
Why XACML Response Returns NotApplicable on Azure Web App?

Firstly, I created a Spring Boot project on IntelliJ based on [blog]: https://www.javadevjournal.com/spring-boot/spring-boot-application-intellij/ . Then, I generated a controller and service with @PostMapping inside of it. I used balana [github]: https://github.com/wso2/balana to implement the XACML engine.

When [blog]: https://docs.wso2.com/display/IS570/Writing+XACML+3+Policies+in+WSO2+Identity+Server+-+7 is followed, a policy and XACML request are created as hardcoded. When the service is called via Postman as an HTTP POST ( http://localhost:8080/evaluate ), the XACML response worked as expected with PERMIT and DENY decisions. Everything is okay up to here.

When I want to publish it into an Azure Web App, the response includes NotApplicable as the decision. Is there any anomaly in my policy and request, or did I miss something?

Sample Policy

<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="2" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
    <Description>sample policy</Description>
    <Target></Target>
    <Rule Effect="Permit" RuleId="primary-group-customer-rule">
        <Target>
            <AnyOf>
                <AllOf>
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/echo/</AttributeValue>
                        <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
                    </Match>
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
                        <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
                    </Match>
                </AllOf>
            </AnyOf>
        </Target>
        <Condition>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
                </Apply>
                <AttributeDesignator AttributeId="group" Category="urn:oasis:names:tc:xacml:3.0:group" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
            </Apply>
        </Condition>
    </Rule>
    <Rule Effect="Deny" RuleId="deny-rule"></Rule>
</Policy>

Sample XACML Request

<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
    <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
        </Attribute>
    </Attributes>
    <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
        </Attribute>
    </Attributes>
    <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/echo/</AttributeValue>
        </Attribute>
    </Attributes>
    <Attributes Category="urn:oasis:names:tc:xacml:3.0:group">
        <Attribute AttributeId="group" IncludeInResult="false">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
        </Attribute>
    </Attributes>
</Request>

Response on Localhost

<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <Result>
    <Decision>Permit</Decision>
    <Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status>
  </Result>
</Response>

Response on Azure Web App

<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <Result>
    <Decision>NotApplicable</Decision>
    <Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status>
  </Result>
</Response>

There should be no difference in terms of decision making (PERMIT or DENY) based on where your application is deployed.

I can tell you how to determine whether or not the issue is with your application, your policy, or an error in your request.

First, just to verify the requests are the same, have you checked the logs for the PDP on both Azure and your localhost to make sure the requests are indeed coming up the same?

If so, next I suggest you set up a very, very simple rule that will return DENY no matter what. Then ensure that you get DENY when running the Spring Boot application locally (i.e. $ mvn spring-boot:run on your computer) and on a deployed server.

If you can't get a DENY on both, you need to revisit your application logic and such.

Once you get a DENY, set up a simple policy that takes one parameter, i.e. if someNumber == 2, return PERMIT. Then try this on both your localhost and on Azure. Once you have this working, you are ready to try the policy you mentioned in your question.

FYI I have multiple Spring Boot projects that communicate with a XACML engine (Axiomatics, not WSO2) on my GitHub, such as: https://github.com/michaelcgood/Axiomatics-Yet-Another-PEP .

I also have multiple articles about Spring Boot on my website: https://michaelcgood.com/category/spring/ . If you have questions about the content or code, you can contact me (info on the contact page) and I'll respond as I'm able to.
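The staged check the answer describes (a deny-everything policy first, then the posted policy) can be exercised offline against the exact XML from the question with a small evaluator. The Python below is an added example, not code from the question, the answer or Balana. It implements only the constructs the posted policy uses (Target/AnyOf/AllOf/Match with string-equal and string-regexp-match, a Condition over string-bag/string-subset, and the first-applicable rule-combining algorithm) and simplifies the spec in one labelled place: any missing MustBePresent attribute makes a target Indeterminate. The request builder, the deny-all policy and the variant requests are constructed samples; the regexp function uses re.search, whereas real PDPs may anchor the expression differently. What it shows: because the posted policy ends in a target-less Deny rule under first-applicable, any PDP that actually loads and evaluates it answers Permit, Deny or Indeterminate (when a MustBePresent attribute such as the group is missing), and NotApplicable only comes out when no policy yields a decision at all, modelled here by an empty policy list.

```python
# Toy XACML 3.0 evaluator covering only the constructs the posted policy uses (added
# example; this is neither Balana nor the question's Spring Boot code).
import re
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}
X, STRING, FN = "{%s}" % NS["x"], "http://www.w3.org/2001/XMLSchema#string", "urn:oasis:names:tc:xacml:1.0:function:"
MATCH_FUNCTIONS = {  # (literal from the policy, value from the request) -> bool
    FN + "string-equal": lambda a, b: a == b,
    FN + "string-regexp-match": lambda pat, val: re.search(pat, val) is not None,  # anchoring differs across PDPs
}

class Indeterminate(Exception):
    """A MustBePresent="true" attribute is absent from the request."""

def parse_request(xml_text):
    """{(category, attribute-id): [values]} - one bag per request attribute."""
    bags = {}
    for attrs in ET.fromstring(xml_text).findall("x:Attributes", NS):
        for attr in attrs.findall("x:Attribute", NS):
            key = (attrs.get("Category"), attr.get("AttributeId"))
            bags.setdefault(key, []).extend(av.text or "" for av in attr.findall("x:AttributeValue", NS))
    return bags

def designator_bag(node, bags):
    bag = bags.get((node.get("Category"), node.get("AttributeId")), [])
    if not bag and node.get("MustBePresent") == "true":
        raise Indeterminate()
    return bag

def eval_target(target, bags):
    """True/False; an empty Target matches everything. Simplification: any missing MustBePresent
    attribute raises Indeterminate, where the spec's tables would let a definite False in the same AllOf win."""
    def match(m):
        fn, literal = MATCH_FUNCTIONS[m.get("MatchId")], m.find("x:AttributeValue", NS).text
        return any(fn(literal, v) for v in designator_bag(m.find("x:AttributeDesignator", NS), bags))
    return target is None or len(target) == 0 or all(
        any(all(match(m) for m in allof.findall("x:Match", NS)) for allof in anyof.findall("x:AllOf", NS))
        for anyof in target.findall("x:AnyOf", NS))

def eval_expr(node, bags):
    """Condition expressions: bags are Python lists, string-subset yields a bool."""
    if node.tag == X + "AttributeValue":
        return [node.text or ""]
    if node.tag == X + "AttributeDesignator":
        return designator_bag(node, bags)
    args = [eval_expr(child, bags) for child in node]
    if node.get("FunctionId") == FN + "string-bag":
        return [v for arg in args for v in arg]
    if node.get("FunctionId") == FN + "string-subset":
        return set(args[0]) <= set(args[1])
    raise ValueError("unsupported expression: %s" % (node.get("FunctionId") or node.tag))

def eval_rule(rule, bags):
    try:
        if not eval_target(rule.find("x:Target", NS), bags):
            return "NotApplicable"
        cond = rule.find("x:Condition", NS)
        return rule.get("Effect") if cond is None or eval_expr(cond[0], bags) is True else "NotApplicable"
    except Indeterminate:
        return "Indeterminate"

def pdp_decide(policies, request_xml):
    """first-applicable inside each policy, first decision across policies.
    With no loaded policy there is nothing to evaluate, so the only possible answer is NotApplicable."""
    bags = parse_request(request_xml)
    for policy in map(ET.fromstring, policies):
        assert policy.get("RuleCombiningAlgId").endswith(":first-applicable"), "only first-applicable is modelled"
        try:
            if not eval_target(policy.find("x:Target", NS), bags):
                continue
        except Indeterminate:
            return "Indeterminate"
        for rule in policy.findall("x:Rule", NS):
            decision = eval_rule(rule, bags)
            if decision != "NotApplicable":  # Permit, Deny or Indeterminate ends the walk
                return decision
    return "NotApplicable"

def make_request(action="read", resource="http://localhost:8280/services/echo/", group="admin"):
    """Constructed request shaped like the question's; group=None leaves that category out entirely."""
    items = [("urn:oasis:names:tc:xacml:3.0:attribute-category:action", "urn:oasis:names:tc:xacml:1.0:action:action-id", action),
             ("urn:oasis:names:tc:xacml:1.0:subject-category:access-subject", "urn:oasis:names:tc:xacml:1.0:subject:subject-id", "admin"),
             ("urn:oasis:names:tc:xacml:3.0:attribute-category:resource", "urn:oasis:names:tc:xacml:1.0:resource:resource-id", resource),
             ("urn:oasis:names:tc:xacml:3.0:group", "group", group)]
    body = "".join('<Attributes Category="%s"><Attribute AttributeId="%s" IncludeInResult="false"><AttributeValue DataType="%s">'
                   '%s</AttributeValue></Attribute></Attributes>' % (c, a, STRING, v) for c, a, v in items if v is not None)
    return '<Request xmlns="%s" CombinedDecision="false" ReturnPolicyIdList="false">%s</Request>' % (NS["x"], body)

# The policy from the question, whitespace compacted.
POSTED_POLICY = """<Policy xmlns="%s" PolicyId="2" Version="1.0"
 RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"><Target/>
 <Rule Effect="Permit" RuleId="primary-group-customer-rule"><Target><AnyOf><AllOf>
  <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"><AttributeValue DataType="%s">http://localhost:8280/services/echo/</AttributeValue>
   <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="%s" MustBePresent="true"/></Match>
  <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"><AttributeValue DataType="%s">read</AttributeValue>
   <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="%s" MustBePresent="true"/></Match>
  </AllOf></AnyOf></Target>
  <Condition><Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
   <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag"><AttributeValue DataType="%s">admin</AttributeValue></Apply>
   <AttributeDesignator AttributeId="group" Category="urn:oasis:names:tc:xacml:3.0:group" DataType="%s" MustBePresent="true"/></Apply></Condition></Rule>
 <Rule Effect="Deny" RuleId="deny-rule"/></Policy>""" % ((NS["x"],) + (STRING,) * 6)

# Step 2 of the answer as a constructed policy: one target-less Deny rule, so it denies everything.
DENY_ALL_POLICY = ('<Policy xmlns="%s" PolicyId="deny-all" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:'
                   'rule-combining-algorithm:first-applicable"><Target/><Rule Effect="Deny" RuleId="always-deny"/></Policy>' % NS["x"])

if __name__ == "__main__":
    print(pdp_decide([DENY_ALL_POLICY], make_request()))          # Deny: step 2 of the answer
    print(pdp_decide([POSTED_POLICY], make_request()))            # Permit: the question's own request
    print(pdp_decide([POSTED_POLICY], make_request(group=None)))  # Indeterminate, not NotApplicable
    print(pdp_decide([], make_request()))                         # NotApplicable: nothing was evaluated
```

Run as a script it prints Deny, Permit, Indeterminate and NotApplicable for the four cases in that order; a request with group="guest" or action="write" falls through the Permit rule to the catch-all Deny rule. Comparing these expected decisions with what the PDP logs on both deployments, as the answer suggests, separates a request or policy problem (Deny or Indeterminate where Permit was expected) from a deployment that never evaluated the policy at all (NotApplicable).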
