Question
I'm investigating the possibility to use WSO2 API Manager 1.0 for creating an API Store to be used internally in my company; and I'm trying to figure out if it fits all requirements.
In particular I would like to understand if it is possible to use a mechanism of entitlement of the API access based on XACML policies: I found several articles describing how to implement "XACML Fine Grained Authorization" using the WSO2 ESB and the WSO2 IS.
So my question is whether it is possible (and how) to configure the WSO2 API Manager to enforce the API access using XACML policies or, alternatively, how it is possible to configure it to use WSO2 IS as entitlement service (as API Manager seems to be pretty much based on ESB).
Thank you!
Answer 1:
It is not possible to configure WSO2 API Manager to work as an XACML engine, but certainly you can configure it to be a Policy Enforcement Point (PEP) that communicates with WSO2 Identity Server (IS), which will act as the Policy Decision Point (PDP/XACML engine), and retrieve authorization decisions.
As you pointed out the WSO2 API Manager gateway is based on WSO2 Enterprise Service Bus (ESB). In the ESB, policy enforcement is achieved by adding an Entitlement Mediator to the inSequence (as you must have come across in the articles you mentioned). The way to do policy enforcement in the API Manager will be more or less the same.
However, currently there is no UI support to add mediators to sequences in WSO2 API Manager. So you will have to edit the configuration file using the source view in the WSO2 API Manager Management Console UI. An easier way of doing it would be to first try adding an entitlement mediator using the Management Console UI in the WSO2 ESB and then copy-n-paste the relevant configuration from its source view into the api element's inSequence in the WSO2 API Manager.
There is also a concept called api handlers which can be engaged at the API level. This could be useful to you if you think the default entitlement mediator is not enough/suitable for your requirement. The advantage in this approach would be that you have the flexibility of writing a custom PEP with any logic and putting it into the request flow, however the flip side of it is you have to write your own code.
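As an added illustration (not from the answer or from WSO2's own samples) of what the copied configuration looks like, this is an API definition with an `entitlementService` mediator in its inSequence so that the gateway acts as PEP and WSO2 IS as PDP. It assumes the Synapse entitlement mediator syntax of the ESB of that era, that IS is reachable at `https://localhost:9443/services`, and placeholder PEP credentials and backend URL; the handler class name is assumed to be the gateway's standard authentication handler.

```xml
<!-- Illustrative API Manager source-view configuration (assumed, not from the post). -->
<api name="admin--Phone" context="/phone" version="1.0.0" version-type="url">
  <!-- "url-mattern" is the attribute spelling Synapse actually uses -->
  <resource methods="GET" url-mattern="/*">
    <inSequence>
      <!-- Ask WSO2 IS (the PDP) for an XACML decision before any routing happens.
           Credentials are placeholders: use a dedicated low-privilege PEP account. -->
      <entitlementService remoteServiceUrl="https://localhost:9443/services"
                          remoteServiceUserName="PEP_USERNAME"
                          remoteServicePassword="PEP_PASSWORD">
        <onReject>
          <!-- Deny / NotApplicable / Indeterminate: answer 403 from the gateway
               itself so the request never reaches the backend -->
          <property name="HTTP_SC" value="403" scope="axis2"/>
          <property name="RESPONSE" value="true"/>
          <header name="To" action="remove"/>
          <send/>
        </onReject>
        <onAccept>
          <!-- Permit: forward to the protected backend (placeholder URL) -->
          <send>
            <endpoint>
              <address uri="https://backend.example.internal/phone"/>
            </endpoint>
          </send>
        </onAccept>
        <obligations/>
        <advice/>
      </entitlementService>
    </inSequence>
    <outSequence>
      <send/>
    </outSequence>
  </resource>
  <!-- API-level handlers run before the sequences; the API key check stays in
       front of the XACML check (class name assumed) -->
  <handlers>
    <handler class="org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler"/>
  </handlers>
</api>
```

Keep the `onReject` branch short-circuiting as shown: if it falls through to `send` without `RESPONSE` set, a denied request would still be proxied to the backend.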
Source: https://stackoverflow.com/questions/11949590/wso2-api-manager-and-xacml-entitlement