Authentication and Authorization with WSO2ESB and WSO2IS

13 Feb

This is a very important post because I’m going to discuss how to secure a proxy service with a Username Token and how to authorize requests with XACML policies.

For authorization we use WSO2 Identity Server and the Entitlement mediator built into WSO2 ESB.

Authentication and Authorization

You can see the high-level view of the ESB and IS communication. Let me explain the scenario.

1. The user accesses the proxy service with their user credentials.
2. The ESB authenticates the user first.
3. If authentication passes, the ESB goes to the Identity Server through the Entitlement mediator and calls the get decision method with the above credentials.
4. The Identity Server evaluates the XACML policies and returns the decision.
5. If the decision is “Permit”, the proxy service allows access to the echo service.
6. If the decision is “Deny” or “Not Applicable”, the proxy service does not allow access to the echo service.

Let’s look at the configuration of this setup. We are using ESB-4.6.0 and IS-4.1.0.

1. You have to share the same user store between WSO2ESB and WSO2IS.
Refer to the ESB user-mgt.xml and IS user-mgt.xml. Here this is done with the embedded LDAP that ships with WSO2IS, but you can configure any DB as your user store and share it between the ESB and the IS.

2. Start the IS first and then the ESB with port offset 1.
3. Create the “In sequence” in the ESB.
Here you need to add the Entitlement mediator as the first child of the In sequence.

Select the Entitlement mediator and set the entitlement server URL, username and password.
entitlement server url = https://localhost:9443/services/
username = admin
password = admin

Set the Fault mediators under OnReject and the Send mediator under OnAccept.

Set the Header mediator as follows to remove the security headers.

Click on Namespaces and add the following entry.
Prefix – wsse

3. Create the “Out sequence” in the ESB.
Just put the Send and Log mediators as follows.
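The two sequences from the steps above, written out as the Synapse XML the ESB stores them in. This is an added example and not configuration taken from the post’s screenshots; the wsse namespace URI is the standard WS-Security 1.0 one, and placing the Header mediator inside onAccept before the Send is my assumption about where the post puts it.

```xml
<!-- In sequence: authorize first, forward to the echo service only on Permit -->
<sequence xmlns="http://ws.apache.org/ns/synapse" name="InSequence">
  <!-- Entitlement mediator as the first child: it sends the authenticated
       Username Token user and the action "read" to the IS PDP -->
  <entitlementService remoteServiceUrl="https://localhost:9443/services/"
                      remoteServiceUserName="admin"
                      remoteServicePassword="admin">
    <onReject>
      <!-- Deny or NotApplicable: build a SOAP fault and return it to the
           client instead of forwarding the request -->
      <makefault version="soap11">
        <code xmlns:soap11Env="http://schemas.xmlsoap.org/soap/envelope/"
              value="soap11Env:Client"/>
        <reason value="UNAUTHORIZED"/>
      </makefault>
      <property name="RESPONSE" value="true"/>
      <header name="To" action="remove"/>
      <send/>
    </onReject>
    <onAccept>
      <!-- Permit: strip the WS-Security header before forwarding, because the
           backend echo service is not secured and would reject the
           mustUnderstand header (namespace URI assumed: standard WSS 1.0) -->
      <header xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
              name="wsse:Security" action="remove"/>
      <send/>
    </onAccept>
  </entitlementService>
</sequence>

<!-- Out sequence: return the backend response to the client and log it -->
<sequence xmlns="http://ws.apache.org/ns/synapse" name="OutSequence">
  <send/>
  <log level="full"/>
</sequence>
```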

4. Now we need to create the proxy service for the echo service that already exists in WSO2ESB.
Add new proxy -> Custom Proxy; you will see the following window, where you have to specify the following details.
Name – EchoProxy
Publishing WSDL – Specify source URI
Then put the WSDL of the echo service as “http://localhost:8281/services/echo?wsdl”.

Move next and select the “InSequence” that we created before.

Move next again and select the “OutSequence” as well.

Finally, click Finish.
Now you have to create a new role “testRole” with admin permission and a new user “testuser” with password “testuser”, and assign “testRole” to that user, because we use this role to control access. Then secure the created proxy with Username Token as follows.

Now the proxy service creation is complete; let’s move to the Identity Server configuration.

5. In the Identity Server we need to add the XACML policy.
Here I’m going to create a simple user-based XACML policy.

Name – EchoServicePolicy
Specify the role name as “testRole”, and specify the action as “read”, because our Entitlement mediator sends the action string as “read”.

Finish the policy and enable it for testing.
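The user-based policy from step 5 as it could look in XACML 3.0. This is an added example, not the XML the IS policy editor generates; the role claim URI http://wso2.org/claims/role is the WSO2 IS role claim, which I am assuming the PDP resolves for the authenticated subject, and the final catch-all Deny rule goes beyond the post’s simple policy so that a rejected request gets an explicit Deny rather than NotApplicable (the Entitlement mediator rejects either).

```xml
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="EchoServicePolicy" Version="1.0"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Description>Permit users holding testRole to perform the "read" action that the
    ESB Entitlement mediator sends; any other request is denied.</Description>
  <Target/>
  <Rule RuleId="permit-testRole-read" Effect="Permit">
    <Target>
      <!-- Subject: the authenticated user must hold the role "testRole".
           MustBePresent="false" so a user with no roles yields no match (and
           falls through to Deny) instead of an Indeterminate result.
           Assumption: the IS PIP resolves this WSO2 role claim for the subject. -->
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">testRole</AttributeValue>
            <AttributeDesignator
                Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                AttributeId="http://wso2.org/claims/role"
                DataType="http://www.w3.org/2001/XMLSchema#string"
                MustBePresent="false"/>
          </Match>
        </AllOf>
      </AnyOf>
      <!-- Action: the Entitlement mediator always sends the string "read" -->
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
            <AttributeDesignator
                Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                DataType="http://www.w3.org/2001/XMLSchema#string"
                MustBePresent="true"/>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
  </Rule>
  <!-- Catch-all: any other subject or action is explicitly denied, which is
       the result you see after removing testRole from testuser -->
  <Rule RuleId="deny-everything-else" Effect="Deny"/>
</Policy>
```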

Now you can evaluate the policy through the TryIt tool.

But if you click on “Evaluate with PDP” you will not get Permit, because you have not yet promoted the XACML policy to the PDP.

To promote the XACML policy to the PDP, click the “Sync with PDP” button in front of the policy. Now try “Evaluate with PDP” again.

Now we are done with the configuration on the Identity Server.

6. Go to the ESB, select the EchoProxy service and go to TryIt.

Here we are using “testuser”, which is in the role “testRole”, so the XACML engine permits access to the resource.

Now remove “testRole” from user “testuser” and try to access the service again. Now you can see that the XACML engine does not permit the user to access the resource.



4 responses to “Authentication and Authorization with WSO2ESB and WSO2IS”

  1. Maxim

    February 19, 2013 at 4:41 am

    Thanks for your post. It was very useful for me. But I have a question.
    You wrote that the Entitlement Mediator sends the XACML request with action “read”. But what if I have several operations in my WSDL and I want each operation to have its own XACML rule in the policy?
    For example:
    I have operations “readOrganizations” and “addOrganization” in my WSDL and I would like the first operation to be executable by everyone but the second one – admin only. So I need the mediator to send the readOrganizations action to the PDP when the first operation has been called and the addOrganization action when the second operation has been called. How could I realize this task?

    P.S.: sorry for my bad English 😉

    • malalanayake

      February 19, 2013 at 5:53 am

      Yes, you can do this. What you have to do is just attach the Property mediator in WSO2ESB and you can take it from the IS; then you have to write your own new policy according to your requirement.

  2. karan sharma

    June 7, 2017 at 9:35 am

    Thanks for your post. It was very useful for me. But I have a question.
    As I am working on WSO2 Enterprise Integrator, I have enabled the security through Developer Studio. Now I want to know about policy creation, as while creating a policy through WSO2IS I am getting an error “Not Applicable”.

    So can you just explain to me how to move further?

