I'm looking for authorization of users in the policy after the user (email@example.com) is authenticated using a WS-Security Username Token, based on the below condition.
Could you please help with how the above condition can be placed in the "attribute requirements" of the authorization "attribute" filter?
Thanks in advance,
To add more details: in the sample policy that I developed, I use ipfilter, authentication (WS-Security Username Token) and authorization.
For authorization, as I was unable to configure the authorization message attribute, I'm using a compare attribute with the following pattern of "OR" conditions for multiple users.
Authorizing the way you are doing it is not a way I would recommend, as it's not very dynamic. You don't say whether you are using a repository like Active Directory, but in general you would always check whether the authenticated user is a member of a specific group rather than keeping a list of users in a compare filter. You want to avoid having very specific logic in the gateway configuration as much as possible; otherwise you will have to redeploy every time you want to add or remove users, etc.
If you are using Active Directory, you can use the "Retrieve from Directory Server" filter after a successful authentication to retrieve the attributes of that user, normally memberOf, which will give you all the groups the specific user is a member of, and on that data you would do an authorization check.
If you are using the built-in user repository, there is a "Check Group Membership" filter that can be used instead.
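To make the difference between the two approaches concrete, here is an added example (not code from the thread or from the gateway product) of the group-membership check the answer above describes, written in Python against a constructed in-memory directory that stands in for the LDAP/AD lookup. The user container `ou=users,dc=example,dc=com`, the group names, the sample entries and the `lookup` callable are all assumptions; in a real deployment `lookup` would be an LDAP search returning the entry's memberOf values. It also shows the static "OR of user names" pattern the question starts from, and one caveat a practitioner hits in practice: memberOf on a user entry lists only direct groups, so nested groups must be walked (or resolved server-side) if you rely on them.

```python
import re
from collections import deque
from typing import Callable, Dict, List, Optional, Set

Attributes = Dict[str, List[str]]
Lookup = Callable[[str], Optional[Attributes]]

# Constructed sample directory (assumed data, not a real directory).
# Keys are normalized DNs; "memberOf" lists the groups an entry belongs to
# directly, in the mixed case and spacing a server might actually return.
SAMPLE_DIRECTORY: Dict[str, Attributes] = {
    "cn=email@example.com,ou=users,dc=example,dc=com": {
        "memberOf": ["CN=OrderService-Users,OU=Groups,DC=example,DC=com"],
    },
    "cn=bob,ou=users,dc=example,dc=com": {
        "memberOf": ["cn=Contractors, ou=groups, dc=example, dc=com"],
    },
    # authenticated, but in no group at all -> must be denied
    "cn=carol,ou=users,dc=example,dc=com": {"memberOf": []},
    # Contractors is nested inside OrderService-Users; the user's own
    # memberOf attribute does not reveal this.
    "cn=contractors,ou=groups,dc=example,dc=com": {
        "memberOf": ["cn=OrderService-Users,ou=Groups,dc=example,dc=com"],
    },
    "cn=orderservice-users,ou=groups,dc=example,dc=com": {"memberOf": []},
}

USER_BASE = "ou=users,dc=example,dc=com"        # assumed user container
SAFE_USERNAME = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")


def normalize_dn(dn: str) -> str:
    """Case-fold and strip spaces around RDN separators so that
    'CN=X, OU=Y' and 'cn=x,ou=y' compare equal. (Escaped commas are not
    handled; use a real DN parser if your directory contains them.)"""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def in_memory_lookup(dn: str) -> Optional[Attributes]:
    """Stand-in for the directory search; returns None for unknown entries."""
    return SAMPLE_DIRECTORY.get(normalize_dn(dn))


def effective_groups(dn: str, lookup: Lookup, nested: bool = True) -> Set[str]:
    """Groups the entry belongs to: its direct memberOf values, plus, when
    nested=True, the groups those groups belong to. Breadth-first with a
    visited set so circular nesting cannot loop forever."""
    seen: Set[str] = set()
    queue = deque([normalize_dn(dn)])
    while queue:
        entry = lookup(queue.popleft())
        if entry is None:
            continue
        for group in entry.get("memberOf", []):
            g = normalize_dn(group)
            if g not in seen:
                seen.add(g)
                if nested:
                    queue.append(g)
    return seen


def is_authorized(username: str, required_groups: List[str],
                  lookup: Lookup = in_memory_lookup, nested: bool = True) -> bool:
    """Authorization step run after the UsernameToken has been verified:
    allow only if the user is in at least one of the required groups."""
    if not SAFE_USERNAME.match(username):
        # Reject before the name is ever placed in a DN or an LDAP filter.
        return False
    groups = effective_groups(f"cn={username},{USER_BASE}", lookup, nested)
    wanted = {normalize_dn(g) for g in required_groups}
    return bool(groups & wanted)


def authorized_by_user_list(username: str, allowed: List[str]) -> bool:
    """The static alternative the question starts from: an 'OR' of user
    names baked into the policy. Every change means an edit and a redeploy."""
    pattern = re.compile("^(" + "|".join(re.escape(u) for u in allowed) + ")$")
    return pattern.match(username) is not None
```

With `nested=False` the check behaves like a plain memberOf comparison: bob is a Contractor, so he is authorized for a Contractors-only service but not for OrderService-Users unless nested groups are walked. Carol, who authenticates fine but belongs to no group, and any username the directory does not know are both denied, which is the failure mode you want when the attribute lookup returns nothing.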
Thanks for your inputs which worked like magic.
We are using LDAP for authentication, and our web service does not depend on attributes like group, etc.
So, as per your suggestion, we maintain a group of users meant for a specific set of web services to authorize.
So when we add/remove users from the group via API Gateway Manager, we don't need any deployment, right?