Serge Blais

Saturday Dec 01, 2007

1/4 - Getting involved in JBI, an XACML engine v1


I started looking into JBI when it was still forming... At the time, it was more of an academic interest than anything else. When I was playing with it, I created a Service Engine (SE) to process XACML version 1.0 requests. I thought the idea was cool, but it had limited possibilities at the time. But it was a great learning experience.


Recently, I started looking at OpenESB, the open source project. I found that it was well populated, and I came across the tech talk from Srinivasan Chikkala. So, I figured, why not redo my SE with the new tool set and learn it at the same time? So, that is what I did!

I created:



  • A service engine that uses the service engine wizard,

  • A Service Engine module that plugs in the Netbeans 6.0 environment to create new XACML service units (JBI modules),

  • A Composite Application with a BPEL process that is "protected" with the XACML


Basic Approach


The drawing above illustrates the end target of this work. The yellow path indicates the road a request coming in over SOAP would take. The HTTP BC would handle the request and forward it to the BPEL process. From there, the first step in the BPEL process would be to call the XACML SE over the NMR for authorization. Note that this is not the perfect implementation. Ideally, the XACML SE would be implemented as an interceptor between the BC and the NMR. Maybe this concept will make it through in JBI 2.0. We'll see...
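The authorization step described above, as an added example that is not code from this post or from the XACML SE: it builds an XACML 1.0 request context for the call and enforces the returned decision fail-closed, so that Deny, NotApplicable, Indeterminate and malformed responses all block the process. The subject, resource and action values, the function names and the sample responses are constructed for illustration.

```python
import xml.etree.ElementTree as ET

CTX = "urn:oasis:names:tc:xacml:1.0:context"      # XACML 1.0 context namespace
STRING = "http://www.w3.org/2001/XMLSchema#string"
ATTR = "urn:oasis:names:tc:xacml:1.0:%s"           # standard attribute id prefix

def build_request(subject, resource, action):
    """Serialize the request context the process would send to the XACML SE."""
    req = ET.Element("{%s}Request" % CTX)
    for section, attr_id, value in (
        ("Subject", "subject:subject-id", subject),
        ("Resource", "resource:resource-id", resource),
        ("Action", "action:action-id", action),
    ):
        holder = ET.SubElement(req, "{%s}%s" % (CTX, section))
        attr = ET.SubElement(holder, "{%s}Attribute" % CTX,
                             AttributeId=ATTR % attr_id, DataType=STRING)
        ET.SubElement(attr, "{%s}AttributeValue" % CTX).text = value
    return ET.tostring(req, encoding="unicode")

def sample_response(decision):
    """Constructed response context, standing in for what the SE returns."""
    return ('<Response xmlns="%s"><Result><Decision>%s</Decision>'
            '</Result></Response>' % (CTX, decision))

def is_permitted(response_xml):
    """Fail closed: only one well-formed Result with Decision=Permit passes."""
    try:
        root = ET.fromstring(response_xml)
    except ET.ParseError:
        return False                    # unparseable answer is treated as a deny
    if root.tag != "{%s}Response" % CTX:
        return False                    # wrong document type or namespace
    results = root.findall("{%s}Result" % CTX)
    if len(results) != 1:
        return False                    # missing or ambiguous result
    decision = results[0].findtext("{%s}Decision" % CTX, default="")
    return decision.strip() == "Permit"

if __name__ == "__main__":
    print(build_request("alice", "urn:example:order-service", "invoke"))
    for d in ("Permit", "Deny", "NotApplicable", "Indeterminate"):
        print(d, "->", is_permitted(sample_response(d)))
```

Because the check runs as a step inside the process rather than as an interceptor, every process exposed through the BC has to perform it itself; a process that omits the step is reachable without any policy decision.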


The two main containers used are Glassfish, which hosts the JBI implementation, and Netbeans 6.0, which is used as the IDE. While the whole development took place in the NB IDE, the only thing depicted here is the work needed to create the sample: creation of the BPEL Module, the XACML Module and the Composite Application.


In the next few entries, I'll describe what I did, the steps I followed, and the lessons learned. Please, come back for the rest!

Starting the process, I needed to figure out what I still had! When porting an old project, I may want to keep the good stuff, but I would like to remove as much as possible the "old feeling" of harvesting code previously developed.


First, I needed to check back into the code I had. What could I reuse from what I created in the past... Well, not much.



  1. The scripts I did were not the route I wanted to take. I wanted to use as much as I could from the Netbeans GUI.

  2. The structure I built around the SE to support the XACML processing would definitely conflict with the structure that the wizard would build for me.


So, I kept:



  1. My sample policy files that I used for testing,

  2. The core class for the message processing.

  3. The XACML jar files that were developed by the Sun Labs a few years back (this is XACML version 1.0...)


With this, I was off to a good start. I had the elements that made my service engine unique, and, so I hoped, the SE wizard would create the rest of it for me... Now time to create the Empty Service Engine, a subject for the next blog entry... In the meantime, you can read up on the crl model that the Open ESB engineers used and seem to be promoting for use in the different components. The SE wizard also seems to be based on this.


Serge


Comments:

Hi Serge: Thank you for this wonderful posting of XACML. I am working on a project where we need to build XACML service engine. Could you please send the code for the component as well as the sample to test it. That would be really wonderful.

Posted by ravi on July 07, 2008 at 04:09 PM EDT #

Hi,

I just got back from vacation, and am currently traveling, so sorry for the delay. I'll be posting the source code next week, and will update the posts.

Thanks for the comment.

Posted by Serge Blais on July 14, 2008 at 06:11 PM EDT #

Hi Serge,

I have a scenario in which I have to call a web service that calls a stored procedure to get some entitlement attributes of the user based on the SOAP request it receives and then returns these attributes.
E.g., I will send the userId and SystemId to this web service in XACML format. Now this web service will in turn call the stored procedure and get the FirstName and LastName based on the userId and return them in XACML format. Can you please send a sample SOAP request for this scenario? It will be really helpful for me to understand.

Thanks
Gaurav

Posted by Gaurav on January 10, 2009 at 04:40 AM EST #

Sorry, but I did code the XACML SE a while ago, and I am busy right now on the iep SE. I'll try to get around to sending you a sample, but it will (not may, it will) take a long time before I can get to it.

You can, however, find examples of the messages in the 3rd blog post on this subject:

http://blogs.sun.com/sblais/entry/xacml_jbi_deployment_module_creation

Or get some more examples from the Sun Labs, I believe. (The source for the XACML jar file I use.)

Posted by Serge Blais on January 27, 2009 at 12:28 PM EST #
