Does UltraESB support XACML Processing?
I tried to find out whether UltraESB supports XACML processing for authorization or not. I couldn't find it in any of the blogs. I am looking for the use case below:
Success sequence:
1. HTTP (REST) request to the ESB.
2. The ESB forwards the request to an external server to authenticate the user (e.g. Basic Auth).
3. If authentication succeeds, the external server returns 200 OK.
4. If 200 OK, read the XACML policy (which may be kept in the ESB or read from an external server) and check whether the user is authorized to access the given resource or not.
5. If the user is authorized, forward the request to the backend server (the server which serves the real resource, a different server from the authentication server).
6. Forward the response from the backend server to the requesting client.
Failure cases:
1. If authentication fails, send back the error code and message returned by the authentication server to the client.
2. If authorization fails, send back a 403 error to the client.
Thanks in advance.
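The success sequence and the two failure cases above, as an added example that is not part of the original post and is not UltraESB, PicketBox or Spring Security code: a minimal XACML 3.0-style policy decision point in Python (Target matching with the standard string-equal and string-starts-with functions, and a simplified deny-overrides combiner) wired to a gateway function that first authenticates against a stand-in auth server, then consults the policy, and only then forwards to a stand-in backend. The policy, the users, `fake_auth_server` and `fake_backend` are all constructed for the example, and it assumes the auth server returns the caller's identity and roles in its 200 body, which step 3 does not specify.

```python
import base64
import xml.etree.ElementTree as ET
NS = {"x": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}
STR = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
# Only the two standard match functions the sample policy needs are implemented.
FUNCS = {
    "urn:oasis:names:tc:xacml:1.0:function:string-equal": lambda a, b: a == b,
    "urn:oasis:names:tc:xacml:3.0:function:string-starts-with": lambda a, b: b.startswith(a),
}

# Constructed sample policy: GET under /orders/ is permitted, role "guest" is denied, Deny wins.
POLICY_XML = f"""<Policy xmlns="{NS['x']}" PolicyId="orders" Version="1.0"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
  <Target/>
  <Rule RuleId="read-orders" Effect="Permit"><Target><AnyOf><AllOf>
    <Match MatchId="urn:oasis:names:tc:xacml:3.0:function:string-starts-with">
      <AttributeValue DataType="{STR}">/orders/</AttributeValue>
      <AttributeDesignator Category="{RESOURCE}" AttributeId="{RESOURCE_ID}" DataType="{STR}" MustBePresent="true"/>
    </Match>
    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      <AttributeValue DataType="{STR}">GET</AttributeValue>
      <AttributeDesignator Category="{ACTION}" AttributeId="{ACTION_ID}" DataType="{STR}" MustBePresent="true"/>
    </Match>
  </AllOf></AnyOf></Target></Rule>
  <Rule RuleId="deny-guests" Effect="Deny"><Target><AnyOf><AllOf>
    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      <AttributeValue DataType="{STR}">guest</AttributeValue>
      <AttributeDesignator Category="{SUBJECT}" AttributeId="role" DataType="{STR}" MustBePresent="false"/>
    </Match>
  </AllOf></AnyOf></Target></Rule>
</Policy>"""

def _match(m, request):
    """One <Match>: true if the function holds for the literal and any value in the request bag."""
    value = m.find("x:AttributeValue", NS).text
    d = m.find("x:AttributeDesignator", NS)
    bag = request.get(d.get("Category"), {}).get(d.get("AttributeId"), [])
    if not bag and d.get("MustBePresent") == "true":
        raise LookupError(d.get("AttributeId"))  # XACML: Indeterminate, not merely "no match"
    return any(FUNCS[m.get("MatchId")](value, v) for v in bag)

def _applies(target, request):
    """Target = AND of AnyOf; AnyOf = OR of AllOf; AllOf = AND of Match; a missing or empty Target matches."""
    return target is None or all(
        any(all(_match(m, request) for m in allof.findall("x:Match", NS))
            for allof in anyof.findall("x:AllOf", NS))
        for anyof in target.findall("x:AnyOf", NS))

def decide(policy_xml, request):
    """Simplified deny-overrides: Deny > Indeterminate > Permit > NotApplicable."""
    root = ET.fromstring(policy_xml)
    if not _applies(root.find("x:Target", NS), request):
        return "NotApplicable"
    effects = set()
    for rule in root.findall("x:Rule", NS):
        try:
            if _applies(rule.find("x:Target", NS), request):
                effects.add(rule.get("Effect"))
        except LookupError:  # a MustBePresent attribute was missing from the request
            effects.add("Indeterminate")
    return next((e for e in ("Deny", "Indeterminate", "Permit") if e in effects), "NotApplicable")

def gateway(method, path, headers, authenticate, backend, policy_xml=POLICY_XML):
    """Steps 2 to 6 plus both failure cases. `authenticate` and `backend` are hypothetical callables
    standing in for the external auth server and the real backend; the auth server is assumed
    to return the caller's identity and roles in its 200 body."""
    status, body = authenticate(headers)
    if status != 200:
        return status, body  # failure case 1: relay the auth server's own status and message
    request = {SUBJECT: {"urn:oasis:names:tc:xacml:1.0:subject:subject-id": [body["user"]],
                         "role": list(body.get("roles", []))},
               RESOURCE: {RESOURCE_ID: [path]}, ACTION: {ACTION_ID: [method]}}
    if decide(policy_xml, request) != "Permit":  # fail closed on Deny, NotApplicable and Indeterminate
        return 403, {"error": "forbidden"}  # failure case 2
    return backend(method, path, headers)  # steps 5 and 6

def basic_auth_header(user, password):
    return {"Authorization": "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()}

def fake_auth_server(headers):
    """Constructed stand-in for the external Basic-auth server, with made-up users."""
    users = {"alice": ("s3cret", ["staff"]), "bob": ("hunter2", ["guest"])}
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, {"error": "credentials required"}
    try:
        user, _, password = base64.b64decode(auth[6:], validate=True).decode().partition(":")
    except ValueError:  # bad base64 or non-UTF-8 bytes
        return 400, {"error": "malformed Authorization header"}
    if user not in users or users[user][0] != password:
        return 401, {"error": "bad credentials"}
    return 200, {"user": user, "roles": users[user][1]}

def fake_backend(method, path, headers):
    return 200, {"served": f"{method} {path}"}
```

Two points worth keeping when this is rebuilt on a real ESB: the authorization call is made only after a 200 from the auth server and uses the identity that server returned, never the raw header, and the gateway refuses everything that is not an explicit Permit, so a policy that does not cover a resource (NotApplicable) or a request missing a MustBePresent attribute (Indeterminate) is a 403 rather than a pass-through.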
The UltraESB does not ship XACML support, but it would be quite straightforward to support it. Incoming/outgoing Basic and Digest auth, and outgoing NTLM and Amazon S3 auth, are already supported, in addition to SSL/2-way SSL at the ESB. In your step #2 I guess you want to authenticate Basic auth credentials against some external server or DB. This is easily possible using Spring Security and configuration alone.
For #4, we could integrate with JBoss PicketBox. If you are willing to work with us and help us with some on-site testing at your end, we would be happy to work with you, even with some customisations etc. if required. We did the same to implement NTLM support for the UltraESB with another user.
That sounds good. Please let me know when I need to test the configuration for the XACML policy with PicketBox. I would like to see a working configuration from end to end, as described in the success sequence steps 1 to 6.
If you are planning to use PicketBox for authentication (just to mimic the scenario of an external server for authentication) as well as authorization, then I would suggest having a separate call for authorization based on the authentication response (status 200 OK). Only if authorization succeeds should the request be forwarded to the backend server.