
我正在尝试通过 REST API 评估 XACML 请求。我用一个 JSON 请求来获取“root”下所有资源的决策。WSO2 返回了结果,但结果里没有带上对应的资源,因此我无法判断每个决策属于哪个资源。

https://docs.wso2.com/display/IS530/Using+REST+APIs+via+XACML+to+Manage+Entitlement

JSON 格式的 XACML 请求

{
    "Request": {
        "Action": {
            "Attribute": [{
                    "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
                    "Value": "POST"
                }
            ]
        },
        "Resource": {
            "Attribute": [{
                    "AttributeId": "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
                    "Value": "root"
                }, {
                    "AttributeId": "urn:oasis:names:tc:xacml:2.0:resource:scope",
                    "Value": "Children"
                }
            ]
        },
        "AccessSubject": {
            "Attribute": [{
                    "AttributeId": "urn:oasis:names:tc:xacml:1.0:subject:subject-id",
                    "Value": "customer"
                }
            ]
        }
    }
}

JSON 格式的 XACML 响应

{
    "Response": [{
            "Decision": "Deny",
            "Status": {
                "StatusCode": {
                    "Value": "urn:oasis:names:tc:xacml:1.0:status:ok"
                }
            }
        }, {
            "Decision": "Permit",
            "Status": {
                "StatusCode": {
                    "Value": "urn:oasis:names:tc:xacml:1.0:status:ok"
                }
            }
        }
    ]
}

结果中没有任何资源信息。我该如何把每个决策与对应的资源关联起来?


3 回答 3


WSO2 IS 完整支持基于 XML 的 XACML 3.0 规范;从 IS 5.6.0 Milestone 2 起,WSO2 也支持基于 JSON 的多决策配置文件(Multiple Decision Profile)。

于 2018-04-03T03:17:13.610 回答

如果您尝试 XACML JSON 请求,应该如下所示:

 {
   "Request": {
      "http://wso2.org/identity/user": [
      {
         "Attribute": [
            {
               "AttributeId": "http://wso2.org/identity/user/username",
               "Value": "adminUser",
                "IncludeInResult": true,
                "DataType": "string"
            }
         ]
      },{
         "Attribute": [
            {
               "AttributeId": "http://wso2.org/identity/user/username",
               "Value": "publicUser",
                "IncludeInResult": true,
                "DataType": "string"
            }
         ]
      }  ],

      "Resource": {
         "Attribute": [
            {
               "AttributeId": "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
               "Value": "index.jsp",
                "IncludeInResult": true,
                "DataType": "http://www.w3.org/2001/XMLSchema#string"
            }
         ]
      },
      "Action": [{
            "Attribute": [{
                    "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
                    "Value": "view-welcome",
                     "IncludeInResult": true,
                     "DataType": "http://www.w3.org/2001/XMLSchema#string"
                }
            ]
        },{
            "Attribute": [{
                    "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
                    "Value": "view-status",
                     "IncludeInResult": true,
                     "DataType": "http://www.w3.org/2001/XMLSchema#string"
                }
            ]
        },{
            "Attribute": [{
                    "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
                    "Value": "view-summary",
                     "IncludeInResult": true,
                     "DataType": "http://www.w3.org/2001/XMLSchema#string"
                }
            ]
        },{
            "Attribute": [{
                    "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
                    "Value": "modify-welcome",
                     "IncludeInResult": true,
                     "DataType": "http://www.w3.org/2001/XMLSchema#string"
                }
            ]
        } ] 
   }
}

对应的响应如下:

{
    "Response": [
        {
            "Decision": "Deny",
            "Status": {
                "StatusCode": {
                    "Value": "urn:oasis:names:tc:xacml:1.0:status:ok"
                }
            },
            "Obligations": [
                {
                    "Id": "fail_to_permit",
                    "AttributeAssignments": [
                        {
                            "AttributeId": "obligation-id",
                            "Value": "You can not access the resource index.jsp",
                            "DataType": "http://www.w3.org/2001/XMLSchema#string"
                        }
                    ]
                }
            ],
            "Resource": {
                "Attribute": [
                    {
                        "AttributeId": "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
                        "Value": "index.jsp",
                        "IncludeInResult": "true",
                        "DataType": "http://www.w3.org/2001/XMLSchema#string"
                    }
                ]
            },
            "http://wso2.org/identity/user": {
                "Attribute": [
                    {
                        "AttributeId": "http://wso2.org/identity/user/username",
                        "Value": "adminUser",
                        "IncludeInResult": "true",
                        "DataType": "http://www.w3.org/2001/XMLSchema#string"
                    }
                ]
            },
            "Action": {
                "Attribute": [
                    {
                        "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
                        "Value": "view-status",
                        "IncludeInResult": "true",
                        "DataType": "http://www.w3.org/2001/XMLSchema#string"
                    }
                ]
            }
        },
        {
            "Decision": "Deny",
            "Status": {
                "StatusCode": {
                    "Value": "urn:oasis:names:tc:xacml:1.0:status:ok"
                }
            },
            "Obligations": [
                {
                    "Id": "fail_to_permit",
                    "AttributeAssignments": [
                        {
                            "AttributeId": "obligation-id",
                            "Value": "You can not access the resource index.jsp",
                            "DataType": "http://www.w3.org/2001/XMLSchema#string"
                        }
                    ]
                }
            ],
            "Resource": {
                "Attribute": [
                    {
                        "AttributeId": "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
                        "Value": "index.jsp",
                        "IncludeInResult": "true",
                        "DataType": "http://www.w3.org/2001/XMLSchema#string"
                    }
                ]
            },
            "http://wso2.org/identity/user": {
                "Attribute": [
                    {
                        "AttributeId": "http://wso2.org/identity/user/username",
                        "Value": "adminUser",
                        "IncludeInResult": "true",
                        "DataType": "http://www.w3.org/2001/XMLSchema#string"
                    }
                ]
            },
            "Action": {
                "Attribute": [
                    {
                        "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
                        "Value": "view-summary",
                        "IncludeInResult": "true",
                        "DataType": "http://www.w3.org/2001/XMLSchema#string"
                    }
                ]
            }
        },
        {
            "Decision": "Permit",
            "Status": {
                "StatusCode": {
                    "Value": "urn:oasis:names:tc:xacml:1.0:status:ok"
                }
            },
            "Resource": {
                "Attribute": [
                    {
                        "AttributeId": "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
                        "Value": "index.jsp",
                        "IncludeInResult": "true",
                        "DataType": "http://www.w3.org/2001/XMLSchema#string"
                    }
                ]
            },
            "Action": {
                "Attribute": [
                    {
                        "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
                        "Value": "view-welcome",
                        "IncludeInResult": "true",
                        "DataType": "http://www.w3.org/2001/XMLSchema#string"
                    }
                ]
            },
            "http://wso2.org/identity/user": {
                "Attribute": [
                    {
                        "AttributeId": "http://wso2.org/identity/user/username",
                        "Value": "publicUser",
                        "IncludeInResult": "true",
                        "DataType": "http://www.w3.org/2001/XMLSchema#string"
                    }
                ]
            }
        },
        {
            "Decision": "Permit",
            "Status": {
                "StatusCode": {
                    "Value": "urn:oasis:names:tc:xacml:1.0:status:ok"
                }
            },
            "Action": {
                "Attribute": [
                    {
                        "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
                        "Value": "view-summary",
                        "IncludeInResult": "true",
                        "DataType": "http://www.w3.org/2001/XMLSchema#string"
                    }
                ]
            },
            "Resource": {
                "Attribute": [
                    {
                        "AttributeId": "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
                        "Value": "index.jsp",
                        "IncludeInResult": "true",
                        "DataType": "http://www.w3.org/2001/XMLSchema#string"
                    }
                ]
            },
            "http://wso2.org/identity/user": {
                "Attribute": [
                    {
                        "AttributeId": "http://wso2.org/identity/user/username",
                        "Value": "publicUser",
                        "IncludeInResult": "true",
                        "DataType": "http://www.w3.org/2001/XMLSchema#string"
                    }
                ]
            }
        },
        {
            "Decision": "Deny",
            "Status": {
                "StatusCode": {
                    "Value": "urn:oasis:names:tc:xacml:1.0:status:ok"
                }
            },
            "Obligations": [
                {
                    "Id": "fail_to_permit",
                    "AttributeAssignments": [
                        {
                            "AttributeId": "obligation-id",
                            "Value": "You can not access the resource index.jsp",
                            "DataType": "http://www.w3.org/2001/XMLSchema#string"
                        }
                    ]
                }
            ],
            "Resource": {
                "Attribute": [
                    {
                        "AttributeId": "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
                        "Value": "index.jsp",
                        "IncludeInResult": "true",
                        "DataType": "http://www.w3.org/2001/XMLSchema#string"
                    }
                ]
            },
            "http://wso2.org/identity/user": {
                "Attribute": [
                    {
                        "AttributeId": "http://wso2.org/identity/user/username",
                        "Value": "adminUser",
                        "IncludeInResult": "true",
                        "DataType": "http://www.w3.org/2001/XMLSchema#string"
                    }
                ]
            },
            "Action": {
                "Attribute": [
                    {
                        "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
                        "Value": "view-welcome",
                        "IncludeInResult": "true",
                        "DataType": "http://www.w3.org/2001/XMLSchema#string"
                    }
                ]
            }
        },
        {
            "Decision": "Deny",
            "Status": {
                "StatusCode": {
                    "Value": "urn:oasis:names:tc:xacml:1.0:status:ok"
                }
            },
            "Obligations": [
                {
                    "Id": "fail_to_permit",
                    "AttributeAssignments": [
                        {
                            "AttributeId": "obligation-id",
                            "Value": "You can not access the resource index.jsp",
                            "DataType": "http://www.w3.org/2001/XMLSchema#string"
                        }
                    ]
                }
            ],
            "Action": {
                "Attribute": [
                    {
                        "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
                        "Value": "view-status",
                        "IncludeInResult": "true",
                        "DataType": "http://www.w3.org/2001/XMLSchema#string"
                    }
                ]
            },
            "http://wso2.org/identity/user": {
                "Attribute": [
                    {
                        "AttributeId": "http://wso2.org/identity/user/username",
                        "Value": "publicUser",
                        "IncludeInResult": "true",
                        "DataType": "http://www.w3.org/2001/XMLSchema#string"
                    }
                ]
            },
            "Resource": {
                "Attribute": [
                    {
                        "AttributeId": "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
                        "Value": "index.jsp",
                        "IncludeInResult": "true",
                        "DataType": "http://www.w3.org/2001/XMLSchema#string"
                    }
                ]
            }
        },
        {
            "Decision": "Deny",
            "Status": {
                "StatusCode": {
                    "Value": "urn:oasis:names:tc:xacml:1.0:status:ok"
                }
            },
            "Obligations": [
                {
                    "Id": "fail_to_permit",
                    "AttributeAssignments": [
                        {
                            "AttributeId": "obligation-id",
                            "Value": "You can not access the resource index.jsp",
                            "DataType": "http://www.w3.org/2001/XMLSchema#string"
                        }
                    ]
                }
            ],
            "Action": {
                "Attribute": [
                    {
                        "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
                        "Value": "modify-welcome",
                        "IncludeInResult": "true",
                        "DataType": "http://www.w3.org/2001/XMLSchema#string"
                    }
                ]
            },
            "http://wso2.org/identity/user": {
                "Attribute": [
                    {
                        "AttributeId": "http://wso2.org/identity/user/username",
                        "Value": "publicUser",
                        "IncludeInResult": "true",
                        "DataType": "http://www.w3.org/2001/XMLSchema#string"
                    }
                ]
            },
            "Resource": {
                "Attribute": [
                    {
                        "AttributeId": "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
                        "Value": "index.jsp",
                        "IncludeInResult": "true",
                        "DataType": "http://www.w3.org/2001/XMLSchema#string"
                    }
                ]
            }
        },
        {
            "Decision": "Permit",
            "Status": {
                "StatusCode": {
                    "Value": "urn:oasis:names:tc:xacml:1.0:status:ok"
                }
            },
            "Resource": {
                "Attribute": [
                    {
                        "AttributeId": "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
                        "Value": "index.jsp",
                        "IncludeInResult": "true",
                        "DataType": "http://www.w3.org/2001/XMLSchema#string"
                    }
                ]
            },
            "http://wso2.org/identity/user": {
                "Attribute": [
                    {
                        "AttributeId": "http://wso2.org/identity/user/username",
                        "Value": "adminUser",
                        "IncludeInResult": "true",
                        "DataType": "http://www.w3.org/2001/XMLSchema#string"
                    }
                ]
            },
            "Action": {
                "Attribute": [
                    {
                        "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
                        "Value": "modify-welcome",
                        "IncludeInResult": "true",
                        "DataType": "http://www.w3.org/2001/XMLSchema#string"
                    }
                ]
            }
        }
    ]
}

在 XACML 的多决策配置文件中,响应会为请求中各类别(主体、动作、资源)取值的每一种组合各返回一个 Result:上面的示例是 2 个用户 × 4 个动作 × 1 个资源,因此得到 8 个决策。

`IncludeInResult` 会把该属性原样带回到对应的 Result 中;将其设为 false 可以缩短响应,但这样就无法把每个决策与具体的主体/资源/动作对应起来。注意:不要依赖 Response 数组中 Result 的顺序来做关联——上面示例里 Result 的顺序与请求中动作和用户的顺序并不一致。PEP 若按数组位置匹配,可能把一个 Permit 误用到另一个(主体, 动作, 资源)组合上,造成越权;应当始终用 Result 中回显的属性来关联。另外,WSO2 在响应中把 IncludeInResult 回显为字符串 "true"(而请求中是布尔值 true),解析时请勿对其做严格的布尔类型比较。

在 WSO2 Identity Server 中,您可以添加自定义类别,如 `http://wso2.org/identity/user`,并以用户声明作为 AttributeId,如 `http://wso2.org/identity/user/username`。

WSO2 IS 的 JSON 多决策配置文件同时接受 JSON 简写形式和 XACML 标准 URI,两种写法都可以使用;上面示例中 DataType 既出现了简写 `string`,也出现了完整 URI `http://www.w3.org/2001/XMLSchema#string`。

例如:`urn:oasis:names:tc:xacml:1.0:action:action-id` -> `action-id`

于 2018-04-17T03:42:55.780 回答

您的请求中有几处错误。

首先,您正在尝试使用 XACML 的多决策配置文件(即一次发出多个问题并同时得到多个响应的机制),但您用的是名为 `urn:oasis:names:tc:xacml:2.0:resource:scope` 的属性。该属性实际上属于旧版本的配置文件——XACML v2.0 的多资源配置文件(Multiple Resource Profile)。这是第一个错误:XACML 的 JSON 配置文件仅适用于 XACML 3.0,因此不能在其中使用只适用于 XACML 2.0 的旧配置文件。您是在哪里找到这个例子的?

其次,即使假设该请求被接受,按它现在的写法也不应触发多决策响应,而应该失败或只返回单个响应。原因是您在 Resource 类别里只给出了一个资源 "root",并没有枚举出它的子资源,所以 PDP 没有可以逐个评估的资源列表。

接下来,我建议您阅读 XACML 的 JSON 配置文件,其中说明了如何构造多决策请求和响应。下面是一个例子:

  • Alice 可以编辑、查看和删除 doc #123 吗?
{
    "Request": {
        "AccessSubject": {
            "Attribute": [{
                    "AttributeId": "com.axiomatics.username",
                    "Value": "Alice"
                }
            ]
        },
        "Action": [{
            "Attribute": [{
                    "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
                    "Value": "view"
                }
            ]
        },{
            "Attribute": [{
                    "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
                    "Value": "edit"
                }
            ]
        },{
            "Attribute": [{
                    "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
                    "Value": "delete"
                }
            ]
        }],
        "Resource": {
            "Attribute": [{
                    "AttributeId": "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
                    "Value": "123"
                }, {
                    "AttributeId": "resource-type",
                    "Value": "document"
                }
            ]
        }
    }
}

和回应:

{"Response": [
      {
      "Decision": "Deny",
      "Status": {"StatusCode":       {
         "Value": "urn:oasis:names:tc:xacml:1.0:status:ok",
         "StatusCode": {"Value": "urn:oasis:names:tc:xacml:1.0:status:ok"}
      }}
   },
      {
      "Decision": "Deny",
      "Status": {"StatusCode":       {
         "Value": "urn:oasis:names:tc:xacml:1.0:status:ok",
         "StatusCode": {"Value": "urn:oasis:names:tc:xacml:1.0:status:ok"}
      }}
   },
      {
      "Decision": "Deny",
      "Status": {"StatusCode":       {
         "Value": "urn:oasis:names:tc:xacml:1.0:status:ok",
         "StatusCode": {"Value": "urn:oasis:names:tc:xacml:1.0:status:ok"}
      }}
   }
]}

关联响应

现在,如果您想把响应中的每个决策关联回请求,可以利用每个属性上的 `IncludeInResult` 标志:它默认为 false,设为 true 后该属性会被回显到对应的 Result 中。请务必用回显的属性而不是 Result 在数组中的位置来关联——下面的示例里请求顺序是 view、edit、delete,而响应顺序是 delete、edit、view;按位置匹配会把决策对应到错误的动作上,在 PEP 中这就是一个越权缺陷。

这是一个例子

要求

{
    "Request": {
        "AccessSubject": {
            "Attribute": [{
                    "AttributeId": "com.axiomatics.username",
                    "Value": "Alice"
                }
            ]
        },
        "Action": [{
            "Attribute": [{
                    "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
                    "Value": "view",
                    "IncludeInResult": true
                }
            ]
        },{
            "Attribute": [{
                    "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
                    "Value": "edit",
                    "IncludeInResult": true
                }
            ]
        },{
            "Attribute": [{
                    "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
                    "Value": "delete",
                    "IncludeInResult": true
                }
            ]
        }],
        "Resource": {
            "Attribute": [{
                    "AttributeId": "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
                    "Value": "123"
                }, {
                    "AttributeId": "resource-type",
                    "Value": "document"
                }
            ]
        }
    }
}

回复

{"Response": [
      {
      "Decision": "Deny",
      "Status": {"StatusCode":       {
         "Value": "urn:oasis:names:tc:xacml:1.0:status:ok",
         "StatusCode": {"Value": "urn:oasis:names:tc:xacml:1.0:status:ok"}
      }},
      "Category":       {
         "CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
         "Attribute":          {
            "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
            "Value": "delete",
            "DataType": "http://www.w3.org/2001/XMLSchema#string"
         }
      }
   },
      {
      "Decision": "Deny",
      "Status": {"StatusCode":       {
         "Value": "urn:oasis:names:tc:xacml:1.0:status:ok",
         "StatusCode": {"Value": "urn:oasis:names:tc:xacml:1.0:status:ok"}
      }},
      "Category":       {
         "CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
         "Attribute":          {
            "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
            "Value": "edit",
            "DataType": "http://www.w3.org/2001/XMLSchema#string"
         }
      }
   },
      {
      "Decision": "Deny",
      "Status": {"StatusCode":       {
         "Value": "urn:oasis:names:tc:xacml:1.0:status:ok",
         "StatusCode": {"Value": "urn:oasis:names:tc:xacml:1.0:status:ok"}
      }},
      "Category":       {
         "CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
         "Attribute":          {
            "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
            "Value": "view",
            "DataType": "http://www.w3.org/2001/XMLSchema#string"
         }
      }
   }
]}
于 2017-11-02T17:26:27.160 回答