Question
Maybe my understanding is wrong, please advise.
Requirement:
(1) User A and user B want to access a web service SayHello.
(2) Only user A has permission.
(3) The SayHello web service simply returns a string "hello".
Previously:
(1) To invoke SayHello, create a client according to SayHello?wsdl. -- Success
(2) Create a proxy service SayHelloProxyService through ESB, host this proxy service to SayHello service, create a client according to SayHelloProxyService?wsdl. -- Success
Now:
Add Identity Server inside and only give user A access permission, something like the following diagram:

Question:
For now, I'm thinking: if I still want to invoke SayHelloProxyService, should I change the client's code, carrying some tokens like username or something to SayHelloProxyService? If so, how do I write the client code? Maybe my understanding is totally wrong, but a small example regarding this would be a great help. Does anyone know about this?
Thank you in advance.
Answer 1:
My understanding is that you are setting the wrong permissions. Role permissions in "Configure > Users and Roles > Roles" are only valid locally for the server itself, which is IS in your scenario, but not for external services.
If you need IS to authorize some service, rather than changing your client's code, you might want to create a simple XACML policy like it is described in [1], and enable WSO2IS as a policy decision point.
[1] http://wso2.org/library/articles/2010/10/using-xacml-fine-grained-authorization-wso2-platform
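
A minimal policy of the kind the answer describes, added here as an example and not taken from the answer or from WSO2's documentation: it permits subject A on the proxy service and denies every other subject, in XACML 3.0 syntax (assumed to be accepted by the Identity Server version in use). The PolicyId, the RuleId, and the exact resource-id and subject-id strings the ESB sends to the policy decision point are assumptions.

```xml
<!-- Added example. PolicyId and RuleId are hypothetical names. -->
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="SayHelloProxyServiceAccess"
        Version="1.0"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
  <!-- Policy target: applies only to requests for the proxy service.
       Assumption: the enforcement point sends the service name as resource-id;
       if it sends a full URL, this value has to match that URL instead. -->
  <Target>
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SayHelloProxyService</AttributeValue>
          <AttributeDesignator
              Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
              AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
              DataType="http://www.w3.org/2001/XMLSchema#string"
              MustBePresent="true"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
  <!-- The only Permit rule: subject-id must equal "A" (user A from the question).
       Assumption: the authenticated user name arrives as subject-id. -->
  <Rule RuleId="permit-user-A" Effect="Permit">
    <Target>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">A</AttributeValue>
            <AttributeDesignator
                Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                DataType="http://www.w3.org/2001/XMLSchema#string"
                MustBePresent="true"/>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
  </Rule>
  <!-- No rule matches user B, so deny-unless-permit returns Deny for B
       (and for any request to this service that carries no subject-id). -->
</Policy>
```

With deny-unless-permit, a request that reaches this policy never yields NotApplicable or Indeterminate, so the enforcement point does not have to decide what a non-decision means.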
Source: https://stackoverflow.com/questions/15634019/wso2-how-to-integrate-esb-with-identity-server