Authzforce - XACML AttributeSelector
I am using Authzforce 10.1.1 and have created some basic policies. Now I am trying to use the <AttributeSelector> element to compare certain values of the resource that I plan to send with the request.
I have been following the XACML documentation at http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.pdf and have even tried some of its <AttributeSelector> examples, without success.
The policy I want to create:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicySetId="root" Version="1.0.5" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit">
<Target />
<Policy PolicyId="polo" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
<Target>
</Target>
<Rule RuleId="Ruleo" Effect="Permit">
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:parent-guardian-id" DataType="http://www.w3.org/2001/XMLSchema#string" />
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<AttributeSelector MustBePresent="false"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
Path="md:record/md:parentGuardian/md:parentGuardianId/text()" DataType="http://www.w3.org/2001/XMLSchema#string" />
</Apply>
</Apply>
</Condition>
</Rule>
</Policy>
</PolicySet>
The error I get:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<error xmlns:ns2="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:ns3="http://authzforce.github.io/core/xmlns/pdp/7">
<message>Invalid PolicySet with PolicySetId='root', Version=1.0.5</message>
</error>
If I replace the <AttributeSelector> with an <AttributeDesignator>, the policy is created successfully, so I assume the error is in the <AttributeSelector>, but from the documentation I have read I cannot find what is wrong.
Make sure the PDP feature urn:ow2:authzforce:feature:pdp:core:xpath-eval is enabled, as described in the PDP properties documentation.
Then you need to fix a few things in the PolicySet:
- Add <PolicySetDefaults><XPathVersion>http://www.w3.org/TR/2007/REC-xpath20-20070123</XPathVersion></PolicySetDefaults>.
- Declare the XML namespace for the md prefix with xmlns:md="...".
- Change the Path to "/md:record/md:parentGuardian/md:parentGuardianId/text()" (add a slash at the beginning), or, simpler, "//md:parentGuardianId/text()".
This is what the fixed PolicySet looks like:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:md="urn:example:med:schemas:record" PolicySetId="root" Version="1.0.5" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit">
<PolicySetDefaults>
<XPathVersion>http://www.w3.org/TR/2007/REC-xpath20-20070123</XPathVersion>
</PolicySetDefaults>
<Target />
<Policy PolicyId="polo" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
<Target>
</Target>
<Rule RuleId="Ruleo" Effect="Permit">
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:parent-guardian-id" DataType="http://www.w3.org/2001/XMLSchema#string" />
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<AttributeSelector MustBePresent="false"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
Path="/md:record/md:parentGuardian/md:parentGuardianId/text()" DataType="http://www.w3.org/2001/XMLSchema#string" />
</Apply>
</Apply>
</Condition>
</Rule>
</Policy>
</PolicySet>
(In pdp.xml, xPathEnabled="true" enables XPath support in this case.)
The logs are in /var/log/tomcat9 and /var/log/tomcat9/authzforce-ce; the log level is set in /opt/authzforce-ce-server/conf/logback.xml, in particular for the logger named org.ow2.authzforce.
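As an added example that is not part of the original question or answer (and not AuthzForce code), the following Python script reproduces the answer's three checks offline, before a PolicySet is POSTed to the PDP: that PolicySetDefaults/XPathVersion is present, that every namespace prefix used in a selector Path is declared, and that the Path actually resolves against the <Content> the PEP will send. It then mimics the single rule's Condition (string-one-and-only and string-equal under deny-unless-permit), which also shows why the question's relative Path yields no value and therefore Deny, and that the "//md:parentGuardianId/text()" alternative from the answer permits. The sample request, the policy builder and the Path evaluation are assumptions constructed for this demo; the evaluation follows the answer's description (a leading slash anchors at the element inside <Content>) and supports only element steps, a leading // and a trailing text(). Only the standard library is used.

```python
"""Offline preflight for the PolicySet in the accepted answer (added example,
not code from the post or from AuthzForce). It checks the answer's three points
before the PolicySet is POSTed to the PDP, then mimics the thread's single rule
under deny-unless-permit. The request is constructed; Path evaluation follows
the answer (a leading '/' anchors at the element inside <Content>) and supports
only element steps, a leading '//' and a trailing text()."""
import re
import xml.etree.ElementTree as ET
from io import StringIO

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
X = {"x": XACML}
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
GUARDIAN_ID = "urn:oasis:names:tc:xacml:3.0:example:attribute:parent-guardian-id"
STRING = "http://www.w3.org/2001/XMLSchema#string"
FN = "urn:oasis:names:tc:xacml:1.0:function:"

# Constructed request: the subject attribute plus the resource XML inside <Content>.
SAMPLE_REQUEST = f"""<Request xmlns="{XACML}" xmlns:md="urn:example:med:schemas:record"
    CombinedDecision="false" ReturnPolicyIdList="false">
  <Attributes Category="{SUBJECT}"><Attribute AttributeId="{GUARDIAN_ID}" IncludeInResult="false">
    <AttributeValue DataType="{STRING}">HS001</AttributeValue></Attribute></Attributes>
  <Attributes Category="{RESOURCE}"><Content>
    <md:record><md:parentGuardian><md:parentGuardianId>HS001</md:parentGuardianId>
    </md:parentGuardian></md:record></Content></Attributes>
</Request>"""

def policyset(path, declare_md=True, xpath_defaults=True):
    """The thread's PolicySet with the answer's two structural fixes toggled."""
    md = ' xmlns:md="urn:example:med:schemas:record"' if declare_md else ""
    defaults = ("<PolicySetDefaults><XPathVersion>http://www.w3.org/TR/2007/REC-xpath20-20070123"
                "</XPathVersion></PolicySetDefaults>" if xpath_defaults else "")
    return f"""<PolicySet xmlns="{XACML}"{md} PolicySetId="root" Version="1.0.5"
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit">
  {defaults}<Target/>
  <Policy PolicyId="polo" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
    <Target/><Rule RuleId="Ruleo" Effect="Permit"><Condition><Apply FunctionId="{FN}string-equal">
      <Apply FunctionId="{FN}string-one-and-only"><AttributeDesignator MustBePresent="false"
        Category="{SUBJECT}" AttributeId="{GUARDIAN_ID}" DataType="{STRING}"/></Apply>
      <Apply FunctionId="{FN}string-one-and-only"><AttributeSelector MustBePresent="false"
        Category="{RESOURCE}" Path="{path}" DataType="{STRING}"/></Apply>
    </Apply></Condition></Rule></Policy>
</PolicySet>"""

def parse(xml_text):
    """Return (root, {prefix: uri}); ElementTree drops prefixes, so use 'start-ns' events."""
    prefixes, root = {}, None
    for event, obj in ET.iterparse(StringIO(xml_text), ("start-ns", "start")):
        if event == "start-ns":
            prefixes[obj[0]] = obj[1]      # '' is the default namespace
        elif root is None:
            root = obj
    return root, prefixes

def lint_policyset(policy_xml):
    """Structural problems the answer says make AuthzForce reject the PolicySet."""
    root, prefixes = parse(policy_xml)
    selectors = root.findall(".//x:AttributeSelector", X)
    problems = []
    if selectors and root.find("x:PolicySetDefaults/x:XPathVersion", X) is None:
        problems.append("AttributeSelector used without PolicySetDefaults/XPathVersion")
    for sel in selectors:
        path = sel.get("Path", "")
        for prefix in sorted(set(re.findall(r"([A-Za-z_][\w.-]*):[A-Za-z_*]", path))):
            if prefix not in prefixes:
                problems.append(f"undeclared namespace prefix '{prefix}' in Path {path!r}")
    return problems

def select(content, path, nsmap):
    """Evaluate Path against <Content>: the element inside <Content> is the document
    root, so '/md:record/...' matches while the question's relative 'md:record/...'
    (context node = that root) selects nothing."""
    doc_root, want_text = content[0], path.endswith("/text()")
    steps = path[: -len("/text()")] if want_text else path
    if steps.startswith("//"):                  # any descendant of the root
        nodes = doc_root.findall("." + steps, nsmap)
    elif steps.startswith("/"):                 # absolute: the first step names the root
        first, _, rest = steps[1:].partition("/")
        prefix, _, local = first.rpartition(":")
        expected = "{%s}%s" % (nsmap[prefix], local) if prefix else local
        nodes = ([] if doc_root.tag != expected else
                 doc_root.findall(rest, nsmap) if rest else [doc_root])
    else:                                       # relative to the root element
        nodes = doc_root.findall(steps, nsmap)
    return [n.text for n in nodes] if want_text else nodes

def decide(policy_xml, request_xml):
    """Permit if the subject attribute equals the single selected resource value;
    deny-unless-permit turns NotApplicable and Indeterminate into Deny."""
    problems = lint_policyset(policy_xml)
    if problems:
        raise ValueError("PDP would reject the PolicySet: " + "; ".join(problems))
    policy, policy_ns = parse(policy_xml)
    request, _ = parse(request_xml)
    des = policy.find(".//x:AttributeDesignator", X)
    sel = policy.find(".//x:AttributeSelector", X)
    subject = [v.text for v in request.findall(
        f".//x:Attributes[@Category='{des.get('Category')}']"
        f"/x:Attribute[@AttributeId='{des.get('AttributeId')}']/x:AttributeValue", X)]
    content = request.find(f".//x:Attributes[@Category='{sel.get('Category')}']/x:Content", X)
    # Prefixes in Path resolve against the policy's xmlns declarations, not the request's.
    resource = select(content, sel.get("Path"), policy_ns)
    if len(subject) != 1 or len(resource) != 1:  # string-one-and-only fails: Indeterminate
        return "Deny"
    return "Permit" if subject[0] == resource[0] else "Deny"
```

Running lint_policyset(policyset("md:record/md:parentGuardian/md:parentGuardianId/text()", declare_md=False, xpath_defaults=False)) reports both defects of the question's PolicySet, and decide(policyset("/md:record/md:parentGuardian/md:parentGuardianId/text()"), SAMPLE_REQUEST) returns "Permit". Pass the policy you intend to POST and a request captured from your PEP instead of the constructed ones to check the Path before touching the PDP.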
Statement: the technical posts on this site follow the CC BY-SA 4.0 license. If you need to repost, please cite this site's URL or the original address. For any questions, contact yoyou2525@163.com.