Authzforce ABAC - Fail to Enable a Result Postprocessor extension on a domain
I followed the instructions at link:
1- Created the extension JAR from the 'TestCombinedDecisionXacmlJaxbResultPostprocessor' class, replacing the type with 'urn:ow2:authzforce:feature:pdp:result-postproc:xacml-json:default'
2- Put the JAR in the /opt/authzforce-ce-server/webapp/WEB-INF/lib directory
3- Tried to enable the extension:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<pdpPropertiesUpdate xmlns="http://authzforce.github.io/rest-api-model/xmlns/authz/5">
<feature
type="urn:ow2:authzforce:feature-type:pdp:result-postproc"
enabled="true">urn:ow2:authzforce:feature:pdp:result-postproc:xacml-json:default</feature>
<rootPolicyRefExpression>root</rootPolicyRefExpression>
</pdpPropertiesUpdate>
and got the response:
<!doctype html><html lang="en"><head><title>HTTP Status 405 – Method Not Allowed</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;
} h1, h2, h3, b {color:white;background-color:#525D76;
} h1 {font-size: 22px;
} h2 {font-size: 16px;
} h3 {font-size: 14px;
} p {font-size: 12px;
} a {color:black;
} .line {height: 1px;background-color:#525D76;border:none;
}</style></head><body><h1>HTTP Status 405 – Method Not Allowed</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Description</b> The method received in the request-line is known by the origin server but not supported by the target resource.</p><hr class="line" /><h3>Apache Tomcat/8.5.54 (Debian)</h3></body></html>
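After this, I get HTTP 404 for all requests on the domain.
Can you suggest what I am missing? What is the root cause of this issue?
Sharing the extension source code: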
public class PostprocessorLoader extends BaseXacmlJaxbResultPostprocessor {
    private static final Set<String> FEATURES = ImmutableSet.of(DecisionResultPostprocessor.Features.XACML_MULTIPLE_DECISION_PROFILE_COMBINED_DECISION);
    private static final Response SIMPLE_INDETERMINATE_RESPONSE = new Response(
            Collections.singletonList(new Result(DecisionType.INDETERMINATE, new StatusHelper(XacmlStatusCode.PROCESSING_ERROR.value(), Optional.<String>empty()), null, null, null, null)));
    // private static final List<Result> INDETERMINATE_RESULT_SINGLETON_LIST_BECAUSE_NO_INDIVIDUAL = Collections.singletonList(new Result(DecisionType.INDETERMINATE, new StatusHelper(
    // StatusHelper.STATUS_PROCESSING_ERROR, "No <Result> to combine!"), null, null, null, null));
    private static final Response SIMPLE_PERMIT_RESPONSE = new Response(Collections.singletonList(new Result(DecisionType.PERMIT, StatusHelper.OK, null, null, null, null)));
    private static final Response SIMPLE_DENY_RESPONSE = new Response(Collections.singletonList(new Result(DecisionType.DENY, StatusHelper.OK, null, null, null, null)));
    private static final Response SIMPLE_NOT_APPLICABLE_RESPONSE = new Response(Collections.singletonList(new Result(DecisionType.NOT_APPLICABLE, StatusHelper.OK, null, null, null, null)));

    private PostprocessorLoader(final int clientRequestErrorVerbosityLevel) throws IllegalArgumentException {
        super(clientRequestErrorVerbosityLevel);
    }

    @Override
    public Set<String> getFeatures()
    {
        return FEATURES;
    }

    @Override
    public Response process(final Collection<Map.Entry<IndividualXacmlJaxbRequest, ? extends DecisionResult>> resultsByRequest)
    {
        System.out.println("#####################Inside process");
        if (resultsByRequest != null) {
            System.out.println(resultsByRequest.size());
        } else {
            System.out.println("#####################resultsByRequest is null!");
            // nothing to combine: fail closed instead of throwing a NullPointerException in the loop below
            return SIMPLE_INDETERMINATE_RESPONSE;
        }
        DecisionType combinedDecision = DecisionType.INDETERMINATE;
        for (final Map.Entry<? extends IndividualXacmlJaxbRequest, ? extends DecisionResult> resultEntry : resultsByRequest)
        {
            System.out.println("#####################resultEntry:" + resultEntry.getValue());
            final DecisionResult result = resultEntry.getValue();
            System.out.println("#####################getDecision:" + result.getDecision());
            if (result.getDecision() == DecisionType.INDETERMINATE)
            {
                // either all result must be indeterminate or we return Indeterminate as final result anyway
                return SIMPLE_INDETERMINATE_RESPONSE;
            }
            final ImmutableList<PepAction> pepActions = result.getPepActions();
            assert pepActions != null;
            if (!pepActions.isEmpty())
            {
                return SIMPLE_INDETERMINATE_RESPONSE;
            }
            final DecisionType individualDecision = result.getDecision();
            // if combinedDecision not initialized yet (indeterminate), set it to the result's decision
            if (combinedDecision == DecisionType.INDETERMINATE)
            {
                combinedDecision = individualDecision;
            }
            // combinedDecision != Indeterminate
            else if (individualDecision != combinedDecision)
            {
                return SIMPLE_INDETERMINATE_RESPONSE;
            }
        }
        System.out.println("#####################Before CombinedDecision switch");
        try {
            System.out.printf("#####################process method!");
            //System.out.println(documentService.getIndividualHealthRoleByName("").toString());
        } catch (Exception ex) {
            System.out.println("#####################process method err:" + ex.getCause());
        }
        switch (combinedDecision)
        {
            case PERMIT:
                return SIMPLE_PERMIT_RESPONSE;
            case DENY:
                return SIMPLE_DENY_RESPONSE;
            case NOT_APPLICABLE:
                return SIMPLE_NOT_APPLICABLE_RESPONSE;
            default:
                return SIMPLE_INDETERMINATE_RESPONSE;
        }
    }

    /**
     *
     * Factory for this type of result postprocessor filter that allows duplicate <Attribute> with same meta-data in the same <Attributes> element of a Request (complying with XACML 3.0
     * core spec, §7.3.3).
     *
     */
    public static final class Factory extends BaseXacmlJaxbResultPostprocessor.Factory
    {
        /**
         * ID of this {@link PdpExtension}
         */
        public static final String ID = "urn:ow2:authzforce:feature:pdp:result-postproc:xacml-json:default";

        /**
         * Constructor
         */
        public Factory()
        {
            super(ID);
        }

        @Override
        public DecisionResultPostprocessor<IndividualXacmlJaxbRequest, Response> getInstance(final int clientRequestErrorVerbosityLevel)
        {
            return new PostprocessorLoader(clientRequestErrorVerbosityLevel);
        }
    }
}
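Note: the same thing happened when I placed the JAR file from Maven artifactId=authzforce-ce-core-pdp-testutils in the lib folder and tried to enable it using the request body recommended at the link above.
You are trying to enable a postprocessor with the ID urn:ow2:authzforce:feature:pdp:result-postproc:xacml-json:default, which is already reserved and provided by AuthzForce (for processing JSON responses according to the JSON Profile of XACML). Therefore, you cannot use the same ID for your own implementation!
So change the ID in your code (this is only an example, choose your own):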
/**
* ID of this {@link PdpExtension}
*/
public static final String ID = "my-own-postproc-id";
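FYI, if you only need the CombinedDecision feature for XACML/XML, which is what it looks like (but I may be wrong about what you are trying to achieve), this is already provided by the class TestCombinedDecisionXacmlJaxbResultPostprocessor. You just need to deploy the authzforce-ce-core-pdp-testutils JAR in WEB-INF/lib (same version as the authzforce-ce-core-pdp-engine JAR there), restart, and then enable it as in step 3, but with the feature ID urn:ow2:authzforce:feature:pdp:result-postproc:xacml-xml:multiple:test-combined-decision.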
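A pre-flight check for the fix described in the answer above, as an added example that is not part of the original thread or of the AuthzForce code base. It reports a custom extension that reuses the reserved ID and an enabled postprocessor ID that no known extension declares. The function names, the caller-supplied set of custom IDs and the sample request bodies are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://authzforce.github.io/rest-api-model/xmlns/authz/5}"
POSTPROC_TYPE = "urn:ow2:authzforce:feature-type:pdp:result-postproc"
# The ID the answer identifies as reserved and provided by AuthzForce itself.
RESERVED_IDS = {"urn:ow2:authzforce:feature:pdp:result-postproc:xacml-json:default"}


def build_body(feature_id):
    """Constructed sample: the step 3 request body with a chosen feature ID."""
    return (
        '<pdpPropertiesUpdate xmlns="http://authzforce.github.io/rest-api-model/xmlns/authz/5">'
        f'<feature type="{POSTPROC_TYPE}" enabled="true">{feature_id}</feature>'
        "<rootPolicyRefExpression>root</rootPolicyRefExpression>"
        "</pdpPropertiesUpdate>"
    )


def check_update(xml_body, custom_ids, reserved_ids=RESERVED_IDS):
    """Return a list of problems to resolve before sending the update.

    custom_ids: IDs declared by the Factory classes of the JARs you deployed
    in WEB-INF/lib (assumption: the caller collects them from source or build).
    """
    custom_ids = set(custom_ids)
    problems = []
    # Check 1: a custom extension must not claim an ID AuthzForce already provides.
    for cid in sorted(custom_ids & set(reserved_ids)):
        problems.append(f"custom extension reuses reserved ID: {cid}")
    # Check 2: every enabled result postprocessor must be a known ID.
    root = ET.fromstring(xml_body)
    for feature in root.iter(NS + "feature"):
        if feature.get("type") != POSTPROC_TYPE or feature.get("enabled") != "true":
            continue
        fid = (feature.text or "").strip()
        if fid not in custom_ids and fid not in reserved_ids:
            problems.append(f"enabled postprocessor ID not declared by any known extension: {fid}")
    return problems


if __name__ == "__main__":
    reserved = next(iter(RESERVED_IDS))
    # The situation in the question: the custom Factory declares the reserved ID.
    print(check_update(build_body(reserved), {reserved}))
    # After the fix: the Factory declares its own ID and the request enables it.
    print(check_update(build_body("my-own-postproc-id"), {"my-own-postproc-id"}))
```

When the authzforce-ce-core-pdp-testutils JAR is deployed instead, pass its test-combined-decision feature ID in `custom_ids`.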