XACML is very popular as a fine grained authorization method among the community. Fine-grained authorization specifies the requirements and variables in an access control policy that is used to authorize access to a resource. However, there are plenty of other aspects of XACML other than it being just a fine grained authorization mechanism.
We have remove the default support for XACML from Identity Server 7.1 onwards. However, you can still use the XACML feature by following the below guide to enable it.
-
Download Identity Server latest pack using the following link. https://wso2.com/identity-server/
-
Download the XACML connector artifacts from here https://store.wso2.com.
-
Unzip the downloaded pack.
- Execute the database scripts in
<XACML_CONNECTOR>/dbscriptsfolder against identity DB.
If you are a linux user, you can use the setup script from setup.sh to configure the Identity Server. Make sure to change the XACML_CONNECTOR and IS_HOME variable value as per your setup.
Please follow the below steps.
-
Add the jar files in
<XACML_CONNECTOR>/dropinsfolder to the<IS_HOME>/repository/components/dropinsfolder. -
Add the jar file in <XACML_CONNECTOR>/api-server folder to the
<IS_HOME>/repository/deployment/server/webapps/api/WEB-INF/libfolder. -
Add the
<XACML_CONNECTOR>/config-files/entitlement.propertiesfile to the<IS_HOME>/repository/conf/identity. -
Add the
<XACML_CONNECTOR>/config-files/entitlement.properties.j2file to the<IS_HOME>/repository/resources/conf/templates/repository/conf/identity. -
Add the
balana-config.xmlfile to the<IS_HOME>/repository/conf/security. -
Append the json content in the
<XACML_CONNECTOR>/config-files/org.wso2.carbon.identity.xacml.server.feature.default.jsonfile to the<IS_HOME>/repository/resources/conf/default.json. -
Add default XACML policies resides in folder
<XACML_CONNECTOR>/config-files/policiesto the<IS_HOME>/repository/resources/identity/policies/xacml/defaultfolder. -
Restart Identity Server.