
XACML Custom RuleCombining algorithm in wso2


I am a user of WSO2 IS and I need to add a custom RuleCombining algorithm to my WSO2 IS. I am using this example of Balana, and when I create this Policy in the WSO2 IS I get this error: "Unsupported Entitlement Policy. Policy can not be parsed". This is the log of the WSO2 IS:

ERROR {org.wso2.carbon.identity.entitlement.pap.PAPPolicyReader} -  Error while parsing the policy org.wso2.balana.ParsingException: Error parsing combining algorithm in Policy 
Caused by: org.wso2.balana.UnknownIdentifierException: unknown combining algId: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:highest-effect
        at org.wso2.balana.combine.BaseCombiningAlgFactory.createAlgorithm(BaseCombiningAlgFactory.java:138)
        at org.wso2.balana.AbstractPolicy.<init>(AbstractPolicy.java:237)

Edited:

Thank you for the answer David,

On the same example page we can read that we can extend the WSO2 IS with custom functions, algorithms and data types by adding a Balana configuration file:

However, if you want WSO2 Identity Server to initialize Balana by reading a configuration file, you can do so by creating a new configuration file called “balana-config.xml” under the /repository/conf/security directory. As an example, say you want to add a new rule combining algorithm to work with the WSO2 Identity Server entitlement engine. Then you can follow the same way that is used to configure it with Balana. Please refer to this blog post for more details. However, I would like to summarize the steps to follow.

But after following the steps it doesn't seem to be working.

Any other help in this issue will be appreciated.

I am considering Axiomatics as the XACML engine, but it seems very difficult to get a version for testing or inception purposes. Can you shed any light on this concern?
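For reference, this is the shape of a Balana configuration file that registers an extra rule-combining algorithm, as the quoted page describes (an added illustration, not code from the original post or from the WSO2 project). It assumes the Sun XACML-style config format that Balana inherits; the file path, the class name and the non-OASIS identifier are placeholders.

```xml
<!-- Placeholder balana-config.xml; assumed location: <IS_HOME>/repository/conf/security/balana-config.xml -->
<config defaultPDP="pdp"
        defaultAttributeFactory="attr"
        defaultCombiningAlgFactory="comb"
        defaultFunctionFactory="func">

  <!-- PDP definition; the server's own policy/attribute finder modules are not listed here -->
  <pdp name="pdp"/>

  <!-- Keep every standard data type and function; the custom algorithm is only added on top -->
  <attributeFactory name="attr" useStandardDatatypes="true"/>
  <functionFactory name="func" useStandardFunctions="true"/>

  <combiningAlgFactory name="comb" useStandardAlgorithms="true">
    <!-- Placeholder class (assumption): it extends org.wso2.balana.combine.RuleCombiningAlgorithm,
         ships in a jar the server loads, and reports its own identifier, which must be the exact
         string used in the policy's RuleCombiningAlgId attribute. Use a namespace you control,
         e.g. urn:example:xacml:rule-combining-algorithm:highest-effect, never an urn:oasis:... one,
         so a custom algorithm can never be mistaken for a standard one. -->
    <algorithm class="com.example.xacml.HighestEffectRuleAlg"/>
  </combiningAlgFactory>
</config>
```

The "unknown combining algId" error in the log above is exactly what the PDP reports when the identifier in the policy is not registered in the combining-algorithm factory it was initialized with.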


Solution

  • It is impossible to extend the WSO2 IS with a custom combining algorithm. The post you link to states:

    WSO2 Identity Server does not deal with those, because most of the applications use the standard set of functions, attributes and combining algorithms that is defined in the XACML specification. Therefore, by default, WSO2 Identity Server initializes the Balana instance with the default standard configuration.

    If you want to use a combining algorithm, use the Axiomatics Policy Server instead.

    Side note: why do you want a combining algorithm? You should try to stick to standard combining algorithms. What does urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:highest-effect do? Also, you cannot use the OASIS namespace for your combining algorithm.