【Question Title】: WSO2 Identity Server - Issues with XACML V.3 Policy Set under the Try-It of PAP
【Posted】: 2016-06-14 18:36:07
【Question】:

I want to add a PolicySet so that a series of policies run in order, using a Target based on the input field "resource" to define whether a given policy applies. To start testing, I wrote a PolicySet containing a single policy.

The evaluation by the WSO2 PAP fails, showing a result of "NotApplicable", whereas I expect to receive "Permit".

Here is the policy named "cfatest0", created in XML:

   <!--This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com).  Any modification to this file will be lost upon recompilation of the source ALFA file-->
   <xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"  PolicyId="cfatest0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" Version="1.0">
      <xacml3:Description></xacml3:Description>
      <xacml3:PolicyDefaults>
         <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
      </xacml3:PolicyDefaults>
      <xacml3:Target>
         <xacml3:AnyOf>
            <xacml3:AllOf>
               <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">TPS_AE_REST_Policy</xacml3:AttributeValue>
                  <xacml3:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false"></xacml3:AttributeDesignator>
               </xacml3:Match>
            </xacml3:AllOf>
         </xacml3:AnyOf>
      </xacml3:Target>
      <xacml3:Rule Effect="Permit" RuleId="http://axiomatics.com/alfa/identifier/com.red.XACML.permitAll">
         <xacml3:Description></xacml3:Description>
         <xacml3:Target></xacml3:Target>
      </xacml3:Rule>
      <xacml3:Rule Effect="Deny" RuleId="http://axiomatics.com/alfa/identifier/com.red.XACML.checkId">
         <xacml3:Description></xacml3:Description>
         <xacml3:Target></xacml3:Target>
         <xacml3:Condition>
            <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
               <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
                  <xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"></xacml3:Function>
                  <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">claudef@br.red.com</xacml3:AttributeValue>
                  <xacml3:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" MustBePresent="false"></xacml3:AttributeDesignator>
               </xacml3:Apply>
            </xacml3:Apply>
         </xacml3:Condition>
         <xacml3:ObligationExpressions>
            <xacml3:ObligationExpression ObligationId="obligation.displayAttributes" FulfillOn="Deny">
               <xacml3:AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:text" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
                  <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Access denied due to invalid UserID</xacml3:AttributeValue>
               </xacml3:AttributeAssignmentExpression>
            </xacml3:ObligationExpression>
         </xacml3:ObligationExpressions>
      </xacml3:Rule>
      <xacml3:AdviceExpressions>
         <xacml3:AdviceExpression AdviceId="advice.displayAttributes" AppliesTo="Deny">
            <xacml3:AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:text" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
               <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Valid subjectId</xacml3:AttributeValue>
            </xacml3:AttributeAssignmentExpression>
         </xacml3:AdviceExpression>
         <xacml3:AdviceExpression AdviceId="advice.displayAttributes" AppliesTo="Permit">
            <xacml3:AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:text" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
               <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Valid subjectId</xacml3:AttributeValue>
            </xacml3:AttributeAssignmentExpression>
         </xacml3:AdviceExpression>
      </xacml3:AdviceExpressions>
   </xacml3:Policy>

Here is the PolicySet named cfapolicyset1, created in XML:

   <!--This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com).  Any modification to this file will be lost upon recompilation of the source ALFA file-->
   <xacml3:PolicySet xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"  PolicySetId="cfapolicyset1" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:permit-overrides" Version="1.0">
      <xacml3:Description></xacml3:Description>
      <xacml3:PolicySetDefaults>
         <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
      </xacml3:PolicySetDefaults>
      <xacml3:Target>
         <xacml3:AnyOf>
            <xacml3:AllOf>
               <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">TPS_AE_REST_Policy</xacml3:AttributeValue>
                  <xacml3:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false"></xacml3:AttributeDesignator>
               </xacml3:Match>
            </xacml3:AllOf>
         </xacml3:AnyOf>
      </xacml3:Target>
      <xacml3:PolicyIdReference>cfatest0</xacml3:PolicyIdReference>
   </xacml3:PolicySet>

Below is the request generated by the WSO2 "Try-It" tool under the PAP:

<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
    <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">claudef@br.red.com</AttributeValue>
        </Attribute>
    </Attributes>
    <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">TPS_AE_REST_Policy</AttributeValue>
        </Attribute>
    </Attributes>
</Request>

Decision: NotApplicable

Am I missing something in the way the request is sent to the PolicySet? When using the WSO2 advanced policy editor, I get the same error in the response. When testing the policy in isolation in the PAP "Try-It" tool, I receive the correct value, which for that policy is "Permit".

【Discussion】:

    Tags: authorization wso2is xacml abac alfa


    【Answer 1】:

    I tried your request and policies in the Axiomatics Policy Administration Point and I got the desired response, namely Permit + Advice.

    Could it be that you forgot to load the policy in WSO2IS?

    【Comments】:

    • Thanks for testing the case @David Brossard, your hint was correct: the policy referenced in the PolicyReference statement must be present in the source of the PolicySet, placed after the statement xacml3:PolicyIdReference. By supplying the source in a single XML file, the WSO2 PAP tool is able to interpret it correctly without having to load the set and the referenced policy into the PDP. This is helpful for testing.
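The resolution described in the comment above, as an added example (not code from the question, WSO2 or Axiomatics): a Python check that flags PolicyIdReference entries a PDP could not resolve, plus a helper that inlines the referenced policy into the set. The trimmed PolicySet and Policy are constructed stand-ins for cfapolicyset1 and cfatest0; the helper replaces the reference with the Policy element, which is the schema-standard way of embedding it.

```python
# Added example (not from the question, WSO2 or Axiomatics): a pre-load check
# that every PolicyIdReference in a XACML 3.0 PolicySet resolves, plus a helper
# that inlines the referenced Policy so the set is self-contained for Try-It.
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
ET.register_namespace("", XACML)  # serialise with the default namespace

def q(tag):
    """Clark-notation name for a XACML 3.0 core element."""
    return f"{{{XACML}}}{tag}"

# Constructed, trimmed stand-ins for the question's cfapolicyset1 and cfatest0.
POLICYSET_XML = f"""<PolicySet xmlns="{XACML}" PolicySetId="cfapolicyset1" Version="1.0"
  PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:permit-overrides">
  <Target/>
  <PolicyIdReference>cfatest0</PolicyIdReference>
</PolicySet>"""
POLICY_XML = f"""<Policy xmlns="{XACML}" PolicyId="cfatest0" Version="1.0"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
  <Target/>
  <Rule Effect="Permit" RuleId="permitAll"><Target/></Rule>
</Policy>"""

def unresolved_references(policyset_xml, loaded_policy_ids=()):
    """Return ids named by PolicyIdReference/PolicySetIdReference that are neither
    embedded in the set nor among the policies already loaded in the PDP.
    An unresolved reference is the failure the question ran into: the PDP
    never reaches the Permit rule of the referenced policy."""
    root = ET.fromstring(policyset_xml)
    defined = {el.get("PolicyId") for el in root.iter(q("Policy"))}
    defined |= {el.get("PolicySetId") for el in root.iter(q("PolicySet"))}
    defined |= set(loaded_policy_ids)
    refs = [el.text.strip() for tag in ("PolicyIdReference", "PolicySetIdReference")
            for el in root.iter(q(tag)) if el.text]
    return sorted(r for r in refs if r not in defined)

def inline_policy(policyset_xml, policy_xml):
    """Replace the PolicyIdReference matching policy_xml's PolicyId with the
    Policy element itself, so the PolicySet source carries the policy."""
    root = ET.fromstring(policyset_xml)
    policy = ET.fromstring(policy_xml)
    pid = policy.get("PolicyId")
    for parent in list(root.iter()):          # snapshot: the tree is edited below
        for i, child in enumerate(list(parent)):
            if child.tag == q("PolicyIdReference") and (child.text or "").strip() == pid:
                parent.remove(child)
                parent.insert(i, policy)
    return ET.tostring(root, encoding="unicode")
```

Running `unresolved_references` on the set alone reports `cfatest0`; passing the ids already loaded in the PDP, or inlining the policy first, yields an empty list.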