Enabling and configuring the TESB PEP - 7.1

Talend ESB Infrastructure Services Configuration Guide

Version: 7.1
Language: English (United States)
Product: Talend Data Fabric, Talend Data Services Platform, Talend ESB, Talend MDM Platform, Talend Open Studio for ESB, Talend Real-Time Big Data Platform
Module: Talend ESB, Talend Runtime
Content: Design and Development, Installation and Upgrade

To enable authorization on a TESB service endpoint, it is necessary to install the TESB PEP (Policy Enforcement Point) interceptor. This can be done in a number of different ways. The easiest way for a JAX-WS based endpoint is to use the following WS-Policy expression:

<tpa:Authorization xmlns:tpa="http://types.talend.com/policy/assertion/1.0" type="XACML" />

This will automatically install the PolicyEnforcementPoint interceptor and ensure that only authorized requests invoke on the endpoint. When the PEP is installed in this way, an additional property ("tesb.pdp.address") is needed to tell the PEP where to find the PDP (Policy Decision Point). This can be done in the "etc/org.talend.esb.authorization.pdp.cfg" configuration file, by setting a value for the "tesb.pdp.address" property. Alternatively, it can be set as a property on the endpoint, e.g.:

<jaxws:server ...>
    <jaxws:properties>
        <entry key="tesb.pdp.address" 
               value="https://localhost:9001/services/pdp/authorize"/>
    </jaxws:properties> 
</jaxws:server>

See the 'syncope-esb-xacml' example for more information on adding the PolicyEnforcementPoint to a JAX-WS service endpoint. It is also possible to create the PEP interceptor and add it directly to the CXF interceptor chain for the endpoint. For example:

<bean
    class="org.talend.esb.authorization.xacml.rt.pep.CXFXACMLAuthorizingInterceptor" 
    id="XACMLInterceptor">
    <property name="pdpAddress" 
              value="https://localhost:9001/services/pdp/authorize"/>
</bean>

This can then be added to the Interceptor chain of a JAX-WS endpoint via:

<jaxws:endpoint ...>
    <jaxws:inInterceptors>
        <ref bean="XACMLInterceptor"/>
    </jaxws:inInterceptors>
</jaxws:endpoint>

The PEP can also be added to the Interceptor chain of a JAX-RS endpoint via:

<jaxrs:server ...>
    <jaxrs:inInterceptors>
        <ref bean="XACMLInterceptor"/>
    </jaxrs:inInterceptors>
</jaxrs:server>

See the 'syncope-esb-xacml-rest' example for more information on adding the PolicyEnforcementPoint to a JAX-RS service endpoint. An example of how to use the co-located PDP is given in the 'syncope-esb-xacml-coloc' example. In this example, the service provider obtains the PDP from the OSGi registry via:

<reference id="pdpBean"  
   interface="org.talend.esb.authorization.xacml.pdp.PolicyDecisionPoint"/>

<bean class="org.talend.esb.authorization.xacml.rt.pep.CXFXACMLAuthorizingInterceptor"
    id="XACMLInterceptor">
    <property name="policyDecisionPoint" ref="pdpBean"/>
</bean>
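The following is an added example, not taken from the Talend guide or the syncope examples: a complete Blueprint context for Talend Runtime that wires the PEP interceptor into a JAX-RS endpoint (as in the jaxrs:server snippet above) and takes the PDP address from "etc/org.talend.esb.authorization.pdp.cfg" through a property placeholder rather than hard-coding it. The resource class com.example.OrderResource, the endpoint address "/orders" and the bean ids are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the Talend guide): Blueprint context that installs
     the XACML PEP on a JAX-RS endpoint and reads tesb.pdp.address from
     etc/org.talend.esb.authorization.pdp.cfg instead of hard-coding it. -->
<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
           xmlns:cm="http://aries.apache.org/blueprint/xmlns/blueprint-cm/v1.1.0"
           xmlns:jaxrs="http://cxf.apache.org/blueprint/jaxrs">

    <!-- persistent-id is the cfg file name without the .cfg suffix. The default
         value below is used only if the file does not define the key. -->
    <cm:property-placeholder persistent-id="org.talend.esb.authorization.pdp"
                             update-strategy="reload">
        <cm:default-properties>
            <cm:property name="tesb.pdp.address"
                         value="https://localhost:9001/services/pdp/authorize"/>
        </cm:default-properties>
    </cm:property-placeholder>

    <!-- The PEP interceptor; pdpAddress is resolved from the placeholder above. -->
    <bean id="XACMLInterceptor"
          class="org.talend.esb.authorization.xacml.rt.pep.CXFXACMLAuthorizingInterceptor">
        <property name="pdpAddress" value="${tesb.pdp.address}"/>
    </bean>

    <!-- Hypothetical JAX-RS resource class (assumption); replace with the real one. -->
    <bean id="orderResource" class="com.example.OrderResource"/>

    <!-- Every inbound request passes through the PEP before the resource is invoked. -->
    <jaxrs:server id="orderService" address="/orders">
        <jaxrs:serviceBeans>
            <ref component-id="orderResource"/>
        </jaxrs:serviceBeans>
        <jaxrs:inInterceptors>
            <ref component-id="XACMLInterceptor"/>
        </jaxrs:inInterceptors>
    </jaxrs:server>
</blueprint>
```

Blueprint uses `<ref component-id="..."/>` where the Spring snippets in this section use `<ref bean="..."/>`; the interceptor bean itself is configured identically in both.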