使用 XACML 启用基于角色的访问控制 - 评估策略时出错

Enabling Role-Based Access Control Using XACML - Error occurred while evaluating the policy

我关注了Enabling Role-Based Access Control Using XACML。我可以毫无问题地进行所有设置。但是当调用 API 时,它会返回以下错误。

<am:fault xmlns:am="http://wso2.org/apimanager"><am:code>0</am:code><am:type>Status report</am:type><am:message>Runtime Error</am:message><am:description>Error occurred while evaluating the policy</am:description></am:fault>

并且在 APIM 日志中我可以看到以下错误。我在同一台机器上 运行 APIM 2.6 和 IS 5.3,AM 中的偏移量为 2。看来问题出在 Given Guide.

的第 14 步中提到的 EntitlementMediator.xml 中的 remoteServiceUrl="https://127.0.0.1:9443/services" url

[2019-05-28 12:33:05,162] INFO - HTTPSender Unable to sendViaPost to url[https://127.0.0.1:9443/services/EntitlementService] javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:431) at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.verifyHostName(SSLProtocolSocketFactory.java:276) at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.createSocket(SSLProtocolSocketFactory.java:186) at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707) at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361) at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387) at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171) at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397) at org.apache.axis2.transport.http.AbstractHTTPSender.executeMethod(AbstractHTTPSender.java:704) at org.apache.axis2.transport.http.HTTPSender.sendViaPost(HTTPSender.java:199) at org.apache.axis2.transport.http.HTTPSender.send(HTTPSender.java:81) at org.apache.axis2.transport.http.CommonsHTTPTransportSender.writeMessageWithCommons(CommonsHTTPTransportSender.java:459) at org.apache.axis2.transport.http.CommonsHTTPTransportSender.invoke(CommonsHTTPTransportSender.java:286) at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:442) at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:441) at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:227) at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149) at org.wso2.carbon.identity.entitlement.stub.EntitlementServiceStub.getDecision(EntitlementServiceStub.java:836) at org.wso2.carbon.identity.entitlement.proxy.soap.basicAuth.BasicAuthEntitlementServiceClient.getDecision(BasicAuthEntitlementServiceClient.java:259) at org.wso2.carbon.identity.entitlement.proxy.soap.basicAuth.BasicAuthEntitlementServiceClient.getDecision(BasicAuthEntitlementServiceClient.java:123) at org.wso2.carbon.identity.entitlement.proxy.PEPProxy.getDecision(PEPProxy.java:94) at org.wso2.carbon.identity.entitlement.proxy.PEPProxy.getDecision(PEPProxy.java:66) at org.wso2.carbon.identity.entitlement.mediator.EntitlementMediator.mediate(EntitlementMediator.java:203) at org.apache.synapse.mediators.AbstractListMediator.mediate(AbstractListMediator.java:108) at org.apache.synapse.mediators.AbstractListMediator.mediate(AbstractListMediator.java:70) at org.apache.synapse.mediators.base.SequenceMediator.mediate(SequenceMediator.java:158) at org.wso2.carbon.apimgt.gateway.handlers.ext.APIManagerExtensionHandler.mediate(APIManagerExtensionHandler.java:66) at org.wso2.carbon.apimgt.gateway.handlers.ext.APIManagerExtensionHandler.handleRequest(APIManagerExtensionHandler.java:75) at org.apache.synapse.rest.API.process(API.java:325) at org.apache.synapse.rest.RESTRequestHandler.apiProcessNonDefaultStrategy(RESTRequestHandler.java:149) at org.apache.synapse.rest.RESTRequestHandler.dispatchToAPI(RESTRequestHandler.java:95) at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:71) at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:303) at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:92) at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180) at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:337) at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:158) at org.apache.axis2.transport.base.threads.NativeWorkerPool.run(NativeWorkerPool.java:172) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) [2019-05-28 12:33:05,164] ERROR - EntitlementMediator Error occurred while evaluating the policy org.apache.axis2.AxisFault: peer not authenticated at org.apache.axis2.AxisFault.makeFault(AxisFault.java:430) at org.apache.axis2.transport.http.HTTPSender.sendViaPost(HTTPSender.java:203) at org.apache.axis2.transport.http.HTTPSender.send(HTTPSender.java:81) at org.apache.axis2.transport.http.CommonsHTTPTransportSender.writeMessageWithCommons(CommonsHTTPTransportSender.java:459) at org.apache.axis2.transport.http.CommonsHTTPTransportSender.invoke(CommonsHTTPTransportSender.java:286) at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:442) at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:441) at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:227) at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149) at org.wso2.carbon.identity.entitlement.stub.EntitlementServiceStub.getDecision(EntitlementServiceStub.java:836) at org.wso2.carbon.identity.entitlement.proxy.soap.basicAuth.BasicAuthEntitlementServiceClient.getDecision(BasicAuthEntitlementServiceClient.java:259) at org.wso2.carbon.identity.entitlement.proxy.soap.basicAuth.BasicAuthEntitlementServiceClient.getDecision(BasicAuthEntitlementServiceClient.java:123) at org.wso2.carbon.identity.entitlement.proxy.PEPProxy.getDecision(PEPProxy.java:94) at org.wso2.carbon.identity.entitlement.proxy.PEPProxy.getDecision(PEPProxy.java:66) at org.wso2.carbon.identity.entitlement.mediator.EntitlementMediator.mediate(EntitlementMediator.java:203) at org.apache.synapse.mediators.AbstractListMediator.mediate(AbstractListMediator.java:108) at org.apache.synapse.mediators.AbstractListMediator.mediate(AbstractListMediator.java:70) at org.apache.synapse.mediators.base.SequenceMediator.mediate(SequenceMediator.java:158) at org.wso2.carbon.apimgt.gateway.handlers.ext.APIManagerExtensionHandler.mediate(APIManagerExtensionHandler.java:66) at org.wso2.carbon.apimgt.gateway.handlers.ext.APIManagerExtensionHandler.handleRequest(APIManagerExtensionHandler.java:75) at org.apache.synapse.rest.API.process(API.java:325) at org.apache.synapse.rest.RESTRequestHandler.apiProcessNonDefaultStrategy(RESTRequestHandler.java:149) at org.apache.synapse.rest.RESTRequestHandler.dispatchToAPI(RESTRequestHandler.java:95) at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:71) at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:303) at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:92) at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180) at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:337) at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:158) at org.apache.axis2.transport.base.threads.NativeWorkerPool.run(NativeWorkerPool.java:172) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:431) at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.verifyHostName(SSLProtocolSocketFactory.java:276) at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.createSocket(SSLProtocolSocketFactory.java:186) at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707) at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361) at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387) at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171) at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397) at org.apache.axis2.transport.http.AbstractHTTPSender.executeMethod(AbstractHTTPSender.java:704) at org.apache.axis2.transport.http.HTTPSender.sendViaPost(HTTPSender.java:199) ... 31 more [2019-05-28 12:33:05,172] INFO - LogMediator STATUS = Executing default 'fault' sequence, ERROR_CODE = 0, ERROR_MESSAGE = Error occurred while evaluating the policy

当权利中介尝试调用 WSO2 IS 公开的 EntitlementService 时存在主机名验证问题。

您需要从 APIM 正确导出 public 证书并导入到 WSO2 IS 信任库。在 public 中,证书 CN 值应等于主机名或 IP 地址。

据我所知,APIM 2.6.0 和 IS 5.3.0 中的主键存储密钥长度不同。但是,上述步骤应该可以解决您的问题。

此外,如果您使用的 WSO2 IS 版本高于 5.3.0,并且具有默认主机名和默认 public 证书,那么这应该是开箱即用的。