WSO2 Identity/PAP使用多个语句拒绝条件逻辑(XML编辑器和上载)
当使用包含多个语句的XACML V.3“条件”逻辑时,我在保存新策略时收到一个错误。WSO2 XML编辑器以及策略“上载”函数拒绝下面附加的源代码,并抛出以下错误消息: 错误WSO2 Identity/PAP使用多个语句拒绝条件逻辑(XML编辑器和上载),wso2,identity,xacml,Wso2,Identity,Xacml,当使用包含多个语句的XACML V.3“条件”逻辑时,我在保存新策略时收到一个错误。WSO2 XML编辑器以及策略“上载”函数拒绝下面附加的源代码,并抛出以下错误消息: 错误 Policy uploading failed. Unsupported Entitlement Policy. Policy can not be parsed 或 下面是使用“条件”逻辑的策略的示例代码。源代码以前使用XACML版本3架构进行过验证,并被认为是有效的 源代码示例: <Policy xmlns="
Policy uploading failed. Unsupported Entitlement Policy. Policy can not be parsed
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="cfatest4" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" Version="1.0">
<Target></Target>
<Rule Effect="Deny" RuleId="Deny-Rule1">
<Target></Target>
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
<Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:any-of">
<Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">myGroup</AttributeValue>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<AttributeDesignator
AttributeId="http://w3.RED.com/subject/groupsUserBelong"
DataType="http://www.w3.org/2001/XMLSchema#string"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
MustBePresent="false"/>
</Apply>
</Apply>
</Apply>
</Condition>
<ObligationExpressions>
<ObligationExpression FulfillOn="Deny" ObligationId="groupscheck">
<AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:text">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Rule 1 - The groups validation error</AttributeValue>
</AttributeAssignmentExpression>
</ObligationExpression>
<ObligationExpression ObligationId="debug1" FulfillOn="Deny">
<AttributeAssignmentExpression AttributeId="debug1">
<AttributeDesignator AttributeId="http://w3.RED.com/subject/groupsUserBelong" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"></AttributeDesignator>
</AttributeAssignmentExpression>
</ObligationExpression>
</ObligationExpressions>
</Rule>
<Rule Effect="Permit" RuleId="Permit-Rule1">
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ldap</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Match>
</AllOf>
</AnyOf>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Match>
</AllOf>
</AnyOf>
</Target>
<ObligationExpressions>
<ObligationExpression FulfillOn="Permit" ObligationId="countrycheck">
<AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:text">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Rule 1: The Bluegroups validation passed successfully</AttributeValue>
</AttributeAssignmentExpression>
</ObligationExpression>
</ObligationExpressions>
</Rule>
<ObligationExpressions>
<ObligationExpression FulfillOn="Permit" ObligationId="allchecks">
<AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:text">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">The overall validation passed successfully</AttributeValue>
</AttributeAssignmentExpression>
</ObligationExpression>
</ObligationExpressions>
</Policy>
myGroup
规则1-组验证错误
ldap
阅读
规则1:Bluegroups验证成功通过
整体验证已成功通过
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="cfatest4" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" Version="1.0">
<Target></Target>
<Rule Effect="Deny" RuleId="Deny-Rule1">
<Target></Target>
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
<Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:any-of">
<Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">myGroup</AttributeValue>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<AttributeDesignator
AttributeId="http://w3.RED.com/subject/groupsUserBelong"
DataType="http://www.w3.org/2001/XMLSchema#string"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
MustBePresent="false"/>
</Apply>
</Apply>
</Apply>
</Condition>
<ObligationExpressions>
<ObligationExpression FulfillOn="Deny" ObligationId="groupscheck">
<AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:text">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Rule 1 - The groups validation error</AttributeValue>
</AttributeAssignmentExpression>
</ObligationExpression>
<ObligationExpression ObligationId="debug1" FulfillOn="Deny">
<AttributeAssignmentExpression AttributeId="debug1">
<AttributeDesignator AttributeId="http://w3.RED.com/subject/groupsUserBelong" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"></AttributeDesignator>
</AttributeAssignmentExpression>
</ObligationExpression>
</ObligationExpressions>
</Rule>
<Rule Effect="Permit" RuleId="Permit-Rule1">
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ldap</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Match>
</AllOf>
</AnyOf>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Match>
</AllOf>
</AnyOf>
</Target>
<ObligationExpressions>
<ObligationExpression FulfillOn="Permit" ObligationId="countrycheck">
<AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:text">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Rule 1: The Bluegroups validation passed successfully</AttributeValue>
</AttributeAssignmentExpression>
</ObligationExpression>
</ObligationExpressions>
</Rule>
<ObligationExpressions>
<ObligationExpression FulfillOn="Permit" ObligationId="allchecks">
<AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:text">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">The overall validation passed successfully</AttributeValue>
</AttributeAssignmentExpression>
</ObligationExpression>
</ObligationExpressions>
</Policy>