties) of the PDP engine can be found in the <IS_HOME>/repository/conf/security directory.

For this sample we use the LDAP user store embedded in WSO2 Identity Server, but it can be any LDAP, AD or JDBC user store. Once a user store is connected to Identity Server, you can manage users and roles in it using the Identity Server management console.

Let’s create users and roles. The following are sample steps to create a role (LDAP group) called “Patient” and a user called “asela”, and to assign the user to the “Patient” group.







In this scenario there are three LDAP groups (roles): Patient, Physician and Administrator. We can create them as above and assign the desired users to these groups.

WSO2 Identity Server ships with a default PIP attribute finder that is connected to its own user store (the embedded LDAP server). Therefore, to retrieve the attributes of the users created above (groups, email addresses and so on), we do not need to write a new PIP; we can simply use the default PIP module.

Sample Web Application

The sample project for the Medi Com web application can be found here. You can easily deploy the web application using Tomcat or WSO2 Application Server. Here I tried it with Tomcat 7. Please make the necessary changes in web.xml according to your setup.

The following are the configuration values that need to be changed in web.xml:

  • backEndServerUrl – web service URL of the patient data web service, which is “http://localhost:9765/services/MediComPatientService”
  • pdpServerHostName – authorization server host name (WSO2 Identity Server host name, i.e. localhost)
  • pdpServerPort – authorization server SSL port (WSO2 Identity Server SSL port, i.e. 9443)
  • pdpServerUserName – authorization server user name (WSO2 Identity Server default user name, i.e. admin)
  • pdpServerPassword – authorization server user password (WSO2 Identity Server default user password, i.e. admin)
  • trustStoreFile – trust store file containing the authorization server’s certificate (by default you can point to the client-truststore.jks file, which can be found in the <IS_HOME>/repository/resources/security directory)
  • trustStorePassword – trust store password (the password of the client-truststore.jks file is “wso2carbon”)
  • engagePEPHandler – whether the PEP handler must be engaged or not (more about this property later)

The web application has the following dependencies.

  • A PEP module to call the web service API of the WSO2 Identity Server PDP. This uses the sample PEP agent, which can be found here.
  • The service stub module of the Medi Com web service.

Anyone can go through the web application source code and modify it as they want.

Sample Message interceptor

Here we need to intercept the messages going from the web application to the web service. In real use cases we could use an ESB (such as WSO2 ESB) for this. To demonstrate it, I would like to use an axis2 handler. As we are using the axis2 client to send messages from the web application, we can engage an axis2 handler in the message sending and receiving paths of the axis2 client.

Please find the sample axis2 handler here. In this handler, the SOAP message is extracted and the Body part of the SOAP message is sent to the PDP for authorization together with the user name and the action (which are received via transport headers). This is simple code, and you can understand what is going on by looking at it. This axis2 handler also uses the sample PEP agent, which can be found here, to call the PDP APIs.

Step 1. Copy the axis2 module (.mar file) into <TOMCAT>/webapps/MediCom/WEB-INF/lib/

Step 2. Enable the handler by setting the following parameter in the web.xml file, which can be found at <TOMCAT>/webapps/MediCom/WEB-INF


Defining XACML Policies

Now we are done with the setup. Let’s define XACML policies according to the requirements. The following are the expected access rules for phase 1.

Policy 1. Let’s define a policy to control the static UI items (on the home.jsp page) that are shown in the web application, as follows:

  • Patients can only read patient data, and they see only the UI option for that.
  • Physicians can only read and update patient data, and they see only the UI options for that.
  • Administrators can only create and delete patient data, and they see only the UI options for that.

You can easily define this policy using Identity Server’s XACML editor, as follows. You can find more details about the simple policy editor here.


The XACML policy can be found here.
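The following XACML 3.0 policy, written here as an added example (it is not the post's policy file), encodes the three rules above for home.jsp. It assumes the PEP sends the page name as resource-id and each UI action as action-id, and that the user's LDAP group arrives through the WSO2 claim URI http://wso2.org/claims/role via the default PIP; all three are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the post's own policy file. Assumptions: the PEP sends
     resource-id "home.jsp" and the UI action as action-id, and the default PIP
     resolves the user's LDAP group through the claim http://wso2.org/claims/role. -->
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="medi-home-page-ui-policy"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit"
        Version="1.0">
  <Description>home.jsp items per role: Patient read; Physician read, update; Administrator create, delete</Description>
  <Target>
    <AnyOf>
      <AllOf>
        <!-- the policy applies only to decisions about the home.jsp resource -->
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">home.jsp</AttributeValue>
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                               AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                               DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>

  <!-- Each rule: the Target matches the role, the Condition checks that the
       requested action is in the set of actions allowed for that role. -->
  <Rule RuleId="patient-read-only" Effect="Permit">
    <Target>
      <AnyOf><AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Patient</AttributeValue>
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                               AttributeId="http://wso2.org/claims/role"
                               DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
        </Match>
      </AllOf></AnyOf>
    </Target>
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
        <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                             AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                             DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>

  <Rule RuleId="physician-read-update" Effect="Permit">
    <Target>
      <AnyOf><AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Physician</AttributeValue>
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                               AttributeId="http://wso2.org/claims/role"
                               DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
        </Match>
      </AllOf></AnyOf>
    </Target>
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
        <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                             AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                             DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">update</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>

  <Rule RuleId="administrator-create-delete" Effect="Permit">
    <Target>
      <AnyOf><AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Administrator</AttributeValue>
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                               AttributeId="http://wso2.org/claims/role"
                               DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
        </Match>
      </AllOf></AnyOf>
    </Target>
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
        <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                             AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                             DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">delete</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
</Policy>
```

Because the rule combining algorithm is deny-unless-permit, a Patient asking about “update” gets Deny rather than NotApplicable, so the page can hide every item that is not explicitly permitted.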

Policy 2. Let’s define a policy to control access to the read operation of the web service. Here we use XPath-based policies to extract data from the SOAP Body and evaluate it.

  • Patients can read only their own data; they cannot read any other patient’s data.
  • Physicians can read only the data of their own patients.

The XACML policy can be found here.
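As an added example (not the post's policy file), the Patient half of Policy 2 as a XACML 3.0 policy that uses an AttributeSelector over the SOAP Body the axis2 handler forwards. It assumes the handler puts that Body inside the resource category's Content element, sends the logged-in user name as subject-id and “read” as action-id, and that the service namespace URI (a placeholder below) is bound to the ns prefix; the Physician rule would additionally need the patient's physician attribute (from a PIP or from the readDataResponse) and is left out.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the post's own policy file. Assumptions: the axis2 handler
     places the SOAP Body of the readData call inside the resource category's
     <Content> element, sends the logged-in user name as subject-id and "read" as
     action-id, and the "ns" prefix below is bound to the service's real namespace
     (the URI here is a placeholder). The XPath prefixes are resolved against the
     namespace declarations of this policy document. -->
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        xmlns:ns="http://PLACEHOLDER-service-namespace.example"
        PolicyId="medi-patient-reads-own-record"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit"
        Version="1.0">
  <Description>A Patient may read only the record whose patientId equals their own user name</Description>
  <Target>
    <AnyOf>
      <AllOf>
        <!-- applies to read requests made by members of the Patient group -->
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                               AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                               DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
        </Match>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Patient</AttributeValue>
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                               AttributeId="http://wso2.org/claims/role"
                               DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>

  <Rule RuleId="patient-id-in-body-equals-subject" Effect="Permit">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <!-- the authenticated user name sent by the handler -->
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                               AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                               DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
        </Apply>
        <!-- the patientId pulled out of the SOAP Body with XPath; MustBePresent="true"
             makes a Body without a patientId Indeterminate instead of silently Permit -->
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
          <AttributeSelector Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                             Path="//ns:readData/ns:patientId/text()"
                             DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
</Policy>
```

With deny-unless-permit, anything other than a clean Permit comes back as Deny: a Body carrying no patientId, or two of them (which makes string-one-and-only Indeterminate), is refused rather than passed through.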

Please upload these policies to WSO2 Identity Server’s PDP. You can find more details on uploading existing policies here.

Important note: due to an XPath issue in Identity Server 4.5.0, Policy 2 would not give the correct result. Therefore please apply the patched jar attached to the public JIRA.

Now you can play with your web application. Keep your setup up and running; we will enforce more policies for this scenario later.



  1. Hello, I am new to xacml and identity server, so please be forgiving if this sounds like a simple question. I have been trying to follow the instructions for the application and I came across a problem when trying to compile the web service application into a jar: the problem is that I do not know which is the main class, and as a result it will not compile. Can you please let me know what I am meant to do? Am I meant to create my own main function and call the other classes, or what? Thank you in advance for your help.

    1. Hi Gilbert,

      Thanks for trying this out.

      I am not very clear on your problem, but I guess you are talking about the axis2 service (MediComService). You want to compile it to a jar file? For that you can build the project using maven2 (http://maven.apache.org/). It would create the jar file. However, you can also compile the java files, create class files and pack them into a jar file. There is no main class. This is a java project that has been written to create an axis2 service.

      However, you can find the built jar file here [1]; you can use it… 🙂

      [1] https://svn.wso2.org/repos/wso2/people/asela/xacml-samples/medi.com/service/MediComService/target/com.medi.sample.service-1.0.0.jar

      1. Also I found that there is an issue with the pom.xml file: it does not contain the repository URLs. I have fixed it and committed. Please take an svn update of the pom.xml file.

  2. Hello! I am also trying to implement this sample. It would be useful for me to get more familiar with WSO2 servers and XACML. Unfortunately I am stuck at step 8; I can’t find the PIP attribute finder jar. Can you please help me? Thank you in advance 🙂

  3. I am not able to find entitlement-config.xml in WSO2 Identity Server. I am using version 4.1.0. Where do I find it?

  4. In Identity Server 4.1.0 you cannot find an xml file; it has been changed to a properties file. The entitlement.properties file can be found in the /repository/conf/security directory.

  5. Hi Xacmlinfo,
    I am trying this example project but I have some problems. I think I need some help. First, it seems that there is something wrong with the sample XACML policy, because I couldn’t import it into Identity Server 4.5.0, neither by importing it as an existing policy.xml nor by creating a new policy with copy and paste. Also, what are the username and password to log in to the medi webapp? Are they the names and passwords that are stored in the mysql database?

    Thank you

    1. Yes, this post was written for an older version of Identity Server (3.2.3). I will update the post for the new version 4.5.0. However, your issue must be that the policy is not correct with respect to the schema; there is schema validation in the 4.5.0 version. Once I am done with the update, I will let you know.

      1. Thanks for your reply. It really helped me a lot. By the way, I have another question: since WSO2 is an open source product, where can I get access to the source? I am only interested in Identity Server. I checked the svn, but it seems that all the WSO2 products are put together. It is too big to download and hard to tell which part Identity Server uses. Is there any easy way to get the source code of Identity Server?

        Thank you.

  6. Hi,
    It seems that this example does not work on IS 4.1.0 or IS 4.5.0, not only because of the policy schema, but it also gets an error at “com.medi.sample.webapp.client.MediComClient.getResults()”.
    I think this getResults method doesn’t work well on the newer version. Also, I tried a Java example on IS 4.1.0, a KMarket example. The “decision = stub.getDecision(xacmlRequest)” statement also doesn’t work on IS 4.5.0.
    So does this part change every version? Is there any way to fix this? Or is there no example to play with on the new version?


  7. Hi, I followed you from stackoverflow and am trying to set up the sample. As you mention in this post, we need to set up tomcat7 and configure the web.xml file. But how can I add the properties to the xml file? In which format? Please help, I don’t know how to modify the xml. 😀

    1. Once you deploy the web app into tomcat (when you copy the .war file to the /webapps location), you would find the following file:
      /webapps/MediCom/WEB-INF/web.xml. You need to edit it.

      1. OK, I managed to start the service. Thank you. I just missed modifying the trust keystore. 😀 Now I can start learning your code, and hope to see the next scenario.

      2. I see the jar is sized 207k while the old one is 470k, right? And one thing I missed: I run the products under Windows 7.
        Here is the log attached:

      3. As I mentioned the package size, I reviewed it and found that the package I downloaded is broken. I think that is why.
        Then I tried to add a patient and it worked, but then view patient and delete patient don’t work. View failed with ‘user is not authorized to perform this action’ in tomcat7,
        and delete patient failed with
        [2013-11-29 15:50:26,114] ERROR {com.medi.sample.service.DataPersistUtil} – java.sql.SQLException: Can not issue data manipulation statements with executeQuery().
        in IS4.5.

    2. I think I made a mistake. After replacing the balana patch, IS4.5 is not able to start up. I can start the IS with the default balana package, but when I try to log in to the webapp MediCom, tomcat throws an error: Error while evaluating with PDP. Can you point out what’s wrong?

      1. I just tried to start with the jar file in the jira; there is no such issue found. Is it possible to send the startup error? Please check whether the file permissions of that jar file are the same as for the other jar files in the “plugins” directory. Also, could you send the error logs in IS (because this is a generic error)? For more, you can enable debug logs in Identity Server to see the request/response messages. For that please add the following entry into the log4j.properties file, which can be found in the /repository/conf directory


  8. Hello. Thanks for your update. I saw that issue too and modified the method from executeQuery -> execute; it works. Hah. I created the Patient role with a patient asela (sorry about this 😀) and the Physician role with a physician ainss. I used the administrator to create a patient profile first, identified the patient with ID asela, and also filled in the physician blank with ainss. But when I try to view the record with patientID asela (both from the patient console and the physician console) I again see an error like: user is not authorized to perform the action. I have not checked the code because I am not familiar with the axis2 handler right now. Can you look into this issue? 😀

  9. Hi asela, I am trying to run your sample using WSO2 Identity Server version 4.6.
    I have deployed your web application using WSO2 Application Server, but whenever I access the URL of the sample it takes any username and password and authenticates. I followed your steps.

    1. Hi Shahji,

      You mean when you go to log in to the health care sample web application, it allows you to log in with any user name/password? Yes, because I did not implement this web app to authenticate users with Identity Server. If you just check the login validation JSP, you can see it validates any username/password, because I want to use this webapp to show how authorization works with XACML (not authentication). However, I am hoping to add the authentication part as well.


      1. Hi asela sir,
        Many thanks for the reply.
        Now sir, I have a problem regarding reading the patient data. Identity Server shows the policy loaded successfully, but it is not working. When I try to view the record with patientID (both from the patient console and the physician console) I again see an error like: user is not authorized to perform the action. Is there any problem regarding XPath
        in WSO2 Identity Server 4.6?

  10. Hi Shahji, actually I have not tested this with IS 4.6.0, but it should work. I will verify as well. However, could you please enable debug logs in the server and see what has gone wrong? There you can see the XACML requests and responses. Add the following value into the log4j.properties file, which can be found in the “conf” directory.


    1. Sir, in HomePageReadpolicy the attribute selector path is //ns:readDataResponse/ns:return/ax23:patientID()/text. Here, is ax23 fixed or changing, because in the web service it is showing ax:2462?

    2. Sir, I enabled the logger for debugging.
      For the home.jsp, whenever I log in as patient name shahaji it shows an option like view record; this is the case whenever the policy for home.jsp is enabled. The XACML response is permit for read and deny for others. Whenever I submit a patientID, the obvious response is “you are not authorized to do this action” because I haven’t enabled PatientReadDatapolicy. In the log I am able to see the XACML request, where I can see content like namespace ns:readDataResponse/ns:return/ax:2466
      and then ax:2468. Why are the two values “ax:2466 and ax:2468” there in the content?
      Now whenever I enable PatientDataReadPolicy I am not able to see the view record option on the home.jsp page; it shows only “Welcome to Patient Data Service…”.
      One more question: what will the policy combining algorithm be, and do I need to mention the order of policies when I publish a policy to the PDP?


  11. Hi Asela,

    I must say this is an excellent article on XACML, with the most detailed instructions and samples so far on the web.
    I have just a few queries. Once the web application is deployed, and as we are exposing database calls through a web service (which is exactly the scenario I was looking for), suppose I want to disable a particular web service operation for a particular user; can it be done from the user interface without messing with XACML policies and other configurations?

    For instance, let’s say I have a web service CustomerQueryService with the following operations:
    a. getCustomerById(..)
    b. getCustomerByName(…)
    c. getCustomerByPhone(…)

    Now I have two users namely userA and userB.
    I want userA to be able to access only operations a. & b. from the above-mentioned service. Later on I realize that userA should have access to only operation a.

    Will it be possible to define the authorization over web service operations (let’s say another client application calling those operations) to have control over access to the service? And the real question is: without changing any policies or configuration files manually for web service user authorization of operations, is it possible to do it from an external database level such as MySQL or Oracle?

  12. I’m new to xacml and wso2. Please, I got this error while I was trying to log in after deploying MediCom.war in Tomcat.
    HTTP Status 500 –
    type Exception report
    description The server encountered an internal error () that prevented it from fulfilling this request.
    org.apache.jasper.JasperException: Unable to compile class for JSP:

    An error occurred at line: 6 in the generated java file
    Only a type can be imported. org.xacmlinfo.xacml.pep.agent.PEPAgent resolves to a package

    An error occurred at line: 7 in the generated java file
    Only a type can be imported. com.medi.sample.webapp.client.PEPClient resolves to a package

    An error occurred at line: 13 in the jsp file: /WebContent/medi_home.jsp
    PEPClient cannot be resolved to a type
    11: String[] staticActionsInPage = new String[] {“create”, “read”, “update”, “delete”};
    13: PEPClient client = new PEPClient();
    14: List allowedActions = client.getAllowedResources(userName, staticActionsInPage);
    15: %>
