AuthzForce XACML 响应不确定
AuthzForce XACML Response is Indeterminate
我正在探索 Authzforce XACML3.0,我 运行 遇到了问题。我一直收到不确定的回复。下面是我的设置和它抛出的异常跟踪。感谢任何帮助。
请求文件:
<?xml version="1.0" encoding="utf-8"?>
<Request ReturnPolicyIdList="false" CombinedDecision="false" xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Julius Hibbert</AttributeValue>
</Attribute>
<Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:age">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">45</AttributeValue>
</Attribute>
<Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:age">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">46</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://medico.com/record/patient/BartSimpson</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" />
</Request>
政策文件:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" PolicyId="urn:oasis:names:tc:xacml:2.0:conformance-test:IIA1:policy"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
Version="1.0">
<Description>
Policy for Conformance Test IIA011.
</Description>
<Target />
<Rule Effect="Permit"
RuleId="urn:oasis:names:tc:xacml:2.0:conformance-test:IIA1:rule">
<Description>
Anyone who is 45 integer years old may perform any
action on any resource.
</Description>
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:age"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="false" />
</Apply>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">45</AttributeValue>
</Apply>
</Condition>
</Rule>
</Policy>
PDP 配置文件:
<?xml version="1.0" encoding="UTF-8"?>
<pdp xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://authzforce.github.io/core/xmlns/pdp/6.0" version="6.0.0">
<rootPolicyProvider id="rootPolicyProvider" xsi:type="StaticRootPolicyProvider" policyLocation="policy.xml" />
</pdp>
异常跟踪:
org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException: Function urn:oasis:names:tc:xacml:1.0:function:integer-equal: indeterminate arg
at org.ow2.authzforce.core.pdp.api.func.BaseFirstOrderFunctionCall$EagerSinglePrimitiveTypeEval.evaluate(BaseFirstOrderFunctionCall.java:662)
at org.ow2.authzforce.core.pdp.api.func.BaseFirstOrderFunctionCall.evaluate(BaseFirstOrderFunctionCall.java:359)
at org.ow2.authzforce.core.pdp.impl.expression.ApplyExpressions$VariableApplyExpression.evaluate(ApplyExpressions.java:87)
at org.ow2.authzforce.core.pdp.impl.rule.ConditionEvaluators$BooleanExpressionEvaluator.evaluate(ConditionEvaluators.java:94)
at org.ow2.authzforce.core.pdp.impl.rule.RuleEvaluator.evaluate(RuleEvaluator.java:535)
at org.ow2.authzforce.core.pdp.impl.combining.CombiningAlgEvaluators$RulesWithSameEffectEvaluator.evaluate(CombiningAlgEvaluators.java:134)
at org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators$BaseTopLevelPolicyElementEvaluator.evaluate(PolicyEvaluators.java:764)
at org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators$BaseTopLevelPolicyElementEvaluator.evaluate(PolicyEvaluators.java:881)
at org.ow2.authzforce.core.pdp.impl.policy.RootPolicyEvaluators$StaticView.findAndEvaluate(RootPolicyEvaluators.java:190)
at org.ow2.authzforce.core.pdp.impl.BasePdpEngine$IndividualDecisionRequestEvaluator.evaluateInNewContext(BasePdpEngine.java:685)
at org.ow2.authzforce.core.pdp.impl.BasePdpEngine$NonCachingIndividualDecisionRequestEvaluator.evaluate(BasePdpEngine.java:730)
at org.ow2.authzforce.core.pdp.impl.BasePdpEngine.evaluate(BasePdpEngine.java:984)
at org.ow2.authzforce.core.pdp.api.io.BasePdpEngineAdapter.evaluate(BasePdpEngineAdapter.java:128)
at org.ow2.authzforce.core.pdp.api.io.BasePdpEngineAdapter.evaluate(BasePdpEngineAdapter.java:149)
at XACMLTester.main(XACMLTester.java:29)
Caused by: org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException: Indeterminate arg #0
at org.ow2.authzforce.core.pdp.api.func.BaseFirstOrderFunctionCall.evalPrimitiveArgs(BaseFirstOrderFunctionCall.java:94)
at org.ow2.authzforce.core.pdp.api.func.BaseFirstOrderFunctionCall.access0(BaseFirstOrderFunctionCall.java:53)
at org.ow2.authzforce.core.pdp.api.func.BaseFirstOrderFunctionCall$EagerSinglePrimitiveTypeEval.evaluate(BaseFirstOrderFunctionCall.java:658)
... 14 more
Caused by: org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException: Function urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only: Invalid arg #0: empty bag or bag size > 1. Required: one and only one value in bag.
at org.ow2.authzforce.core.pdp.api.func.FirstOrderBagFunctions$SingletonBagToPrimitive.<init>(FirstOrderBagFunctions.java:82)
at org.ow2.authzforce.core.pdp.api.func.FirstOrderBagFunctions.getFunctions(FirstOrderBagFunctions.java:554)
at org.ow2.authzforce.core.pdp.impl.func.StandardFunction.getRegistry(StandardFunction.java:901)
at org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration.<init>(PdpEngineConfiguration.java:286)
at org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration.getInstance(PdpEngineConfiguration.java:479)
at org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration.getInstance(PdpEngineConfiguration.java:519)
at org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration.getInstance(PdpEngineConfiguration.java:551)
at org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration.getInstance(PdpEngineConfiguration.java:687)
at org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration.getInstance(PdpEngineConfiguration.java:704)
at XACMLTester.main(XACMLTester.java:23)
异常表明 Bag 为空或超过 1 个,但我不认为这是问题,因为我正在根据需要提供数据。感谢任何帮助
这很简单。您要发送 2 个年龄段。您只需发送一个年龄。请尝试以下操作:
<xacml-ctx:Request ReturnPolicyIdList="false" CombinedDecision="false" xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" >
<xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://medico.com/record/patient/BartSimpson</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
</xacml-ctx:Attributes>
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" >
</xacml-ctx:Attributes>
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" >
<xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:age" IncludeInResult="false">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">45</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
<xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Julius Hibbert</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
</xacml-ctx:Attributes>
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" >
<xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
</xacml-ctx:Attributes>
</xacml-ctx:Request>
大卫是对的。为了您自己了解策略评估的工作原理,异常堆栈跟踪中的根本原因消息说 arg #0,即传递给函数的第一个(也是唯一一个)参数 integer-one-and-only,它是一个包,没有它应该的唯一值,即它要么是空的,要么有多个.
事实上,在您的策略中,您将此参数定义为一个 AttributeDesignator,即属性 ...:conformance-test:age 的值包;在您的请求中,您为此属性提供了 2 个不同的值。因此 AttributeDesignator 的计算结果为一袋 2 个值,这对函数 integer-one-and-only 无效。太多了。
我正在探索 Authzforce XACML3.0,我 运行 遇到了问题。我一直收到不确定的回复。下面是我的设置和它抛出的异常跟踪。感谢任何帮助。
请求文件:
<?xml version="1.0" encoding="utf-8"?>
<Request ReturnPolicyIdList="false" CombinedDecision="false" xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Julius Hibbert</AttributeValue>
</Attribute>
<Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:age">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">45</AttributeValue>
</Attribute>
<Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:age">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">46</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://medico.com/record/patient/BartSimpson</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" />
</Request>
政策文件:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" PolicyId="urn:oasis:names:tc:xacml:2.0:conformance-test:IIA1:policy"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
Version="1.0">
<Description>
Policy for Conformance Test IIA011.
</Description>
<Target />
<Rule Effect="Permit"
RuleId="urn:oasis:names:tc:xacml:2.0:conformance-test:IIA1:rule">
<Description>
Anyone who is 45 integer years old may perform any
action on any resource.
</Description>
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:age"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="false" />
</Apply>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">45</AttributeValue>
</Apply>
</Condition>
</Rule>
</Policy>
PDP 配置文件:
<?xml version="1.0" encoding="UTF-8"?>
<pdp xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://authzforce.github.io/core/xmlns/pdp/6.0" version="6.0.0">
<rootPolicyProvider id="rootPolicyProvider" xsi:type="StaticRootPolicyProvider" policyLocation="policy.xml" />
</pdp>
异常跟踪:
org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException: Function urn:oasis:names:tc:xacml:1.0:function:integer-equal: indeterminate arg
at org.ow2.authzforce.core.pdp.api.func.BaseFirstOrderFunctionCall$EagerSinglePrimitiveTypeEval.evaluate(BaseFirstOrderFunctionCall.java:662)
at org.ow2.authzforce.core.pdp.api.func.BaseFirstOrderFunctionCall.evaluate(BaseFirstOrderFunctionCall.java:359)
at org.ow2.authzforce.core.pdp.impl.expression.ApplyExpressions$VariableApplyExpression.evaluate(ApplyExpressions.java:87)
at org.ow2.authzforce.core.pdp.impl.rule.ConditionEvaluators$BooleanExpressionEvaluator.evaluate(ConditionEvaluators.java:94)
at org.ow2.authzforce.core.pdp.impl.rule.RuleEvaluator.evaluate(RuleEvaluator.java:535)
at org.ow2.authzforce.core.pdp.impl.combining.CombiningAlgEvaluators$RulesWithSameEffectEvaluator.evaluate(CombiningAlgEvaluators.java:134)
at org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators$BaseTopLevelPolicyElementEvaluator.evaluate(PolicyEvaluators.java:764)
at org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators$BaseTopLevelPolicyElementEvaluator.evaluate(PolicyEvaluators.java:881)
at org.ow2.authzforce.core.pdp.impl.policy.RootPolicyEvaluators$StaticView.findAndEvaluate(RootPolicyEvaluators.java:190)
at org.ow2.authzforce.core.pdp.impl.BasePdpEngine$IndividualDecisionRequestEvaluator.evaluateInNewContext(BasePdpEngine.java:685)
at org.ow2.authzforce.core.pdp.impl.BasePdpEngine$NonCachingIndividualDecisionRequestEvaluator.evaluate(BasePdpEngine.java:730)
at org.ow2.authzforce.core.pdp.impl.BasePdpEngine.evaluate(BasePdpEngine.java:984)
at org.ow2.authzforce.core.pdp.api.io.BasePdpEngineAdapter.evaluate(BasePdpEngineAdapter.java:128)
at org.ow2.authzforce.core.pdp.api.io.BasePdpEngineAdapter.evaluate(BasePdpEngineAdapter.java:149)
at XACMLTester.main(XACMLTester.java:29)
Caused by: org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException: Indeterminate arg #0
at org.ow2.authzforce.core.pdp.api.func.BaseFirstOrderFunctionCall.evalPrimitiveArgs(BaseFirstOrderFunctionCall.java:94)
at org.ow2.authzforce.core.pdp.api.func.BaseFirstOrderFunctionCall.access0(BaseFirstOrderFunctionCall.java:53)
at org.ow2.authzforce.core.pdp.api.func.BaseFirstOrderFunctionCall$EagerSinglePrimitiveTypeEval.evaluate(BaseFirstOrderFunctionCall.java:658)
... 14 more
Caused by: org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException: Function urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only: Invalid arg #0: empty bag or bag size > 1. Required: one and only one value in bag.
at org.ow2.authzforce.core.pdp.api.func.FirstOrderBagFunctions$SingletonBagToPrimitive.<init>(FirstOrderBagFunctions.java:82)
at org.ow2.authzforce.core.pdp.api.func.FirstOrderBagFunctions.getFunctions(FirstOrderBagFunctions.java:554)
at org.ow2.authzforce.core.pdp.impl.func.StandardFunction.getRegistry(StandardFunction.java:901)
at org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration.<init>(PdpEngineConfiguration.java:286)
at org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration.getInstance(PdpEngineConfiguration.java:479)
at org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration.getInstance(PdpEngineConfiguration.java:519)
at org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration.getInstance(PdpEngineConfiguration.java:551)
at org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration.getInstance(PdpEngineConfiguration.java:687)
at org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration.getInstance(PdpEngineConfiguration.java:704)
at XACMLTester.main(XACMLTester.java:23)
异常表明 Bag 为空或超过 1 个,但我不认为这是问题,因为我正在根据需要提供数据。感谢任何帮助
这很简单。您要发送 2 个年龄段。您只需发送一个年龄。请尝试以下操作:
<xacml-ctx:Request ReturnPolicyIdList="false" CombinedDecision="false" xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" >
<xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://medico.com/record/patient/BartSimpson</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
</xacml-ctx:Attributes>
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" >
</xacml-ctx:Attributes>
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" >
<xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:age" IncludeInResult="false">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">45</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
<xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Julius Hibbert</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
</xacml-ctx:Attributes>
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" >
<xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
</xacml-ctx:Attributes>
</xacml-ctx:Request>
大卫是对的。为了您自己了解策略评估的工作原理,异常堆栈跟踪中的根本原因消息说 arg #0,即传递给函数的第一个(也是唯一一个)参数 integer-one-and-only,它是一个包,没有它应该的唯一值,即它要么是空的,要么有多个.
事实上,在您的策略中,您将此参数定义为一个 AttributeDesignator,即属性 ...:conformance-test:age 的值包;在您的请求中,您为此属性提供了 2 个不同的值。因此 AttributeDesignator 的计算结果为一袋 2 个值,这对函数 integer-one-and-only 无效。太多了。