
TESB service provider PEP

A CXF interceptor is available that provides the base functionality of a Policy Enforcement Point (PEP) for a TESB service provider. It uses the XACML request creation and processing functionality described earlier. It holds a reference to the XACML request creation interface, which uses the default implementation, but also exposes accessor methods so that a custom implementation can be configured instead.

The interceptor obtains the principal name and roles from a CXF SAMLSecurityContext object stored on the CXF message. For a JAX-WS service endpoint that receives a SAML Token, the WSS4JInInterceptor automatically creates a SAMLSecurityContext whose principal corresponds to the Subject of the SAML Token and whose roles are extracted from the SAML Attribute identified by a configured URI. This role attribute URI can be set on the endpoint via a JAX-WS property. For the REST case, a SAMLSecurityContext carrying the same information is created as well.
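The following diagnostic interceptor is an added example, not code from the original page or from Talend ESB. It shows what the PEP will see: it runs in the PRE_INVOKE phase, after WSS4JInInterceptor has stored the SecurityContext on the message, and logs the principal and role set that end up in the XACML request. The CXF package names (org.apache.cxf.security.SecurityContext, org.apache.cxf.security.LoginSecurityContext, which SAMLSecurityContext implements) and the fail-closed behaviour when no subject is present are this example's assumptions.

```java
import java.security.Principal;
import java.util.Set;
import java.util.logging.Logger;

import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.security.LoginSecurityContext;
import org.apache.cxf.security.SecurityContext;

/**
 * Example diagnostic interceptor (not part of Talend ESB). It runs in the
 * PRE_INVOKE phase, i.e. after WS-Security processing has created the
 * SAMLSecurityContext, and reports the principal name and roles that the
 * XACML PEP will place into its request.
 */
public class SecurityContextProbeInterceptor extends AbstractPhaseInterceptor<Message> {

    private static final Logger LOG =
        Logger.getLogger(SecurityContextProbeInterceptor.class.getName());

    public SecurityContextProbeInterceptor() {
        super(Phase.PRE_INVOKE);
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        SecurityContext sc = message.get(SecurityContext.class);
        if (sc == null || sc.getUserPrincipal() == null) {
            // Assumption of this example: fail closed. Without an authenticated
            // subject there is nothing for the PEP to build a request from, and
            // an unauthenticated call must not reach the service implementation.
            throw new Fault(new SecurityException("No authenticated subject on the message"));
        }
        LOG.info("Principal: " + sc.getUserPrincipal().getName());

        // SAMLSecurityContext implements LoginSecurityContext, which exposes the
        // roles extracted from the SAML Attribute matching the configured role URI.
        if (sc instanceof LoginSecurityContext) {
            Set<Principal> roles = ((LoginSecurityContext) sc).getUserRoles();
            if (roles.isEmpty()) {
                LOG.warning("No roles found; check the role attribute URI configured on the endpoint");
            }
            for (Principal role : roles) {
                LOG.info("Role: " + role.getName());
            }
        }
    }
}
```

Register it in the endpoint's inInterceptors alongside the PEP. If the roles come back empty although the token carries a role attribute, the most likely cause is a mismatch between the attribute name in the token and the role attribute URI property on the endpoint (the CXF property key "ws-security.saml-role-attributename", an assumption of this example).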

Once the XACML request has been created, it must be dispatched to the PDP. The TESB PEP implementation, which wraps the basic CXF interceptor, provides the functionality to send the request to the TESB PDP (described in the previous chapter). The PDP request can be made in one of two ways:

  • A remote HTTP request to the TESB JAX-RS PDP using POST
  • A local request to the co-located PDP (that could have been obtained from the OSGi registry, for example)

Enabling and configuring the TESB PEP

To enable authorization on a TESB service endpoint, it is necessary to install the TESB PEP interceptor. This can be done in a number of different ways. The easiest way for a JAX-WS based endpoint is to use the following WS-Policy expression:

<tpa:Authorization xmlns:tpa="http://types.talend.com/policy/assertion/1.0" type="XACML" />

This will automatically install the PolicyEnforcementPoint interceptor and ensure that only authorized requests invoke on the endpoint. When the PEP is installed in this way, an additional property ("tesb.pdp.address") is needed to tell the PEP where to find the PDP. This can be done in the "etc/org.talend.esb.authorization.pdp.cfg" configuration file, by setting a value for the "tesb.pdp.address" property. Alternatively, it can be set as a property on the endpoint, e.g.:

<jaxws:server ...>
    <jaxws:properties>
        <entry key="tesb.pdp.address"
               value="https://localhost:9001/services/pdp/authorize"/>
    </jaxws:properties>
</jaxws:server>

See the 'syncope-esb-xacml' example for more information on adding the PolicyEnforcementPoint to a JAX-WS service endpoint. It is also possible to create the PEP interceptor and add it directly to the CXF interceptor chain for the endpoint. For example:

<bean class="org.talend.esb.authorization.xacml.rt.pep.CXFXACMLAuthorizingInterceptor"
      id="XACMLInterceptor">
    <property name="pdpAddress"
              value="https://localhost:9001/services/pdp/authorize"/>
</bean>

This can then be added to the Interceptor chain of a JAX-WS endpoint via:

<jaxws:endpoint ...>
    <jaxws:inInterceptors>
        <ref bean="XACMLInterceptor"/>
    </jaxws:inInterceptors>
</jaxws:endpoint>

The PEP can also be added to the Interceptor chain of a JAX-RS endpoint via:

<jaxrs:server ...>
    <jaxrs:inInterceptors>
        <ref bean="XACMLInterceptor"/>
    </jaxrs:inInterceptors>
</jaxrs:server>

See the 'syncope-esb-xacml-rest' example for more information on adding the PolicyEnforcementPoint to a JAX-RS service endpoint. An example of how to use the co-located PDP is given in the 'syncope-esb-xacml-coloc' example. In this example, the service provider obtains the PDP from the OSGi registry via:

<reference id="pdpBean"
           interface="org.talend.esb.authorization.xacml.pdp.PolicyDecisionPoint"/>

<bean class="org.talend.esb.authorization.xacml.rt.pep.CXFXACMLAuthorizingInterceptor"
      id="XACMLInterceptor">
    <property name="policyDecisionPoint" ref="pdpBean"/>
</bean>
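The programmatic equivalent of the bean definitions above, covering both the remote PDP (pdpAddress) and the co-located PDP (policyDecisionPoint) cases, as an added example that is not part of the original page or of Talend ESB. The setter names setPdpAddress and setPolicyDecisionPoint are inferred from the bean property names shown above, and the role attribute property key "ws-security.saml-role-attributename" with its default value are assumptions of this example.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.cxf.endpoint.Server;
import org.apache.cxf.jaxws.JaxWsServerFactoryBean;
import org.talend.esb.authorization.xacml.pdp.PolicyDecisionPoint;
import org.talend.esb.authorization.xacml.rt.pep.CXFXACMLAuthorizingInterceptor;

/**
 * Example only: publishes a JAX-WS endpoint with the TESB XACML PEP installed,
 * either against a remote PDP reached over HTTPS or against a co-located PDP
 * instance (for example one looked up from the OSGi registry).
 */
public class PepEndpointPublisher {

    /** Remote PDP: the PEP POSTs each XACML request to the given address. */
    public static Server publishWithRemotePdp(Object serviceImpl, String address, String pdpAddress) {
        CXFXACMLAuthorizingInterceptor pep = new CXFXACMLAuthorizingInterceptor();
        // Setter inferred from the "pdpAddress" bean property (assumption).
        pep.setPdpAddress(pdpAddress);
        return publish(serviceImpl, address, pep);
    }

    /** Co-located PDP: the PEP calls the PDP in-process, no HTTP round trip. */
    public static Server publishWithLocalPdp(Object serviceImpl, String address, PolicyDecisionPoint pdp) {
        CXFXACMLAuthorizingInterceptor pep = new CXFXACMLAuthorizingInterceptor();
        // Setter inferred from the "policyDecisionPoint" bean property (assumption).
        pep.setPolicyDecisionPoint(pdp);
        return publish(serviceImpl, address, pep);
    }

    private static Server publish(Object serviceImpl, String address, CXFXACMLAuthorizingInterceptor pep) {
        JaxWsServerFactoryBean factory = new JaxWsServerFactoryBean();
        factory.setServiceBean(serviceImpl);
        factory.setAddress(address);

        Map<String, Object> props = new HashMap<String, Object>();
        // URI of the SAML Attribute from which WSS4JInInterceptor extracts roles
        // into the SAMLSecurityContext (property key and value are assumptions).
        props.put("ws-security.saml-role-attributename",
                  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role");
        factory.setProperties(props);

        // CXF orders interceptors by phase, so the PEP will run after the
        // WS-Security processing that creates the SecurityContext it reads.
        factory.getInInterceptors().add(pep);
        return factory.create();
    }

    public static void main(String[] args) {
        // Usage: same PDP address as the bean configuration above.
        publishWithRemotePdp(new Object() { /* service implementation goes here */ },
                             "http://localhost:8080/services/protected",
                             "https://localhost:9001/services/pdp/authorize");
    }
}
```

Note that the remote case only enforces anything if the endpoint also has WS-Security (or the REST SAML handling) configured so that a SAMLSecurityContext exists on the message; installing the PEP via the tpa:Authorization WS-Policy assertion, as described above, is the simpler route for JAX-WS endpoints because it ties the interceptor to the endpoint's policy.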
