WSO2标识XACML -支持条件语句？

Question

XACML 3语法验证器在WSO2 XML编辑器中有问题，该编辑器拒绝插入语句。我计划添加一个属性列表，而不是一个属性检查。下面是被XACML语法验证器拒绝的语句的打印输出：

这个带有“字符串包”的简单条件正在引发架构错误：

<xacml3:Condition>
<xacml3:Apply functionid="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">  
  <xacml3:Apply functionid="urn:oasis:names:tc:xacml:1.0:function:string-bag">
     <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Curitiba</xacml3:AttributeValue>
     <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Bahia</xacml3:AttributeValue>
     <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Belem</xacml3:AttributeValue>
  </xacml3:Apply>
<xacml3:AttributeDesignator Category=" urn:oasis:names:tc:xacml:3.0:attribute-category:environment" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:environment-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></xacml3:AttributeDesignator>
</xacml3:Apply>
</xacml3:Condition>

显示的错误消息是：

Entitlement policy is not updated. Error is :Invalid Entitlement Policy. Policy is not valid according to XACML schema

使用“或”逻辑运算符的此条件运行良好：

 <xacml3:Condition>
 <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
    <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
 <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Curitiba</xacml3:AttributeValue>
       <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:environment-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></xacml3:AttributeDesignator>
    </xacml3:Apply>
    <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
       <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Brasilia</xacml3:AttributeValue>
       <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:environment-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></xacml3:AttributeDesignator>
    </xacml3:Apply>
 </xacml3:Apply>
 </xacml3:Condition>

如上文所示，描述条件的语句就在该规则的最后一节之前插入。

WSO2 PAP是否支持使用属性列表，并且是的，这个错误能用语法构造中的错误来解释吗？

在Web上寻找公共语法和模式验证器，这是一个实用工具，可以帮助调试与XACML V3语法兼容的类似问题。

Answer 1

公理化政策管理点告诉您，在您的情况下，错误的确切位置是：

org.xml.sax.SAXParseException; lineNumber: 13; columnNumber: 99; cvc-complex-type.3.2.2: Attribute 'functionid' is not allowed to appear in element 'xacml3:Apply'.
    at org.apache.xerces.util.ErrorHandlerWrapper.createSAXParseException(Unknown Source)
    at org.apache.xerces.util.ErrorHandlerWrapper.error(Unknown Source)
    at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source)
    at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source)
    at org.apache.xerces.impl.xs.XMLSchemaValidator$XSIErrorReporter.reportError(Unknown Source)
    at org.apache.xerces.impl.xs.XMLSchemaValidator.reportSchemaError(Unknown Source)
    at org.apache.xerces.impl.xs.XMLSchemaValidator.processAttributes(Unknown Source)
    at org.apache.xerces.impl.xs.XMLSchemaValidator.handleStartElement(Unknown Source)
    at org.apache.xerces.impl.xs.XMLSchemaValidator.startElement(Unknown Source)
    at org.apache.xerces.impl.XMLNSDocumentScannerImpl.scanStartElement(Unknown Source)
    at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown Source)
    at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
    at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
    at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
    at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
    at org.apache.xerces.parsers.DOMParser.parse(Unknown Source)
    at org.apache.xerces.jaxp.DocumentBuilderImpl.parse(Unknown Source)
    at javax.xml.parsers.DocumentBuilder.parse(Unknown Source)
    at com.axiomatics.delegent.client.commons.importer.PolicyImporter.importInputStream(PolicyImporter.java:285)
    at com.axiomatics.delegent.client.commons.importer.PolicyImporter.importFile(PolicyImporter.java:264)

更具体地说，它说：

属性'functionid‘不允许出现在元素’xacml3 3:Apply‘中。

这是一个XML验证错误。XACML模式并不期望XML元素Apply中有一个名为Apply的XML属性。

相反，它期望FunctionId。你所要做的就是运用正确的资本化，然后政策就像一种魅力一样导入。

顺便问一下，您使用urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of的原因有哪些？

Answer 2

我在定义“String-袋”元素的语句序列中隔离了XACML语法错误(参见下面的示例代码)。在语法固定的情况下，这个条件现在可以在一系列选择中验证一个城市的名称：

<xacml3:Condition>
 <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
    <xacml3:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:environment-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></xacml3:AttributeDesignator>
    <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
       <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Brasilia</xacml3:AttributeValue>
       <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Curitiba</xacml3:AttributeValue>
       <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Bahia</xacml3:AttributeValue>
       <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Porto Alegre</xacml3:AttributeValue>
       <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Rio de Janeiro</xacml3:AttributeValue>
       <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">São Paulo</xacml3:AttributeValue>
    </xacml3:Apply>
 </xacml3:Apply>

​