Question

I'm trying to create a policy XML to secure my proxy service. I took a policy XML example like this, but I'm not able to add the user to user groups. When I give the URL of my policy it marks it as secured, but if you look at the properties, the type of security is UsernameToken while the User Groups list is empty.

    <wsp:Policy wsu:Id="UTOverTransport" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <wsp:ExactlyOne>
            <wsp:All>
                <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                    <wsp:Policy>
                        <sp:TransportToken>
                            <wsp:Policy>
                                <sp:HttpsToken RequireClientCertificate="false"></sp:HttpsToken>
                            </wsp:Policy>
                        </sp:TransportToken>
                        <sp:AlgorithmSuite xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                            <wsp:Policy>
                                <sp:Basic256></sp:Basic256>
                            </wsp:Policy>
                        </sp:AlgorithmSuite>
                        <sp:Layout>
                            <wsp:Policy>
                                <sp:Lax></sp:Lax>
                            </wsp:Policy>
                        </sp:Layout>
                        <sp:IncludeTimestamp></sp:IncludeTimestamp>
                    </wsp:Policy>
                </sp:TransportBinding>
                <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                    <wsp:Policy>
                        <sp:UsernameToken xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy" sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                        </sp:UsernameToken>
                    </wsp:Policy>
                </sp:SignedSupportingTokens>
            </wsp:All>
        </wsp:ExactlyOne>
        <rampart:RampartConfig xmlns:rampart="http://ws.apache.org/rampart/policy">
            <rampart:encryptionUser>useReqSigCert</rampart:encryptionUser>
            <rampart:timestampPrecisionInMilliseconds>true</rampart:timestampPrecisionInMilliseconds>
            <rampart:timestampTTL>300</rampart:timestampTTL>
            <rampart:timestampMaxSkew>300</rampart:timestampMaxSkew>
            <rampart:timestampStrict>false</rampart:timestampStrict>
            <rampart:tokenStoreClass>org.wso2.carbon.security.util.SecurityTokenStore</rampart:tokenStoreClass>
            <rampart:nonceLifeTime>300</rampart:nonceLifeTime>
            <rampart:user>admin</rampart:user>
            <rampart:passwordcallbackclass>org.wso2.carbon.digestpwd.PWCBHandler</rampart:passwordcallbackclass>
        </rampart:RampartConfig>
    </wsp:Policy>

Solution

According to the UsernameToken specification, it only talks about authentication. The user/password that is sent in the UsernameToken is validated. It does not talk about access control (RBAC). Therefore you cannot define the roles in the policy. You can only use this policy to verify authentication...

As you have talked about WSO2 ESB, in ESB they have provided some modifications to support access control in the UsernameToken policy. The place that they have extended is the password callback handler. In the WSO2 custom password handler, it checks both authentication and access control. You can find the source of the WSO2 password handler from here. I guess you can secure the proxy services using the management console that ESB has provided. In this management console, you can configure the UsernameToken security policy and define allowed roles. These roles are not saved in the policy, but rather in a database that WSO2 ESB has.
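To make the answer's point concrete, here is an added example (not the question's policy and not WSO2's own `PWCBHandler` source) of a Rampart/WSS4J password callback handler that performs authentication through the UsernameToken password and, separately, a role check that never appears in the policy XML. It assumes the WSS4J 1.x `WSPasswordCallback` API and uses an in-memory user/role table as a stand-in for the WSO2 user store and its "allowed roles" configuration.

```java
// Added example, not WSO2 code: a Rampart-style password callback handler that
// does authentication (UsernameToken password) plus a role check the policy
// itself cannot express. Assumptions: WSS4J 1.x WSPasswordCallback API; the
// user store and allowed roles are an in-memory stand-in for the WSO2 realm.
import java.io.IOException;
import java.util.Map;
import java.util.Set;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

public class RoleCheckingPWCBHandler implements CallbackHandler {

    // Constructed sample data: user -> password and user -> roles.
    private static final Map<String, String> PASSWORDS = Map.of(
            "admin", "admin-pass", "alice", "alice-secret");
    private static final Map<String, Set<String>> ROLES = Map.of(
            "admin", Set.of("admin", "proxy-user"),
            "alice", Set.of("viewer"));
    // Role required to invoke this proxy. In WSO2 ESB this comes from the
    // management console's allowed-roles setting, not from the policy XML.
    private static final String REQUIRED_ROLE = "proxy-user";

    @Override
    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "Unrecognized callback");
            }
            WSPasswordCallback pwcb = (WSPasswordCallback) cb;
            if (pwcb.getUsage() != WSPasswordCallback.USERNAME_TOKEN) {
                throw new UnsupportedCallbackException(cb, "Unsupported usage");
            }
            String user = pwcb.getIdentifier();
            // Access control: unknown users and users lacking the role are
            // refused before any password is handed back, so WSS4J can never
            // complete authentication for them.
            Set<String> roles = ROLES.getOrDefault(user, Set.of());
            if (!roles.contains(REQUIRED_ROLE)) {
                throw new UnsupportedCallbackException(cb,
                        "User '" + user + "' is not in role " + REQUIRED_ROLE);
            }
            // Authentication: give WSS4J the stored password; it verifies the
            // digest (or plaintext) carried in the UsernameToken against it.
            pwcb.setPassword(PASSWORDS.get(user));
        }
    }
}
```

Wire the class in through `rampart:passwordcallbackclass` in place of the WSO2 handler; with this arrangement the role list is changed in the handler's backing store, which is why the policy's User Groups view stays empty.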

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow