Compare two multi-element attributes in XACML policy
Consider a subject and an object that both carry a label defined as:

subject/object label = [i1, i2, ..., in]

where each i is the subjectId of some other subject.

In a policy (ALFA/XACML), how can I compare the subject label with the object label so that no element of one list is equal to an element of the other?

For example:

subject_label = [i2, i4, i9]
object_label = [i1, i3, i7, i9]

The final decision is DENY, because both labels contain i9. If no match is found in either list, the access result will be PERMIT.
What you want to use is stringAtLeastOneMemberOf (or the equivalent for other data types). The function takes two parameters:
- a bag of strings
- a bag of strings
It returns true if at least one value in the first bag is equal to a value in the second bag. For strings, the comparison is case-sensitive.
namespace com.axiomatics {
    // Attribute declarations (added here; the ids and categories are the ones
    // that appear in the generated XML). ALFA needs them for user.label and
    // object.label to resolve.
    namespace user {
        attribute label {
            category = subjectCat
            id = "com.axiomatics.user.label"
            type = string
        }
    }
    namespace object {
        attribute label {
            category = resourceCat
            id = "com.axiomatics.object.label"
            type = string
        }
    }
    /**
     * This policy checks the contents of the user label and the resource label.
     * It will deny access if there is at least one value in the user label equal to at least
     * one value in the resource label.
     */
    policy denyIfSameContent {
        apply firstApplicable
        /**
         * This rule will deny access if user.label contains at least 1 value that is also present
         * in object.label
         */
        rule denyIfSameContent {
            deny
            condition stringAtLeastOneMemberOf(user.label, object.label)
        }
    }
}
Here is the XACML/XML representation:

<?xml version="1.0" encoding="UTF-8"?>
<!--This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com). -->
<!--Any modification to this file will be lost upon recompilation of the source ALFA file -->
<xacml3:Policy
    xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicyId="http://axiomatics.com/alfa/identifier/com.axiomatics.denyIfSameContent"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
    Version="1.0">
    <xacml3:Description>This policy checks the contents of the user label and the resource label.
        It will deny access if there is at least one value in the user label equal to at least
        one value in the resource label.
    </xacml3:Description>
    <xacml3:PolicyDefaults>
        <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
    </xacml3:PolicyDefaults>
    <xacml3:Target />
    <xacml3:Rule Effect="Deny"
        RuleId="com.axiomatics.denyIfSameContent.denyIfSameContent">
        <xacml3:Description>This rule will deny access if user.label contains
            at least 1 value that is also present in object.label
        </xacml3:Description>
        <xacml3:Target />
        <xacml3:Condition>
            <xacml3:Apply
                FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                <xacml3:AttributeDesignator
                    AttributeId="com.axiomatics.user.label"
                    Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                    DataType="http://www.w3.org/2001/XMLSchema#string"
                    MustBePresent="false" />
                <xacml3:AttributeDesignator
                    AttributeId="com.axiomatics.object.label"
                    Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                    DataType="http://www.w3.org/2001/XMLSchema#string"
                    MustBePresent="false" />
            </xacml3:Apply>
        </xacml3:Condition>
    </xacml3:Rule>
</xacml3:Policy>
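To see what a PDP actually does with this policy, here is a toy evaluator, added as an example and not code from the answer or from Axiomatics: it parses a trimmed copy of the XML above, implements string-at-least-one-member-of over the two attribute bags, and applies first-applicable. The request layout (a dict keyed by category and AttributeId), the function names and the exception used for a missing mandatory attribute are this example's own assumptions.

```python
import xml.etree.ElementTree as ET
NS = {"xacml3": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
# Trimmed copy of the answer's policy (generator comments, PolicyDefaults and Descriptions dropped).
POLICY_XML = """<xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
 PolicyId="com.axiomatics.denyIfSameContent" Version="1.0"
 RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
 <xacml3:Target/>
 <xacml3:Rule Effect="Deny" RuleId="com.axiomatics.denyIfSameContent.denyIfSameContent">
  <xacml3:Target/><xacml3:Condition>
   <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
    <xacml3:AttributeDesignator AttributeId="com.axiomatics.user.label" MustBePresent="false"
     Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
     DataType="http://www.w3.org/2001/XMLSchema#string"/>
    <xacml3:AttributeDesignator AttributeId="com.axiomatics.object.label" MustBePresent="false"
     Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
     DataType="http://www.w3.org/2001/XMLSchema#string"/>
   </xacml3:Apply>
  </xacml3:Condition></xacml3:Rule>
</xacml3:Policy>"""
# XACML defines string-at-least-one-member-of as "true if at least one value of bag 1
# equals a value of bag 2"; string equality is case-sensitive, as Python's == is.
FUNCTIONS = {
    "urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of":
        lambda bag1, bag2: any(v in bag2 for v in bag1),
}

def designator_bag(designator, request):
    """Resolve an AttributeDesignator to a bag. A missing attribute is an empty bag when
    MustBePresent="false"; with "true" a real PDP returns Indeterminate (an error here)."""
    key = (designator.get("Category"), designator.get("AttributeId"))
    values = request.get(key, [])
    if not values and designator.get("MustBePresent") == "true":
        raise LookupError(f"mandatory attribute missing: {key}")
    return list(values)

def evaluate(policy_xml, request):
    """Decide a request {(category, attributeId): [values]} under first-applicable."""
    policy = ET.fromstring(policy_xml)
    for rule in policy.findall("xacml3:Rule", NS):
        apply = rule.find("xacml3:Condition/xacml3:Apply", NS)
        bags = [designator_bag(d, request) for d in apply.findall("xacml3:AttributeDesignator", NS)]
        if FUNCTIONS[apply.get("FunctionId")](*bags):
            return rule.get("Effect").upper()   # first rule whose condition holds wins
    return "NOTAPPLICABLE"   # no rule applied; the answer's policy has no Permit rule

def decide(subject_label, object_label):   # labels as in the question's example
    return evaluate(POLICY_XML, {(SUBJECT, "com.axiomatics.user.label"): subject_label,
                                 (RESOURCE, "com.axiomatics.object.label"): object_label})
```

Note that with only the Deny rule, a request whose labels do not overlap (or that carries no label at all, since MustBePresent is false) evaluates to NotApplicable rather than the PERMIT the question asks for; an explicit Permit rule after the Deny rule, or a permit default in the enclosing policy set, is needed for that.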