Enabling and configuring the TESB PEP
To enable authorization on a TESB service endpoint, the TESB PEP (Policy Enforcement Point) interceptor must be installed. This can be done in a number of different ways. The easiest way for a JAX-WS-based endpoint is to use the following WS-Policy expression:
<tpa:Authorization xmlns:tpa="http://types.talend.com/policy/assertion/1.0" type="XACML" />
This will automatically install the PolicyEnforcementPoint interceptor, so that only requests the PDP (Policy Decision Point) authorizes reach the endpoint. When the PEP is installed in this way, an additional property ("tesb.pdp.address") is needed to tell the PEP where to find the PDP. This can be set in the "etc/org.talend.esb.authorization.pdp.cfg" configuration file, by giving a value for the "tesb.pdp.address" property. Alternatively, it can be set as a property on the endpoint, e.g.:
<jaxws:server ...>
<jaxws:properties>
<entry key="tesb.pdp.address"
value="https://localhost:9001/services/pdp/authorize"/>
</jaxws:properties>
</jaxws:server>
See the 'syncope-esb-xacml' example for more information on adding the PolicyEnforcementPoint to a JAX-WS service endpoint. It is also possible to create the PEP interceptor and add it directly to the CXF interceptor chain for the endpoint. For example:
<bean
class="org.talend.esb.authorization.xacml.rt.pep.CXFXACMLAuthorizingInterceptor"
id="XACMLInterceptor">
<property name="pdpAddress"
value="https://localhost:9001/services/pdp/authorize"/>
</bean>
This can then be added to the Interceptor chain of a JAX-WS endpoint via:
<jaxws:endpoint ...>
<jaxws:inInterceptors>
<ref bean="XACMLInterceptor"/>
</jaxws:inInterceptors>
</jaxws:endpoint>
The PEP can also be added to the Interceptor chain of a JAX-RS endpoint via:
<jaxrs:server ...>
<jaxrs:inInterceptors>
<ref bean="XACMLInterceptor"/>
</jaxrs:inInterceptors>
</jaxrs:server>
See the 'syncope-esb-xacml-rest' example for more information on adding the PolicyEnforcementPoint to a JAX-RS service endpoint. An example of how to use the co-located PDP is given in the 'syncope-esb-xacml-coloc' example; because the PDP runs in the same container, the interceptor is given the PDP bean directly through its "policyDecisionPoint" property instead of a "pdpAddress". In this example, the service provider obtains the PDP from the OSGi registry via:
<reference id="pdpBean"
interface="org.talend.esb.authorization.xacml.pdp.PolicyDecisionPoint"/>
<bean class="org.talend.esb.authorization.xacml.rt.pep.CXFXACMLAuthorizingInterceptor"
id="XACMLInterceptor">
<property name="policyDecisionPoint" ref="pdpBean"/>
</bean>
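The three XML fragments above (remote PDP by address, co-located PDP by reference, and the interceptor added to a JAX-WS and a JAX-RS "in" chain) can also be wired up in plain Java against the CXF API. The following is an added example written for this page, not code from Talend ESB or from the syncope-esb-xacml examples. It assumes that the Spring property names "pdpAddress" and "policyDecisionPoint" correspond to setters named setPdpAddress and setPolicyDecisionPoint on CXFXACMLAuthorizingInterceptor; the GreeterImpl and GreeterResource services, the service addresses, and the https-only check in remotePep are the example's own choices and are not part of the TESB configuration.

```java
import javax.jws.WebService;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.xml.ws.Endpoint;

import org.apache.cxf.endpoint.Server;
import org.apache.cxf.jaxrs.JAXRSServerFactoryBean;
import org.apache.cxf.jaxrs.lifecycle.SingletonResourceProvider;
import org.apache.cxf.jaxws.EndpointImpl;
import org.talend.esb.authorization.xacml.pdp.PolicyDecisionPoint;
import org.talend.esb.authorization.xacml.rt.pep.CXFXACMLAuthorizingInterceptor;

/**
 * Programmatic equivalent of the Spring/Blueprint fragments: build the PEP
 * interceptor once and add it to the CXF "in" chain of a JAX-WS and a JAX-RS
 * endpoint. Service classes and addresses are hypothetical; the two setter
 * names are assumed from the bean property names used in the XML.
 */
public class PepEndpointPublisher {

    // Hypothetical JAX-WS service implementation.
    @WebService
    public static class GreeterImpl {
        public String greet(String name) { return "Hello, " + name; }
    }

    // Hypothetical JAX-RS resource.
    @Path("/greet")
    public static class GreeterResource {
        @GET @Produces("text/plain")
        public String greet() { return "Hello"; }
    }

    /** PEP that sends decision requests to a remote PDP (the "pdpAddress" property). */
    public static CXFXACMLAuthorizingInterceptor remotePep(String pdpAddress) {
        // Example's own hardening: refuse a plaintext PDP URL, because the PEP
        // admits or rejects every request based on the answer it gets back.
        if (pdpAddress == null || !pdpAddress.startsWith("https://")) {
            throw new IllegalArgumentException(
                "tesb.pdp.address must be an https URL, got: " + pdpAddress);
        }
        CXFXACMLAuthorizingInterceptor pep = new CXFXACMLAuthorizingInterceptor();
        pep.setPdpAddress(pdpAddress);            // assumed setter for 'pdpAddress'
        return pep;
    }

    /** PEP wired to a co-located PDP (the "policyDecisionPoint" property). */
    public static CXFXACMLAuthorizingInterceptor colocPep(PolicyDecisionPoint pdp) {
        if (pdp == null) {
            throw new IllegalArgumentException("a co-located PEP needs a PolicyDecisionPoint");
        }
        CXFXACMLAuthorizingInterceptor pep = new CXFXACMLAuthorizingInterceptor();
        pep.setPolicyDecisionPoint(pdp);          // assumed setter for 'policyDecisionPoint'
        return pep;
    }

    /** Same effect as <jaxws:inInterceptors> on a jaxws:endpoint. */
    public static Endpoint publishSoap(String address, CXFXACMLAuthorizingInterceptor pep) {
        EndpointImpl ep = new EndpointImpl(new GreeterImpl());
        ep.getInInterceptors().add(pep);          // PEP runs before the service is invoked
        ep.publish(address);
        return ep;
    }

    /** Same effect as <jaxrs:inInterceptors> on a jaxrs:server. */
    public static Server publishRest(String address, CXFXACMLAuthorizingInterceptor pep) {
        JAXRSServerFactoryBean sf = new JAXRSServerFactoryBean();
        sf.setResourceClasses(GreeterResource.class);
        sf.setResourceProvider(GreeterResource.class,
            new SingletonResourceProvider(new GreeterResource()));
        sf.setAddress(address);
        sf.getInInterceptors().add(pep);
        return sf.create();
    }

    public static void main(String[] args) {
        // Hypothetical service addresses; the PDP address is the one used on this page.
        CXFXACMLAuthorizingInterceptor pep =
            remotePep("https://localhost:9001/services/pdp/authorize");
        publishSoap("http://localhost:9000/services/greeter", pep);
        publishRest("http://localhost:9000/rest", pep);
        // Requests the PDP does not authorize are now rejected by the PEP
        // before they reach GreeterImpl or GreeterResource.
    }
}
```

A single interceptor instance is shared by both endpoints, which mirrors the XML above where both chains reference the same "XACMLInterceptor" bean. To use the co-located PDP instead, obtain the PolicyDecisionPoint from the OSGi registry (as the Blueprint reference does) and pass it to colocPep in place of the remotePep call.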