XACML PIP for finding hierarchical resources

If you are working with XACML.  You surely have heard about the PIP (Policy information Point). PIPs help to PDP by finding things that are needed for policy evaluation. PIPs are mostly extension points that can be implemented and plugged with PDP according to the your use case. Identity Server supports several PIP extension points. In my previous post,  I discussed on implementing PIP attribute finder. Today i am going to write PIP resource finder. PIP resource finder is an extension to feed the child resources in to the PDP for an given root resource. This is useful when we are using the hierarchical resource profile. Implementation PIP resource find is same as the PIP attribute finder. Therefore please go through my previous post for more details.  Child resources also can be retrieved from any sources such as JDBC, web services or any thing. In this sample i am not going to go through them much as we have already discussed on writing a PIP for JDBC.

There are two ways that you can write a PIP resource finder module

  • By implementing the “PIPResourceFinder” Interface. You can find the latest interface from here
  • By extending the “AbstractPIPAttributeFinder” abstract class You can find the latest abstract class from here

Step 1. Write a PIP module by extending “PIPResourceFinder”  Please find the “SampleWebAppResourceFinder” class from here.

Following are the methods,  you need to implement.

a).  init (Properties properties)   Here you can write the logic to initialize your module. Any properties that are defined in the entitlement.properties file,  can be access here.

As an example, JNDI name of the datasource  can be define as property value in entitlement.properties file. And is read here.  Also supported attributes are initialized inside this method.

b).  findChildResources(String parentResourceId, EvaluationCtx context)   Here you can write the logic to find your child resources for given parent resource. You can use XACML request, if you need some more information from it.

c).  findDescendantResources(String parentResourceId, EvaluationCtx context)   Here you can write the logic to find your descendant resources for given parent resource. You can use XACML request, if you need some more information from it.

d)   getModuleName()  name for the module

Also there are some method to implement for caching, we are not worry about them now.

Step 2. You need to create a jar file from your class. You can build the project using maven 3 and create the jar file.

Step 3. Copy created  org.xacmlinfo.xacml.pip.resource-1.0.0.jar in to <IS_HOME>/repository/components/lib directory

Step 4. Copy any dependency libraries for PIP module to <IS_HOME>/repository/components/lib directory.

Step 5. Open the entitlement.properties file which can be found at <IS_HOME>/repository/conf/security  directory  and register your PIP module. Here is my sample configuration and i have removed the default resource finder

PIP.ResourceFinders.Finder.1=org.xacmlinfo.xacml.pip.resource.SampleWebAppResourceFinder

Step 6. Restart the Server if already has been started.

Now You have successfully registered a PIP attribute finder with WSO2 Identity Server…!!!

Once you login in to the management console,  you can see that PIP resource finder has been registered successfully.  You can re-initialize it in run time.

To test this resource finder,  you can use this policy and this request.  Please upload the policy in to the WSO2 Identity Server,  then  publish it to PDP and enable it.  You can then try out policy with TryIt PEP.

You can actually debug this sample code by starting the WSO2 Identity Server in the debug mode as follows

wso2server.sh –debug 5005 (UNIX) or wso2server.bat –debug 5005 (Windows)

Then you can clearly see how methods in “SampleWebAppResourceFinder” are called by the PDP.