PEP client for WSO2 Identity Server PDP

In my previous post, I explained some important things about “EntitlementService”. Based on those, when writing a PEP client we need to consider the following.

First, please note that EntitlementService is an admin service in the WSO2 Carbon platform. Therefore the WSDL of an admin service is not visible by default, and you cannot access the admin service without authentication and authorization. More details about WSO2 admin services can be found here.

1. As HTTPS (SSL over HTTP) is used for communication, your client (PEP) needs to trust the EntitlementService. Therefore the WSO2 Identity Server’s SSL certificate must be in your PEP’s trust store.

2. The PEP must be authenticated and authorized to access the “EntitlementService”. By default, authentication is done with a username/password. You can create a new user in the WSO2 Identity Server by providing a username/password, or any existing user (e.g. the “admin” user) can be used. However, the user must have the Manage permission (Admin Permissions -> Manage) to be authorized for “EntitlementService” (or you can assign the created user to a role that contains the Manage permission).

3. If a username/password is used, the PEP can authenticate to the Identity Server using the “AuthenticationAdmin” service or Basic Authentication. If “AuthenticationAdmin” is used, the PEP receives a cookie for subsequent communication. You can reuse the cookie until it expires.

4. The PEP must send the actual XACML request to EntitlementService with the cookie or the Basic Authentication credentials.

Up to WSO2 Identity Server 3.2.3, AuthenticationAdmin was the default authenticator. That means you need to authenticate against the “AuthenticationAdmin” service and then use the cookie for subsequent communication. But from the 4.0.0 release onwards the default authenticator is the Basic Auth authenticator, so you can send the PEP’s credentials in a Basic Authentication header. Then you need to send the actual XACML request to EntitlementService with the Basic Auth security header or the received cookie. Please find the PEP client source from here.

5. If you are using the Thrift protocol for communication, there is a separate authenticator and Thrift server for that. Therefore the PEP must first call the Thrift authentication service and then call the Thrift server with the actual XACML request. The session id received from the authentication service can be used for the XACML request. You can find a Thrift-based PEP client from here. However, with the new version of the Identity Server, the PEP can send the username/password directly instead of the session id.
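The Basic Auth path of steps 1 to 4, as an added Python example that is not the post's Java client: it pins the PEP's trust to the exported Identity Server certificate, sends a Basic Authentication header, wraps the XACML request in a SOAP call to EntitlementService (the `getDecision`/`request` element layout and the `http://org.apache.axis2/xsd` namespace are assumptions), and parses the decision and status out of the reply, including the Indeterminate/missing-attribute case. The sample responses are constructed, not captured from a server.

```python
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
AXIS2_NS = "http://org.apache.axis2/xsd"   # assumed namespace of the getDecision operation
XACML3_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
X = "{%s}" % XACML3_NS                     # ElementTree tag prefix for XACML 3.0 elements

def basic_auth_header(username, password):
    """Steps 2 and 4: PEP credentials in a Basic Authentication header (default since IS 4.0.0)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token,
            "Content-Type": "text/xml; charset=utf-8", "SOAPAction": "urn:getDecision"}

def build_get_decision_envelope(xacml_request):
    """Wrap the XACML request in the SOAP body of getDecision (layout assumed; request is XML-escaped)."""
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:xsd="{AXIS2_NS}"><soapenv:Body>'
            f"<xsd:getDecision><xsd:request>{escape(xacml_request)}</xsd:request></xsd:getDecision>"
            "</soapenv:Body></soapenv:Envelope>")

def parse_decision(soap_response):
    """Return (decision, status code, status message or None) from the getDecision SOAP response."""
    ret = ET.fromstring(soap_response).find(f".//{{{AXIS2_NS}}}return")
    result = ET.fromstring(ret.text).find(X + "Result")   # inner XACML Response arrives as escaped text
    status = result.find(X + "Status")
    return (result.findtext(X + "Decision"), status.find(X + "StatusCode").get("Value"),
            status.findtext(X + "StatusMessage"))

def get_decision(server_url, username, password, xacml_request, ca_file):
    """Steps 1 and 4: POST to {server_url}/EntitlementService (no '/carbon' in the path) over TLS."""
    ctx = ssl.create_default_context(cafile=ca_file)   # PEP trust store = exported Identity Server cert
    req = urllib.request.Request(server_url.rstrip("/") + "/EntitlementService",
                                 data=build_get_decision_envelope(xacml_request).encode(),
                                 headers=basic_auth_header(username, password))
    with urllib.request.urlopen(req, context=ctx) as resp:
        return parse_decision(resp.read())

def fake_soap_response(xacml_response):   # constructed stand-in for a server reply, for offline use
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Body>'
            f'<ns:getDecisionResponse xmlns:ns="{AXIS2_NS}"><ns:return>{escape(xacml_response)}</ns:return>'
            "</ns:getDecisionResponse></soapenv:Body></soapenv:Envelope>")

# Constructed sample PDP answers: a Permit, and the Indeterminate seen when a PIP attribute is missing.
PERMIT_XACML = (f'<Response xmlns="{XACML3_NS}"><Result><Decision>Permit</Decision><Status>'
                '<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status></Result></Response>')
INDETERMINATE_XACML = (f'<Response xmlns="{XACML3_NS}"><Result><Decision>Indeterminate</Decision>'
                       '<Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:missing-attribute"/>'
                       "<StatusMessage>Couldn't find AttributeDesignator attribute</StatusMessage></Status></Result></Response>")
```

To call a live server, pass `get_decision("https://localhost:9443/services/", user, password, xacml_request, "wso2carbon.pem")` with the certificate exported from the Identity Server keystore.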



  1. Hi,
    I am trying to run the PEP client example here, but I got the following error:

    [2013-07-10 13:08:05,346] INFO {org.apache.axis2.transport.http.HTTPSender} – Unable to sendViaPost to url[https://localhost:9443/carbon/services/AuthenticationAdmin]
    org.apache.axis2.AxisFault: Transport error: 302 Error: Moved Temporarily
    at org.apache.axis2.transport.http.HTTPSender.handleResponse(
    at org.apache.axis2.transport.http.HTTPSender.sendViaPost(
    at org.apache.axis2.transport.http.HTTPSender.send(
    at org.apache.axis2.transport.http.CommonsHTTPTransportSender.writeMessageWithCommons(
    at org.apache.axis2.transport.http.CommonsHTTPTransportSender.invoke(
    at org.apache.axis2.engine.AxisEngine.send(
    at org.apache.axis2.description.OutInAxisOperationClient.send(
    at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(
    at org.apache.axis2.client.OperationClient.execute(
    at org.wso2.carbon.authenticator.stub.AuthenticationAdminStub.login(
    at example.EntitlementServiceClient.authenticate(
    at example.EntitlementServiceClient.getDecision(
    at example.EntitlementServiceClient.isUserAuthorize(
    at example.PEPClient.main(

    Does anyone have an idea why this happens and how to solve it?


  2. Hi Nshen,

    It seems the server URL that you have used is not valid. Please configure it as follows in your code and try it out. Basically, in the server URL there is no “carbon”; it must be in the following format:

    https://{ip address}:{port}/services/

    properties.setProperty(Constants.SERVER_URL, "https://localhost:9443/services/");

    1. Thanks for your reply. Now I have a new problem. I want to try the Kmarket example by using this client. Here is the XACML response:


      Couldn’t find AttributeDesignator attribute

      Is this because of the AttributeFinder? Could you please tell me what I should do?

      Thank you!

    2. Indeterminate

      Couldn’t find AttributeDesignator attribute

      MissingAttributeDetail AttributeId="" DataType="" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"

    3. Hi xacmlinfo:
      I followed the guide you gave, used Maven to generate a jar file “org.wso2.carbon.identity.samples.entitlement.pip-4.0.0” and copied this jar file to the /repository/components/lib directory. In the file in the /repository/conf/security directory, I registered the attribute as “PIP.AttributeDesignators.Designator.2=org.wso2.carbon.identity.samples.entitlement.pip-4.0.0.KmarketPIPAttributeFinder”. But when I start the wso2server, I notice an error:
      Failed to initialize Entitlement Service
      And when I run the Kmarket client, it returns an XACML response like:
      <Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
      <Decision>NotApplicable</Decision>
      <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
      Do you have any idea what’s wrong here? I guess the step of registering the attribute? Or maybe I actually failed at creating the jar file (I am not familiar with Maven).

      Thank you!

      1. Hi Nshen,

        I guess the class name that you have configured is not valid. Class name does not mean the jar file name; it must be the fully qualified class name (package name + class name), which is “org.wso2.carbon.identity.samples.entitlement.pip.KmarketPIPAttributeFinder”


    4. Hi xacmlinfo:
      Thanks for your continuous help first. It really helps me a lot.
      I double-checked the class name and I think it is okay. So I went back to the jar generation step. I found that there is a warning in Maven: “[WARNING] JAR will be empty – no content was marked for inclusion!”. Is this expected or not? So how do I generate the jar file? I downloaded the Java file and pom.xml. In the command line, I go to the files’ location and run “mvn package”.


    5. Hi xacmlinfo:
      The problem is solved now. This example runs well. Thanks for all your help again.
      Btw, in the pom.xml, the version “4.2.0-SNAPSHOT” is not available now; I tried 4.0.0, but it seems it does not work??? It works well on 4.1.0 🙂
