Entitlement engine (XACML engine) of WSO2 Identity Server, is based on the Balana XACML 3.0 implementation. But If you search through WSO2 Identity Server distribution, it provides separate set of configurations to configure the entitlement engine. Basically for defining the attribute finders and policy finders, it uses a property file called “entitlement.properties” which can be found at <IS_HOME>/repository/conf/security directory. Because WSO2 Identity Server wraps some interfaces of Balana implementation and provides a simple and more flexible interface for developers to deal with. As an example, developers who write the attribute and policy finder extension, do not want to worry about caching, indexing and so on, Because those are internally handled by the WSO2 Identity Server.
However, If you wish to extend custom attributes, functions and combining algorithms for WSO2 Identity Server, Actually you want to do it in Balana level. WSO2 Identity Server does not deal with those Because most of the applications use standard set of functions, attribute and combining algorithms that is defined in the XACML specification. Therefore, by default, WSO2 Identity Server initializes the Balana instance with default standard configuration. As following
balana = Balana.getInstance();
You can refer more details on initializing Balana from here.
However, If you want to ask WSO2 Identity Server to initialize the Balana by reading configuration file. You can do it by creating a new configuration file called “balana-config.xml” under the <IS_HOME>/repository/conf/security directory.
As an example, Say you want to add new rule combining algorithm to work with WSO2 Identity Server entitlement engine. Then you can follow same way that is configuring it with Balana. Please refer this blog post for more details. However i would like to summarize the step to follow.
Step 1. As we are implementing rule combining algorithm, you want to extend abstract class called “RuleCombiningAlgorithm”
Step 2. You only need to implement the “combine” method and introduce a new default constructor
Step 3. Compile your class and create a jar file.
Basically you can use this project. But remove them “Main” class before compiling it. Then build the project using maven and Jar file could be found in target directory.
Step 4. Copy jar file in to <IS_HOME>/repository/components/lib directory.
Step 5. Update the configuration file of Balana with new rule combining algorithm.
Basically create “balana-config.xml” under the <IS_HOME>/repository/conf/security directory and copy following content.
<config defaultPDP="pdp" defaultAttributeFactory="attr" defaultCombiningAlgFactory="comb" defaultFunctionFactory="func"> <pdp name="pdp"> <attributeFinderModule class="org.wso2.balana.finder.impl.CurrentEnvModule"/> <attributeFinderModule class="org.wso2.balana.finder.impl.SelectorModule"/> </pdp> <attributeFactory name="attr" useStandardDatatypes="true"/> <functionFactory name="func" useStandardFunctions="true"/> <combiningAlgFactory name="comb" useStandardAlgorithms="true"> <algorithm class="org.wso2.balana.samples.custom.algo.HighestEffectRuleAlg"/> </combiningAlgFactory> </config>
Step 6. Enable Balana configuration for WSO2 Identity Server by setting following property to true in “entitlement.properties” which can be found at <IS_HOME>/repository/conf/security directory
PDP.Balana.Config.Enable=true
Step 7. Restart WSO2 Identity Server.
Step 8. Test your new rule combining algorithm. You can use policies that can be found from here.
So, like that we can configure new custom attribute types, functions and combining algorithms with WSO2 Identity server.
Note : this would not work with WSO2 Identity Server 4.0.0 release. Due to issue [1]. But this would fix in next release.
[1] https://wso2.org/jira/browse/IDENTITY-621