具有多个条件的 XACML 3.0 策略

【问题标题】:XACML 3.0 policy with multiple conditions具有多个条件的 XACML 3.0 策略
【发布时间】:2014-04-15 16:44:38
【问题描述】:

我需要定义一个允许请求的策略

  • 资源 /tenant-3/*
  • 对于属于财务角色和组织工资的用户

wso2is 编辑器不接受我定义的条件作为标准 XACML.3.0 策略。 有人能告诉我如何定义这样的政策吗? 会很好 ? 问候 Vpl

<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="tenant-3" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" Version="1.0">
   <Target>
      <AnyOf>
         <AllOf>
            <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/tenant-3/*</AttributeValue>
               <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
            </Match>
         </AllOf>
      </AnyOf>
   </Target>
   <Rule Effect="Permit" RuleId="rule-1">
      <Condition>
         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">finance</AttributeValue>
            <AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
         </Apply>
         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">payrol</AttributeValue>
            <AttributeDesignator AttributeId="http://wso2.org/claims/organization" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
         </Apply>

      </Condition>
   </Rule>
</Policy>

【问题讨论】:

    标签: xacml xacml3


    【解决方案1】:

    您的政策无效。根据您的情况,您需要使用 urn:oasis:names:tc:xacml:1.0:function:and 函数将两个 &lt;Apply/&gt; 元素合并到一个 &lt;Apply/&gt; 元素中。

    我更新了您的策略,它在 Axiomatics 策略服务器中运行良好:

    <xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="tenant-3" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
<xacml3:PolicyDefaults><xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion></xacml3:PolicyDefaults>
  <xacml3:Target>
    <xacml3:AnyOf>
      <xacml3:AllOf>
        <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
          <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/tenant-3/*</xacml3:AttributeValue>
          <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"  AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
        </xacml3:Match>
      </xacml3:AllOf>
    </xacml3:AnyOf>
  </xacml3:Target>
  <xacml3:Rule RuleId="rule-1" Effect="Permit">
    <xacml3:Condition >
      <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
        <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
          <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">finance</xacml3:AttributeValue>
          <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"  AttributeId="http://wso2.org/claims/role" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
        </xacml3:Apply>
        <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
          <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">payrol</xacml3:AttributeValue>
          <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"  AttributeId="http://wso2.org/claims/organization" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
        </xacml3:Apply>
      </xacml3:Apply>
    </xacml3:Condition>
  </xacml3:Rule>
</xacml3:Policy>

    请注意,您不需要像您所做的那样简单的比较条件。您可以使用&lt;Target/&gt; 重写您的整个策略,如下所示:

    <xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="tenant-3" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
  <xacml3:Description></xacml3:Description>
<xacml3:PolicyDefaults><xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion></xacml3:PolicyDefaults>
  <xacml3:Target>
    <xacml3:AnyOf>
      <xacml3:AllOf>
        <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
          <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/tenant-3/*</xacml3:AttributeValue>
          <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"  AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
        </xacml3:Match>
      </xacml3:AllOf>
    </xacml3:AnyOf>
  </xacml3:Target>
  <xacml3:Rule RuleId="rule-1" Effect="Permit">
    <xacml3:Description></xacml3:Description>
    <xacml3:Target>
      <xacml3:AnyOf>
        <xacml3:AllOf>
          <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">finance</xacml3:AttributeValue>
            <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"  AttributeId="http://wso2.org/claims/role" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
          </xacml3:Match>
          <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">payrol</xacml3:AttributeValue>
            <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"  AttributeId="http://wso2.org/claims/organization" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
          </xacml3:Match>
        </xacml3:AllOf>
      </xacml3:AnyOf>
    </xacml3:Target>
  </xacml3:Rule>
</xacml3:Policy>

    这是 Axiomatics Policy Administration Point 中的屏幕截图:

    注意你有一个错字:payrol 应该写成payroll

    【讨论】:

      猜你喜欢
      • 1970-01-01
      • 2023-03-17
      • 1970-01-01
      • 1970-01-01
      • 2020-01-23
      • 2017-03-13
      • 2022-10-13
      • 1970-01-01
      • 1970-01-01
      相关资源
      最近更新 更多
      热门标签
      Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode