Where to double-check attributes of the XACML-request against Attribute-Providers at the PDP?
I'm evaluating PDP engines and at the moment I'm giving AuthzForce Core a try. Evaluating a Request with the PDP runs pretty solidly so far:
    // Imports and the class wrapper are added so the snippet compiles as a whole; the package
    // names are those of AuthzForce CE Core and the XACML 3.0 JAXB model and may differ between versions.
    import java.io.File;

    import oasis.names.tc.xacml._3_0.core.schema.wd_17.DecisionType;
    import oasis.names.tc.xacml._3_0.core.schema.wd_17.Request;
    import oasis.names.tc.xacml._3_0.core.schema.wd_17.Response;
    import oasis.names.tc.xacml._3_0.core.schema.wd_17.Result;
    import org.ow2.authzforce.core.pdp.api.PdpEngineInoutAdapter;
    import org.ow2.authzforce.core.pdp.api.XmlUtils;
    import org.ow2.authzforce.core.pdp.api.io.XacmlJaxbParsingUtils;
    import org.ow2.authzforce.core.pdp.impl.PdpEngineAdapters;
    import org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration;

    public class EvaluateRequest {
        public static void main(String[] args) throws Exception {
            // My request and pdp configuration files
            File confLocation = new File("D:/docs/XACML/AuthZForce/IIA001/pdp.xml"); // pdp.xml tells the pdp where the policies xml files are
            File requestFile = new File("D:/docs/XACML/AuthZForce/IIA001/Request.xml");
            // I instantiate the pdp engine and the xacml parser
            final PdpEngineConfiguration pdpEngineConf = PdpEngineConfiguration.getInstance(confLocation, null, null);
            PdpEngineInoutAdapter<Request, Response> pdp = PdpEngineAdapters.newXacmlJaxbInoutAdapter(pdpEngineConf);
            // getInstance() on the parser factory yields the parser itself
            XmlUtils.XmlnsFilteringParser xacmlParser = XacmlJaxbParsingUtils.getXacmlParserFactory(false).getInstance();
            // I parse the request file
            Object request = xacmlParser.parse(requestFile.toURI().toURL());
            if (request instanceof Request) {
                // At this point I could access all request attributes or alter them
                // I let the PDP evaluate the request
                Response response = pdp.evaluate((Request) request);
                // I check the results inside the response
                for (Result result : response.getResults()) {
                    if (result.getDecision() == DecisionType.PERMIT) {
                        // it's permitted!
                    } else {
                        // denied!
                    }
                }
            }
        }
    }
Now, according to the literature like [1] I should not trust the attributes in the given request-xacml-file. Whenever possible, I have to check against an Attribute Provider (eg a Patient database) whether the given attributes (eg patient birthdate) actually belong to the patient in order to prevent attacks.

Otherwise the attacker could make the patient younger in the Request in order to access the patient's record as a parent guardian.
Questions

1. Is checking Requests against Attribute Providers the task of a PDP or of another entity?
2. Did OASIS specify anything concrete about that issue? E.g. workflow or syntax of configuration files.
3. Is there a way to make my pdp engine aware of Attribute Providers? Should I just check the provided request on my own before Response response = pdp.evaluate((Request) request);?

Answer from @cdan (only fragments of it survived extraction):

... (pdp.xml file in your example) ... aware of Attribute Providers. You'll need two other files (XML catalog and schema) depending on the Attribute Provider you want to use.

Second answer:

In addition to @cdan's excellent response, here are a few more pointers:
Is checking Requests against Attribute Providers the task of a PDP or of another entity?

The PDP always trusts the information (attributes) it receives, whether it be from the PEP or from the PIPs. As such the PDP need not verify values it received from a PEP by checking with a PIP. That's counter-productive and inefficient. If you cannot trust the PEP to send the right value, how can you trust it to enforce the right decision?

Did OASIS specify anything concrete about that issue? E.g. workflow or syntax of configuration files.

No, we did not. PIP behavior is outside the scope of the XACML spec.

Is there a way to make my pdp engine aware of Attribute Providers? Should I just check the provided request on my own before Response response = pdp.evaluate((Request) request);?

The PDP should be configured with PIPs. The PDP will use all the PIPs it can.
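The answers say the PDP trusts whatever the PEP sends and obtains everything else from PIPs, so the birthdate check from the question belongs to an Attribute Provider, not to the policy evaluation. The added example below (Python, not AuthzForce code or code from either answer) shows the logic such a provider contributes: the authoritative patient-database value overrides whatever birthdate arrived in the XACML 3.0 Request, and a disagreement is reported so the PEP can log it. The attribute ids, the patient record and the request are constructed for the example.

```python
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
RESOURCE_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
# Hypothetical attribute ids for the patient-record scenario (not from the question).
PATIENT_ID_ATTR = "urn:example:patient-id"
BIRTHDATE_ATTR = "urn:example:patient-birthdate"

# Constructed stand-in for the patient database that acts as the Attribute Provider.
PATIENT_DB = {"p-123": "1995-04-02"}

# Constructed request: the client-supplied birthdate would make the patient a minor.
TAMPERED_REQUEST = f"""<Request xmlns="{XACML_NS}" ReturnPolicyIdList="false" CombinedDecision="false">
  <Attributes Category="{RESOURCE_CAT}">
    <Attribute AttributeId="{PATIENT_ID_ATTR}" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">p-123</AttributeValue>
    </Attribute>
    <Attribute AttributeId="{BIRTHDATE_ATTR}" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2012-04-02</AttributeValue>
    </Attribute>
  </Attributes>
</Request>"""


def _values(root, category, attr_id):
    """Return the AttributeValue elements of one attribute in one category."""
    path = (f"x:Attributes[@Category='{category}']"
            f"/x:Attribute[@AttributeId='{attr_id}']/x:AttributeValue")
    return root.findall(path, {"x": XACML_NS})


def overlay_authoritative_birthdate(request_xml):
    """Replace the request's patient birthdate with the database value.

    Returns (sanitized_xml, tampered); tampered is True when the value sent by
    the client disagreed with the authoritative one, which is worth logging.
    """
    root = ET.fromstring(request_xml)
    ids = _values(root, RESOURCE_CAT, PATIENT_ID_ATTR)
    if len(ids) != 1 or ids[0].text not in PATIENT_DB:
        raise ValueError("request must name exactly one known patient")
    authoritative = PATIENT_DB[ids[0].text]
    tampered = False
    for value in _values(root, RESOURCE_CAT, BIRTHDATE_ATTR):
        if value.text != authoritative:
            tampered = True
        value.text = authoritative  # the trusted source always wins
    ET.register_namespace("", XACML_NS)
    return ET.tostring(root, encoding="unicode"), tampered
```

The same lookup would also supply the birthdate when the Request omits it, which is the ordinary PIP case; here only the override of a present value is shown.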