问题
We are using WSO2 IS
as the Identity Bus for our solutions. We make REST API in WSO2 ESB
to implement our Integration and use OAuth mediator in that to securing our API.
in WSO2 IS we create a service provider as sp1
and apply XACML policy to that. I want to create XACML policy to permit incoming requests just when client_ip is xxx.xxx.xxx.xxx
and request URI is http://wso2ESB.uri/sampleApi/app
and method is GET
.
please help me to make this XACML policy in WSO2 IS.
回答1:
Currently WSO2 Identity Server support only scope based XACML policy evaluation for oauth2/oidc service providers, where there is no out of the box capability to evaluate policy against client_ip, request URI, HTTP method. One way to handle this situation is irrespective of oauth mediator you can write custom class mediator to intercept the request (PEP) and invoke EntitlementService to evaluate request against XACML PDP in Identity Server. Inside custom class mediator you can write necessary logic to extract necessary information for XACML request client_ip, request URI, HTTP method ...etc
[1] https://docs.wso2.com/display/IS570/Validating+the+Scope+of+OAuth+Access+Tokens+using+XACML+Policies
来源:https://stackoverflow.com/questions/54955792/how-to-using-client-ip-and-request-uri-in-xacml-policy-in-wso2-is