Use the PolicyManagement Web service to manage the updateable policy remotely. UpdateablePolicy provides methods for modifying permissions at runtime and for managing roles. You can find a detailed description of this Web service in The Authorization Model in WSO2 SOA Enablement Server.
The PolicyManagement Web service is accessible at http://localhost:6060/admin/policymanagement (assuming that the WSO2 SOA Enablement Server is running on localhost and the default ports). Note that if the WSO2 SOA Enablement Server is running in secure mode, this service is protected by both authentication and authorization.
The PolicyManagement Web service is manipulated through the methods of the PolicyManagement interface in org.systinet.wasp.admin. Use these methods to:
Add permissions to, and remove them from, a principal or a role
Get information about roles and principals
Test policies
For details on these methods, please see the API for org.systinet.wasp.admin.PolicyManagement.
Permissions are related to an object through its identifier. To get the identifier of a package, service instance, service endpoint or method, use org.systinet.wasp.admin.security.PermissionHelper.
The methods of the PolicyManagement Web service have restricted access. To call one of these methods, the caller must hold the relevant org.systinet.security.perm.ACLPermission with the associated actions.
ACLPermission extends the standard java.security.Permission class and has two required attributes: name and actions. These attributes specify the level of access to permission management. Their usage is described in the Javadoc for ACLPermission.
Even without an ACLPermission, you can always grant or revoke permissions on objects you own. You own an object if you hold DelegatePermission for it. It is also possible to remove permissions from yourself. To get principal entries from the policy you must own at least one object (such as a deployed package) or you must have permission to deploy packages.
The PolicyManagement interface provides remote access to the security policy, which may be read-only. If the policy is read-only (which usually means that security has not been installed), it cannot be used remotely: almost all methods throw an AccessControlException with the message 'Security policy is read-only.'
For complete information about the PolicyManagement Web service and its PolicyManagement interface, please review the Javadoc for org.systinet.wasp.admin.PolicyManagement and the Web service's WSDL.
Permissions are related to an object through the object's identifier. To get the identifier of a package, service instance, service endpoint or method, use PermissionHelper.
addPermission(codeSource, principal, permission)
Adds a single permission to the specified principal. Returns true if the permission was added, or false if it could not be added because the principal already holds the permission.
addPermissions(codeSource, principal, permissionCollection)
Adds a collection of permissions to the specified principal.
addPermissionToRole(roleName, permission)
Adds a permission to the role. Returns true if the permission was added, or false if it could not be added.
Returns an enumeration of principal entries.
getPrincipalEntries(permission)
Returns an enumeration of the principal entries that have been granted the specified atomic permission. A permission is atomic if neither its name nor its actions is a composed value.
getPrincipalPermissions(codeSource,principal)
Returns the permissions associated with the principal, typically those supplied by a grant entry for this principal. Permissions inherited from the roles the principal belongs to are not returned.
getPrincipalPermissions(codeSource,principal,roleInherited)
Returns the permissions associated with the principal, typically those supplied by a grant entry for this principal. Permissions inherited from the roles the principal belongs to are returned only if the roleInherited flag is true.
Returns an iterator of role names.
Gets the permissions of the role.
Tests whether this policy can manage roles.
Tests whether this policy is really updateable or is read-only.
removePermission(codeSource, principal, permission)
Removes a permission from the specified principal. Returns true if the permission was removed, or false if it could not be removed.
removePermissionFromRole(roleName, permission)
Removes a permission from the specified role. Returns true if the permission was removed, or false if it could not be removed.
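The following is an added example, not code from the product documentation, showing one way to use the methods above from a client: grant an ACLPermission to a principal, then compare the principal's direct grants with its effective permissions (roleInherited = true) so that permissions picked up through role membership are visible, and handle the AccessControlException raised when the policy is read-only or the caller lacks the required ACLPermission. It assumes a WASP-style Registry.lookup for obtaining the client proxy, String-typed codeSource and principal parameters, a PermissionCollection return type for getPrincipalPermissions and an ACLPermission(name, actions) constructor; verify each against the PolicyManagement and ACLPermission Javadoc before use.

```java
import java.security.AccessControlException;
import java.security.Permission;
import java.security.PermissionCollection;
import java.util.Enumeration;

import org.systinet.security.perm.ACLPermission;
import org.systinet.wasp.admin.PolicyManagement;
import org.systinet.wasp.webservice.Registry;

/** Grant one permission and audit the principal's direct vs. effective permissions. */
public class GrantAndVerify {
    public static void main(String[] args) throws Exception {
        // Assumption: Registry.lookup returns a client proxy for the remote interface.
        PolicyManagement pm = (PolicyManagement) Registry.lookup(
                "http://localhost:6060/admin/policymanagement", PolicyManagement.class);

        // Placeholders: obtain real object identifiers via PermissionHelper.
        String codeSource = "<code-source>";
        String principal = "<principal-name>";
        // Assumption: ACLPermission(name, actions), as for any java.security.Permission subclass.
        Permission perm = new ACLPermission("<object-identifier>", "read");

        try {
            // addPermission is idempotent: false means the principal already held it.
            boolean added = pm.addPermission(codeSource, principal, perm);
            System.out.println(added ? "granted" : "already held, nothing changed");

            // Direct grants only (roles not followed) ...
            PermissionCollection direct = pm.getPrincipalPermissions(codeSource, principal);
            // ... versus effective permissions including those inherited from roles.
            PermissionCollection effective = pm.getPrincipalPermissions(codeSource, principal, true);
            System.out.println("direct implies " + perm + ": " + direct.implies(perm));
            System.out.println("effective implies " + perm + ": " + effective.implies(perm));

            // Anything effective but not directly granted came through role membership;
            // this is what a least-privilege review of the principal should look at.
            for (Enumeration<Permission> e = effective.elements(); e.hasMoreElements();) {
                Permission p = e.nextElement();
                if (!direct.implies(p)) {
                    System.out.println("inherited via role: " + p);
                }
            }
        } catch (AccessControlException ex) {
            // Raised when the policy is read-only ('Security policy is read-only.')
            // or when the caller lacks the ACLPermission needed for this operation.
            System.err.println("Policy update refused: " + ex.getMessage());
        }
    }
}
```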