OAuth 2.0: protecting a REST API using WSO2 IS and an XACML policy
Tags: oauth-2.0, wso2esb, wso2is, xacml, abac

I am trying to protect my REST API (in WSO2 ESB) using the OAuth mediator and WSO2 IS. I want to allow a user with a valid token when the request matches a specific URI (a call through the ESB, e.g. /sample/test) and also matches other conditions, such as scope_name and client_ip. I can check username and scope_name in the XACML policy and permit it, but I want to add client_id and the specific URI as well.

Here is my sample REST API in WSO2 ESB:
<!-- Sample API: logs the caller's address, validates the bearer token against WSO2 IS
     through the OAuth mediator, then responds with a fixed JSON body. -->
<api xmlns="http://ws.apache.org/ns/synapse" name="sample" context="/sample">
  <resource methods="GET" uri-template="/test">
    <inSequence>
      <log level="custom">
        <property name="ip address" expression="get-property('axis2','REMOTE_ADDR')"/>
      </log>
      <!-- Token validation call to the Identity Server (admin credentials are hard-coded here) -->
      <oauthService remoteServiceUrl="https://localhost:9444/services/" username="admin" password="admin"/>
      <payloadFactory media-type="json">
        <format>{"result":true}</format>
        <args/>
      </payloadFactory>
      <respond/>
    </inSequence>
  </resource>
</api>
The following XACML configuration denies unless a rule permits. It only permits on scope_name and username and not on the other conditions (client IP and the specific API URI). It should permit only requests to the /sample/* URI and from, for example, the 10.2.3.4 IP, but I don't know how to do that.
<!-- deny-unless-permit: any request that no Permit rule covers is denied. -->
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="Apolicy2" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit" Version="1.0">
  <!-- Policy target: applies only when the resource-id matches /sample/.* -->
  <Target>
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/sample/.*</AttributeValue>
          <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
  <!-- rule-1: permit when the username is soheyl AND the scope is samplescope ... -->
  <Rule Effect="Permit" RuleId="rule-1">
    <Target>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">soheyl</AttributeValue>
            <AttributeDesignator AttributeId="http://wso2.org/identity/user/username" Category="http://wso2.org/identity/user" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
          </Match>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">samplescope</AttributeValue>
            <AttributeDesignator AttributeId="http://wso2.org/identity/oauth-scope/scope-name" Category="http://wso2.org/identity/oauth-scope" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
    <!-- ... AND the service provider name is samplesp -->
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
          <AttributeDesignator AttributeId="http://wso2.org/identity/sp/sp-name" Category="http://wso2.org/identity/sp" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
        </Apply>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">samplesp</AttributeValue>
      </Apply>
    </Condition>
  </Rule>
</Policy>
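The check the question asks for, a Permit that also requires a specific client IP, written out as an added example policy; it is not code from the question or from the answer below, and it has not been run against a WSO2 deployment. It keeps the question's URI, username, scope and sp-name checks and adds one Match on a client-IP attribute; the attribute id urn:example:client-ip and its environment category are assumptions, and the PEP has to put that attribute into the XACML request, since nothing on this page shows the oauthService mediator forwarding the caller's address.

```xml
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="sample-api-ip-policy" Version="1.0"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
  <!-- Policy applies only to resources under /sample/ (same check as the question's policy). -->
  <Target>
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/sample/.*</AttributeValue>
          <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
              DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
  <Rule Effect="Permit" RuleId="permit-sample-from-trusted-ip">
    <Target>
      <AnyOf>
        <!-- Every Match inside one AllOf must hold (AND); a second AllOf under AnyOf would be an OR alternative. -->
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">soheyl</AttributeValue>
            <AttributeDesignator AttributeId="http://wso2.org/identity/user/username" Category="http://wso2.org/identity/user"
                DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
          </Match>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">samplescope</AttributeValue>
            <AttributeDesignator AttributeId="http://wso2.org/identity/oauth-scope/scope-name" Category="http://wso2.org/identity/oauth-scope"
                DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
          </Match>
          <!-- Added client-IP check. Attribute id and category are ASSUMED and the PEP must send the attribute:
               with MustBePresent="true" a missing attribute gives Indeterminate, which deny-unless-permit turns into Deny. -->
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">10.2.3.4</AttributeValue>
            <AttributeDesignator AttributeId="urn:example:client-ip" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
                DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
          <AttributeDesignator AttributeId="http://wso2.org/identity/sp/sp-name" Category="http://wso2.org/identity/sp"
              DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
        </Apply>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">samplesp</AttributeValue>
      </Apply>
    </Condition>
  </Rule>
</Policy>
```

Before relying on the IP match, confirm which attributes the token-validation request actually carries (the Identity Server's XACML request logs show them); a rule that never sees the attribute will deny every call.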
Add a rule at the end of rule-1 as below and try again.
Thanks for your answer, but this is not my answer. I set the "rule combining algorithm" to "deny-unless-permit". I need a rule that permits only a specific IP when a specific URL (resource) is called. I have updated the question to clarify this. @Gayan - I have clarified the question in the new question. Please check.