2

2 つのポリシーがあります。1 つ目は許可を返し、2 つ目は拒否を返す必要がありますが、常にリクエストに対して拒否を返します。

これは PolicySet です。

 <PolicySet PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides" PolicySetId="http://axiomatics.com/alfa/identifier/test.testps1" Version="1.0" xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">



<Target/> 
<Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicyId="p2"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
    Version="1.0">


<Target>


<AnyOf>

<AllOf>

<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">

<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
C70001
</AttributeValue>

<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>

</Match>

<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">

<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
Alise Ibrahem
</AttributeValue>

<AttributeDesignator AttributeId="subjectName" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>

</Match>

<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">

<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
IT
</AttributeValue>

<AttributeDesignator AttributeId="subjectDep" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>

</Match>



</AllOf>

</AnyOf>

</Target>


<Rule Effect="Deny" RuleId="Deny_Rule">

 <Target>
           <AnyOf>
             <AllOf>
               <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
                 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI"
                  >Employee</AttributeValue>
                 <AttributeDesignator  AttributeId="subjectJob" MustBePresent="false"
                 Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                 DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
               </Match>
             </AllOf>
           </AnyOf>
           <AnyOf>
             <AllOf>
               <Match
                 MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                 <AttributeValue
                   DataType="http://www.w3.org/2001/XMLSchema#string"
                    >read</AttributeValue>
                 <AttributeDesignator
                   MustBePresent="false"
                   Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                   AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                   DataType="http://www.w3.org/2001/XMLSchema#string"/>
               </Match>
             </AllOf>
           </AnyOf>
         </Target>

   <AdviceExpressions>
    <AdviceExpression AdviceId="not-hr-employee" AppliesTo="Deny">
    <AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:2.0:example:attribute:text">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">You are not allowed to get employees data</AttributeValue>
    </AttributeAssignmentExpression>
    </AdviceExpression>
    </AdviceExpressions>

</Rule>


</Policy>


<Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="p1" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides" Version="1.0">



<Target>


<AnyOf>

<AllOf>

<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">

<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
C80001
</AttributeValue>

<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>

</Match>

<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">

<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
Hadeel Neama
</AttributeValue>

<AttributeDesignator AttributeId="subjectName" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>

</Match>

<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">

<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
HR
</AttributeValue>

<AttributeDesignator AttributeId="subjectDep" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>

</Match>


</AllOf>

</AnyOf>

</Target>


<Rule Effect="Permit" RuleId="Permit_Rule">

 <Target>
           <AnyOf>
             <AllOf>
               <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
                 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI"
                  >Employee</AttributeValue>
                 <AttributeDesignator  AttributeId="subjectJob" MustBePresent="false"
                 Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                 DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
               </Match>
             </AllOf>
           </AnyOf>
           <AnyOf>
             <AllOf>
               <Match
                 MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                 <AttributeValue
                   DataType="http://www.w3.org/2001/XMLSchema#string"
                    >read</AttributeValue>
                 <AttributeDesignator
                   MustBePresent="false"
                   Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                   AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                   DataType="http://www.w3.org/2001/XMLSchema#string"/>
               </Match>
             </AllOf>
           </AnyOf>
         </Target> 


</Rule>

</Policy>

</PolicySet>

XACML パーミット レスポンスが欲しいというリクエスト:

   <?xml version="1.0" encoding="UTF-8"?>
    <Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">C80001</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="subjectName" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Hadeel Neama</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="subjectDep" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">HR</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="subjectJob" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Employee</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<Attribute AttributeId="subjectJob" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Employee</AttributeValue>
</Attribute>
</Attributes>
</Request>

パーミット応答が必要であることを要求します。

<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">C70001</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-Name" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Alise Ibrahem</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subjectDep" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">IT</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subjectJob" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Employee</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<Attribute AttributeId="subjectJob" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Employee</AttributeValue>
</Attribute>
</Attributes>
</Request>

両方の要求への応答:

  <?xml version="1.0" encoding="UTF-8"?>
   <Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"><Result><Decision>Deny</Decision><Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status><AssociatedAdvice><Advice AdviceId="not-hr-employee" ><AttributeAssignment  AttributeId="urn:oasis:names:tc:xacml:2.0:example:attribute:text" DataType="http://www.w3.org/2001/XMLSchema#string">
You are not allowed to get employees data</AttributeAssignment>
</Advice></AssociatedAdvice></Result><Result><Decision>Deny</Decision><Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status><AssociatedAdvice><Advice AdviceId="not-hr-employee" ><AttributeAssignment  AttributeId="urn:oasis:names:tc:xacml:2.0:example:attribute:text" DataType="http://www.w3.org/2001/XMLSchema#string">
You are not allowed to get employees data</AttributeAssignment>
</Advice></AssociatedAdvice></Result><Result><Decision>Deny</Decision><Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status><AssociatedAdvice><Advice AdviceId="not-hr-employee" ><AttributeAssignment  AttributeId="urn:oasis:names:tc:xacml:2.0:example:attribute:text" DataType="http://www.w3.org/2001/XMLSchema#string">
You are not allowed to get employees data</AttributeAssignment>
</Advice></AssociatedAdvice></Result><Result><Decision>Deny</Decision><Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status><AssociatedAdvice><Advice AdviceId="not-hr-employee" ><AttributeAssignment  AttributeId="urn:oasis:names:tc:xacml:2.0:example:attribute:text" DataType="http://www.w3.org/2001/XMLSchema#string">
You are not allowed to get employees data</AttributeAssignment>
</Advice></AssociatedAdvice></Result></Response>
===========================================================

 Result is "Deny"   

Advice :  
You are not allowed to get employees data

これは ALFA コードです:

namespace test {
    import Attributes.* 

policy testpolicy {
target clause subjectId == "C80001"
and subjectName=="Hadeel Neama"
and subjectDep=="HR"
and subjectJob=="Employee" 

apply permitOverrides


rule {

target clause job=="Employee"
and actionId == "read"

permit
}
}
}

これがルールに追加した条件です。

condition subjectDep=="HR"

条件付きのすべての試行が失敗する理由がわかりません! Deny_Rule でこの条件を試しました。

<Condition>

<Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:any-of-any">

<Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>

<AttributeDesignator AttributeId="subjectDep" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>

<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
HR
</AttributeValue>

</Apply>

</Condition>

しかし、リクエストを送信すると、次のように返されます。

مار 13, 2019 8:32:08 م org.wso2.balana.finder.PolicyFinder findPolicy
INFO: No applicable policies were found for the request
مار 13, 2019 8:32:08 م org.wso2.balana.finder.PolicyFinder findPolicy
INFO: No applicable policies were found for the request
مار 13, 2019 8:32:08 م org.wso2.balana.finder.PolicyFinder findPolicy
INFO: No applicable policies were found for the request
مار 13, 2019 8:32:08 م org.wso2.balana.finder.PolicyFinder findPolicy
INFO: No applicable policies were found for the request

======================== XACML Response ===================
<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"><Result><Decision>NotApplicable</Decision><Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status></Result><Result><Decision>NotApplicable</Decision><Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status></Result><Result><Decision>NotApplicable</Decision><Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status></Result><Result><Decision>NotApplicable</Decision><Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status></Result></Response>
===========================================================

 Result is "Deny"

私がちょうど書いたとしても:

<Condition/>

!!!

4

1 に答える 1