WSO2 Identity Server - Sending Multiple Attributes in the Request to a Custom Policy Info Point (PIP) in WSO2IS
I am using WSO2IS 5.3.0 and I have followed the instructions on this page: https://docs.wso2.com/display/IS530/Writing+a+Custom+Policy+Info+Point
I have successfully implemented the custom PIP attribute finder (KMarketJDBCAttributeFinder), and so far everything works. The problem I have is that I want to send multiple attributes, but the AttributeFinder picks up only one. Below are my policy and my request:
XACML policy:
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        xmlns:xacml="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="My-Custom-Policy"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
        Version="1.0">
  <Target>
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">subj-id</AttributeValue>
          <AttributeDesignator
              MustBePresent="false"
              Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
              AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
              DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
  <Rule RuleId="rule1" Effect="Permit">
    <Target>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">action-value</AttributeValue>
            <AttributeDesignator
                MustBePresent="false"
                Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
        <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">some-value-returned-by-custom-pip-finder-jar</AttributeValue>
        <AttributeDesignator
            Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
            AttributeId="urn:my:custom:id:data-one"
            DataType="http://www.w3.org/2001/XMLSchema#string"
            MustBePresent="false"/>
      </Apply>
    </Condition>
  </Rule>
  <Rule RuleId="rule2" Effect="Deny"/>
</Policy>
XACML request:
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
  <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">subj-id</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">action-value</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">re-src-id</AttributeValue>
    </Attribute>
    <Attribute AttributeId="urn:my:custom:id:data-one" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">data-one</AttributeValue>
    </Attribute>
    <Attribute AttributeId="urn:my:custom:id:data-two" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">data-two</AttributeValue>
    </Attribute>
  </Attributes>
</Request>
As you can see, I send three attributes as part of the resource category; but when I debug the code, I only see one of them being picked up (the others are ignored).
Also, in the request and the policy I used the custom AttributeIds urn:my:custom:id:data-one and urn:my:custom:id:data-two.
How can I send multiple attributes (without using the "Multiple Requests" option, I am sending only one request) and confirm that my custom attributeFinder PIP extension correctly receives all of them?
Analyzing the code of the abstract class responsible for extracting the attributes from the request, the method that builds the attribute bag extracts only one; that is why my test did not work.
The solution I found was to create my own implementation of the abstract class PIPAttributeFinder and take all the attributes from the request:
... (other code)
// Imports this fragment relies on (Balana types shipped with WSO2IS):
import java.net.URI;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import org.wso2.balana.attr.AttributeValue;
import org.wso2.balana.attr.BagAttribute;
import org.wso2.balana.cond.EvaluationResult;
... (other code)
// Collect every value in the resource-id bag instead of keeping only the first one.
// evaluationCtx, issuer, resourceId, subjectId, actionId, environmentId and attributeId
// are the fields/parameters of the surrounding finder method (elided above).
List<String> resourceList = new ArrayList<String>();
EvaluationResult resource = evaluationCtx.getAttribute(
        new URI("http://www.w3.org/2001/XMLSchema#string"),
        new URI("urn:oasis:names:tc:xacml:1.0:resource:resource-id"),
        issuer,
        new URI("urn:oasis:names:tc:xacml:3.0:attribute-category:resource"));
if (resource != null && resource.getAttributeValue() != null && resource.getAttributeValue().isBag()) {
    BagAttribute key = (BagAttribute) resource.getAttributeValue();
    if (key.size() > 0) {
        Iterator iterator = key.iterator();
        while (iterator.hasNext()) {
            AttributeValue attributeValue = (AttributeValue) iterator.next();
            resourceList.add(attributeValue.encode());
        }
        if (log.isDebugEnabled()) {
            // Log the whole list, not just the last value that was iterated.
            log.debug(String.format("Finding attributes for the resources %1$s", resourceList));
        }
        // The single resourceId is no longer meaningful once the whole bag is passed along.
        resourceId = "empty-value";
    }
}
... (other code)
attributeValues = this.getAttributeValues(subjectId, resourceId, resourceList, actionId, environmentId, attributeId.toString(), issuer);
... (other code)
Keep in mind that you need to change the signature of the getAttributeValues method accordingly.
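To see why a lookup keyed on resource-id only ever yields one attribute, the following added example (not code from the question or the answer, and independent of WSO2/Balana) parses the resource category of the request above into one bag per (Category, AttributeId), the way a PDP context exposes them, and shows that data-one and data-two live in their own bags and must be fetched by their own AttributeIds. It uses only the Python standard library; the request text is copied from the question.

```python
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
RESOURCE_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
STRING = "http://www.w3.org/2001/XMLSchema#string"

# Constructed sample: the resource category of the request shown in the question.
REQUEST_XML = f"""<Request xmlns="{XACML_NS}" CombinedDecision="false" ReturnPolicyIdList="false">
  <Attributes Category="{RESOURCE_CAT}">
    <Attribute AttributeId="{RESOURCE_ID}" IncludeInResult="false">
      <AttributeValue DataType="{STRING}">re-src-id</AttributeValue>
    </Attribute>
    <Attribute AttributeId="urn:my:custom:id:data-one" IncludeInResult="false">
      <AttributeValue DataType="{STRING}">data-one</AttributeValue>
    </Attribute>
    <Attribute AttributeId="urn:my:custom:id:data-two" IncludeInResult="false">
      <AttributeValue DataType="{STRING}">data-two</AttributeValue>
    </Attribute>
  </Attributes>
</Request>"""


def parse_bags(xml_text):
    """Return {(category, attribute_id): [values]}: one bag per attribute designator."""
    ns = {"x": XACML_NS}
    bags = {}
    for attrs in ET.fromstring(xml_text).findall("x:Attributes", ns):
        category = attrs.get("Category")
        for attr in attrs.findall("x:Attribute", ns):
            key = (category, attr.get("AttributeId"))
            values = [v.text for v in attr.findall("x:AttributeValue", ns)]
            bags.setdefault(key, []).extend(values)
    return bags


def get_bag(bags, category, attribute_id):
    """Mimic EvaluationCtx.getAttribute: the bag for exactly one (category, AttributeId)."""
    return bags.get((category, attribute_id), [])


def category_attribute_ids(bags, category):
    """Every AttributeId present in a category, i.e. what a finder must iterate over."""
    return sorted(aid for (cat, aid) in bags if cat == category)
```

Asking for the resource-id bag returns only "re-src-id"; the custom values are only reachable through category_attribute_ids plus a get_bag per id.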