XACML型袋

Question

包的XACML类型是什么？

我的条件函数是string-at-least-one-member-of，我在请求中使用了string-bag函数。我给包的DataType是什么数据类型的AttributeDesignator？

我的情况是：

     <xacml3:Condition>
        <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
           <xacml3:AttributeDesignator AttributeId="test:xacml:1.0:county" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false"></xacml3:AttributeDesignator>
           <xacml3:AttributeDesignator AttributeId="test:xacml:1.0:counties" DataType="WHAT SHOULD THIS BE?" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" MustBePresent="false"></xacml3:AttributeDesignator>
        </xacml3:Apply>
     </xacml3:Condition>

我的属性是

    <xacml3:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
        <xacml3:Attribute AttributeId="test:xacml:1.0:counties" IncludeInResult="false">
          <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
            <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">travis</xacml3:AttributeValue>
            <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">brazoria</xacml3:AttributeValue>
            <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">dallas</xacml3:AttributeValue>
          </xacml3:Apply>
        </xacml3:Attribute>
    </xacml3:Attributes>

当我在WSO2中尝试请求时，我得到

<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
    <Result>
        <Decision>Deny</Decision>
        <Status>
            <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
        </Status>
    </Result>
</Response> 

对于那些对整个档案感兴趣的人，我的请求是：

<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="true">
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <Attribute AttributeId="test:xacml:1.0:county" IncludeInResult="true">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">travis</AttributeValue>
    </Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute AttributeId="test:xacml:1.0:counties" IncludeInResult="true">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">travis</AttributeValue>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">brazoria</AttributeValue>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">dallas</AttributeValue>
      </Apply>
    </Attribute>
</Attributes>
</Request>

我的政策是：

<xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"  PolicyId="county-based-3" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
  <xacml3:Description></xacml3:Description>
  <xacml3:Target></xacml3:Target>
  <xacml3:Rule Effect="Permit" RuleId="http://axiomatics.com/alfa/identifier/stackoverflow.example.checkGroup">
     <xacml3:Description></xacml3:Description>
     <xacml3:Target></xacml3:Target>
     <xacml3:Condition>
        <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
           <xacml3:AttributeDesignator AttributeId="test:xacml:1.0:county" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false"></xacml3:AttributeDesignator>
           <xacml3:AttributeDesignator AttributeId="test:xacml:1.0:counties" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" MustBePresent="false"></xacml3:AttributeDesignator>
        </xacml3:Apply>
     </xacml3:Condition>
  </xacml3:Rule> 
  <xacml3:Rule Effect="Deny" RuleId="deny-rule"></xacml3:Rule>

​

Answer 1

数据类型应该是http://www.w3.org/2001/XMLSchema#string

        <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
       <xacml3:AttributeDesignator AttributeId="test:xacml:1.0:county" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false"></xacml3:AttributeDesignator>
       <xacml3:AttributeDesignator AttributeId="test:xacml:1.0:counties" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" MustBePresent="false"></xacml3:AttributeDesignator>
    </xacml3:Apply>

实际上，所有属性指示符都是XACML中的袋子。数据类型适用于包的整个元素。

此外，您还使用了函数urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of，它接受XACML3.0 规格说明中定义的2袋字符串

• urn:oasis:names:tc:xacml:x.x:function:type-at-least-one-member-of

此函数将接受两个参数，它们都是“类型”值的一个包。它将返回一个“http://www.w3.org/2001/XMLSchema#boolean”。如果第一个参数的至少一个元素包含在"urn:oasis:names:tc:xacml:x.x:function:type-is-in".确定的第二个参数中，则该函数应计算为“真”。

您发送的请求无效。<Request/>元素不能在内部包含<Apply/>元素。

删除<Apply/>，您应该得到以下请求：

<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="true">
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <Attribute AttributeId="test:xacml:1.0:county" IncludeInResult="true">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">travis</AttributeValue>
    </Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute AttributeId="test:xacml:1.0:counties" IncludeInResult="true">

        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">travis</AttributeValue>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">brazoria</AttributeValue>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">dallas</AttributeValue>

    </Attribute>
</Attributes>
</Request>

这是公理化策略服务器中的图形表示：

​

​