失败的许可访问 XACML
Failed Permitted Access XACML
我目前正在尝试为一个应用程序实现 XACML,并且刚刚开始使用 AuthZForce 库来尝试它。我有一个示例策略,例如:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" PolicyId="urn:oasis:names:tc:xacml:2.0:conformance-test:IIA1:policy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" Version="1.0">
<Description>
Policy for Conformance Test IIA001.
</Description>
<Target/>
<Rule Effect="Permit" RuleId="urn:oasis:names:tc:xacml:2.0:conformance-test:IIA1:rule">
<Description>
Julius Hibbert can read or write Bart Simpson's medical record.
</Description>
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Julius Hibbert</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
</Match>
</AllOf>
</AnyOf>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://medico.com/record/patient/BartSimpson</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#anyURI" MustBePresent="false"/>
</Match>
</AllOf>
</AnyOf>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
</Match>
</AllOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
</Match>
</AllOf>
</AnyOf>
</Target>
</Rule>
</Policy>
所以我尝试根据这个策略创建XACML请求,希望它能被PDP允许,代码如下:
System.setProperty("javax.xml.accessExternalSchema", "http");
File a = new File("pdp.xml");
final PdpEngineConfiguration pdpEngineConf = PdpEngineConfiguration.getInstance(a.toURI().toString());
final BasePdpEngine pdp = new BasePdpEngine(pdpEngineConf);
final DecisionRequestBuilder<?> requestBuilder = pdp.newRequestBuilder(-1, -1);
String issuer="Julius Hibbert";
final AttributeFqn subjectIdAttributeId = AttributeFqns.newInstance(XACML_1_0_ACCESS_SUBJECT.value(), Optional.ofNullable(issuer), XacmlAttributeId.XACML_1_0_SUBJECT_ID.value());
final AttributeBag<?> subjectIdAttributeValues = Bags.singletonAttributeBag(StandardDatatypes.STRING, new StringValue("Julius Hibbert"));
requestBuilder.putNamedAttributeIfAbsent(subjectIdAttributeId, subjectIdAttributeValues);
final AttributeFqn resourceIdAttributeId = AttributeFqns.newInstance(XACML_3_0_RESOURCE.value(), Optional.ofNullable(issuer), XacmlAttributeId.XACML_1_0_RESOURCE_ID.value());
final AttributeBag<?> resourceIdAttributeValues = Bags.singletonAttributeBag(StandardDatatypes.STRING, new StringValue("http://medico.com/record/patient/BartSimpson"));
requestBuilder.putNamedAttributeIfAbsent(resourceIdAttributeId, resourceIdAttributeValues);
// Add action ID attribute (action category), no issuer, string value "GET"
final AttributeFqn actionIdAttributeId = AttributeFqns.newInstance(XACML_3_0_ACTION.value(), Optional.ofNullable(issuer), XacmlAttributeId.XACML_1_0_ACTION_ID.value());
final AttributeBag<?> actionIdAttributeValues = Bags.singletonAttributeBag(StandardDatatypes.STRING, new StringValue("write"));
requestBuilder.putNamedAttributeIfAbsent(actionIdAttributeId, actionIdAttributeValues);
// No more attribute, let's finalize the request creation
final DecisionRequest request = requestBuilder.build(false);
// Evaluate the request
final DecisionResult result = pdp.evaluate(request);
if(result.getDecision() == DecisionType.PERMIT) {
// This is a Permit :-)
System.out.println("ok");
} else {
// Not a Permit :-( (maybe Deny, NotApplicable or Indeterminate)
System.out.println("not ok");
}
但是当我 运行 代码时,它给出了 NotApplicable 的结果,但我不确定为什么。我的代码有错误吗?
我运行你的政策使用Axiomatics,这就是我得到的
属性摘要
JSON
中的示例 XACML 请求
{
"Request": {
"ReturnPolicyIdList": true,
"AccessSubject": {
"Attribute": [
{
"AttributeId": "urn:oasis:names:tc:xacml:1.0:subject:subject-id",
"Value": "Julius Hibbert"
}
]
},
"Resource": {
"Attribute": [
{
"AttributeId": "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
"Value": "http://medico.com/record/patient/BartSimpson",
"DataType": "http://www.w3.org/2001/XMLSchema#anyURI"
}
]
},
"Action": {
"Attribute": [
{
"AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
"Value": "read"
}
]
},
"Environment": {
"Attribute": []
}
}
}
JSON
中的 XACML 响应
{
"Response" : {
"Decision" : "Permit",
"Status" : {
"StatusCode" : {
"Value" : "urn:oasis:names:tc:xacml:1.0:status:ok",
"StatusCode" : {
"Value" : "urn:oasis:names:tc:xacml:1.0:status:ok"
}
}
},
"PolicyIdentifierList" : {
"PolicyIdReference" : {
"Id" : "urn:oasis:names:tc:xacml:2.0:conformance-test:IIA1:policy",
"Version" : "1.0"
}
}
}
}
请求编辑器
resource-id 属性的数据类型在您的代码中有误。您将其设置为 string,而在策略中匹配需要 anyURI。所以只需更改这行代码:
final AttributeBag<?> resourceIdAttributeValues = Bags.singletonAttributeBag(StandardDatatypes.STRING, new StringValue("http://medico.com/record/patient/BartSimpson"));
至
final AttributeBag<?> resourceIdAttributeValues = Bags.singletonAttributeBag(StandardDatatypes.ANYURI, new AnyUriValue("http://medico.com/record/patient/BartSimpson"));
此外,您将属性的颁发者设置为 Julius Hibbert 的任何特殊原因?否则将其设置为空,不用担心。
String issuer = null;
我目前正在尝试为一个应用程序实现 XACML,并且刚刚开始使用 AuthZForce 库来尝试它。我有一个示例策略,例如:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" PolicyId="urn:oasis:names:tc:xacml:2.0:conformance-test:IIA1:policy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" Version="1.0">
<Description>
Policy for Conformance Test IIA001.
</Description>
<Target/>
<Rule Effect="Permit" RuleId="urn:oasis:names:tc:xacml:2.0:conformance-test:IIA1:rule">
<Description>
Julius Hibbert can read or write Bart Simpson's medical record.
</Description>
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Julius Hibbert</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
</Match>
</AllOf>
</AnyOf>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://medico.com/record/patient/BartSimpson</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#anyURI" MustBePresent="false"/>
</Match>
</AllOf>
</AnyOf>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
</Match>
</AllOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
</Match>
</AllOf>
</AnyOf>
</Target>
</Rule>
</Policy>
所以我尝试根据这个策略创建XACML请求,希望它能被PDP允许,代码如下:
System.setProperty("javax.xml.accessExternalSchema", "http");
File a = new File("pdp.xml");
final PdpEngineConfiguration pdpEngineConf = PdpEngineConfiguration.getInstance(a.toURI().toString());
final BasePdpEngine pdp = new BasePdpEngine(pdpEngineConf);
final DecisionRequestBuilder<?> requestBuilder = pdp.newRequestBuilder(-1, -1);
String issuer="Julius Hibbert";
final AttributeFqn subjectIdAttributeId = AttributeFqns.newInstance(XACML_1_0_ACCESS_SUBJECT.value(), Optional.ofNullable(issuer), XacmlAttributeId.XACML_1_0_SUBJECT_ID.value());
final AttributeBag<?> subjectIdAttributeValues = Bags.singletonAttributeBag(StandardDatatypes.STRING, new StringValue("Julius Hibbert"));
requestBuilder.putNamedAttributeIfAbsent(subjectIdAttributeId, subjectIdAttributeValues);
final AttributeFqn resourceIdAttributeId = AttributeFqns.newInstance(XACML_3_0_RESOURCE.value(), Optional.ofNullable(issuer), XacmlAttributeId.XACML_1_0_RESOURCE_ID.value());
final AttributeBag<?> resourceIdAttributeValues = Bags.singletonAttributeBag(StandardDatatypes.STRING, new StringValue("http://medico.com/record/patient/BartSimpson"));
requestBuilder.putNamedAttributeIfAbsent(resourceIdAttributeId, resourceIdAttributeValues);
// Add action ID attribute (action category), no issuer, string value "GET"
final AttributeFqn actionIdAttributeId = AttributeFqns.newInstance(XACML_3_0_ACTION.value(), Optional.ofNullable(issuer), XacmlAttributeId.XACML_1_0_ACTION_ID.value());
final AttributeBag<?> actionIdAttributeValues = Bags.singletonAttributeBag(StandardDatatypes.STRING, new StringValue("write"));
requestBuilder.putNamedAttributeIfAbsent(actionIdAttributeId, actionIdAttributeValues);
// No more attribute, let's finalize the request creation
final DecisionRequest request = requestBuilder.build(false);
// Evaluate the request
final DecisionResult result = pdp.evaluate(request);
if(result.getDecision() == DecisionType.PERMIT) {
// This is a Permit :-)
System.out.println("ok");
} else {
// Not a Permit :-( (maybe Deny, NotApplicable or Indeterminate)
System.out.println("not ok");
}
但是当我 运行 代码时,它给出了 NotApplicable 的结果,但我不确定为什么。我的代码有错误吗?
我运行你的政策使用Axiomatics,这就是我得到的
属性摘要
JSON
中的示例 XACML 请求{
"Request": {
"ReturnPolicyIdList": true,
"AccessSubject": {
"Attribute": [
{
"AttributeId": "urn:oasis:names:tc:xacml:1.0:subject:subject-id",
"Value": "Julius Hibbert"
}
]
},
"Resource": {
"Attribute": [
{
"AttributeId": "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
"Value": "http://medico.com/record/patient/BartSimpson",
"DataType": "http://www.w3.org/2001/XMLSchema#anyURI"
}
]
},
"Action": {
"Attribute": [
{
"AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
"Value": "read"
}
]
},
"Environment": {
"Attribute": []
}
}
}
JSON
中的 XACML 响应{
"Response" : {
"Decision" : "Permit",
"Status" : {
"StatusCode" : {
"Value" : "urn:oasis:names:tc:xacml:1.0:status:ok",
"StatusCode" : {
"Value" : "urn:oasis:names:tc:xacml:1.0:status:ok"
}
}
},
"PolicyIdentifierList" : {
"PolicyIdReference" : {
"Id" : "urn:oasis:names:tc:xacml:2.0:conformance-test:IIA1:policy",
"Version" : "1.0"
}
}
}
}
请求编辑器
resource-id 属性的数据类型在您的代码中有误。您将其设置为 string,而在策略中匹配需要 anyURI。所以只需更改这行代码:
final AttributeBag<?> resourceIdAttributeValues = Bags.singletonAttributeBag(StandardDatatypes.STRING, new StringValue("http://medico.com/record/patient/BartSimpson"));
至
final AttributeBag<?> resourceIdAttributeValues = Bags.singletonAttributeBag(StandardDatatypes.ANYURI, new AnyUriValue("http://medico.com/record/patient/BartSimpson"));
此外,您将属性的颁发者设置为 Julius Hibbert 的任何特殊原因?否则将其设置为空,不用担心。
String issuer = null;