如何使用 XACML 在我的義務表達式中返回多個屬性值?
[英]How can I return multiple attribute values in my Obligation Expression using XACML?
問題描述
我在我的 Java 應用程序中使用 XACML 3.0 和 Balana。 我的 XML 模式定義如下:
<record>
<proposal>
<proposalid></proposalid>
<proposaltitle></proposaltitle>
<pi>
<fullname></fullname>
<workemail></workemail>
<userid></userid>
</pi>
<copis>
<copi>
<fullname></fullname>
<workemail></workemail>
<userid></userid>
</copi>
<copi>
<fullname></fullname>
<workemail></workemail>
<userid></userid>
</copi>
<copi>
<firstname></firstname>
<lastname></lastname>
<workemail></workemail>
<userid></userid>
</copi>
</copis>
</proposal>
</record>
我的應用程序向 PEP 發送 XACML 請求,如下所示:
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:proposal.role" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">PI</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<Content>
<ak:record xmlns:ak="http://akpower.org">
<ak:proposal>
<ak:proposalid>5702a60865dbb30b09a492cf</ak:proposalid>
<ak:proposaltitle>Proposal 11</ak:proposaltitle>
<ak:authorprofile>
<ak:fullname>Milson Munakami</ak:fullname>
</ak:authorprofile>
<ak:pi>
<ak:fullname>Milson Munakami</ak:fullname>
<ak:workemail>milsonmun@yahoo.com</ak:workemail>
<ak:userid>56fee3e965dbb35ce5c900fa</ak:userid>
</ak:pi>
<ak:copis>
<ak:copi>
<ak:fullname>PS Wang</ak:fullname>
<ak:workemail>fdsafda@yahoo.comss</ak:workemail>
<ak:userid>56fee3e965dbb35ce5c900fx</ak:userid>
</ak:copi>
<ak:copi>
<ak:fullname>Thomas Voltz</ak:fullname>
<ak:workemail>fdsafda@yahoo.comsss</ak:workemail>
<ak:userid>56fee3e965dbb35ce5c900fx</ak:userid>
</ak:copi>
</ak:copis>
</ak:proposal>
</ak:record>
</Content>
<Attribute AttributeId="urn:oasis:names:tc:xacml:3.0:content-selector" IncludeInResult="false">
<AttributeValue XPathCategory="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression">//ak:record/ak:proposal</AttributeValue>
</Attribute>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:DeletedByPI" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">NOTDELETED</AttributeValue>
</Attribute>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:proposal.section" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Whole Proposal</AttributeValue>
</Attribute>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:SubmittedByPI" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">NOTSUBMITTED</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:proposal.action" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Save</AttributeValue>
</Attribute>
</Attributes>
</Request>
在我的政策規則中,我有:
<ObligationExpressions>
<ObligationExpression ObligationId="sendEmail" FulfillOn="Permit">
<AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:text">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Your proposal has been updated. As soon as possible please review your proposal for any unwanted changes</AttributeValue>
</AttributeAssignmentExpression>
<AttributeAssignmentExpression AttributeId="piEmail">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<AttributeSelector MustBePresent="false"
ContextSelectorId="urn:oasis:names:tc:xacml:3.0:content-selector"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
Path="//ak:pi/ak:workemail/text()" DataType="http://www.w3.org/2001/XMLSchema#string" />
</Apply>
</AttributeAssignmentExpression>
<AttributeAssignmentExpression AttributeId="piFullName">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<AttributeSelector MustBePresent="false"
ContextSelectorId="urn:oasis:names:tc:xacml:3.0:content-selector"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
Path="//ak:pi/ak:fullname/text()" DataType="http://www.w3.org/2001/XMLSchema#string" />
</Apply>
</AttributeAssignmentExpression>
<AttributeAssignmentExpression AttributeId="coPisEmail">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<AttributeSelector MustBePresent="false"
ContextSelectorId="urn:oasis:names:tc:xacml:3.0:content-selector"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
Path="//ak:copis/ak:copi/ak:workemail/text()" DataType="http://www.w3.org/2001/XMLSchema#string" />
</Apply>
</AttributeAssignmentExpression>
<AttributeAssignmentExpression AttributeId="coPisFullName">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<AttributeSelector MustBePresent="false"
ContextSelectorId="urn:oasis:names:tc:xacml:3.0:content-selector"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
Path="//ak:copis/ak:copi/ak:fullname/text()" DataType="http://www.w3.org/2001/XMLSchema#string" />
</Apply>
</AttributeAssignmentExpression>
</ObligationExpression>
</ObligationExpressions>
我的回應如下:
<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
<Result>
<Decision>Permit</Decision>
<Status>
<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
</Status>
<Obligations>
<Obligation ObligationId="sendEmail">
<AttributeAssignment AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:text" DataType="http://www.w3.org/2001/XMLSchema#string">
Your proposal has been updated. As soon as possible please review your proposal for any unwanted changes
</AttributeAssignment>
<AttributeAssignment AttributeId="piEmail" DataType="http://www.w3.org/2001/XMLSchema#string">
milsonmun@yahoo.com
</AttributeAssignment>
<AttributeAssignment AttributeId="piFullName" DataType="http://www.w3.org/2001/XMLSchema#string">
Milson Munakami
</AttributeAssignment>
</Obligation>
</Obligations>
</Result>
</Response>
這不包含 coPisEmail 和 coPisFullName 的任何義務值。 另外我不確定如何獲取這些動態屬性的值? 我如何在我的應用程序中使用這些值? 例如,它會只返回一個包含所有電子郵件和全名的值,還是會在單獨的響應中返回單個值? 我想我在這里遺漏了一些功能:
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:**function:string-one-and-only**">
<AttributeSelector MustBePresent="false"
ContextSelectorId="urn:oasis:names:tc:xacml:3.0**:content-selector**"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
Path="//ak:pi/ak:workemail/text()" DataType="http://www.w3.org/2001/XMLSchema#string" />
</Apply>
1 個解決方案
解決方案1
1 2016-04-19 11:49:30
在 XACML 中返回多個值沒有什么特別的事情需要做。 默認所有屬性都是包。 如果 PDP 為給定的表達式(屬性指示符或屬性選擇器)找到多個值,那么它將返回所有這些值。
附帶說明一下,作為最佳實踐,盡量避免在 XACML 策略中使用 XPath,因為這會使它們更難理解。 XML 處理應該在 PEP 或 PIP 內完成,並且 XACML 策略應該盡可能地以業務為中心。
我可以在xacml plicy的attributevalue中使用類似xpath的表達式嗎
[英]Can i use xpath-like expression in the attributevalue in a xacml plicy
我們是否可以在單個 XACML 請求中包含多個操作,如果是,如何操作?
[英]Can we have multiple actions in a single XACML request, if yes how?
在XACML中可以激活多個角色時如何處理作用域角色
[英]How to deal with scoped roles when multiple roles can be activated in XACML
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.