2016-06-14 158 views
0

WSO2 Identity Server - PAP Try-It: problem with an XACML V.3 policy set

I want to add a policy set so that, using its Target, it runs a sequence of policies and decides, based on the input field "resource", whether a given policy applies. To start testing, I wrote a policySet containing a single policy.

Evaluation by the WSO2 PAP fails, showing a result of "NotApplicable", whereas I expected to receive "Permit".

Here is the policy, named "cfatest0", created in XML:

    <!--This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com). Any modification to this file will be lost upon recompilation of the source ALFA file--> 
    <xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="cfatest0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" Version="1.0"> 
     <xacml3:Description></xacml3:Description> 
     <xacml3:PolicyDefaults> 
     <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion> 
     </xacml3:PolicyDefaults> 
     <xacml3:Target> 
     <xacml3:AnyOf> 
      <xacml3:AllOf> 
       <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> 
        <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">TPS_AE_REST_Policy</xacml3:AttributeValue> 
        <xacml3:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false"></xacml3:AttributeDesignator> 
       </xacml3:Match> 
      </xacml3:AllOf> 
     </xacml3:AnyOf> 
     </xacml3:Target> 
     <xacml3:Rule Effect="Permit" RuleId="http://axiomatics.com/alfa/identifier/com.red.XACML.permitAll"> 
     <xacml3:Description></xacml3:Description> 
     <xacml3:Target></xacml3:Target> 
     </xacml3:Rule> 
     <xacml3:Rule Effect="Deny" RuleId="http://axiomatics.com/alfa/identifier/com.red.XACML.checkId"> 
     <xacml3:Description></xacml3:Description> 
     <xacml3:Target></xacml3:Target> 
     <xacml3:Condition> 
      <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not"> 
       <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of"> 
        <xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"></xacml3:Function> 
        <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">[email protected]</xacml3:AttributeValue> 
        <xacml3:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" MustBePresent="false"></xacml3:AttributeDesignator> 
       </xacml3:Apply> 
      </xacml3:Apply> 
     </xacml3:Condition> 
     <xacml3:ObligationExpressions> 
      <xacml3:ObligationExpression ObligationId="obligation.displayAttributes" FulfillOn="Deny"> 
       <xacml3:AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:text" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"> 
        <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Access denied due to invalid UserID</xacml3:AttributeValue> 
       </xacml3:AttributeAssignmentExpression> 
      </xacml3:ObligationExpression> 
     </xacml3:ObligationExpressions> 
     </xacml3:Rule> 
     <xacml3:AdviceExpressions> 
     <xacml3:AdviceExpression AdviceId="advice.displayAttributes" AppliesTo="Deny"> 
      <xacml3:AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:text" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"> 
       <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Valid subjectId</xacml3:AttributeValue> 
      </xacml3:AttributeAssignmentExpression> 
     </xacml3:AdviceExpression> 
     <xacml3:AdviceExpression AdviceId="advice.displayAttributes" AppliesTo="Permit"> 
      <xacml3:AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:text" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"> 
       <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Valid subjectId</xacml3:AttributeValue> 
      </xacml3:AttributeAssignmentExpression> 
     </xacml3:AdviceExpression> 
     </xacml3:AdviceExpressions> 
    </xacml3:Policy> 

Here is the policy set, named cfapolicyset1, created in XML:

    <!--This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com). Any modification to this file will be lost upon recompilation of the source ALFA file--> 
    <xacml3:PolicySet xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicySetId="cfapolicyset1" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:permit-overrides" Version="1.0"> 
     <xacml3:Description></xacml3:Description> 
     <xacml3:PolicySetDefaults> 
     <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion> 
     </xacml3:PolicySetDefaults> 
     <xacml3:Target> 
     <xacml3:AnyOf> 
      <xacml3:AllOf> 
       <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> 
        <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">TPS_AE_REST_Policy</xacml3:AttributeValue> 
        <xacml3:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false"></xacml3:AttributeDesignator> 
       </xacml3:Match> 
      </xacml3:AllOf> 
     </xacml3:AnyOf> 
     </xacml3:Target> 
     <xacml3:PolicyIdReference>cfatest0</xacml3:PolicyIdReference> 
    </xacml3:PolicySet> 

Below is the request generated by WSO2 under the PAP "Try-It" tool:

<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false"> 
    <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"> 
     <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false"> 
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">[email protected]</AttributeValue> 
     </Attribute> 
    </Attributes> 
    <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"> 
     <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false"> 
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">TPS_AE_REST_Policy</AttributeValue> 
     </Attribute> 
    </Attributes> 
</Request> 

The decision is: NotApplicable

Am I missing something in how I send the request to the policy set? The same error appears in the response when I use the WSO2 Advanced Policy Editor. When I test the policy on its own in the PAP "Try-It" tool I receive the correct value, which for this policy is "Permit".

Answer

1

I tried your request and policy in the Axiomatics Policy Administration Point and I got the desired response, i.e. Permit + Advice

[Image: Simulation result in the Axiomatics Policy Administration Point]

Did you forget to load the policy inside WSO2 IS?

+0

Thanks for testing the case @David Brossard, your hint was right: the policy referenced in the PolicyReference statement must exist, and in the source code of the policy set it must be declared right inside the xacml3:PolicyIdReference statement. By providing the source code in a single XML file, the WSO2 PAP tool is able to interpret it correctly without having to load the set and the referenced policies into the PDP. This is very helpful for testing. –
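To make the answer's point concrete, here is an added worked example (written for this page, not code from WSO2, Axiomatics or the question's author): a small Python evaluator for the XACML subset these files use. It keeps the policies the PDP has loaded in a repository and resolves the set's PolicyIdReference against it, so the page's request yields NotApplicable while cfatest0 is not loaded and Permit once it is. Assumptions: alice@example.org stands in for the subject-id that is redacted on the page; an unresolvable reference is treated as NotApplicable to reproduce the observed result (the standard's Indeterminate cases, obligations and advice are left out); names such as decide, evaluate_policy_set and CFATEST0 are the example's own.

```python
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML}
FN = "urn:oasis:names:tc:xacml:1.0:function:"
STR = 'DataType="http://www.w3.org/2001/XMLSchema#string"'
SUBJECT = ("urn:oasis:names:tc:xacml:1.0:subject-category:access-subject", "urn:oasis:names:tc:xacml:1.0:subject:subject-id")
RESOURCE = ("urn:oasis:names:tc:xacml:3.0:attribute-category:resource", "urn:oasis:names:tc:xacml:1.0:resource:resource-id")

def parse_request(xml_text):
    """Flatten a <Request> into {(Category, AttributeId): [values]} attribute bags."""
    return {(attrs.get("Category"), attr.get("AttributeId")): [v.text for v in attr.findall("x:AttributeValue", NS)]
            for attrs in ET.fromstring(xml_text).findall("x:Attributes", NS)
            for attr in attrs.findall("x:Attribute", NS)}

def lookup(designator, request):
    return request.get((designator.get("Category"), designator.get("AttributeId")), [])  # empty bag if absent

def target_matches(target, request):
    """Absent/empty Target matches all; AnyOf elements are ANDed, AllOf alternatives ORed; string-equal only."""
    for any_of in ([] if target is None else target.findall("x:AnyOf", NS)):
        if not any(all(m.find("x:AttributeValue", NS).text in lookup(m.find("x:AttributeDesignator", NS), request)
                       for m in all_of.findall("x:Match", NS))
                   for all_of in any_of.findall("x:AllOf", NS)):
            return False
    return True

FUNCTIONS = {
    FN + "not": lambda b: not b,
    FN + "string-equal": lambda a, b: a == b,
    # any-of(f, value, bag): true when f(value, item) holds for some item of the bag
    FN + "any-of": lambda fid, value, bag: any(FUNCTIONS[fid](value, item) for item in bag),
}

def evaluate(expr, request):
    """Evaluate a Condition expression tree (Apply / Function / AttributeValue / AttributeDesignator)."""
    tag = expr.tag.split("}")[1]
    if tag == "AttributeValue":
        return expr.text
    if tag == "AttributeDesignator":
        return lookup(expr, request)
    if tag == "Function":
        return expr.get("FunctionId")
    return FUNCTIONS[expr.get("FunctionId")](*(evaluate(child, request) for child in expr))

def combine(alg_id, decisions):
    order = ("Deny", "Permit") if alg_id.endswith("deny-overrides") else ("Permit", "Deny")  # no Indeterminate
    return next((d for d in order if d in decisions), "NotApplicable")

def evaluate_rule(rule, request):
    cond = rule.find("x:Condition", NS)
    if not target_matches(rule.find("x:Target", NS), request) or (cond is not None and not evaluate(cond[0], request)):
        return "NotApplicable"
    return rule.get("Effect")

def evaluate_policy(policy, request):
    if not target_matches(policy.find("x:Target", NS), request):
        return "NotApplicable"
    return combine(policy.get("RuleCombiningAlgId"), [evaluate_rule(r, request) for r in policy.findall("x:Rule", NS)])

def evaluate_policy_set(policy_set, request, repository):
    """repository = {PolicyId: Policy element}: the policies the PDP actually has loaded."""
    if not target_matches(policy_set.find("x:Target", NS), request):
        return "NotApplicable"
    decisions = []
    for child in policy_set:
        tag = child.tag.split("}")[1]
        if tag == "Policy":  # policy written inline in the set
            decisions.append(evaluate_policy(child, request))
        elif tag == "PolicyIdReference":  # policy that must be resolved from what the PDP has loaded
            referenced = repository.get(child.text.strip())
            # Assumption: an unresolvable reference contributes NotApplicable (the result the question observed)
            decisions.append("NotApplicable" if referenced is None else evaluate_policy(referenced, request))
    return combine(policy_set.get("PolicyCombiningAlgId"), decisions)

# Constructed, trimmed cfatest0 / cfapolicyset1 / Try-It request (no descriptions, obligations or advice;
# alice@example.org stands in for the subject-id that is redacted on the page).
def designator(cat_id):
    return f'<AttributeDesignator Category="{cat_id[0]}" AttributeId="{cat_id[1]}" {STR} MustBePresent="false"/>'
RESOURCE_TARGET = (f'<Target><AnyOf><AllOf><Match MatchId="{FN}string-equal"><AttributeValue {STR}>TPS_AE_REST_Policy'
                   f'</AttributeValue>{designator(RESOURCE)}</Match></AllOf></AnyOf></Target>')
POLICY_XML = f"""<Policy xmlns="{XACML}" PolicyId="cfatest0" Version="1.0"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">{RESOURCE_TARGET}
  <Rule Effect="Permit" RuleId="permitAll"><Target/></Rule>
  <Rule Effect="Deny" RuleId="checkId"><Target/><Condition><Apply FunctionId="{FN}not"><Apply FunctionId="{FN}any-of">
    <Function FunctionId="{FN}string-equal"/><AttributeValue {STR}>alice@example.org</AttributeValue>{designator(SUBJECT)}
  </Apply></Apply></Condition></Rule>
</Policy>"""
POLICY_SET_XML = f"""<PolicySet xmlns="{XACML}" PolicySetId="cfapolicyset1" Version="1.0"
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:permit-overrides">{RESOURCE_TARGET}
  <PolicyIdReference>cfatest0</PolicyIdReference>
</PolicySet>"""
CFATEST0 = ET.fromstring(POLICY_XML)

def request_xml(subject, resource):
    def attrs(cat_id, value):
        return (f'<Attributes Category="{cat_id[0]}"><Attribute AttributeId="{cat_id[1]}" IncludeInResult="false">'
                f'<AttributeValue {STR}>{value}</AttributeValue></Attribute></Attributes>')
    return f'<Request xmlns="{XACML}" CombinedDecision="false">{attrs(SUBJECT, subject)}{attrs(RESOURCE, resource)}</Request>'

def decide(subject, resource, loaded_policies):
    """Decision of cfapolicyset1 for one request when only `loaded_policies` are known to the PDP."""
    repository = {p.get("PolicyId"): p for p in loaded_policies}
    return evaluate_policy_set(ET.fromstring(POLICY_SET_XML), parse_request(request_xml(subject, resource)), repository)

if __name__ == "__main__":  # the question's situation (cfatest0 not loaded), then with it loaded
    print([decide("alice@example.org", "TPS_AE_REST_Policy", loaded) for loaded in ([], [CFATEST0])])
```

Running it prints `['NotApplicable', 'Permit']`. A request whose subject-id differs from the value in the checkId condition yields Deny, because deny-overrides lets that rule win over permitAll, and a request for another resource-id fails the Target and is NotApplicable regardless of what is loaded. In WSO2 IS terms the repository is the set of policies published to the PDP, which is exactly what the answer asks about.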