Policy Use Cases

Copyright © Cloud Software Group, Inc. All Rights Reserved

Chapter 11 Security Policies : Policy Use Cases

Policy Use Cases

This section describes the use cases for supported policies.

Authentication Policies

Figure Authentication Policies illustrates how to apply the authentication policies for an incoming request.

Figure 20 Authentication Policies

Configuration

To configure the authentication policies, do the following tasks:

Task D Configure Shared Resource

See Configure Shared Resource for details.

Task E Create Policy

See Create Policy for details.

Task F Register Policy

See Register Policy for detailed steps. You must choose the correct type and subtype to register the policy as shown in the following table:

Policy

Type

SubType

Basic Authentication

Authentication

Basic

UsernameToken Authentication

Authentication

UsernameToken

SAML Authentication

Authentication

SAML

Authentication by OAuth

Authentication

OAuth

Task G Apply Policy

See Apply Policy for details.

TIBCO API Exchange Gateway supports following authentication policies:

Basic

•

The client sends the request with user name/password in HTTP basic authentication header.

•

Basic Authentication policy authenticates the request against LDAP.

Example Policy

BasicAuthentication.policy

<wsp:Policy

xmlns:tpa="http://xsd.tns.tibco.com/governance/policy/action/2009"

xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"

xmlns:wssp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">

   <wsp:All>

     <tpa:AuthenticationByJaas>

      <wssp:SupportingTokens>

     <tpa:Any>

       <wssp:HttpBasicAuthentication/>

     </tpa:Any>

     </wssp:SupportingTokens>

    <tpa:SharedResourceLoginModule ResourceInstance="LDAPSource">

    </tpa:SharedResourceLoginModule>

     </tpa:AuthenticationByJaas>

   </wsp:All>

</wsp:Policy>

UsernameToken

•

The client sends the request containing usernameToken in WS-Security header of the SOAP message.

•

UsernameToken authentication policy authenticates the request against LDAP.

Example Policy

AuthenticationByUsernameToken.policy

<wsp:Policy

xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"

xmlns:wssp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"

xmlns:tpa="http://xsd.tns.tibco.com/governance/policy/action/2009" >

   <wsp:All>

    <wsp:ExactlyOne>

     <tpa:AuthenticationByJaas>

      <wssp:SupportingTokens>

       <tpa:ExactlyOne>

        <wssp:UsernameToken />

       </tpa:ExactlyOne>

      </wssp:SupportingTokens>

   <tpa:SharedResourceLoginModule ResourceInstance="LdapAsp" />

     </tpa:AuthenticationByJaas>

    </wsp:ExactlyOne>

   </wsp:All>

</wsp:Policy>

SAML

The client sends the request containing a SAML assertion in WS-Security header of the SOAP message.

Example Policy

AuthenticationBySaml.policy

<wsp:Policy

xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"

xmlns:wssp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"

xmlns:tpa="http://xsd.tns.tibco.com/governance/policy/action/2009">

   <wsp:All>

     <wsp:Policy >

      <tpa:WssProcessor ResourceInstance="WssAsp"/>

     </wsp:Policy>

     <wsp:Policy      xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">

      <tpa:VerifyAuthentication>

       <wsp:ExactlyOne>

        <wssp:SignedSupportingTokens>

       <wsp:ExactlyOne>

        <wssp:SamlToken>

     

     

        </wssp:SamlToken>

        </wsp:ExactlyOne>

        </wssp:SignedSupportingTokens>

        </wsp:ExactlyOne>

        </tpa:VerifyAuthentication>

        </wsp:Policy>

        </wsp:All>

        </wsp:Policy>

SiteMinder

•

The client sends the request containing the SiteMinder session cookie in the HTTP header.

•

SiteMinder authentication policy authenticates the request against SiteMinder service provider.

Example Policy

AuthenticationBySiteMinder.policy

<wsp:Policy

<wsp:Policy

   xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"

   xmlns:wssp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"

   xmlns:tpa="http://xsd.tns.tibco.com/governance/policy/action/2009" >

   <wsp:All>

     <wsp:ExactlyOne>

       <tpa:AuthenticationByJaas>

         <wssp:SupportingTokens>

          <tpa:ExactlyOne>

            <tpa:SiteminderToken />

          </tpa:ExactlyOne>

         </wssp:SupportingTokens>

         <tpa:SharedResourceLoginModule ResourceInstance="SiteminderAsp" />

       </tpa:AuthenticationByJaas>

     </wsp:ExactlyOne>

   </wsp:All>

</wsp:Policy>

OAuth

When a request is received from the user, the gateway redirects the user to OAuth Authorization server to login and grant access to the protected facade operation.

When the OAuth authentication server sends the authorization code back to the policy callback endpoint after the user’s successful login and grant access to the facade operation, the gateway exchanges the authorization code for an access token from the authorization server. Since the protected facade operation does not access user’s resources, therefore, the access token is only used for authentication purposes.

Example Policy

AuthenticationbyOAuth Policy

<?xml version="1.0" encoding="UTF-8"?>

<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">

<ns:AuthenticationByJaas xmlns:ns="http://xsd.tns.tibco.com/governance/policy/action/2009">

<ns:OAuthToken>

<ns:Provider>TIBCO</ns:Provider>

<ns:ClientID>security</ns:ClientID>

<ns:ClientSecret>ef6e7dca3d52973f73ec3dd0da7087d400f5a05a</ns:ClientSecret>

<ns:CallbackURI>http://localhost:9322/asg/oauth2/client/callback</ns:CallbackURI>

</ns:OAuthToken>

</ns:AuthenticationByJaas>

</wsp:Policy>

Authorization Policies

Figure Authorization Policies illustrates how to apply an authorization policy based on the role or how you can apply an OAuth policy.

Figure 21 Authorization Policies

Configuration

To configure a authorization policies, do following tasks:

Task A Configure Shared Resource.

See Configure Shared Resource for details.

Task B Create Policy

See Create Policy for details.

Task C Register Policy

See Register Policy for detailed steps. You must choose the correct type and subtype to register the policy as shown in the following table:

Policy

Type

SubType

Authorization By Role

Authorization

Role

Task D Apply Policy

See Apply Policy for details.

TIBCO API Exchange Gateway supports the following authorization policies:

Role

When an authorization policy by role is applied, an authenticated user with a specific role defined by the policy will be authorized to access all the functions of the target operation.

•

Consumer sends a request with username and password in HTTP header or as a UsernameToken in WS-Security header of the SOAP message.

•

Basic or UsernameToken authentication policy authenticates the request against LDAP and retrieves LDAP attributes/roles for the user.

•

After authentication policy, the gateway invokes an authorization policy. Using SOAP operation information from SOAP request and user role information retrieved from LDAP during authentication, the authorization policy determines if the user that is sending the request is authorized to invoke the SOAP operation.

Example Policy

Authorization By Role Policy

<?xml version="1.0" encoding="UTF-8"?>

<wsp:Policy

xmlns:tpa="http://xsd.tns.tibco.com/governance/policy/action/2009"

xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"

xmlns:wssp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"

xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os" xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">

<wsp:All>

   <wsp:Policy>

     <wsp:All>

     <tpa:Authorization>

     <tpa:ByRole>

     <tpa:Default>

      <xacml:Rule Effect="Deny" RuleId="">

      <xacml:Condition>

      <xacml:Apply FunctionId="always-true">

      </xacml:Apply>

      </xacml:Condition>

      </xacml:Rule>

      </tpa:Default>

       <tpa:Operation>

        <xacml:Rule Effect="Permit" RuleId="">

        <xacml:Target>

        <xacml:Actions>

        <xacml:Action>

        <xacml:ActionMatch MatchId="http://tempuri.org">

        

        <xacml:AttributeValue         DataType="xsd:string">queryBookByAuthorBW</xacml:Attribute        Value>

        <xacml:AttributeSelector DataType="xsd:string"

         RequestContextPath="" />

        </xacml:ActionMatch>

        </xacml:Action>

        </xacml:Actions>

        </xacml:Target>

        <xacml:Condition>

        <xacml:Apply FunctionId="is-in">

        <xacml:AttributeValue DataType="xsd:string">Accounting         Managers</xacml:AttributeValue>

        </xacml:Apply>

        </xacml:Condition>

        </xacml:Rule>

        </tpa:Operation>

        </tpa:ByRole>

        </tpa:Authorization>

        </wsp:All>

   </wsp:Policy>

     </wsp:All>

     </wsp:Policy>

Integrity Policies

The following figure shows how to apply a sign policy:

Figure 22 Sign Policy

Figure VerifySignature Policy shows how to apply a verify signature policy:

Figure 23 VerifySignature Policy

Configuration

To configure the integrity policies, do the following tasks:

Task A Configure Shared Resource

See Configure Shared Resource for details.

Task B Create Policy

See Create Policy for details.

Task C Register Policy

See Register Policy for detailed steps. You must choose the correct type and subtype to register the policy as shown in the following table:

Policy

Type

SubType

Sign

Integrity

Sign

Verify Signature

Integrity

Verify

Task D Apply Policy

See Apply Policy for details.

TIBCO API Exchange Gateway supports following types of integrity policies:

Sign

•

Sign policy can be used to sign the outgoing SOAP message. Before a request is forwarded, the signature policy is applied.

•

The message is signed using the shared resource specified in the policy.

Example Policy

Sign.policy

<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">

<wsp:All>

<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"

xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">

<ns:Signature

xmlns:ns="http://xsd.tns.tibco.com/governance/policy/action/2009"

ResourceInstance="SubjectIsp">

<ns1:SignedParts >

<ns1:Body />

<ns1:Header />

</ns1:SignedParts>



<ns:keyAlias>john_key</ns:keyAlias>



<ns1:AlgorithmSuite>

<ns1:Basic128 />

</ns1:AlgorithmSuite>

</ns:Signature>

</wsp:Policy>

</wsp:All>

</wsp:Policy>

Verify Signature

When a signed request is received by the gateway, the verify signature policy is applied.

•

The signature in the message is verified using the shared resource specified in the policy.

•

The policy verifies that there is a signature in the message and it has been verified.

Example Policy

VerifySignature.policy

<wsp:Policy

xmlns:tpa="http://xsd.tns.tibco.com/governance/policy/action/2009"

xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"

xmlns:wssp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">

<wsp:All>

<wsp:Policy>

<tpa:WssProcessor ResourceInstance="WssAsp"/>

</wsp:Policy>

<wsp:Policy>

<tpa:VerifyAuthentication>

<wssp:SignedSupportingTokens>

<wssp:SamlToken />

</wssp:SignedSupportingTokens>

</tpa:VerifyAuthentication>

</wsp:Policy>

<wsp:Policy>

<tpa:VerifySignature>

<wssp:SignedParts>

<wssp:Header Namespace="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"/>

<wssp:Body />

</wssp:SignedParts>

</tpa:VerifySignature>

</wsp:Policy>

</wsp:All>

</wsp:Policy>

Confidentiality Policies

Figure Encryption Policy shows how to apply an encrypt policy.

Figure 24 Encryption Policy

Figure Decrypt Policy shows how to apply the decrypt policy.

Figure 25 Decrypt Policy

Configuration

To configure the confidentiality policies, do the following tasks:

Task A Configure Shared Resource

See Configure Shared Resource for details.

Task B Create Policy

See Create Policy for details.

Task C Register Policy

See Register Policy for detailed steps. You must choose the correct type and subtype to register the policy as shown in the following table:

Policy

Type

SubType

Encrypt

Confidentiality

Encrypt

Decrypt

Confidentiality

Decrypt

Task D Apply Policy

See Apply Policy for details.

TIBCO API Exchange Gateway supports following types of confidentiality policies:

Encryption

•

Before a request is forwarded the Encryption policy is applied.

•

The message is encrypted using the shared resource specified in the policy.

Example Policy

Encryption.policy

<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">

<wsp:All>

<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">

<ns:Encryption xmlns:ns="http://xsd.tns.tibco.com/governance/policy/action/2009" ResourceInstance="TrustIsp">

<ns1:EncryptedParts>

<ns1:Body />

<ns1:Header />

</ns1:EncryptedParts>



<ns:keyAlias>john_key</ns:keyAlias>



<ns1:AlgorithmSuite>

<ns1:Basic128 />

</ns1:AlgorithmSuite>

</ns:Encryption>

</wsp:Policy>

</wsp:All>

</wsp:Policy>

Decryption

•

When a request is received, the decryption policy is applied.

•

The message is decrypted using the shared resource specified in the policy. The policy verifies that the message is decrypted.

Example Policy

Decryption.policy

<wsp:Policy

xmlns:tpa="http://xsd.tns.tibco.com/governance/policy/action/2009"

xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"

xmlns:wssp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">

<wsp:All>

<wsp:Policy>

<tpa:WssProcessor ResourceInstance="WssAsp"/>

</wsp:Policy>

<wsp:Policy>

<tpa:VerifyAuthentication>

<wssp:SignedSupportingTokens>

<wssp:SamlToken />

</wssp:SignedSupportingTokens>

</tpa:VerifyAuthentication>

</wsp:Policy>

<wsp:Policy>

<tpa:VerifyDecryption/>

</wsp:Policy>

</wsp:All>

</wsp:Policy>

Credential Mapping Policies

Figure CredentialMapping Policies illustrates how you can apply a credential mapping policy.

Figure 26 CredentialMapping Policies

TIBCO API Exchange Gateway supports following types of credential mapping policies:

UsernameToken Credential Mapping

For UsernameToken Credential Mapping:

•

There is no authentication needed.

•

The client sends request to the facade operation.

•

When the service invoked by the client request calls the target operation, UsernameToken credential mapping policy is applied. A UsernameToken is then added to the outgoing request using the credentials extracted from the policy or the shared resource specified in the policy.

Example Policy

CredentialMappingByUsernameToken Policy

<wsp:Policy

xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"

xmlns:wssp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"

xmlns:tpa="http://xsd.tns.tibco.com/governance/policy/action/2009" >

<wsp:All>

<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">

<ns:CredentialMapping

xmlns:ns="http://xsd.tns.tibco.com/governance/policy/action/2009">

<tpa:Fixed>



<wssp:UsernameToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">

<wsse:Username>schalla</wsse:Username>

<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password>

</wssp:UsernameToken>

</tpa:Fixed>

<wssp:SupportingTokens

xmlns:wssp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">

<wssp:UsernameToken>



</wssp:UsernameToken>

</wssp:SupportingTokens>

</ns:CredentialMapping>

</wsp:Policy>

</wsp:All>

</wsp:Policy>

SAML Credential Mapping

For SAML Credential Mapping:

•

The client sends request as a UsernameToken in WS-Security header of the SOAP message.

•

UsernameToken authentication policy authenticates the request against LDAP and retrieves LDAP attributes/roles for the user.

•

When the service invoked by the client request calls any external service and forwards the outgoing request, SAML credential mapping policy is applied. The SAML assertion generated from the previous UsernameToken authentication is added to the outgoing request.

Example Policy

CredentialMappingBySAML Policy

<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">

<wsp:All>

<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">

<ns:CredentialMapping ResourceInstance="SubjectIsp"

xmlns:ns="http://xsd.tns.tibco.com/governance/policy/action/2009">

<ns:Saml>

<ns:WSS>

<ns:IssuerName>urn:kimyou.tibco.com</ns:IssuerName>

<ns:ValidPeriod>300</ns:ValidPeriod>

</ns:WSS>

</ns:Saml>

<wssp:SignedSupportingTokens

xmlns:wssp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">

<wssp:SamlToken> <wssp:IssuerName>urn:www.example.com</wssp:IssuerName>

<wssp:WssSamlV20Token11 />

</wssp:SamlToken>

</wssp:SignedSupportingTokens>

</ns:CredentialMapping>

</wsp:Policy>

</wsp:All>

</wsp:Policy>

Credential Mapping by OAuth Policy

For Credential Mapping by OAuth:

•

The client sends request to the facade operation.

•

When the service invoked by the client request calls the target operation, OAuth credential mapping policy is applied. An access token is obtained using either client credential or owner credential from the token endpoint of the Authorization server. It then propagate the access token to the target operation by adding the access token to the query string when calling the target operation.

Example Policy

CredentialMappingByOAuth.policy

<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">

<ns:CredentialMapping xmlns:ns="http://xsd.tns.tibco.com/governance/policy/action/2009">

<ns:OAuth>

<ns:Provider>TIBCO</ns:Provider>

<ns:ClientID>security</ns:ClientID>

<ns:ClientSecret>ef6e7dca3d52973f73ec3dd0da7087d400f5a05a</ns:ClientSecret>

<ns:CallbackURI>http://localhost:9322/asg/oauth2/client/callback</ns:CallbackURI>

<ns:Scope>public</ns:Scope>

<ns:GrantType>OWNER_CREDENTIAL</ns:GrantType>

<ns:Username>eric</ns:Username>

<ns:Password>#!OG7dY1XHxlRknIJxgIx4TE08IXNX6+MhSiSAXov3K34=</ns:Password>

</ns:OAuth>

</ns:CredentialMapping>

</wsp:Policy>

Policy	Type	SubType
Basic Authentication	Authentication	Basic
UsernameToken Authentication	Authentication	UsernameToken
SAML Authentication	Authentication	SAML
Authentication by OAuth	Authentication	OAuth