XACML标准规定,如果请求指定属性ReturnPolicyIdList="true",则PDP应返回决策中使用的所有完全适用的策略和策略集的列表。
我在WSOIS5.0(使用最新的service pack(中尝试过它,但它似乎只在少数情况下有效。这是第一个测试策略:它允许对每个以.dcm结尾的文件对用户admin进行写访问。
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="PolicyTest" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides">
<Target></Target>
<Rule RuleId="Rule1" Effect="Permit">
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">^.*.dcm$</AttributeValue>
<AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"></AttributeDesignator>
</Match>
</AllOf>
</AnyOf>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
<AttributeDesignator MustBePresent="true" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"></AttributeDesignator>
</Match>
</AllOf>
</AnyOf>
</Target>
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
<Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"></Function>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
<AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"></AttributeDesignator>
</Apply>
</Condition>
</Rule>
<Rule RuleId="DefaultRule" Effect="Deny"></Rule>
</Policy>
这是示例请求(file.dcm上的读取访问(:
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="true">
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" id="subject1">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" id="action1">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" id="resource1">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">file.dcm</AttributeValue>
</Attribute>
</Attributes>
</Request>
如果这是PDP中唯一活动的策略,则XACML响应是正确的(允许(,并包括用于决策的所有策略的ID列表:
<Response>
<Result>
<Decision>Permit</Decision>
<Status>
<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
</Status>
<PolicyIdentifierList>
<PolicyIdReference>PolicyTest</PolicyIdReference>
</PolicyIdentifierList>
</Result>
</Response>
如果我添加任何其他策略(其目标适用于请求(,我会得到一个错误。具体来说,我试图添加一个与第一个策略相同的策略,只是它指的是写操作而不是读:
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="PolicyTest" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides">
<Target></Target>
<Rule RuleId="Rule1" Effect="Permit">
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">^.*.dcm$</AttributeValue>
<AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"></AttributeDesignator>
</Match>
</AllOf>
</AnyOf>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
<AttributeDesignator MustBePresent="true" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"></AttributeDesignator>
</Match>
</AllOf>
</AnyOf>
</Target>
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
<Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"></Function>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
<AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"></AttributeDesignator>
</Apply>
</Condition>
</Rule>
<Rule RuleId="DefaultRule" Effect="Deny"></Rule>
</Policy>
日志显示了以下2个错误(我省略了完整的堆栈跟踪,但如果您需要,我可以发布它(。
第一个错误:
TID[-1234] [IS] [2015-07-03 12:41:34,550] ERROR {org.apache.axis2.rpc.receivers.RPCMessageReceiver} - Exception occurred while trying to invoke service method getDecision
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
java.lang.reflect.Method.invoke(Method.java:606)
第二个错误:
TID[-1234] [IS] [2015-07-03 12:41:34,558] ERROR {org.wso2.carbon.identity.entitlement.ui.client.EntitlementServiceClient} - Error occurred while policy evaluation
我怎样才能让它工作?是否有任何设置需要更改,或者这是一个错误?
谢谢!
根据XACML标准,如果将ReturnPolicyIdList设置为true,则PDP将使用请求中使用的策略和策略集标识符列表进行回复。
以下是一个示例XACML 3.0请求(它是空的,即没有任何属性(
<xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false"
xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" >
</xacml-ctx:Attributes>
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" >
</xacml-ctx:Attributes>
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" >
</xacml-ctx:Attributes>
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" >
</xacml-ctx:Attributes>
</xacml-ctx:Request>
这是一个响应示例。
<xacml-ctx:Response xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
<xacml-ctx:Result>
<xacml-ctx:Decision>Permit</xacml-ctx:Decision>
<xacml-ctx:Status>
<xacml-ctx:StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
</xacml-ctx:Status>
<xacml-ctx:PolicyIdentifierList>
<xacml-ctx:PolicyIdReference Version="1.0">http://www.axiomatics.com/automatic-unique-id/f8d86878-d458-472a-968d-1fd6c9655669</xacml-ctx:PolicyIdReference>
<xacml-ctx:PolicySetIdReference Version="1.0">http://www.axiomatics.com/automatic-unique-id/21e6e472-d363-4ea9-990d-3fa03512b747</xacml-ctx:PolicySetIdReference>
</xacml-ctx:PolicyIdentifierList>
</xacml-ctx:Result>
</xacml-ctx:Response>
响应清楚地包含PolicyIdentifierList元素内的策略标识符列表。
我在Axiomatics策略服务器上测试了它,它运行得很好。WSO2IS只是一个部分实现,所以它要么是一个缺失的特性,要么就是一个bug。