XACML 3.0 和 rfc822Name 属性

Question

我是 XACML 的新手。我正在使用 Balana，我认为我掌握了基础知识，所以我正在尝试使用 Target、Rule 和 Condition。我的政策是由两条规则制定的。第一条规则适用于每个人的主题名称中都有 med.example.com（是的，OASIS 提供的基本示例），如果您的主题名称是 jim@med.example.com，您将获得 PERMIT 作为响应。我知道这是多余的。第二条规则说每个人都不满足第一条规则的条件将得到拒绝。我想要做的是在 Target 和 Condition 中都使用 rfc822Name 属性。可能吗？这是我的政策定义：

<?xml version="1.0" encoding="UTF-8"?>
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17
  http://docs.oasis-open.org/xacml/3.0/xacml-core-v3-schema-wd-17.xsd"
  PolicyId="urn:oasis:names:tc:xacml:3.0:example:PolicyWithDENYRule" 
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
Version="1.0">
<Description>
    Medi Corp access control policy
</Description>
<Target />
<Rule RuleId="urn:oasis:names:tc:xacml:3.0:example:OnlyJimShallPass"
    Effect="Permit">
    <Description>Any subject with an e-mail name in the med.example.com domain can perform any action on any resource.</Description>
    <Target>
        <AnyOf>
            <AllOf>
                <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">med.example.com</AttributeValue>
                    <AttributeDesignator MustBePresent="false"
                        Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                        AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                        DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name" />
                </Match>
            </AllOf>
        </AnyOf>
    </Target>
    <Condition>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
            <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">jim@med.example.com</AttributeValue>
                    <AttributeDesignator MustBePresent="false"
                        Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                        AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                        DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name" />
        </Apply>
    </Condition>
</Rule>
<Rule Effect="Deny" RuleId="defaultRule" />

当我尝试评估我的请求时，我遇到了这个异常：

java.lang.IllegalArgumentException: second arg has to be a bag
2017-05-19 09:33:34 ERROR FileBasedPolicyFinderModule:248 - Fail to load policy : /home/pezzati/workspace/SecurityProofOfConcept/src/test/resources/policywithdenyrule/policy.xml
java.lang.IllegalArgumentException: illegal parameter
at org.wso2.balana.cond.FunctionBase.checkInputsNoBag(FunctionBase.java:419)
at org.wso2.balana.cond.HigherOrderFunction.checkInputs(HigherOrderFunction.java:421)
at org.wso2.balana.cond.Apply.<init>(Apply.java:89)
at org.wso2.balana.cond.Apply.getInstance(Apply.java:227)
at org.wso2.balana.cond.Apply.getInstance(Apply.java:188)
at org.wso2.balana.cond.ExpressionHandler.parseExpression(ExpressionHandler.java:53)
at org.wso2.balana.cond.Condition.getInstance(Condition.java:177)
at org.wso2.balana.Rule.getInstance(Rule.java:237)
at org.wso2.balana.Policy.<init>(Policy.java:303)
at org.wso2.balana.Policy.getInstance(Policy.java:382)
at org.wso2.balana.finder.impl.FileBasedPolicyFinderModule.loadPolicy(FileBasedPolicyFinderModule.java:242)
at org.wso2.balana.finder.impl.FileBasedPolicyFinderModule.loadPolicies(FileBasedPolicyFinderModule.java:202)
at org.wso2.balana.finder.impl.FileBasedPolicyFinderModule.init(FileBasedPolicyFinderModule.java:91)
at org.wso2.balana.finder.PolicyFinder.init(PolicyFinder.java:149)
at org.wso2.balana.PDP.<init>(PDP.java:97)
at edu.pezzati.sec.xaml.XacmlTest.getPDP(XacmlTest.java:20)
at edu.pezzati.sec.xaml.PolicyWithDenyRule.init(PolicyWithDenyRule.java:37)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.junit.runners.model.FrameworkMethod.runReflectiveCall(FrameworkMethod.java:50)
at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:47)
at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:24)
at org.junit.runners.ParentRunner.run(ParentRunner.java:363)
at org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:86)
at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:459)
at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:675)
at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:382)
at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:192)

为什么会出现这个异常？ XACML 3.0 说您可以在条件中使用 AttributeDesignator。我有什么限制吗？可以找到完整的项目 here。看看PolicyWithDenyRule测试。

Answer 1

我成功了。我面临着两种不同类型的价值观。我这样更改了 Condition：

<Condition>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
    <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:rfc822Name-equal"/>
    <AttributeValue DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name">jim@med.example.com</AttributeValue>
    <AttributeDesignator MustBePresent="false"
      Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
      AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
      DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name" />
  </Apply>
</Condition>

我把主函数从string-equal改成了rfc822Name-equal，把持有jim@med.example.com的AttributeValue从string改成了rfc822Name。通过这种方式，主要条件的函数可以检查 rfc822Name 属性是否符合预期的 rfc822Name 属性包。 我还在 github 上更新了我的项目，现在可以使用了。