在策略或规则中动态生成 XACML 建议字符串
Generating XACML advice string dynamically in a policy or rule
有没有办法根据评估中使用的属性(例如环境属性)动态生成 XACML 响应中返回的 Advice 或 Obligation 字符串?
例如,通过实现相应逻辑的扩展来做到这一点?
在 XACML 3.0 中,Obligation 和 Advice 元素可以包含属性分配(attribute assignment)。属性分配是占位符,可以用静态值或动态值(例如来自另一个 XACML 属性的值)填充。例如,我们可以有以下内容(使用 ALFA 表示法,即 Axiomatics Language for Authorization):
// Declares the obligation identifier used below; the PDP returns it in the
// response as ObligationId "com.axiomatics.examples.notification.notifyManager".
obligation notifyManager = "com.axiomatics.examples.notification.notifyManager"
// Single-rule policy. With firstApplicable, if denyOutOfOffice does not match
// the policy evaluates to NotApplicable; there is no permit rule here.
policy accessDocs{
apply firstApplicable
// Denies outside 09:00-17:00 based on the environment current-time attribute.
// NOTE(review): the generated XACML below uses MustBePresent="false" for the
// time designators, so a request carrying no current-time attribute simply does
// not match this rule (no Deny, no Indeterminate) — confirm that is intended.
rule denyOutOfOffice{
target clause currentTime>"17:00:00":time or currentTime<"09:00:00":time
deny
on deny{
// Returned together with the Deny decision; a PEP that cannot discharge an
// obligation must deny access.
obligation notifyManager{
// Static placeholder value.
com.axiomatics.examples.message = "You cannot access anything outside office hours"
// Dynamic placeholder: copied from the subject attribute of the same name at
// evaluation time. NOTE(review): the generated XML on this page names this
// assignment "com.axiomatics.examples.user.manager.email"; the two identifiers
// should agree.
com.axiomatics.examples.user.managerEmail = com.axiomatics.examples.user.managerEmail
}
}
}
}
在此示例中,该义务有两个占位符:
- com.axiomatics.examples.message:此占位符包含一个静态值。
- com.axiomatics.examples.user.managerEmail:此占位符包含一个动态值,在评估时从同名属性取值。
占位符中也可以使用函数,例如字符串连接函数。
XACML 源代码如下所示:
<?xml version="1.0" encoding="UTF-8"?>
<!--This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com).
Any modification to this file will be lost upon recompilation of the source ALFA file-->
<!-- Single-rule policy. With first-applicable, if denyOutOfOffice does not match
     the policy evaluates to NotApplicable; there is no permit rule here. -->
<xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
PolicyId="http://axiomatics.com/alfa/identifier/example.accessDocs"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
Version="1.0">
<xacml3:Description />
<xacml3:PolicyDefaults>
<!-- Emitted by the generator; no XPath expression is used in this policy. -->
<xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
</xacml3:PolicyDefaults>
<!-- Empty policy target: the policy applies to every request. -->
<xacml3:Target />
<xacml3:Rule
Effect="Deny"
RuleId="http://axiomatics.com/alfa/identifier/example.accessDocs.denyOutOfOffice">
<xacml3:Description />
<!-- The ALFA clause "A or B" compiles to one AnyOf holding two AllOf branches.
     In a Match the function is applied as f(AttributeValue, designator value),
     so time-less-than(17:00:00, current-time) means current-time > 17:00:00. -->
<xacml3:Target>
<xacml3:AnyOf>
<xacml3:AllOf>
<xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:time-less-than">
<xacml3:AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#time">17:00:00</xacml3:AttributeValue>
<!-- MustBePresent="false": if the environment current-time attribute is absent
     from the request (and no PIP supplies it), the designator yields an empty
     bag, this Match is "No match", and the deny rule is skipped instead of
     returning Indeterminate. If the out-of-hours restriction must not be
     bypassable by omitting the attribute, consider MustBePresent="true" here
     and in the second Match below. -->
<xacml3:AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"
DataType="http://www.w3.org/2001/XMLSchema#time"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
MustBePresent="false"
/>
</xacml3:Match>
</xacml3:AllOf>
<!-- time-greater-than(09:00:00, current-time) means current-time < 09:00:00. -->
<xacml3:AllOf>
<xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:time-greater-than">
<xacml3:AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#time">09:00:00</xacml3:AttributeValue>
<xacml3:AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"
DataType="http://www.w3.org/2001/XMLSchema#time"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
MustBePresent="false"
/>
</xacml3:Match>
</xacml3:AllOf>
</xacml3:AnyOf>
</xacml3:Target>
<!-- FulfillOn="Deny": the obligation is returned only with a Deny decision.
     A PEP that does not understand or cannot discharge it must deny access. -->
<xacml3:ObligationExpressions>
<xacml3:ObligationExpression ObligationId="com.axiomatics.examples.notification.notifyManager"
FulfillOn="Deny">
<!-- Static assignment. The Category attribute is optional metadata carried into
     the resulting AttributeAssignment; it does not change the value. -->
<xacml3:AttributeAssignmentExpression AttributeId="com.axiomatics.examples.message" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment">
<xacml3:AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">You cannot access anything outside office hours</xacml3:AttributeValue>
</xacml3:AttributeAssignmentExpression>
<!-- Dynamic assignment: the value is read from the access-subject attribute at
     evaluation time. NOTE(review): the ALFA source on this page calls this
     placeholder com.axiomatics.examples.user.managerEmail while the XML uses
     com.axiomatics.examples.user.manager.email; the identifiers should agree.
     With MustBePresent="false", a missing attribute yields an empty bag and no
     AttributeAssignment is produced for it, so the obligation handler has to
     cope with an absent email. From the handler's point of view, values copied
     from request attributes are untrusted input (e.g. when building an email or
     a log line) and should be validated at the PEP. -->
<xacml3:AttributeAssignmentExpression AttributeId="com.axiomatics.examples.user.manager.email" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<xacml3:AttributeDesignator
AttributeId="com.axiomatics.examples.user.manager.email"
DataType="http://www.w3.org/2001/XMLSchema#string"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
MustBePresent="false"
/>
</xacml3:AttributeAssignmentExpression>
</xacml3:ObligationExpression>
</xacml3:ObligationExpressions>
</xacml3:Rule>
</xacml3:Policy>
有没有办法根据评估中使用的属性(例如环境属性)动态生成 XACML 响应中返回的 Advice 或 Obligation 字符串?
例如,通过实现相应逻辑的扩展来做到这一点?
在 XACML 3.0 中,Obligation 和 Advice 元素可以包含属性分配(attribute assignment)。属性分配是占位符,可以用静态值或动态值(例如来自另一个 XACML 属性的值)填充。例如,我们可以有以下内容(使用 ALFA 表示法,即 Axiomatics Language for Authorization):
// Declares the obligation identifier used below; the PDP returns it in the
// response as ObligationId "com.axiomatics.examples.notification.notifyManager".
obligation notifyManager = "com.axiomatics.examples.notification.notifyManager"
// Single-rule policy. With firstApplicable, if denyOutOfOffice does not match
// the policy evaluates to NotApplicable; there is no permit rule here.
policy accessDocs{
apply firstApplicable
// Denies outside 09:00-17:00 based on the environment current-time attribute.
// NOTE(review): the generated XACML below uses MustBePresent="false" for the
// time designators, so a request carrying no current-time attribute simply does
// not match this rule (no Deny, no Indeterminate) — confirm that is intended.
rule denyOutOfOffice{
target clause currentTime>"17:00:00":time or currentTime<"09:00:00":time
deny
on deny{
// Returned together with the Deny decision; a PEP that cannot discharge an
// obligation must deny access.
obligation notifyManager{
// Static placeholder value.
com.axiomatics.examples.message = "You cannot access anything outside office hours"
// Dynamic placeholder: copied from the subject attribute of the same name at
// evaluation time. NOTE(review): the generated XML on this page names this
// assignment "com.axiomatics.examples.user.manager.email"; the two identifiers
// should agree.
com.axiomatics.examples.user.managerEmail = com.axiomatics.examples.user.managerEmail
}
}
}
}
在此示例中,该义务有两个占位符:
- com.axiomatics.examples.message:此占位符包含一个静态值。
- com.axiomatics.examples.user.managerEmail:此占位符包含一个动态值,在评估时从同名属性取值。
占位符中也可以使用函数,例如字符串连接函数。
XACML 源代码如下所示:
<?xml version="1.0" encoding="UTF-8"?>
<!--This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com).
Any modification to this file will be lost upon recompilation of the source ALFA file-->
<!-- Single-rule policy. With first-applicable, if denyOutOfOffice does not match
     the policy evaluates to NotApplicable; there is no permit rule here. -->
<xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
PolicyId="http://axiomatics.com/alfa/identifier/example.accessDocs"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
Version="1.0">
<xacml3:Description />
<xacml3:PolicyDefaults>
<!-- Emitted by the generator; no XPath expression is used in this policy. -->
<xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
</xacml3:PolicyDefaults>
<!-- Empty policy target: the policy applies to every request. -->
<xacml3:Target />
<xacml3:Rule
Effect="Deny"
RuleId="http://axiomatics.com/alfa/identifier/example.accessDocs.denyOutOfOffice">
<xacml3:Description />
<!-- The ALFA clause "A or B" compiles to one AnyOf holding two AllOf branches.
     In a Match the function is applied as f(AttributeValue, designator value),
     so time-less-than(17:00:00, current-time) means current-time > 17:00:00. -->
<xacml3:Target>
<xacml3:AnyOf>
<xacml3:AllOf>
<xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:time-less-than">
<xacml3:AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#time">17:00:00</xacml3:AttributeValue>
<!-- MustBePresent="false": if the environment current-time attribute is absent
     from the request (and no PIP supplies it), the designator yields an empty
     bag, this Match is "No match", and the deny rule is skipped instead of
     returning Indeterminate. If the out-of-hours restriction must not be
     bypassable by omitting the attribute, consider MustBePresent="true" here
     and in the second Match below. -->
<xacml3:AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"
DataType="http://www.w3.org/2001/XMLSchema#time"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
MustBePresent="false"
/>
</xacml3:Match>
</xacml3:AllOf>
<!-- time-greater-than(09:00:00, current-time) means current-time < 09:00:00. -->
<xacml3:AllOf>
<xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:time-greater-than">
<xacml3:AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#time">09:00:00</xacml3:AttributeValue>
<xacml3:AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"
DataType="http://www.w3.org/2001/XMLSchema#time"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
MustBePresent="false"
/>
</xacml3:Match>
</xacml3:AllOf>
</xacml3:AnyOf>
</xacml3:Target>
<!-- FulfillOn="Deny": the obligation is returned only with a Deny decision.
     A PEP that does not understand or cannot discharge it must deny access. -->
<xacml3:ObligationExpressions>
<xacml3:ObligationExpression ObligationId="com.axiomatics.examples.notification.notifyManager"
FulfillOn="Deny">
<!-- Static assignment. The Category attribute is optional metadata carried into
     the resulting AttributeAssignment; it does not change the value. -->
<xacml3:AttributeAssignmentExpression AttributeId="com.axiomatics.examples.message" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment">
<xacml3:AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">You cannot access anything outside office hours</xacml3:AttributeValue>
</xacml3:AttributeAssignmentExpression>
<!-- Dynamic assignment: the value is read from the access-subject attribute at
     evaluation time. NOTE(review): the ALFA source on this page calls this
     placeholder com.axiomatics.examples.user.managerEmail while the XML uses
     com.axiomatics.examples.user.manager.email; the identifiers should agree.
     With MustBePresent="false", a missing attribute yields an empty bag and no
     AttributeAssignment is produced for it, so the obligation handler has to
     cope with an absent email. From the handler's point of view, values copied
     from request attributes are untrusted input (e.g. when building an email or
     a log line) and should be validated at the PEP. -->
<xacml3:AttributeAssignmentExpression AttributeId="com.axiomatics.examples.user.manager.email" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<xacml3:AttributeDesignator
AttributeId="com.axiomatics.examples.user.manager.email"
DataType="http://www.w3.org/2001/XMLSchema#string"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
MustBePresent="false"
/>
</xacml3:AttributeAssignmentExpression>
</xacml3:ObligationExpression>
</xacml3:ObligationExpressions>
</xacml3:Rule>
</xacml3:Policy>