WSO2 XACML - How do I get the list of policies used in a decision?
The XACML standard states that if a request specifies the attribute ReturnPolicyIdList="true", the PDP should return the list of all fully applicable policies and policy sets used in the decision.
I tried this with WSO2 IS 5.0 (latest service pack), but it seems to work only in a few cases. This is the first test policy: it allows write access for the user admin to every file ending in .dcm
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="PolicyTest" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides">
  <Target></Target>
  <Rule RuleId="Rule1" Effect="Permit">
    <Target>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">^.*.dcm$</AttributeValue>
            <AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"></AttributeDesignator>
          </Match>
        </AllOf>
      </AnyOf>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
            <AttributeDesignator MustBePresent="true" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"></AttributeDesignator>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
        <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"></Function>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
        <AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"></AttributeDesignator>
      </Apply>
    </Condition>
  </Rule>
  <Rule RuleId="DefaultRule" Effect="Deny"></Rule>
</Policy>
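If this is the only active policy in the PDP, the XACML response is correct (Permit) and includes the list of IDs of all policies used for the decision: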
<Response>
  <Result>
    <Decision>Permit</Decision>
    <Status>
      <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
    </Status>
    <PolicyIdentifierList>
      <PolicyIdReference>PolicyTest</PolicyIdReference>
    </PolicyIdentifierList>
  </Result>
</Response>
The second error:
TID[-1234] [IS] [2015-07-03 12:41:34,558] ERROR {org.wso2.carbon.identity.entitlement.ui.client.EntitlementServiceClient} - Error occurred while policy evaluation
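How can I make this work? Is there a setting that needs to be changed, or is this a bug?
Thanks, everyone!

According to the XACML standard, if you set ReturnPolicyIdList to true, the PDP should reply with the list of policy and policy set identifiers used in the request.
Below is a sample XACML 3.0 request (it is empty, i.e. it has no attributes).
Below is a sample response: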
<xacml-ctx:Response xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <xacml-ctx:Result>
    <xacml-ctx:Decision>Permit</xacml-ctx:Decision>
    <xacml-ctx:Status>
      <xacml-ctx:StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
    </xacml-ctx:Status>
    <xacml-ctx:PolicyIdentifierList>
      <xacml-ctx:PolicyIdReference Version="1.0">http://www.axiomatics.com/automatic-unique-id/f8d86878-d458-472a-968d-1fd6c9655669</xacml-ctx:PolicyIdReference>
      <xacml-ctx:PolicySetIdReference Version="1.0">http://www.axiomatics.com/automatic-unique-id/21e6e472-d363-4ea9-990d-3fa03512b747</xacml-ctx:PolicySetIdReference>
    </xacml-ctx:PolicyIdentifierList>
  </xacml-ctx:Result>
</xacml-ctx:Response>
The response clearly contains the list of policy identifiers in the PolicyIdentifierList element.
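I tested this on my machine and it works fine. WSO2 is only a partial implementation, so it is either a missing feature or a bug.

Can you post the other policy? I take it you tried the same XACML request as above?
Hi, I added the code of the second policy to the question. The request is the same. Thanks.
I posted on WSO2's Jira. Thank you, David.
I think this is a bug. I will post on WSO2's Jira.
FYI, the Axiomatics website is down right now. We keep our bugs on the website :-)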
TID[-1234] [IS] [2015-07-03 12:41:34,550] ERROR {org.apache.axis2.rpc.receivers.RPCMessageReceiver} - Exception occurred while trying to invoke service method getDecision
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
java.lang.reflect.Method.invoke(Method.java:606)
TID[-1234] [IS] [2015-07-03 12:41:34,558] ERROR {org.wso2.carbon.identity.entitlement.ui.client.EntitlementServiceClient} - Error occurred while policy evaluation
<xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false"
    xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" >
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" >
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" >
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" >
  </xacml-ctx:Attributes>
</xacml-ctx:Request>
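A client-side check for the behaviour discussed above, as an added example that is not part of the original question or answer: it parses an XACML 3.0 response in either the unprefixed or the xacml-ctx-prefixed form shown on this page, extracts the PolicyIdentifierList, and flags a Permit or Deny that carries no policy identifiers although ReturnPolicyIdList="true" was sent. The function name audit_response, its parameter, and the second sample response are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

STATUS_OK = "urn:oasis:names:tc:xacml:1.0:status:ok"
REF_TAGS = ("PolicyIdReference", "PolicySetIdReference")

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop "{ns}" so prefixed and unprefixed forms parse alike

def _kids(elem, name):
    return [c for c in elem if _local(c.tag) == name]

def audit_response(xml_text, policy_ids_requested=True):
    """Return one dict per <Result>: decision, status, policy references, findings."""
    if "<!DOCTYPE" in xml_text:  # an XACML response never needs a DTD
        raise ValueError("DTD not allowed in XACML response")
    root = ET.fromstring(xml_text)
    if _local(root.tag) != "Response":
        raise ValueError("root element is not Response")
    out = []
    for result in _kids(root, "Result"):
        decision = next((d.text.strip() for d in _kids(result, "Decision") if d.text), None)
        status = next((c.get("Value") for s in _kids(result, "Status")
                       for c in _kids(s, "StatusCode")), None)
        refs = [(_local(r.tag), (r.text or "").strip(), r.get("Version"))
                for lst in _kids(result, "PolicyIdentifierList")
                for r in lst if _local(r.tag) in REF_TAGS]
        findings = []
        if status != STATUS_OK:
            findings.append("status not ok: %s" % status)
        # A Permit/Deny comes from at least one applicable policy, so an empty
        # list here means the PDP did not honour ReturnPolicyIdList="true".
        if policy_ids_requested and decision in ("Permit", "Deny") and not refs:
            findings.append("no policy identifiers returned")
        out.append({"decision": decision, "status": status, "policies": refs, "findings": findings})
    return out

# Response shown in the question (unprefixed form).
WITH_LIST = """<Response><Result><Decision>Permit</Decision>
<Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status>
<PolicyIdentifierList><PolicyIdReference>PolicyTest</PolicyIdReference></PolicyIdentifierList>
</Result></Response>"""
# Constructed sample: a Permit that omits the list even though it was requested.
WITHOUT_LIST = """<r:Response xmlns:r="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
<r:Result><r:Decision>Permit</r:Decision>
<r:Status><r:StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></r:Status>
</r:Result></r:Response>"""

if __name__ == "__main__":
    print(audit_response(WITH_LIST), audit_response(WITHOUT_LIST))
```

Logging the returned policy references next to each decision gives an audit trail of which policies produced it; a non-empty findings list marks responses where that trail is missing.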