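I am trying to write code that lets users access content on a website based on their security role. Some users can see everything, while others can only see URLs with certain extensions.

Most of my code works, but I cannot get access to 3 subcategories.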

<Rule Effect="Permit" RuleId="accesses">
    <Description>Permission for lower clearance</Description>
    <Target>
        <Resources>
            <Resource>
                <ResourceMatch
                    MatchId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">home.html
                    </AttributeValue>
                    <ResourceAttributeDesignator
                        AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                        DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="policy-admin@website.com"
                        MustBePresent="true" />
                </ResourceMatch>
            </Resource>
            <Resource>
                <ResourceMatch
                    MatchId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">localweather.html
                    </AttributeValue>
                    <ResourceAttributeDesignator
                        AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                        DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="policy-admin@website.com"
                        MustBePresent="true" />
                </ResourceMatch>
            </Resource>
            <Resource>
                <ResourceMatch
                    MatchId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">about.html
                    </AttributeValue>
                    <ResourceAttributeDesignator
                        AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                        DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="policy-admin@website.com"
                        MustBePresent="true" />
                </ResourceMatch>
            </Resource>
        </Resources>
    </Target>
    <Condition>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                <SubjectAttributeDesignator AttributeId="AccessLevel"
                    DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="policy-admin@website.com"
                    MustBePresent="true" />
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Clear</AttributeValue>
            </Apply>
        </Apply>
    </Condition>
</Rule>

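I have these 3 resources, and when I run the program I get an "Indeterminate" response. Can I only have 1 resource per rule? Is something else throwing an exception?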

2 Answers

You can have three resources in the target. According to your rule, they would act as "OR". Please check your XACML request; maybe you are sending a request that does not match the policy (the policy has MustBePresent="true", which means that if the attribute is not there, the PDP would create an Indeterminate error). Please change them to "false" and see.

Answered 2013-02-27T11:45:14.600
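The decision outcomes discussed in the answer above can be traced with a small model of the rule. This is an added example, not code from the original post or from any XACML engine; `evaluate_rule`, `designate`, `one_and_only` and `req` are hypothetical names, the requests are constructed, `re.search` stands in for `regexp-string-match`, and `Issuer` matching is left out.

```python
import re

RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
# Patterns from the three <Resource> elements in the question's rule.
PATTERNS = ["home.html", "localweather.html", "about.html"]

class Indeterminate(Exception):
    """The PDP could not evaluate an expression."""

def designate(request, category, attr_id, must_be_present):
    """Model of an AttributeDesignator: return the bag of values in the request."""
    bag = request.get(category, {}).get(attr_id, [])
    if not bag and must_be_present:
        raise Indeterminate(f"missing {category} attribute {attr_id}")
    return bag

def one_and_only(bag):
    """string-one-and-only: Indeterminate unless the bag holds exactly one value."""
    if len(bag) != 1:
        raise Indeterminate("bag does not hold exactly one value")
    return bag[0]

def evaluate_rule(request, must_be_present=True):
    """Return the rule's result for a request (hypothetical simplified model)."""
    try:
        # <Resource> elements under <Resources> are alternatives: one match is enough.
        ids = designate(request, "resource", RESOURCE_ID, must_be_present)
        if not any(re.search(p, v) for p in PATTERNS for v in ids):
            return "NotApplicable"
        level = one_and_only(
            designate(request, "subject", "AccessLevel", must_be_present))
        # Assumption: re.search stands in for regexp-string-match.
        return "Permit" if re.search("Clear", level) else "NotApplicable"
    except Indeterminate:
        return "Indeterminate"

def req(resource=None, level=None):
    """Build a constructed sample request."""
    return {"resource": {RESOURCE_ID: [resource]} if resource else {},
            "subject": {"AccessLevel": [level]} if level else {}}

if __name__ == "__main__":
    for r in (req("about.html", "Clear"), req("admin.html", "Clear"),
              req(None, "Clear"), req("home.html", None)):
        print(evaluate_rule(r), evaluate_rule(r, must_be_present=False))
```

In this model a missing `AccessLevel` stays Indeterminate even with `must_be_present=False`, because `string-one-and-only` rejects an empty bag.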
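This was actually a Condition problem. The resources are all leaf-level files. My policy did not have the correct set of user attribute values. I compared it against my LDAP schema and got it working.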

Answered 2013-07-26T12:37:09.333