How to use client_ip and request_uri in an XACML policy in WSO2 IS

Problem description

We are using WSO2 IS as the Identity Bus for our solutions. We make REST APIs in WSO2 ESB to implement our integration and use the OAuth mediator in them to secure our API. In WSO2 IS we create a service provider as sp1 and apply an XACML policy to it. I want to create an XACML policy to permit incoming requests only when client_ip is xxx.xxx.xxx.xxx, the request URI is http://wso2ESB.uri/sampleApi/app and the method is GET.

Please help me.

Recommended answer

Currently WSO2 Identity Server supports only scope-based XACML policy evaluation for oauth2/oidc service providers; there is no out-of-the-box capability to evaluate a policy against client_ip, request URI or HTTP method. One way to handle this situation is, irrespective of the OAuth mediator, to write a custom class mediator to intercept the request (PEP) and invoke EntitlementService to evaluate the request against the XACML PDP in Identity Server. Inside the custom class mediator you can write the necessary logic to extract the information needed for the XACML request: client_ip, request URI, HTTP method, etc.

[1] https://docs.wso2.com/display/IS570/Validating+the+Scope+of+OAuth+Access+Tokens+using+XACML+Policies
