3

我对与 WSO2 Balana 库一起使用的 XACML 策略有疑问。

有政策:

<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="Policy1" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
    <Target>
        <AnyOf>
            <AllOf>
                <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">MyApp</AttributeValue>
                    <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" 
                                    Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
                </Match>            
            </AllOf>
        </AnyOf>
    </Target>
    <Rule Effect="Permit" RuleId="RuleFor_user1_myapp">
        <Target>
            <AnyOf>
                <AllOf>
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">user1</AttributeValue>
                        <AttributeDesignator AttributeId="http://example.site.com/id/user" 
                                       Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" 
                                       DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
                    </Match>
                </AllOf>           
            </AnyOf>
        </Target>
        <Apply  FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">READ</AttributeValue>                                
            </Apply>
            <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
        </Apply>
    </Rule>   
</Policy>   

它应该定义 user1 在 MyApp 上只有 READ 权限。

我有一个评估请求,询问 user1 是否具有 READ 权限,并且我在响应中得到“Permit”,这没关系。

但是,当我请求评估哪个询问 user1 是否具有 WRITE 权限时,我也会得到“Permit”,而不是“Not applicable”。

有人能告诉我,产生我刚才描述的结果的政策是否正确?

先感谢您!

最好的问候, Jurica Krizanic

4

2 回答 2

3

首先,Policy 不是 XACML3 模式的有效策略。您需要在规则中包含由 Apply 元素包围的元素。Rule 基本上包含 Target 和 Condition 元素。Balana 没有对您的策略进行模式验证。它使用策略元素构建对象模块。由于它在规则中找不到元素,因此它忽略了您的元素。所以你的规则实际上只有目标元素,它只评估主题属性。请按以下方式使用。此外,当您将策略上传到 WSO2 身份服务器时,它会进行架构验证。您可以轻松地上传或创建策略。

于 2013-03-01T12:03:44.703 回答
3

您可以使用http://validator.xacml.eu/来验证您的 XACML 策略是否符合 XACML 2.0 或 XACML 3.0。

另外,我建议您使用 ALFA 来编写策略 - 它更容易并且与 Eclipse 集成。

ALFA 代码如下所示:

namespace sample{
    // Import standard XACML attributes
    import Attributes.*

    /**
     * Define custom attributes here
     */
    attribute user{
        category = subjectCat
        id = "http://example.site.com/id/user"
        type = string
    }

    /**
     * MyApp Policy
     */
    policy Policy1{
        target clause resourceId=="MyApp"
        apply firstApplicable
        /**
         * This rule grants READ access for user 1
         */
        rule RuleFor_user1_myapp{
            target clause user=="user1" and actionId=="READ"
            permit
        }
    }
}

生成的 XACML 3.0 如下所示:

<?xml version="1.0" encoding="UTF-8"?>
 <!--This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com). 
 Any modification to this file will be lost upon recompilation of the source ALFA file-->
<xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicyId="http://axiomatics.com/alfa/identifier/sample.Policy1"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
    Version="1.0">
    <xacml3:Description>MyApp Policy</xacml3:Description>
    <xacml3:PolicyDefaults>
        <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
    </xacml3:PolicyDefaults>
    <xacml3:Target>
        <xacml3:AnyOf>
            <xacml3:AllOf>
                <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <xacml3:AttributeValue
                        DataType="http://www.w3.org/2001/XMLSchema#string">MyApp</xacml3:AttributeValue>
                    <xacml3:AttributeDesignator 
                        AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                        DataType="http://www.w3.org/2001/XMLSchema#string"
                        Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                        MustBePresent="false"
                    />
                </xacml3:Match>
            </xacml3:AllOf>
        </xacml3:AnyOf>
    </xacml3:Target>
    <xacml3:Rule 
            Effect="Permit"
            RuleId="http://axiomatics.com/alfa/identifier/sample.Policy1.RuleFor_user1_myapp">
        <xacml3:Description>This rule grants READ access for user 1</xacml3:Description>
        <xacml3:Target>
            <xacml3:AnyOf>
                <xacml3:AllOf>
                    <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <xacml3:AttributeValue
                            DataType="http://www.w3.org/2001/XMLSchema#string">user1</xacml3:AttributeValue>
                        <xacml3:AttributeDesignator 
                            AttributeId="http://example.site.com/id/user"
                            DataType="http://www.w3.org/2001/XMLSchema#string"
                            Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                            MustBePresent="false"
                        />
                    </xacml3:Match>
                    <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <xacml3:AttributeValue
                            DataType="http://www.w3.org/2001/XMLSchema#string">READ</xacml3:AttributeValue>
                        <xacml3:AttributeDesignator 
                            AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                            DataType="http://www.w3.org/2001/XMLSchema#string"
                            Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                            MustBePresent="false"
                        />
                    </xacml3:Match>
                </xacml3:AllOf>
            </xacml3:AnyOf>
        </xacml3:Target>
    </xacml3:Rule>
</xacml3:Policy>
于 2013-03-02T04:34:17.370 回答