Topic
  • 10 replies
  • Latest Post - 2014-08-19T06:58:15Z by alymelek
SRW
SRW
29 Posts

Pinned topic Authorization using AAA Info file

2010-10-12T11:10:58Z |
Hi,

We are currently using the AAA info file for authorization. I am able to define a resource and allow or deny access to that resource. But if we have to deny a user access to some of the WSDL operations, how should I go about it?

Please let me know.
Updated on 2013-03-07T17:20:32Z at 2013-03-07T17:20:32Z by SystemAdmin
  • Jaango
    Jaango
    268 Posts

    Re: Authorization using AAA Info file

    2010-10-15T11:45:03Z
    Use the one below (the elements belong in the aaa namespace of the AAA info file):

    <aaa:Authorize>
    <aaa:InputCredential>Consumer-Name</aaa:InputCredential>
    <aaa:InputResource>ServiceName.Operation-Name</aaa:InputResource>
    <aaa:Access>deny</aaa:Access>
    </aaa:Authorize>
  • SystemAdmin
    SystemAdmin
    6772 Posts

    Authenticate and Authorization using AAA Info file

    2012-04-18T23:03:38Z
    • Jaango
    • 2010-10-15T11:45:03Z
    Hi, I have two questions about this line: <InputResource>ServiceName.Operation-Name</InputResource>

    1. Which is the Service Name? Is it the name of the web service proxy, the name of the WSDL file, or the URI?

    2. Can you give me an example for Authorize, Authenticate and Authorization?

    I tried to construct the file for Authenticate and it's OK in the DataPower, but Authorization fails.

    Thanks! adolfoereyes@gmail.com

    <?xml version="1.0" encoding="utf-8"?>
    <!--
    Licensed Materials - Property of IBM
    IBM WebSphere DataPower Appliances
    Copyright IBM Corporation 2007,2009. All Rights Reserved.
    US Government Users Restricted Rights - Use, duplication or disclosure
    restricted by GSA ADP Schedule Contract with IBM Corp.
    -->

    <aaa:AAAInfo xmlns:aaa="http://www.datapower.com/AAAInfo">

    <aaa:FormatVersion>1</aaa:FormatVersion>
    <aaa:Filename>local:///AAAInfoFileV1.xml</aaa:Filename>
    <aaa:Summary>Prueba info file v1</aaa:Summary>

    <aaa:Authenticate>
    <aaa:Username>appCliente1</aaa:Username>
    <aaa:Password>123456</aaa:Password>
    <aaa:OutputCredential>appCliente1</aaa:OutputCredential>
    </aaa:Authenticate>

    <aaa:Authenticate>
    <aaa:Username>appCliente2</aaa:Username>
    <aaa:Password>123456</aaa:Password>
    <aaa:OutputCredential>appCliente2</aaa:OutputCredential>
    </aaa:Authenticate>

    <aaa:MapCredentials>
    <aaa:InputCredential>appCliente1</aaa:InputCredential>
    <aaa:OutputCredential>VALIDUSERS</aaa:OutputCredential>
    </aaa:MapCredentials>

    <aaa:MapCredentials>
    <aaa:InputCredential>appCliente2</aaa:InputCredential>
    <aaa:OutputCredential>VALIDUSERS</aaa:OutputCredential>
    </aaa:MapCredentials>

    <aaa:MapResource>
    <aaa:OriginalURL>insertarCliente</aaa:OriginalURL>
    <aaa:OutputResource>PRIVATE</aaa:OutputResource>
    </aaa:MapResource>

    <aaa:Authorize>
    <aaa:InputCredential>VALIDUSERS</aaa:InputCredential>
    <aaa:InputResource>PRIVATE</aaa:InputResource>
    <aaa:Access>allow</aaa:Access>
    </aaa:Authorize>

    </aaa:AAAInfo>
  • swlinn
    swlinn
    1396 Posts

    Re: Authenticate and Authorization using AAA Info file

    2012-04-19T14:46:58Z
    The input resource will be what you chose in the extract resource (ER) step of AAA, which stands for Authentication, Authorization, and Audit. If you chose Local Name of Request Element from the list of choices and the message is a SOAP message, the local name of the child element of the SOAP Body element will be your input resource; otherwise it is the local name of the root element of the message. There are other choices in ER you could make of course, so you could have multiple resource identities, but authorization would not succeed unless the client identity from the extract identity step (EI) and this resource are allowed in the table.

    An example of an AAAInfo.xml file can be found on your appliance in the store:/// directory.

    Best Regards,
    Steve
  • SystemAdmin
    SystemAdmin
    6772 Posts

    Re: Authenticate and Authorization using AAA Info file

    2012-04-19T16:28:44Z
    • swlinn
    • 2012-04-19T14:46:58Z
    Hello Mr. swlinn, thanks a lot, I solved the problem with your recommendation!

    Best Regards,

    Adolfo Reyes
    adolfoereyes@gmail.com
    Bogotá, Colombia
  • SystemAdmin
    SystemAdmin
    6772 Posts

    Re: Authenticate and Authorization using AAA Info file

    2013-03-06T00:18:25Z
    Hi, I have a requirement for AAA authorization based on the operation. I have looked at the various ER options available on DP. We have AZ in place based on "URL sent by client". After going through the docs and ER options I ruled out the URL options, Processing Metadata, and HTTP post/get.
    Even the "Local Name of Request Element" doesn't seem to help, as in my case I would need to authorize based on the operation as shown below in bold. Any help is greatly appreciated.

    </soapenv:Header>
    <soapenv:Body>
    <iss:Sample version="1.0.0">
    <iss:Account accountId="xxxxxxxx">
    <iss:Practice>
    <iss:GetPractice/>
    </iss:Practice>
    </iss:Account>
    </iss:Sample>
    </soapenv:Body>

    Thanks,
    DP
  • kenhygh
    kenhygh
    2164 Posts

    Re: Authenticate and Authorization using AAA Info file

    2013-03-06T02:25:35Z
    Well, since this isn't one of the conventions that DP supports, you'll have to do 'custom' and write your own stylesheet to extract this element.

    Ken
  • SystemAdmin
    SystemAdmin
    6772 Posts

    Re: Authenticate and Authorization using AAA Info file

    2013-03-07T17:20:32Z
    • kenhygh
    • 2013-03-06T02:25:35Z
    Ken, thank you!
  • alymlk
    alymlk
    1 Post

    Re: Authenticate and Authorization using AAA Info file

    2014-05-30T06:51:41Z
    Hi all,

    We got the same problem, which is denying/allowing user access for some of the WSDL operations, and here is our solution:

    • Choosing Local Name of Request Element from the list of choices in the extract resource (ER) step of AAA.
    • Adding <aaa:SOAPRequestOpName> to "MapResource" in the AAA info file:
    <aaa:MapResource>
    <aaa:OriginalURL>ORIGINAL_URL</aaa:OriginalURL>
    <aaa:SOAPRequestOpName>OPERATION_NAME_AT_SOAP_MSG_BODY</aaa:SOAPRequestOpName>
    <aaa:OutputResource>OUTPUT_RESOURCE_FOR_OPERATION</aaa:OutputResource>
    </aaa:MapResource>

    • Editing "Authorize" in the AAA info file as below:
    <aaa:Authorize>
    <aaa:InputCredential>USER</aaa:InputCredential>
    <aaa:InputResource>OUTPUT_RESOURCE_FOR_OPERATION</aaa:InputResource>
    <aaa:Access>deny</aaa:Access>
    </aaa:Authorize>

    Best Regards,

    aly

    Updated on 2014-05-30T06:53:30Z at 2014-05-30T06:53:30Z by alymlk
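Added example, not code from the thread or from IBM: a small Python model of the Authenticate, MapCredentials, MapResource and Authorize chain that swlinn describes, together with the SOAPRequestOpName mapping aly posted, so an AAA info file can be reviewed offline before it is deployed. The file contents, the URL /clientes, the operations borrarCliente and insertarCliente, the resource names, and the first-match evaluation order are constructed assumptions for illustration, not DataPower's documented behaviour.

```python
import xml.etree.ElementTree as ET
AAA = "{http://www.datapower.com/AAAInfo}"
SOAP = "{http://schemas.xmlsoap.org/soap/envelope/}"
# Constructed AAA info file: one operation of /clientes gets its own denied resource,
# every other operation on that URL keeps the PRIVATE allow (compare the file in the thread).
AAA_INFO = """<aaa:AAAInfo xmlns:aaa="http://www.datapower.com/AAAInfo"><aaa:FormatVersion>1</aaa:FormatVersion>
<aaa:Authenticate><aaa:Username>appCliente1</aaa:Username><aaa:Password>123456</aaa:Password>
<aaa:OutputCredential>appCliente1</aaa:OutputCredential></aaa:Authenticate>
<aaa:MapCredentials><aaa:InputCredential>appCliente1</aaa:InputCredential>
<aaa:OutputCredential>VALIDUSERS</aaa:OutputCredential></aaa:MapCredentials>
<aaa:MapResource><aaa:OriginalURL>/clientes</aaa:OriginalURL>
<aaa:SOAPRequestOpName>borrarCliente</aaa:SOAPRequestOpName>
<aaa:OutputResource>DENIED_OP</aaa:OutputResource></aaa:MapResource>
<aaa:MapResource><aaa:OriginalURL>/clientes</aaa:OriginalURL>
<aaa:OutputResource>PRIVATE</aaa:OutputResource></aaa:MapResource>
<aaa:Authorize><aaa:InputCredential>VALIDUSERS</aaa:InputCredential>
<aaa:InputResource>DENIED_OP</aaa:InputResource><aaa:Access>deny</aaa:Access></aaa:Authorize>
<aaa:Authorize><aaa:InputCredential>VALIDUSERS</aaa:InputCredential>
<aaa:InputResource>PRIVATE</aaa:InputResource><aaa:Access>allow</aaa:Access></aaa:Authorize>
</aaa:AAAInfo>"""
# Constructed SOAP request; ER "Local Name of Request Element" yields "borrarCliente".
SOAP_REQ = ('<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
            '<soapenv:Body><c:borrarCliente xmlns:c="urn:example"/></soapenv:Body></soapenv:Envelope>')

def soap_op_name(envelope_xml):
    """Local name of the first child of soapenv:Body, None if the Body is empty or absent."""
    body = ET.fromstring(envelope_xml).find(SOAP + "Body")
    first = next(iter(body), None) if body is not None else None
    return first.tag.split("}")[-1] if first is not None else None

def evaluate(aaa_xml, username, password, url, op_name):
    """Authenticate -> MapCredentials -> MapResource -> Authorize; any unmatched step denies.
    Simplified first-match model for offline policy review, not DataPower's own engine."""
    root = ET.fromstring(aaa_xml)
    text = lambda e, name: (e.findtext(AAA + name) or "").strip()
    cred = next((text(a, "OutputCredential") for a in root.iter(AAA + "Authenticate")
                 if text(a, "Username") == username and text(a, "Password") == password), None)
    if cred is None:
        return "deny"  # unknown user or wrong password
    cred = next((text(m, "OutputCredential") for m in root.iter(AAA + "MapCredentials")
                 if text(m, "InputCredential") == cred), cred)
    # An entry with SOAPRequestOpName is operation-specific; one without it is the URL catch-all.
    resource = next((text(m, "OutputResource") for m in root.iter(AAA + "MapResource")
                     if text(m, "OriginalURL") == url
                     and text(m, "SOAPRequestOpName") in ("", op_name)), None)
    if resource is None:
        return "deny"  # URL/operation never mapped to a resource
    return next((text(a, "Access") for a in root.iter(AAA + "Authorize")
                 if text(a, "InputCredential") == cred and text(a, "InputResource") == resource), "deny")
```

Because the model lists operation-specific MapResource entries before the catch-all and denies anything that reaches Authorize without an explicit entry, it also shows why a file with only operation-level mappings leaves every other operation unmatched.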
  • NILAY97
    NILAY97
    313 Posts

    Re: Authenticate and Authorization using AAA Info file

    2014-06-13T16:54:59Z
    • alymlk
    • 2014-05-30T06:51:41Z

    Hi all,

    We got the same problem which is denying/allowing user access for some of the wsdl operations and here is our solution:

    • Chosing Local Name of Request Element from the list of choices in the extract resource (ER) step of AAA.
    • Adding <aaa:SOAPRequestOpName> to "MapResource" at AAA info file:
    <aaa:MapResource>
    <aaa:OriginalURL>ORIGINAL_URL</aaa:OriginalURL>
    <aaa:SOAPRequestOpName>OPERATION_NAME_AT_SOAP_MSG_BODY</aaa:SOAPRequestOpName>
    <aaa:OutputResource>OUTPUT_RESOURCE_FOR_OPERATION</aaa:OutputResource>
    </aaa:MapResource>

     

    • Editing  "Authorize"  at AAA info file as below:
    <aaa:Authorize>
    <aaa:InputCredential>USER</aaa:InputCredential>
    <aaa:InputResource>OUTPUT_RESOURCE_FOR_OPERATION</aaa:InputResource>
    <aaa:Access>deny</aaa:Access>
    </aaa:Authorize>

     

    Best Regards,

    aly

    My requirement is also the same. I have a WSP on which I need to allow one specific operation to pass through AAA without getting the CN/DN name verified and authorized from AAAInfo.xml.

    The above shown method is what I used, and I got an error stating "Unsupported Format Version" in DataPower.

    The ER is URL sent by Client. Could you please help me with the same.

    Thanks,

    Nilay

  • alymelek
    alymelek
    1 Post

    AAA Object Bug

    2014-08-19T06:58:15Z
    • alymlk
    • 2014-05-30T06:51:41Z

    Hi all,

    We got the same problem which is denying/allowing user access for some of the wsdl operations and here is our solution:

    • Chosing Local Name of Request Element from the list of choices in the extract resource (ER) step of AAA.
    • Adding <aaa:SOAPRequestOpName> to "MapResource" at AAA info file:
    <aaa:MapResource>
    <aaa:OriginalURL>ORIGINAL_URL</aaa:OriginalURL>
    <aaa:SOAPRequestOpName>OPERATION_NAME_AT_SOAP_MSG_BODY</aaa:SOAPRequestOpName>
    <aaa:OutputResource>OUTPUT_RESOURCE_FOR_OPERATION</aaa:OutputResource>
    </aaa:MapResource>

     

    • Editing  "Authorize"  at AAA info file as below:
    <aaa:Authorize>
    <aaa:InputCredential>USER</aaa:InputCredential>
    <aaa:InputResource>OUTPUT_RESOURCE_FOR_OPERATION</aaa:InputResource>
    <aaa:Access>deny</aaa:Access>
    </aaa:Authorize>

     

    Best Regards,

    aly

    Hello,

    After handling the problem of denying/allowing user access for operations, a strange behavior is observed. All of the authenticated users, who could call all the services successfully before, were unable to call the services except the one that has AAA authorization at operation level.

    We also realized that if the "Local Name of Request Element" radio button at ER is unchecked, this problem disappears, but our previous problem re-appears in that case.

    Any suggestions to fix this bug?

    Best,

    alymelek