10 replies Latest Post - ‏2014-08-19T06:58:15Z by alymelek
SRW
29 Posts

Pinned topic Authorization using AAA Info file

‏2010-10-12T11:10:58Z |
Hi,

We are currently using the AAA info file for authorization. I am able to define a resource and allow or deny access for that resource. But if we have to deny a user access to some of the WSDL operations, how should I go about it?

Please let me know.
Updated on 2013-03-07T17:20:32Z by SystemAdmin
  • Jaango
    266 Posts

    Re: Authorization using AAA Info file

    ‏2010-10-15T11:45:03Z  in response to SRW
    Use the one below:

    <Authorize>
    <InputCredential>Consumer-Name </InputCredential>
    <InputResource>ServiceName.Operation-Name</InputResource>
    <Access>deny</Access>
    </Authorize>
    • SystemAdmin
      6772 Posts

      Authenticate and Authorization using AAA Info file

      ‏2012-04-18T23:03:38Z  in response to Jaango
      Hi, I have two questions about this line: <InputResource>ServiceName.Operation-Name</InputResource>

      1. Which is the Service Name? Is it the name of the web service proxy, the name of the WSDL file, or the URI?

      2. Can you give me an example of Authorize, Authenticate and Authorization?

      I tried to construct the file for Authenticate and it's OK in DataPower, but Authorization fails.

      Thanks! adolfoereyes@gmail.com

      <?xml version="1.0" encoding="utf-8"?>
      <!--
      Licensed Materials - Property of IBM
      IBM WebSphere DataPower Appliances
      Copyright IBM Corporation 2007,2009. All Rights Reserved.
      US Government Users Restricted Rights - Use, duplication or disclosure
      restricted by GSA ADP Schedule Contract with IBM Corp.
      -->

      <aaa:AAAInfo xmlns:aaa="http://www.datapower.com/AAAInfo">

      <aaa:FormatVersion>1</aaa:FormatVersion>
      <aaa:Filename>local:///AAAInfoFileV1.xml</aaa:Filename>
      <aaa:Summary>Prueba info file v1</aaa:Summary>

      <aaa:Authenticate>
      <aaa:Username>appCliente1</aaa:Username>
      <aaa:Password>123456</aaa:Password>
      <aaa:OutputCredential>appCliente1</aaa:OutputCredential>
      </aaa:Authenticate>

      <aaa:Authenticate>
      <aaa:Username>appCliente2</aaa:Username>
      <aaa:Password>123456</aaa:Password>
      <aaa:OutputCredential>appCliente2</aaa:OutputCredential>
      </aaa:Authenticate>

      <aaa:MapCredentials>
      <aaa:InputCredential>appCliente1</aaa:InputCredential>
      <aaa:OutputCredential>VALIDUSERS</aaa:OutputCredential>
      </aaa:MapCredentials>

      <aaa:MapCredentials>
      <aaa:InputCredential>appCliente2</aaa:InputCredential>
      <aaa:OutputCredential>VALIDUSERS</aaa:OutputCredential>
      </aaa:MapCredentials>

      <aaa:MapResource>
      <aaa:OriginalURL>insertarCliente</aaa:OriginalURL>
      <aaa:OutputResource>PRIVATE</aaa:OutputResource>
      </aaa:MapResource>

      <aaa:Authorize>
      <aaa:InputCredential>VALIDUSERS</aaa:InputCredential>
      <aaa:InputResource>PRIVATE</aaa:InputResource>
      <aaa:Access>allow</aaa:Access>
      </aaa:Authorize>

      </aaa:AAAInfo>
      • swlinn
        1346 Posts

        Re: Authenticate and Authorization using AAA Info file

        ‏2012-04-19T14:46:58Z  in response to SystemAdmin
        The input resource will be what you chose in the extract resource (ER) step of AAA, which stands for Authentication, Authorization, and Audit. If you chose Local Name of Request Element from the list of choices, then if the message is a SOAP message, the local name of the child element of the SOAP Body element will be your input resource; otherwise, it will be the local name of the root element of the message. There are other choices in ER you could make of course, so you could have multiple resource identities, but that authorization would not succeed unless the client identity from the extract identity step (EI) and this resource are allowed in the table.

        An example of an AAAInfo.xml file can be found on your appliance in the store:/// directory.

        Best Regards,
        Steve
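
The lookup described in the reply above, modelled offline as an added example (not part of the original thread and not DataPower's own code). It assumes exact string comparison, first matching entry wins, and deny when nothing matches; the `urn:example:clientes` namespace and the URL-style resource in the usage note are constructed.

```python
import xml.etree.ElementTree as ET

AAA = "{http://www.datapower.com/AAAInfo}"
SOAP = "{http://schemas.xmlsoap.org/soap/envelope/}"

# Constructed inputs: the file is reduced from the one posted above; urn:example is a placeholder.
INFO = """<aaa:AAAInfo xmlns:aaa="http://www.datapower.com/AAAInfo">
  <aaa:MapCredentials>
    <aaa:InputCredential>appCliente1</aaa:InputCredential>
    <aaa:OutputCredential>VALIDUSERS</aaa:OutputCredential>
  </aaa:MapCredentials>
  <aaa:MapResource>
    <aaa:OriginalURL>insertarCliente</aaa:OriginalURL>
    <aaa:OutputResource>PRIVATE</aaa:OutputResource>
  </aaa:MapResource>
  <aaa:Authorize>
    <aaa:InputCredential>VALIDUSERS</aaa:InputCredential>
    <aaa:InputResource>PRIVATE</aaa:InputResource>
    <aaa:Access>allow</aaa:Access>
  </aaa:Authorize>
</aaa:AAAInfo>"""
REQUEST = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body><ws:insertarCliente xmlns:ws="urn:example:clientes"/></soapenv:Body>
</soapenv:Envelope>"""

def local_name_of_request_element(message):
    """Child of SOAP Body if SOAP, otherwise the root element (local name only)."""
    root = ET.fromstring(message)
    body = root.find(SOAP + "Body")
    target = body[0] if body is not None and len(body) else root
    return target.tag.rsplit("}", 1)[-1]

def lookup(info, section, key_tag, out_tag, value):
    """Output of the first entry whose key equals value, else value unchanged."""
    for entry in info.iter(AAA + section):
        if entry.findtext(AAA + key_tag, "").strip() == value:
            return entry.findtext(AAA + out_tag, "").strip()
    return value

def authorize(info_xml, credential, resource):
    """Simplified model: exact matches, first entry wins, deny when nothing matches."""
    info = ET.fromstring(info_xml)
    cred = lookup(info, "MapCredentials", "InputCredential", "OutputCredential", credential)
    res = lookup(info, "MapResource", "OriginalURL", "OutputResource", resource)
    for rule in info.iter(AAA + "Authorize"):
        if (rule.findtext(AAA + "InputCredential", "").strip() == cred
                and rule.findtext(AAA + "InputResource", "").strip() == res):
            return rule.findtext(AAA + "Access", "").strip()
    return "deny"
```

With the resource taken from the request element, `authorize(INFO, "appCliente1", "insertarCliente")` returns `allow`; a resource from a different ER choice, such as a URL path, does not equal the `OriginalURL` entry and falls through to `deny`.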
        • SystemAdmin
          6772 Posts

          Re: Authenticate and Authorization using AAA Info file

          ‏2012-04-19T16:28:44Z  in response to swlinn
          Hello Mr. swlinn, thanks a lot, I solved the problem with your recommendation!

          Best Regards,

          Adolfo Reyes
          adolfoereyes@gmail.com
          Bogotá, Colombia
          • SystemAdmin
            6772 Posts

            Re: Authenticate and Authorization using AAA Info file

            ‏2013-03-06T00:18:25Z  in response to SystemAdmin
            Hi, I have a requirement for AAA authorization based on the operation. I have looked at the various ER options available on DP. We have AZ in place based on "URL sent by client". After going through the docs and ER options I ruled out the URL options, Processing Metadata, and HTTP post/get.
            Even the "Local Name of Request Element" doesn't seem to help, as in my case I would need to authorize based on the operation, as shown below in bold. Any help is greatly appreciated.

            </soapenv:Header>
            <soapenv:Body>
            <iss:Sample version="1.0.0">
            <iss:Account accountId="xxxxxxxx">
            <iss:Practice>
            <iss:GetPractice/>
            </iss:Practice>
            </iss:Account>
            </iss:LoyaltyRequest>
            </soapenv:Body>

            Thanks,
            DP
            • kenhygh
              1461 Posts

              Re: Authenticate and Authorization using AAA Info file

              ‏2013-03-06T02:25:35Z  in response to SystemAdmin
              Well, since this isn't one of the conventions that DP supports, you'll have to do 'custom' and write your own stylesheet to extract this element.

              Ken
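
The selection logic such a custom extraction would need, sketched in Python as an added example (not from the thread, not a DataPower stylesheet, and not the appliance's API). The request is constructed from the shape posted above with a placeholder `iss` namespace and a matching closing tag; `nested_operation` and its path are hypothetical names.

```python
import xml.etree.ElementTree as ET

SOAP_BODY = "{http://schemas.xmlsoap.org/soap/envelope/}Body"

# Constructed request shaped like the one in the post above; the iss namespace
# URI is a placeholder and the outer element is closed as iss:Sample.
REQUEST = """<soapenv:Envelope
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:iss="urn:example:iss">
  <soapenv:Header/>
  <soapenv:Body>
    <iss:Sample version="1.0.0">
      <iss:Account accountId="xxxxxxxx">
        <iss:Practice><iss:GetPractice/></iss:Practice>
      </iss:Account>
    </iss:Sample>
  </soapenv:Body>
</soapenv:Envelope>"""

def local(elem):
    """Local name of an element, namespace stripped."""
    return elem.tag.rsplit("}", 1)[-1]

def request_element(message):
    """Element the 'Local Name of Request Element' option would name."""
    root = ET.fromstring(message)
    body = root.find(SOAP_BODY)
    return body[0] if body is not None and len(body) else root

def nested_operation(message, path=("Sample", "Account", "Practice")):
    """Hypothetical custom rule: follow `path` by local name from the request
    element and return the local name of the single child at the end.
    Returns None (treat as deny) when the shape differs or is ambiguous."""
    node = request_element(message)
    if local(node) != path[0]:
        return None
    for step in path[1:]:
        matches = [c for c in node if local(c) == step]
        if len(matches) != 1:
            return None
        node = matches[0]
    children = list(node)
    return local(children[0]) if len(children) == 1 else None
```

The built-in rule names `Sample` for every request of this shape, while the custom rule yields `GetPractice`; a message carrying two operations or a different wrapper returns `None` so the caller can refuse it instead of authorizing on a guess.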
              • SystemAdmin
                6772 Posts

                Re: Authenticate and Authorization using AAA Info file

                ‏2013-03-07T17:20:32Z  in response to kenhygh
                Ken, thank you!
      • alymlk
        1 Post

        Re: Authenticate and Authorization using AAA Info file

        ‏2014-05-30T06:51:41Z  in response to SystemAdmin

        Hi all,

        We got the same problem, which is denying/allowing user access for some of the WSDL operations, and here is our solution:

        • Choosing Local Name of Request Element from the list of choices in the extract resource (ER) step of AAA.
        • Adding <aaa:SOAPRequestOpName> to "MapResource" in the AAA info file:
        <aaa:MapResource>
        <aaa:OriginalURL>ORIGINAL_URL</aaa:OriginalURL>
        <aaa:SOAPRequestOpName>OPERATION_NAME_AT_SOAP_MSG_BODY</aaa:SOAPRequestOpName>
        <aaa:OutputResource>OUTPUT_RESOURCE_FOR_OPERATION</aaa:OutputResource>
        </aaa:MapResource>

        • Editing "Authorize" in the AAA info file as below:
        <aaa:Authorize>
        <aaa:InputCredential>USER</aaa:InputCredential>
        <aaa:InputResource>OUTPUT_RESOURCE_FOR_OPERATION</aaa:InputResource>
        <aaa:Access>deny</aaa:Access>
        </aaa:Authorize>

        Best Regards,

        aly

        Updated on 2014-05-30T06:53:30Z at 2014-05-30T06:53:30Z by alymlk
        • NILAY97
          207 Posts

          Re: Authenticate and Authorization using AAA Info file

          ‏2014-06-13T16:54:59Z  in response to alymlk

          My requirement is also the same. I have a WSP on which I need to allow one specific operation to pass through AAA without getting the CN/DN name verified and authorized from AAAInfo.xml.

          The method shown above is what I used, and I got an error stating: Unsupported Format Version in DataPower.

          The ER is URL sent by Client. Could you please help me with the same?

          Thanks,

          Nilay

        • alymelek
          1 Post

          AAA Object Bug

          ‏2014-08-19T06:58:15Z  in response to alymlk

          Hello,

          After handling the problem of denying/allowing user access for operations, a strange behavior is observed. All of the authenticated users, who could call all the services successfully before, were unable to call the services except the one that has AAA authorization at operation level.

          We also realized that if the "Local Name of Request Element" radio button at ER is unchecked, this problem disappears but our previous problem re-appears in that case.

          Any suggestions to fix this bug?

          Best,

          alymelek