文档建议反馈控制台
首页
学习
活动
专区
圈层
工具
MCP广场
文章/答案/技术大牛
发布
社区首页 >问答首页 >WSO2标识服务器--在PAP的“尝试-It”下设置XACMLV.3策略的问题

WSO2标识服务器--在PAP的“尝试-It”下设置XACMLV.3策略的问题
EN

Stack Overflow用户
提问于 2016-06-14 18:36:07
回答 1查看 142关注 0票数 0

我想添加一个策略集,以便使用一个目标依次运行一系列策略,该目标根据输入字段“资源”定义是否适用给定的策略。为了开始测试,我编写了一个包含一个策略的policySet。

WSO2 PAP的评估不能显示"NotApplicable“的结果,而我希望得到”许可“。

在这里,用XML创建了名为"cfatest0“的策略:

代码语言:javascript
复制
<!--This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com).  Any modification to this file will be lost upon recompilation of the source ALFA file-->
   <xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"  PolicyId="cfatest0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" Version="1.0">
      <xacml3:Description></xacml3:Description>
      <xacml3:PolicyDefaults>
         <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
      </xacml3:PolicyDefaults>
      <xacml3:Target>
         <xacml3:AnyOf>
            <xacml3:AllOf>
               <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">TPS_AE_REST_Policy</xacml3:AttributeValue>
                  <xacml3:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false"></xacml3:AttributeDesignator>
               </xacml3:Match>
            </xacml3:AllOf>
         </xacml3:AnyOf>
      </xacml3:Target>
      <xacml3:Rule Effect="Permit" RuleId="http://axiomatics.com/alfa/identifier/com.red.XACML.permitAll">
         <xacml3:Description></xacml3:Description>
         <xacml3:Target></xacml3:Target>
      </xacml3:Rule>
      <xacml3:Rule Effect="Deny" RuleId="http://axiomatics.com/alfa/identifier/com.red.XACML.checkId">
         <xacml3:Description></xacml3:Description>
         <xacml3:Target></xacml3:Target>
         <xacml3:Condition>
            <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
               <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
                  <xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"></xacml3:Function>
                  <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">claudef@br.red.com</xacml3:AttributeValue>
                  <xacml3:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" MustBePresent="false"></xacml3:AttributeDesignator>
               </xacml3:Apply>
            </xacml3:Apply>
         </xacml3:Condition>
         <xacml3:ObligationExpressions>
            <xacml3:ObligationExpression ObligationId="obligation.displayAttributes" FulfillOn="Deny">
               <xacml3:AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:text" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
                  <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Access denied due to invalid UserID</xacml3:AttributeValue>
               </xacml3:AttributeAssignmentExpression>
            </xacml3:ObligationExpression>
         </xacml3:ObligationExpressions>
      </xacml3:Rule>
      <xacml3:AdviceExpressions>
         <xacml3:AdviceExpression AdviceId="advice.displayAttributes" AppliesTo="Deny">
            <xacml3:AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:text" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
               <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Valid subjectId</xacml3:AttributeValue>
            </xacml3:AttributeAssignmentExpression>
         </xacml3:AdviceExpression>
         <xacml3:AdviceExpression AdviceId="advice.displayAttributes" AppliesTo="Permit">
            <xacml3:AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:text" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
               <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Valid subjectId</xacml3:AttributeValue>
            </xacml3:AttributeAssignmentExpression>
         </xacml3:AdviceExpression>
      </xacml3:AdviceExpressions>
   </xacml3:Policy>

在这里,用XML创建了名为PolicySet的cfapolicyset1:

代码语言:javascript
复制
<!--This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com).  Any modification to this file will be lost upon recompilation of the source ALFA file-->
   <xacml3:PolicySet xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"  PolicySetId="cfapolicyset1" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:permit-overrides" Version="1.0">
      <xacml3:Description></xacml3:Description>
      <xacml3:PolicySetDefaults>
         <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
      </xacml3:PolicySetDefaults>
      <xacml3:Target>
         <xacml3:AnyOf>
            <xacml3:AllOf>
               <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">TPS_AE_REST_Policy</xacml3:AttributeValue>
                  <xacml3:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false"></xacml3:AttributeDesignator>
               </xacml3:Match>
            </xacml3:AllOf>
         </xacml3:AnyOf>
      </xacml3:Target>
      <xacml3:PolicyIdReference>cfatest0</xacml3:PolicyIdReference>
   </xacml3:PolicySet>

下面是由PAP下的WSO2 "Try-It“工具生成的请求:

代码语言:javascript
复制
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
    <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">claudef@br.red.com</AttributeValue>
        </Attribute>
    </Attributes>
    <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">TPS_AE_REST_Policy</AttributeValue>
        </Attribute>
    </Attributes>
</Request>

决定是: NotApplicable

我是否错过了向PolicySet发送请求的方式?当使用WSO2高级策略编辑器时,我在响应中得到相同的错误。当测试PAP "Try-It“工具中隔离的策略时,我会收到正确的值,这个策略的值是:”许可证“。

authorization
xacml
abac
alfa
wso2-identity-server
EN

回答 1

Stack Overflow用户

回答已采纳

发布于 2016-06-15 06:58:43

我在公理化政策管理点内尝试了您的请求和策略,我得到了想要的响应,即许可+建议

您是否忘了在WSO2IS中加载策略?

票数 1
EN
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:

https://stackoverflow.com/questions/37819672

复制
相关文章

相似问题

领券

腾讯云开发者

扫码关注腾讯云开发者

扫码关注腾讯云开发者

领取腾讯云代金券

热门产品

热门推荐

更多推荐

Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有 

深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 粤公网安备44030502008569号

腾讯云计算(北京)有限责任公司 京ICP证150476号 |  京ICP备11018762号

问题归档专栏文章快讯文章归档关键词归档开发者手册归档开发者手册 Section 归档