1

我在我的 java 应用程序中使用 XACML 3.0 和 Balana。我的 XML 模式定义如下:

<record>
    <proposal>
            <proposalid></proposalid>
            <proposaltitle></proposaltitle>
            <pi>
                <fullname></fullname>
                <workemail></workemail>
                <userid></userid>
            </pi>
            <copis>
                <copi>
                    <fullname></fullname>
                    <workemail></workemail>
                    <userid></userid>
                </copi>
                <copi>
                    <fullname></fullname>
                    <workemail></workemail>
                    <userid></userid>
                </copi>
                <copi>
                    <firstname></firstname>
                    <lastname></lastname>
                    <workemail></workemail>
                    <userid></userid>
                </copi>
            </copis>                
        </proposal>
    </record>

我的应用程序向 PEP 发送 XACML 请求,如下所示: 

<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:proposal.role" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">PI</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <Content>
      <ak:record xmlns:ak="http://akpower.org">
        <ak:proposal>
          <ak:proposalid>5702a60865dbb30b09a492cf</ak:proposalid>
          <ak:proposaltitle>Proposal 11</ak:proposaltitle>
          <ak:authorprofile>
            <ak:fullname>Milson Munakami</ak:fullname>
          </ak:authorprofile>
          <ak:pi>
            <ak:fullname>Milson Munakami</ak:fullname>
            <ak:workemail>milsonmun@yahoo.com</ak:workemail>
            <ak:userid>56fee3e965dbb35ce5c900fa</ak:userid>
          </ak:pi>
          <ak:copis>
            <ak:copi>
              <ak:fullname>PS Wang</ak:fullname>
              <ak:workemail>fdsafda@yahoo.comss</ak:workemail>
              <ak:userid>56fee3e965dbb35ce5c900fx</ak:userid>
            </ak:copi>
            <ak:copi>
              <ak:fullname>Thomas Voltz</ak:fullname>
              <ak:workemail>fdsafda@yahoo.comsss</ak:workemail>
              <ak:userid>56fee3e965dbb35ce5c900fx</ak:userid>
            </ak:copi>
          </ak:copis>
        </ak:proposal>
      </ak:record>
    </Content>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:3.0:content-selector" IncludeInResult="false">
      <AttributeValue XPathCategory="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression">//ak:record/ak:proposal</AttributeValue>
    </Attribute>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:DeletedByPI" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">NOTDELETED</AttributeValue>
    </Attribute>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:proposal.section" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Whole Proposal</AttributeValue>
    </Attribute>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:SubmittedByPI" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">NOTSUBMITTED</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:proposal.action" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Save</AttributeValue>
    </Attribute>
  </Attributes>
</Request>

在我的政策规则中,我有:

<ObligationExpressions>
      <ObligationExpression ObligationId="sendEmail" FulfillOn="Permit">
        <AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:text">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Your proposal has been updated. As soon as possible please review your proposal for any unwanted changes</AttributeValue>
        </AttributeAssignmentExpression>
        <AttributeAssignmentExpression AttributeId="piEmail">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
            <AttributeSelector MustBePresent="false"
              ContextSelectorId="urn:oasis:names:tc:xacml:3.0:content-selector"
              Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
              Path="//ak:pi/ak:workemail/text()" DataType="http://www.w3.org/2001/XMLSchema#string" />
          </Apply>
        </AttributeAssignmentExpression>        
        <AttributeAssignmentExpression AttributeId="piFullName">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
            <AttributeSelector MustBePresent="false"
              ContextSelectorId="urn:oasis:names:tc:xacml:3.0:content-selector"
              Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
              Path="//ak:pi/ak:fullname/text()" DataType="http://www.w3.org/2001/XMLSchema#string" />
          </Apply>
        </AttributeAssignmentExpression>
        <AttributeAssignmentExpression AttributeId="coPisEmail">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
            <AttributeSelector MustBePresent="false"
              ContextSelectorId="urn:oasis:names:tc:xacml:3.0:content-selector"
              Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
              Path="//ak:copis/ak:copi/ak:workemail/text()" DataType="http://www.w3.org/2001/XMLSchema#string" />
          </Apply>
        </AttributeAssignmentExpression>        
        <AttributeAssignmentExpression AttributeId="coPisFullName">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
            <AttributeSelector MustBePresent="false"
              ContextSelectorId="urn:oasis:names:tc:xacml:3.0:content-selector"
              Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
              Path="//ak:copis/ak:copi/ak:fullname/text()" DataType="http://www.w3.org/2001/XMLSchema#string" />
          </Apply>
        </AttributeAssignmentExpression>
      </ObligationExpression>
    </ObligationExpressions>

我的回复如下:

<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <Result>
    <Decision>Permit</Decision>
    <Status>
      <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
    </Status>
    <Obligations>
      <Obligation ObligationId="sendEmail">
        <AttributeAssignment  AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:text" DataType="http://www.w3.org/2001/XMLSchema#string">
          Your proposal has been updated. As soon as possible please review your proposal for any unwanted changes
        </AttributeAssignment>
        <AttributeAssignment  AttributeId="piEmail" DataType="http://www.w3.org/2001/XMLSchema#string">
          milsonmun@yahoo.com
        </AttributeAssignment>
        <AttributeAssignment  AttributeId="piFullName" DataType="http://www.w3.org/2001/XMLSchema#string">
          Milson Munakami
        </AttributeAssignment>
      </Obligation>
    </Obligations>
  </Result>
</Response>

这不包含 coPisEmail 和 coPisFullName 的任何义务值。另外我不确定如何获取这些动态属性的值?我如何在我的应用程序中使用这些值?例如,它会只返回一个包含所有电子邮件和全名的值,还是会在单独的响应中返回单个值?我想我在这里遗漏了一些功能:

<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:**function:string-one-and-only**">
            <AttributeSelector MustBePresent="false"
              ContextSelectorId="urn:oasis:names:tc:xacml:3.0**:content-selector**"
              Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
              Path="//ak:pi/ak:workemail/text()" DataType="http://www.w3.org/2001/XMLSchema#string" />
          </Apply>
4

1 回答 1

1

在 XACML 中返回多个值没有什么特别需要做的。默认情况下,所有属性都是包。如果 PDP 找到给定表达式(属性指示符或属性选择器)的多个值,那么它将返回所有这些值。

附带说明,作为最佳实践,尽量避免在 XACML 策略中使用 XPath,因为这会使它们更难理解。XML 处理应在 PEP 或 PIP 中完成,并且 XACML 策略应尽可能以业务为中心。

于 2016-04-19T11:49:30.277 回答