Questions tagged [balana]


0 votes
2 answers
87 views

authorization - How do I test my policy? What comes after generating the Balana jar file?

I have installed Balana correctly and ran mvn clean install without errors. How can I make use of the jar file? How do I test the policies I have written in XACML?

0 votes
1 answer
236 views

authorization - How do I get a Permit from an XACML policy?

I have two policies; the first should return Permit and the second should return Deny, but it always returns Deny for the request.

This is the policy set:

The XACML request I expect to get a Permit response:

The request I expect to get a Permit response:

The responses to these two requests:

This is the ALFA code:

This is the condition I added to the rule:

I just don't know why every attempt with a condition fails! I tried this condition in Deny_Rule:

But when I send the request, it returns:

Even when I just write:

!!!
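For the first two questions (what to do with the built jar, and getting a Permit out of a rule that carries a Condition), the following is an added example, not code from either post and not part of the Balana project. It follows the pattern of Balana's own kmarket sample: point FileBasedPolicyFinderModule at a directory via its POLICY_DIR_PROPERTY system property, build a PDP from the default configuration, and call pdp.evaluate with a XACML 3.0 request string. The policy and request are constructed inline; the attribute id urn:example:attr:role and the policy id are assumptions. The Permit rule's Condition shows the shape a condition needs to evaluate correctly: the AttributeDesignator yields a bag, so string-one-and-only unwraps it before string-equal compares it with a literal, and first-applicable ordering makes the trailing Deny rule the fallback. It assumes Java 15+ (text blocks) and the Balana core artifact that mvn clean install installs into the local Maven repository (org.wso2.balana:org.wso2.balana in the upstream pom) on the classpath.

```java
import java.nio.file.Files;
import java.nio.file.Path;

import org.wso2.balana.Balana;
import org.wso2.balana.PDP;
import org.wso2.balana.finder.impl.FileBasedPolicyFinderModule;

/**
 * Added example (not from the posts or from Balana): evaluate XACML 3.0 requests
 * against one policy with Balana's PDP. The policy is written to a temporary
 * directory because the default policy finder loads policies from a directory
 * named by a system property.
 */
public final class BalanaPolicySmokeTest {

    // Constructed sample policy. Rule 1 permits when the subject's role (assumed
    // attribute id) equals "manager"; rule 2 denies everything else. The designator
    // returns a bag of strings, so string-one-and-only unwraps it before string-equal;
    // applying string-equal directly to the bag would not type-check.
    private static final String POLICY = """
        <Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
                PolicyId="urn:example:policy:condition-test" Version="1.0"
                RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
          <Target/>
          <Rule RuleId="permit-managers" Effect="Permit">
            <Target/>
            <Condition>
              <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                  <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                                       AttributeId="urn:example:attr:role"
                                       DataType="http://www.w3.org/2001/XMLSchema#string"
                                       MustBePresent="false"/>
                </Apply>
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">manager</AttributeValue>
              </Apply>
            </Condition>
          </Rule>
          <Rule RuleId="deny-everyone-else" Effect="Deny">
            <Target/>
          </Rule>
        </Policy>
        """;

    // Constructed sample request carrying the role attribute the Condition looks for.
    private static String request(String role) {
        return """
            <Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
                     CombinedDecision="false" ReturnPolicyIdList="false">
              <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
                <Attribute AttributeId="urn:example:attr:role" IncludeInResult="false">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">%s</AttributeValue>
                </Attribute>
              </Attributes>
            </Request>
            """.formatted(role);
    }

    public static void main(String[] args) throws Exception {
        // 1. Put the policy where FileBasedPolicyFinderModule will look for it. The property
        //    must be set before Balana.getInstance() builds the default PDP configuration.
        Path policyDir = Files.createTempDirectory("balana-policies");
        Files.writeString(policyDir.resolve("condition-test.xml"), POLICY);
        System.setProperty(FileBasedPolicyFinderModule.POLICY_DIR_PROPERTY, policyDir.toString());

        // 2. Build a PDP from the default configuration (file-based policy finder,
        //    standard XACML functions and combining algorithms).
        Balana balana = Balana.getInstance();
        PDP pdp = new PDP(balana.getPdpConfig());

        // 3. Evaluate. The return value is the XACML <Response> document as a string:
        //    read <Decision>, and when it is Indeterminate read <StatusCode> and
        //    <StatusMessage>, which say which attribute or function failed.
        for (String role : new String[] {"manager", "intern"}) {
            String response = pdp.evaluate(request(role));
            System.out.println("role=" + role + " -> " + response);
        }
    }
}
```

Run it once with the policy you actually wrote dropped into the directory in place of the constructed one; every policy file in that directory is loaded, so keep the directory to the policies under test. Reading the StatusMessage of an Indeterminate response is the quickest way to see whether a Condition fails to type-check or an attribute the policy references is absent from the request.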

0 votes
1 answer
58 views

authorization - How to represent explicit access control in XACML 3.0

We use XACML resource data labels to provide access control to data. There is a limit to what can/should be put into a data label using the basic logic for each attribute type (anyinall or allinall).

Beyond the data label, additional restrictions need to be provided, which can include an explicit list of subjects that have access. In this case we want to extend the restrictions in the data label with an explicit list of subjects (in addition to those the data label allows).

How would we write this in an XACML policy where (a) we can identify not only the subjects but (b) can also perform additional resource.attributes to subject.attribute comparisons?

We use entitlements to represent membership in the "list", which is entitlement-management intensive. Entitlements also carry limited complex logic (e.g. combinations of AND and OR) from resource attributes to subject id attributes.

Data labels use rules containing anyinall or allinall against attribute bags (i.e. resource.classification:"private" allinall subject.classification:"private").

I want the Permit to include:

  1. All data labels allowed based on subject.attributes
  2. subjectID is contained in the "list"
  3. subjectID satisfies the complex logical comparison (AND and OR rules) of resource.attributes to subjectID.attributes

Each part would permit or deny, and any deny fails the overall policy.

0 votes
1 answer
26 views

java - How does missing-attribute work in XACML?

I am doing an access control application using XACML and, specifically, the Balana implementation for the PDP.

In this application, specific types of user accounts can access only determinate resources. This is a reduced version of the Policy:

In reality there are many more rules that cover all account types and all resource types, but they all have the same structure: the target is a subject-id (type of account), trying to access one [or more] resource[s] through an action. All the rules are with "Deny" effect, since the combining algorithm is "Deny-Overrides". At the end of all the rules, there is a general rule that grants access to everyone to anything with any action (I know this is not the best approach and in the future I will switch to a "least privilege" approach). If a request matches any of the deny rules (along with the last "Permit" rule), the final decision will be "Deny", otherwise only the last rule will be a match and the decision will be "Permit", instead.

The following is a request generated by the PEP to the Balana PDP:

The decision of the PDP with this specific request should be "Permit", since it does not match the first rule due to the requested resource-id and it will match only the last Permit rule.

Now, the issue is that, regardless of the request I send, the outcome of the PDP decision is the following:

And I have no clue why.

https://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-cd-1-en.html

The XACML docs say that it's due to "The absence of matching attributes in the request context for any of the attribute designators attribute or selectors that are found in the policy" but I don't see why, since the last rule should always be a match. (This policy "format" is taken from the official Balana GitHub repository: https://github.com/wso2/balana/blob/master/modules/balana-samples/kmarket-trading-sample/resources/kmarket-blue-policy.xml)
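The following is an added example, written for this page and not taken from the post or from Balana, that models two pieces of the XACML 3.0 core specification the last question turns on: what a Rule evaluates to when an AttributeDesignator in its Target finds no matching attribute (section 7.3.5: Indeterminate if MustBePresent="true", an empty bag and therefore a non-matching Target if MustBePresent="false"), and how the deny-overrides combining algorithm of Appendix C.2 folds those results together with the catch-all Permit. It also covers the "each part permits or denies, any deny fails the whole" structure of the third question, which is the same algorithm over three parts. The rule names, the number of Deny rules and the attribute flag are constructed inputs. The point it shows is that once a Deny rule yields Indeterminate{D}, a matching Permit rule in the same policy cannot rescue the decision: the combination is Indeterminate{DP}, which a PDP reports as Indeterminate with the missing-attribute status the poster quotes. That is one mechanism consistent with the symptom described; whether it is the cause of that particular policy depends on the designators' MustBePresent values and the request's categories and attribute ids, which are not shown.

```java
import java.util.ArrayList;
import java.util.List;

/** Extended XACML 3.0 decisions as produced by rule and policy evaluation (core spec 7.9 / C.1). */
enum Decision { PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE_D, INDETERMINATE_P, INDETERMINATE_DP }

/**
 * Added example (not from the post or from Balana): a pure model of
 * urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides and of
 * rule evaluation under a missing target attribute, to reason about Indeterminate results.
 */
public final class DenyOverridesModel {

    /** Deny-overrides exactly as written in XACML 3.0 core, Appendix C.2. */
    static Decision denyOverrides(List<Decision> inputs) {
        boolean atLeastOneErrorD = false, atLeastOneErrorP = false;
        boolean atLeastOneErrorDP = false, atLeastOnePermit = false;
        for (Decision d : inputs) {
            switch (d) {
                case DENY:             return Decision.DENY;       // a single Deny wins immediately
                case PERMIT:           atLeastOnePermit = true;  break;
                case NOT_APPLICABLE:   break;
                case INDETERMINATE_D:  atLeastOneErrorD = true;  break;
                case INDETERMINATE_P:  atLeastOneErrorP = true;  break;
                case INDETERMINATE_DP: atLeastOneErrorDP = true; break;
            }
        }
        if (atLeastOneErrorDP) return Decision.INDETERMINATE_DP;
        if (atLeastOneErrorD && (atLeastOneErrorP || atLeastOnePermit)) return Decision.INDETERMINATE_DP;
        if (atLeastOneErrorD) return Decision.INDETERMINATE_D;
        if (atLeastOnePermit) return Decision.PERMIT;
        if (atLeastOneErrorP) return Decision.INDETERMINATE_P;
        return Decision.NOT_APPLICABLE;
    }

    /**
     * Value of a Rule whose Target names an attribute that is absent from the request.
     * Core spec 7.3.5: no match and MustBePresent="true" -> the designator is Indeterminate
     * (status missing-attribute), and an Indeterminate Target makes the Rule Indeterminate{Effect}.
     * MustBePresent="false" -> empty bag -> the Match is false -> the Rule is NotApplicable.
     */
    static Decision ruleWithMissingTargetAttribute(boolean mustBePresent, Decision effect) {
        if (mustBePresent) {
            return effect == Decision.DENY ? Decision.INDETERMINATE_D : Decision.INDETERMINATE_P;
        }
        return Decision.NOT_APPLICABLE;
    }

    /**
     * Constructed scenario in the shape of the question: denyRuleCount Deny rules whose Target
     * attribute is missing from the request, followed by a catch-all Permit rule that matches.
     */
    static Decision denyRulesThenCatchAllPermit(int denyRuleCount, boolean mustBePresent) {
        List<Decision> ruleResults = new ArrayList<>();
        for (int i = 0; i < denyRuleCount; i++) {
            ruleResults.add(ruleWithMissingTargetAttribute(mustBePresent, Decision.DENY));
        }
        ruleResults.add(Decision.PERMIT); // empty Target, always matches
        return denyOverrides(ruleResults);
    }

    public static void main(String[] args) {
        // Deny rules cannot see their attribute and it is mandatory: Indeterminate{DP}, not Permit.
        System.out.println("MustBePresent=true  -> " + denyRulesThenCatchAllPermit(3, true));
        // Same policy with MustBePresent="false": the Deny rules are NotApplicable, Permit survives.
        System.out.println("MustBePresent=false -> " + denyRulesThenCatchAllPermit(3, false));
        // Third question's structure: three parts, any Deny fails the whole.
        System.out.println("labels+list+logic   -> "
            + denyOverrides(List.of(Decision.PERMIT, Decision.PERMIT, Decision.DENY)));
    }
}
```

When a PDP answers Indeterminate for every request, compare the Category, AttributeId and DataType of each designator that has MustBePresent="true" against the request's Attributes elements; a designator that never resolves turns each Deny rule into Indeterminate{D}, and under deny-overrides the catch-all Permit then only changes the answer from Indeterminate{D} to Indeterminate{DP}.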