文档建议反馈控制台
首页
学习
活动
专区
圈层
工具
MCP广场
文章/答案/技术大牛
发布
社区首页 >问答首页 >AuthzForce XACML响应是不确定的

AuthzForce XACML响应是不确定的
EN

Stack Overflow用户
提问于 2018-01-25 12:22:33
回答 2查看 357关注 0票数 2

我正在探索Authzforce XACML3.0,并且遇到了一些问题。我不断地得到我的不确定的答复。下面是我的设置和它抛出的异常跟踪。任何帮助都是非常感谢的。

请求档案:

代码语言:javascript
复制
<?xml version="1.0" encoding="utf-8"?>
<Request  ReturnPolicyIdList="false" CombinedDecision="false" xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Julius Hibbert</AttributeValue>
    </Attribute>
    <Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:age">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">45</AttributeValue>
    </Attribute>
    <Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:age">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">46</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://medico.com/record/patient/BartSimpson</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
    <Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" />
</Request>

政策档案:

代码语言:javascript
复制
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" PolicyId="urn:oasis:names:tc:xacml:2.0:conformance-test:IIA1:policy"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
    Version="1.0">
    <Description>
        Policy for Conformance Test IIA011.
    </Description>
    <Target />
    <Rule Effect="Permit"
        RuleId="urn:oasis:names:tc:xacml:2.0:conformance-test:IIA1:rule">
        <Description>
            Anyone who is 45 integer years old may perform any
            action on any resource.
        </Description>
        <Condition>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
                    <AttributeDesignator
                        AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:age"
                        Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                        DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="false" />
                </Apply>
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">45</AttributeValue>
            </Apply>
        </Condition>
    </Rule>
</Policy>

PDP Config文件:

代码语言:javascript
复制
<?xml version="1.0" encoding="UTF-8"?>
<pdp xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://authzforce.github.io/core/xmlns/pdp/6.0" version="6.0.0">
    <rootPolicyProvider id="rootPolicyProvider" xsi:type="StaticRootPolicyProvider" policyLocation="policy.xml" />
</pdp>

异常跟踪:

代码语言:javascript
复制
org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException: Function urn:oasis:names:tc:xacml:1.0:function:integer-equal: indeterminate arg
    at org.ow2.authzforce.core.pdp.api.func.BaseFirstOrderFunctionCall$EagerSinglePrimitiveTypeEval.evaluate(BaseFirstOrderFunctionCall.java:662)
    at org.ow2.authzforce.core.pdp.api.func.BaseFirstOrderFunctionCall.evaluate(BaseFirstOrderFunctionCall.java:359)
    at org.ow2.authzforce.core.pdp.impl.expression.ApplyExpressions$VariableApplyExpression.evaluate(ApplyExpressions.java:87)
    at org.ow2.authzforce.core.pdp.impl.rule.ConditionEvaluators$BooleanExpressionEvaluator.evaluate(ConditionEvaluators.java:94)
    at org.ow2.authzforce.core.pdp.impl.rule.RuleEvaluator.evaluate(RuleEvaluator.java:535)
    at org.ow2.authzforce.core.pdp.impl.combining.CombiningAlgEvaluators$RulesWithSameEffectEvaluator.evaluate(CombiningAlgEvaluators.java:134)
    at org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators$BaseTopLevelPolicyElementEvaluator.evaluate(PolicyEvaluators.java:764)
    at org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators$BaseTopLevelPolicyElementEvaluator.evaluate(PolicyEvaluators.java:881)
    at org.ow2.authzforce.core.pdp.impl.policy.RootPolicyEvaluators$StaticView.findAndEvaluate(RootPolicyEvaluators.java:190)
    at org.ow2.authzforce.core.pdp.impl.BasePdpEngine$IndividualDecisionRequestEvaluator.evaluateInNewContext(BasePdpEngine.java:685)
    at org.ow2.authzforce.core.pdp.impl.BasePdpEngine$NonCachingIndividualDecisionRequestEvaluator.evaluate(BasePdpEngine.java:730)
    at org.ow2.authzforce.core.pdp.impl.BasePdpEngine.evaluate(BasePdpEngine.java:984)
    at org.ow2.authzforce.core.pdp.api.io.BasePdpEngineAdapter.evaluate(BasePdpEngineAdapter.java:128)
    at org.ow2.authzforce.core.pdp.api.io.BasePdpEngineAdapter.evaluate(BasePdpEngineAdapter.java:149)
    at XACMLTester.main(XACMLTester.java:29)
Caused by: org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException: Indeterminate arg #0
    at org.ow2.authzforce.core.pdp.api.func.BaseFirstOrderFunctionCall.evalPrimitiveArgs(BaseFirstOrderFunctionCall.java:94)
    at org.ow2.authzforce.core.pdp.api.func.BaseFirstOrderFunctionCall.access$200(BaseFirstOrderFunctionCall.java:53)
    at org.ow2.authzforce.core.pdp.api.func.BaseFirstOrderFunctionCall$EagerSinglePrimitiveTypeEval.evaluate(BaseFirstOrderFunctionCall.java:658)
    ... 14 more
Caused by: org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException: Function urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only: Invalid arg #0: empty bag or bag size > 1. Required: one and only one value in bag.
    at org.ow2.authzforce.core.pdp.api.func.FirstOrderBagFunctions$SingletonBagToPrimitive.<init>(FirstOrderBagFunctions.java:82)
    at org.ow2.authzforce.core.pdp.api.func.FirstOrderBagFunctions.getFunctions(FirstOrderBagFunctions.java:554)
    at org.ow2.authzforce.core.pdp.impl.func.StandardFunction.getRegistry(StandardFunction.java:901)
    at org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration.<init>(PdpEngineConfiguration.java:286)
    at org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration.getInstance(PdpEngineConfiguration.java:479)
    at org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration.getInstance(PdpEngineConfiguration.java:519)
    at org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration.getInstance(PdpEngineConfiguration.java:551)
    at org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration.getInstance(PdpEngineConfiguration.java:687)
    at org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration.getInstance(PdpEngineConfiguration.java:704)
    at XACMLTester.main(XACMLTester.java:23)

例外情况是,袋子要么是空的,要么超过1个,但我并不认为这是问题所在,因为我正在根据需要提供数据。任何帮助都是非常感谢的。

authzforce
java
security
authorization
xacml
EN

回答 2

Stack Overflow用户

回答已采纳

发布于 2018-01-25 16:56:56

这很简单。你要送去两个年头。你只需要寄一个年龄。尝试以下几点:

代码语言:javascript
复制
<xacml-ctx:Request ReturnPolicyIdList="false" CombinedDecision="false" xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" >
      <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
         <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://medico.com/record/patient/BartSimpson</xacml-ctx:AttributeValue>
      </xacml-ctx:Attribute>
   </xacml-ctx:Attributes>
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" >
   </xacml-ctx:Attributes>
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" >
      <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:age" IncludeInResult="false">
         <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">45</xacml-ctx:AttributeValue>
      </xacml-ctx:Attribute>
      <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
         <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Julius Hibbert</xacml-ctx:AttributeValue>
      </xacml-ctx:Attribute>
   </xacml-ctx:Attributes>
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" >
      <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
         <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</xacml-ctx:AttributeValue>
      </xacml-ctx:Attribute>
   </xacml-ctx:Attributes>
</xacml-ctx:Request>
票数 1
EN

Stack Overflow用户

发布于 2018-01-28 23:36:55

大卫是对的。为了了解策略评估是如何工作的,异常堆栈跟踪中的根本原因消息是arg #0,即传递给函数整数-1和-只读的第一个(和唯一)参数,它是一个包,没有一个和唯一的值,也就是说它不是空的就是多个。

实际上,在您的策略中,您将这个参数定义为一个AttributeDesignator,即属性值的袋子.:一致性测试:年龄;在您的请求中,您为该属性提供了两个不同的值。因此,AttributeDesignator的计算结果是一个包含2个值的袋子,对于函数整一和纯函数来说,这是无效的。这太过分了。

票数 1
EN
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:

https://stackoverflow.com/questions/48442804

复制
相关文章

相似问题

领券

腾讯云开发者

扫码关注腾讯云开发者

扫码关注腾讯云开发者

领取腾讯云代金券

热门产品

热门推荐

更多推荐

Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有 

深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 粤公网安备44030502008569号

腾讯云计算(北京)有限责任公司 京ICP证150476号 |  京ICP备11018762号

问题归档专栏文章快讯文章归档关键词归档开发者手册归档开发者手册 Section 归档