0

我已经玩了一段时间的 WSO2 并开始测试 PolicySets。我有一个基本的,它的目标是“管理员”用户角色和一个除了允许访问之外什么都不做的策略。

当我提出请求时,我会得到Exception occurred while trying to invoke service method getDecision回应。我不是 Java 程序员,所以堆栈跟踪不是很有用。

是我做错了什么,还是 WSO2 中存在错误?

策略集:

<xacml3:PolicySet xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"  PolicySetId="admins" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides" Version="1.0">
   <xacml3:Description></xacml3:Description>
   <xacml3:PolicySetDefaults>
      <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
   </xacml3:PolicySetDefaults>
   <xacml3:Target>
      <xacml3:AnyOf>
         <xacml3:AllOf>
            <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
               <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">administrator</xacml3:AttributeValue>
               <xacml3:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" MustBePresent="false"></xacml3:AttributeDesignator>
            </xacml3:Match>
         </xacml3:AllOf>
      </xacml3:AnyOf>
   </xacml3:Target>
   <xacml3:Policy PolicyId="admins.AccessGranted" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides" Version="1.0">
      <xacml3:Description></xacml3:Description>
      <xacml3:PolicyDefaults>
         <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
      </xacml3:PolicyDefaults>
      <xacml3:Target></xacml3:Target>
      <xacml3:Rule Effect="Permit" RuleId="admins.AccessGranted.Access">
         <xacml3:Description></xacml3:Description>
         <xacml3:Target></xacml3:Target>
      </xacml3:Rule>
   </xacml3:Policy>
</xacml3:PolicySet> 

请求:

<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="true">
  <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">1773</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">view</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">115</AttributeValue>
    </Attribute>
  </Attributes>
</Request>  

请注意,用户角色是通过向 PIP 发出请求来确定的。

堆栈跟踪:

TID: [0] [IS] [2015-10-28 09:04:20,438]  WARN {org.wso2.carbon.server.admin.module.handler.AuthenticationHandler} -  Illegal access attempt at [2015-10-28 09:04:20,0438] from IP address 192.168.1.112 while trying to authenticate access to service EntitlementService {org.wso2.carbon.server.admin.module.handler.AuthenticationHandler}
TID: [0] [IS] [2015-10-28 09:04:20,558]  INFO {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} -  'admin@carbon.super [-1234]' logged in at [2015-10-28 09:04:20,557+0100] {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil}
TID: [0] [IS] [2015-10-28 09:04:20,562] DEBUG {org.xacmlinfo.xacml.pip.jdbc.JDBCAttributeFinder} -  The SQL query: select auth_group.name from AUTH_GROUP, AUTH_USER_GROUPS where auth_user_groups.group_id = auth_group.id and auth_user_groups.user_id = 1773 {org.xacmlinfo.xacml.pip.jdbc.JDBCAttributeFinder}
TID: [0] [IS] [2015-10-28 09:04:20,563]  INFO {org.xacmlinfo.xacml.pip.jdbc.JDBCAttributeFinder} -  Before connecting {org.xacmlinfo.xacml.pip.jdbc.JDBCAttributeFinder}
TID: [0] [IS] [2015-10-28 09:04:20,645]  INFO {org.xacmlinfo.xacml.pip.jdbc.JDBCAttributeFinder} -  Trying to connect!!! {org.xacmlinfo.xacml.pip.jdbc.JDBCAttributeFinder}
TID: [0] [IS] [2015-10-28 09:04:20,645]  INFO {org.xacmlinfo.xacml.pip.jdbc.JDBCAttributeFinder} -  Connected. Executing Query {org.xacmlinfo.xacml.pip.jdbc.JDBCAttributeFinder}
TID: [0] [IS] [2015-10-28 09:04:20,726]  INFO {org.xacmlinfo.xacml.pip.jdbc.JDBCAttributeFinder} -  Should have worked {org.xacmlinfo.xacml.pip.jdbc.JDBCAttributeFinder}
TID: [0] [IS] [2015-10-28 09:04:20,727] DEBUG {org.xacmlinfo.xacml.pip.jdbc.JDBCAttributeFinder} -  [administrator] {org.xacmlinfo.xacml.pip.jdbc.JDBCAttributeFinder}
TID: [0] [IS] [2015-10-28 09:04:20,734] ERROR {org.apache.axis2.rpc.receivers.RPCMessageReceiver} -  Exception occurred while trying to invoke service method getDecision {org.apache.axis2.rpc.receivers.RPCMessageReceiver}
java.lang.reflect.InvocationTargetException
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.apache.axis2.rpc.receivers.RPCUtil.invokeServiceClass(RPCUtil.java:212)
        at org.apache.axis2.rpc.receivers.RPCMessageReceiver.invokeBusinessLogic(RPCMessageReceiver.java:117)
        at org.apache.axis2.receivers.AbstractInOutMessageReceiver.invokeBusinessLogic(AbstractInOutMessageReceiver.java:40)
        at org.apache.axis2.receivers.AbstractMessageReceiver.receive(AbstractMessageReceiver.java:110)
        at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
        at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:172)
        at org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:146)
        at org.wso2.carbon.core.transports.CarbonServlet.doPost(CarbonServlet.java:231)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:755)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
        at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
        at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
        at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:68)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
        at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        at org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:61)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
        at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:178)
        at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
        at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:56)
        at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
        at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:141)
        at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:156)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:936)
        at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:52)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1653)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.StackOverflowError
        at java.util.Collections$UnmodifiableCollection$1.<init>(Collections.java:1064)
        at java.util.Collections$UnmodifiableCollection.iterator(Collections.java:1063)
        at org.wso2.balana.PDP.processPolicyReferences(PDP.java:329)
        at org.wso2.balana.PDP.processPolicyReferences(PDP.java:332)
        ....(1021 of at org.wso2.balana.PDP.processPolicyReferences(PDP.java:332) )
4

2 回答 2

0

我用 Axiomatics Policy Server 测试了这个(见下面的截图),我得到:

  • 如果我不发送角色,则不适用
  • 如果我确实发送角色,请允许。

似乎 WSO2 IS 可能无法连接到您的 PIP 并返回异常。您必须查看您的服务器日志。或者试试Axiomatics 。

公理策略管理点

于 2015-10-27T12:52:42.853 回答
0

您的配置似乎是有效的,否则 IS 会在从 PAP 发布期间提醒它,但尽管如此 - 会发生运行时异常。尝试运行 PIP 自定义代码或在 PIP 运行时本身中可能会发生这种情况。

检查 IS 服务器日志并确保您的 PIP 也将日志写入其中。

于 2015-10-27T19:56:11.890 回答