Authzforce ABAC - 无法在域上启用结果后处理器扩展

Authzforce ABAC - Fail to Enable a Result Postprocessor extension on a domain

我按照 link

上的说明进行操作

1- 通过将类型替换为 'urn:ow2:authzforce:feature:pdp:result-postproc:xacml-json:default'

从 'TestCombinedDecisionXacmlJaxbResultPostprocessor' class 创建扩展 jar 包

2- 将 jar 放在 /opt/authzforce-ce-server/webapp/WEB-INF/lib 目录下

3- 尝试启用扩展:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<pdpPropertiesUpdate xmlns="http://authzforce.github.io/rest-api-model/xmlns/authz/5">
 <feature 
 type="urn:ow2:authzforce:feature-type:pdp:result-postproc" 
 enabled="true">urn:ow2:authzforce:feature:pdp:result-postproc:xacml-json:default</feature>
 <rootPolicyRefExpression>root</rootPolicyRefExpression>
</pdpPropertiesUpdate>

并得到回复:

<!doctype html><html lang="en"><head><title>HTTP Status 405 – Method Not Allowed</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;
} h1, h2, h3, b {color:white;background-color:#525D76;
} h1 {font-size: 22px;
} h2 {font-size: 16px;
} h3 {font-size: 14px;
} p {font-size: 12px;
} a {color:black;
} .line {height: 1px;background-color:#525D76;border:none;
}</style></head><body><h1>HTTP Status 405 – Method Not Allowed</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Description</b> The method received in the request-line is known by the origin server but not supported by the target resource.</p><hr class="line" /><h3>Apache Tomcat/8.5.54 (Debian)</h3></body></html>

在此之后,我收到域上所有请求的 HTTP-404。 你能建议我缺少什么吗?该问题的根本原因是什么?

扩展包源码分享:

public class PostprocessorLoader extends BaseXacmlJaxbResultPostprocessor  {
    private static final Set<String> FEATURES = ImmutableSet.of(DecisionResultPostprocessor.Features.XACML_MULTIPLE_DECISION_PROFILE_COMBINED_DECISION);
    private static final Response SIMPLE_INDETERMINATE_RESPONSE = new Response(
            Collections.singletonList(new Result(DecisionType.INDETERMINATE, new StatusHelper(XacmlStatusCode.PROCESSING_ERROR.value(), Optional.<String>empty()), null, null, null, null)));
    // private static final List<Result> INDETERMINATE_RESULT_SINGLETON_LIST_BECAUSE_NO_INDIVIDUAL = Collections.singletonList(new Result(DecisionType.INDETERMINATE, new StatusHelper(
    // StatusHelper.STATUS_PROCESSING_ERROR, "No <Result> to combine!"), null, null, null, null));
    private static final Response SIMPLE_PERMIT_RESPONSE = new Response(Collections.singletonList(new Result(DecisionType.PERMIT, StatusHelper.OK, null, null, null, null)));
    private static final Response SIMPLE_DENY_RESPONSE = new Response(Collections.singletonList(new Result(DecisionType.DENY, StatusHelper.OK, null, null, null, null)));
    private static final Response SIMPLE_NOT_APPLICABLE_RESPONSE = new Response(Collections.singletonList(new Result(DecisionType.NOT_APPLICABLE, StatusHelper.OK, null, null, null, null)));

    private PostprocessorLoader(final int clientRequestErrorVerbosityLevel) throws IllegalArgumentException {
        super(clientRequestErrorVerbosityLevel);
    }

    @Override
    public Set<String> getFeatures()
    {
        return FEATURES;
    }

    @Override
    public Response process(final Collection<Map.Entry<IndividualXacmlJaxbRequest, ? extends DecisionResult>> resultsByRequest)
    {
        System.out.println("#####################Inside process");
        if (resultsByRequest!=null){
            System.out.println(resultsByRequest.size());
        }else{
            System.out.println("#####################resultsByRequest is null!");
        }
        DecisionType combinedDecision = DecisionType.INDETERMINATE;
        for (final Map.Entry<? extends IndividualXacmlJaxbRequest, ? extends DecisionResult> resultEntry : resultsByRequest)
        {
            System.out.println("#####################resultEntry:"+resultEntry.getValue());
            final DecisionResult result = resultEntry.getValue();
            System.out.println("#####################getDecision:"+result.getDecision());
            if (result.getDecision() == DecisionType.INDETERMINATE)
            {
                // either all result must be indeterminate or we return Indeterminate as final result anyway
                return SIMPLE_INDETERMINATE_RESPONSE;
            }

            final ImmutableList<PepAction> pepActions = result.getPepActions();
            assert pepActions != null;

            if (!pepActions.isEmpty())
            {
                return SIMPLE_INDETERMINATE_RESPONSE;
            }

            final DecisionType individualDecision = result.getDecision();
            // if combinedDecision not initialized yet (indeterminate), set it to the result's decision
            if (combinedDecision == DecisionType.INDETERMINATE)
            {
                combinedDecision = individualDecision;
            } else
                // combinedDecision != Indeterminate
                if (individualDecision != combinedDecision)
                {
                    return SIMPLE_INDETERMINATE_RESPONSE;
                }
        }
        System.out.println("#####################Before CombinedDecision switch");
        try {
            System.out.printf("#####################process method!");
            //System.out.println(documentService.getIndividualHealthRoleByName("").toString());
        }catch(Exception ex){
            System.out.println("#####################process method err:"+ex.getCause());
        }

        switch (combinedDecision)
        {
            case PERMIT:
                return SIMPLE_PERMIT_RESPONSE;
            case DENY:
                return SIMPLE_DENY_RESPONSE;
            case NOT_APPLICABLE:
                return SIMPLE_NOT_APPLICABLE_RESPONSE;
            default:
                return SIMPLE_INDETERMINATE_RESPONSE;
        }
    }

    /**
     *
     * Factory for this type of result postprocessor filter that allows duplicate &lt;Attribute&gt; with same meta-data in the same &lt;Attributes&gt; element of a Request (complying with XACML 3.0
     * core spec, §7.3.3).
     *
     */
    public static final class Factory extends BaseXacmlJaxbResultPostprocessor.Factory
    {
        /**
         * ID of this {@link PdpExtension}
         */
        public static final String ID = "urn:ow2:authzforce:feature:pdp:result-postproc:xacml-json:default";

        /**
         * Constructor
         */
        public Factory()
        {
            super(ID);
        }

        @Override
        public DecisionResultPostprocessor<IndividualXacmlJaxbRequest, Response> getInstance(final int clientRequestErrorVerbosityLevel)
        {
            return new PostprocessorLoader(clientRequestErrorVerbosityLevel);
        }

    }
}

注意: 当我将 jar 文件从 maven artifactId=authzforce-ce-core-pdp-testutils 放置到 lib 文件夹并尝试使用推荐的请求正文启用时发生了同样的事情上述link.

您正在尝试启用 ID 为 urn:ow2:authzforce:feature:pdp:result-postproc:xacml-json:default 的后处理器,该后处理器已由 AuthzForce 保留并提供(用于根据 XACML 的 JSON 配置文件处理 JSON 响应)。因此,您不能为自己的实现使用相同的 ID

所以更改代码中的ID(这里只是一个例子,选择你自己的):

/**
  * ID of this {@link PdpExtension}
  */
public static final String ID = "my-own-postproc-id";

仅供参考,如果您只需要 XACML/XML 的 CombinedDecision 功能,看起来是这样(但我可能对您想要实现的目标有误),这已经由 class TestCombinedDecisionXacmlJaxbResultPostprocessor。您只需在 WEB-INF/lib 中部署 authzforce-ce-core-pdp-testutils JAR(与那里的 authzforce-ce-core-pdp-engine JAR 版本相同),重新启动,然后像在第 3 步,但特征 ID urn:ow2:authzforce:feature:pdp:result-postproc:xacml-xml:multiple:test-combined-decision.