
XACML 3.0 Request with an additional Attribute is matching even though that attribute is missing in the policy rule

I have an XACML 3.0 policy defined like this:

<?xml version="1.0" encoding="UTF-8"?>
<Policy 
  xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" 
  xmlns:xacml="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" 
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17 http://docs.oasis-open.org/xacml/3.0/xacml-core-v3-schema-wd-17.xsd" PolicyId="Proposal-Rules" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides" Version="1.0">
  <Description>Policy for any proposal.</Description>
  <PolicyDefaults>
    <XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</XPathVersion>
  </PolicyDefaults>
  <Target />
  <Rule Effect="Permit" RuleId="ApproveProposalByDepartmentChair-Rule13a">
    <Description>"Department Chair" can "Approve" a "Whole Proposal" when ApprovedByDepartmentChair = READYFORAPPROVAL and where condition check all department chairs are not approved.</Description>
    <Target>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Department Chair</AttributeValue>
            <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:position.title" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
          </Match>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Whole Proposal</AttributeValue>
            <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:proposal.section" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
          </Match>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">READYFORAPPROVAL</AttributeValue>
            <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:ApprovedByDepartmentChair" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
          </Match>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Approve</AttributeValue>
            <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:proposal.action" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:boolean-equal">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:boolean-one-and-only">
          <AttributeSelector MustBePresent="false" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" Path="//ak:signedByAllChairs/text()" DataType="http://www.w3.org/2001/XMLSchema#boolean"/>
        </Apply>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#boolean">false</AttributeValue>
      </Apply>
    </Condition>
  </Rule>
</Policy>

My XACML request looks like this, with an extra AttributeId="group" containing the value "Computer Engineering".

<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
  <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:position.title" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Department Chair</AttributeValue>
    </Attribute>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:group" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Computer Engineering</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <Content>
      <record xmlns:ak="http://akpower.org">
        <proposal>
          <signedByAllChairs>false</signedByAllChairs>
        </proposal>
      </record>
    </Content>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:3.0:content-selector" IncludeInResult="false">
      <AttributeValue XPathCategory="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression">//ak:record/ak:proposal</AttributeValue>
    </Attribute>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:ApprovedByDepartmentChair" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">READYFORAPPROVAL</AttributeValue>
    </Attribute>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:proposal.section" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Whole Proposal</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:proposal.action" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Approve</AttributeValue>
    </Attribute>
  </Attributes>
</Request>

I was hoping the PEP was going to return NotApplicable, but on the contrary it returns the following response with Permit. Even though the defined policy rule doesn't contain any attribute called "group" in the rule Target, whereas the request is sending a "group" attribute with the value "Computer Engineering", it still returns a match and a Permit response!

<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
    <Result>
        <Decision>Permit</Decision>
        <Status>
            <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok" />
        </Status>
    </Result>
</Response>

Is there something I am missing? I could not figure it out. I am currently using Balana as the PEP implementation for my application.

I have now managed to import your policy inside the Axiomatics Policy Administration Point.

Basic Issues

You had several mistakes:

  1. Your XPath expression uses a prefix ak: (Path="//ak:signedByAllChairs/text()"), but the XPath doesn't contain the definition for ak:.
  2. The AttributeSelector is marked as a boolean, but text() in XPath returns a string, not a boolean. You need to change it to string.
  3. The XML snippet in the XACML request's <Content/> does not actually use the ak: prefix. It does define a namespace with that prefix but never uses it.

Representation of the policy in APS

[Screenshot: policy representation]

Simulating the policy

I simulated your policy and did not get a Permit back. I get Indeterminate. Here is the evaluation trace. There must be something wrong in WSO2 IS, or you forgot to deploy the new policy.

[Screenshot: evaluation trace, Axiomatics Policy Server]

Now, if I clean up the XML you send to have exactly this:

<record xmlns:ak="http://akpower.org">
    <proposal>
        <signedByAllChairs>false</signedByAllChairs>
    </proposal>
</record>

then I get Permit back from the policy.
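As an added example (not code from the question, the answer, Balana or Axiomatics), here is a small stand-alone Python evaluator for the rule in the question. It reduces the rule's Target to the four string-equal Matches and emulates the AttributeSelector with ElementTree's path syntax instead of real XPath, so the paths passed to it are assumptions of this example. It shows why an extra request attribute such as "group" can never turn a Permit into NotApplicable (the Target only looks up the attributes the policy names), and how the undeclared ak: prefix makes the selector fail rather than silently not match. One further point, beyond what the answer says: because the <Content/> snippet in the request never resets the default namespace, its elements inherit the XACML namespace, so an unprefixed path finds nothing either.

```python
"""Added example (not from the question or the answer): a minimal evaluator
for Rule13a. Target matching only consults attributes the policy names, and
the AttributeSelector is emulated with ElementTree paths (not real XPath).
Standard library only."""
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML}
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"

# Rule13a's <Target>: one <AllOf> of string-equal <Match>es, reduced to
# (category, AttributeId, expected value).
RULE13A_ALLOF = [
    (SUBJECT, "urn:oasis:names:tc:xacml:1.0:subject:position.title", "Department Chair"),
    (RESOURCE, "urn:oasis:names:tc:xacml:1.0:resource:proposal.section", "Whole Proposal"),
    (RESOURCE, "urn:oasis:names:tc:xacml:1.0:resource:ApprovedByDepartmentChair", "READYFORAPPROVAL"),
    (ACTION, "urn:oasis:names:tc:xacml:1.0:action:proposal.action", "Approve"),
]

# Constructed request: the question's request, trimmed, with the extra 'group'
# attribute kept. <record> declares ak: but never uses it, and because nothing
# resets xmlns="" its elements inherit the Request's default namespace.
REQUEST_XML = f"""<Request xmlns="{XACML}">
  <Attributes Category="{SUBJECT}">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:position.title">
      <AttributeValue>Department Chair</AttributeValue></Attribute>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:group">
      <AttributeValue>Computer Engineering</AttributeValue></Attribute>
  </Attributes>
  <Attributes Category="{RESOURCE}">
    <Content><record xmlns:ak="http://akpower.org"><proposal>
      <signedByAllChairs>false</signedByAllChairs></proposal></record></Content>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:ApprovedByDepartmentChair">
      <AttributeValue>READYFORAPPROVAL</AttributeValue></Attribute>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:proposal.section">
      <AttributeValue>Whole Proposal</AttributeValue></Attribute>
  </Attributes>
  <Attributes Category="{ACTION}">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:proposal.action">
      <AttributeValue>Approve</AttributeValue></Attribute>
  </Attributes>
</Request>"""


def parse_request(xml_text):
    return ET.fromstring(xml_text)


def attribute_bag(request, category, attribute_id):
    """The bag an AttributeDesignator returns: every AttributeValue of the
    named attribute in the named category, possibly empty."""
    bag = []
    for attrs in request.findall(f"x:Attributes[@Category='{category}']", NS):
        for attr in attrs.findall(f"x:Attribute[@AttributeId='{attribute_id}']", NS):
            bag += [v.text for v in attr.findall("x:AttributeValue", NS)]
    return bag


def target_matches(request, allof):
    """<AllOf>: every <Match> must find its value in the designator's bag.
    Nothing iterates over the request, so attributes the policy never names
    (such as 'group') are never looked at and cannot block a match."""
    return all(expected in attribute_bag(request, cat, aid)
               for cat, aid, expected in allof)


def select_from_content(request, path, prefixes):
    """Emulate the AttributeSelector: evaluate 'path' against the resource
    <Content/>. An undeclared prefix raises SyntaxError, which stands in for
    the undefined 'ak:' prefix in the posted policy."""
    content = request.find(f"x:Attributes[@Category='{RESOURCE}']/x:Content", NS)
    return [node.text for node in content.findall(path, prefixes)]


def evaluate_rule13a(request, selector_path, prefixes):
    """Target, then Condition, as the Permit rule in the question does.
    NotApplicable: target fails or the condition is false.
    Indeterminate: the selector errors out, or one-and-only sees != 1 value."""
    if not target_matches(request, RULE13A_ALLOF):
        return "NotApplicable"
    try:
        bag = select_from_content(request, selector_path, prefixes)
    except SyntaxError:
        return "Indeterminate"
    if len(bag) != 1:  # boolean-one-and-only
        return "Indeterminate"
    return "Permit" if bag[0] == "false" else "NotApplicable"


if __name__ == "__main__":
    req = parse_request(REQUEST_XML)
    print("target matches despite extra 'group':", target_matches(req, RULE13A_ALLOF))
    for path, prefixes in [(".//ak:signedByAllChairs", {}),
                           (".//ak:signedByAllChairs", {"ak": "http://akpower.org"}),
                           (".//signedByAllChairs", {}),
                           (".//x:signedByAllChairs", NS)]:
        print(path, prefixes, "->", evaluate_rule13a(req, path, prefixes))
```

Running it prints a Target match regardless of the extra attribute, Indeterminate for the ak: path both with the prefix undeclared and with it bound to http://akpower.org (the elements are not in that namespace), Indeterminate for the unprefixed path (the elements sit in the inherited XACML namespace), and Permit only once the path names the namespace the elements are actually in. Changing the position.title value to anything other than "Department Chair" makes the Target fail and yields NotApplicable.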

Note: the technical posts on this site follow the CC BY-SA 4.0 license; if you reproduce them, please credit this site or the original source. © 2020-2024 STACKOOM.COM