TESB service provider PEP
A CXF interceptor (see here for its implementation) is available that provides the base functionality of a Policy Enforcement Point (PEP) for a TESB service provider. It uses the XACML creation and processing functionality described earlier. It holds a reference to the XACML request creation interface, initialised to the default implementation, and exposes accessor methods so that a custom implementation can be configured instead.
The interceptor obtains the Principal name and roles from a CXF SAMLSecurityContext object on the CXF message. For a JAX-WS service endpoint that receives a SAML Token, the WSS4JInInterceptor automatically creates a SAMLSecurityContext whose principal corresponds to the Subject of the SAML Token, and whose roles are extracted from the SAML Attribute identified by a configurable URI. This URI is configured on the endpoint via a JAX-WS property. For the REST case, a SAMLSecurityContext is also created with the same information.
Once the XACML request has been created, it must be dispatched to the PDP. The TESB PEP implementation, which wraps the basic CXF interceptor, provides the functionality to send the request to the TESB PDP (described in the previous chapter). The request can be sent to the PDP in one of two ways:
- A remote HTTP request to the TESB JAX-RS PDP using POST
- A local request to the co-located PDP (that could have been obtained from the OSGi registry, for example)
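The PEP flow described above (read the SAMLSecurityContext, hand principal and roles to the PDP, fail closed on any error or non-Permit decision) as an added illustration; this is not the TESB interceptor's own code. It assumes CXF 3.x package names and a hypothetical `PdpClient` interface that stands in for either dispatch path (remote JAX-RS POST or co-located PDP).

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.rt.security.saml.claims.SAMLSecurityContext; // assumed CXF 3.x location
import org.apache.cxf.security.SecurityContext;

public class SimplePepInterceptor extends AbstractPhaseInterceptor<Message> {

    /** Hypothetical abstraction over the two dispatch paths: remote HTTP POST or co-located PDP. */
    public interface PdpClient {
        boolean permit(Principal subject, List<String> roles, Message request);
    }

    private final PdpClient pdp;

    public SimplePepInterceptor(PdpClient pdp) {
        // PRE_INVOKE runs after WSS4JInInterceptor has populated the SAMLSecurityContext.
        super(Phase.PRE_INVOKE);
        this.pdp = pdp;
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        SecurityContext sc = message.get(SecurityContext.class);
        // Fail closed: without an authenticated SAML subject no decision can be requested.
        if (!(sc instanceof SAMLSecurityContext) || sc.getUserPrincipal() == null) {
            throw new Fault(new SecurityException("No SAML security context on message"));
        }
        SAMLSecurityContext samlCtx = (SAMLSecurityContext) sc;
        // Roles were extracted by WSS4J from the SAML Attribute named by the configured URI.
        List<String> roles = new ArrayList<>();
        for (Principal role : samlCtx.getUserRoles()) {
            roles.add(role.getName());
        }
        boolean permitted;
        try {
            permitted = pdp.permit(samlCtx.getUserPrincipal(), roles, message);
        } catch (RuntimeException e) {
            // A PDP that cannot be reached or returns garbage must deny, never permit.
            throw new Fault(new SecurityException("PDP request failed", e));
        }
        if (!permitted) {
            throw new Fault(new SecurityException("Access denied by PDP"));
        }
    }
}
```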