Question

当使用WSO2 XML Web编辑器将一组义务添加到现有XACML策略中时，如OASIS XACML版本3语法的说明中所述，WSO2编辑器会抛出以下错误：

Entitlement policy is not updated. Error is :Invalid Entitlement Policy. Policy is not valid according to XACML schema

以下语句放在Policy定义末尾的标记之前，请参阅添加的行：

其他符合版本3的语法也会引发相同的错误。是否需要进一步配置，一些.xml或模式文件调整，以使编辑器将Obligation语句识别为有效语法？这是WSO2 IS版本5.

更新：错误的声明：

<Obligations>
  <Obligation ObligationId="send-email" FulfillOn="Deny">
    <AttributeAssignment AttributeId="email" DataType="http://www.w3.org/2001/XMLSchema#string">myid@red.com</AttributeAssignment>
  </Obligation>
</Obligations>

更新在更正了Obligations语句的语法后，您可以在下面找到符合XACML V3的工作策略：

<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"  PolicyId="RedLDAPPolicySaoPaulo" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides" Version="1.0">
   <Target>
      <AnyOf>
         <AllOf>
            <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Singapore</AttributeValue>
               <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:environment-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
            </Match>
         </AllOf>
      </AnyOf>
   </Target>
   <Rule Effect="Permit" RuleId="Permit-Rule1">
      <Target>
         <AnyOf>
            <AllOf>
               <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">123</AttributeValue>
                  <AttributeDesignator AttributeId="http://w3.red.com/subject/employeeCountryCode" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
               </Match>
            </AllOf>
         </AnyOf>
         <AnyOf>
            <AllOf>
               <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ldap</AttributeValue>
                  <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
               </Match>
            </AllOf>
         </AnyOf>
         <AnyOf>
            <AllOf>
               <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
                  <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
               </Match>
            </AllOf>
         </AnyOf>
      </Target>
   </Rule>
   <Rule Effect="Deny" RuleId="Deny-Rule"></Rule>
   <ObligationExpressions>
      <ObligationExpression FulfillOn="Permit" ObligationId="citycheck">
         <AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:text">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">The validation passed successfully</AttributeValue>
         </AttributeAssignmentExpression>
      </ObligationExpression>
      <ObligationExpression FulfillOn="Deny" ObligationId="countrycheck">
         <AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:text">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">The IDs country code is not valid</AttributeValue>
         </AttributeAssignmentExpression>
      </ObligationExpression>
   </ObligationExpressions>
</Policy>

Answer 1

从OASIS XACML版本3检查手册后，我发现错误是由于缺少语法合规性引起的。我已经将语句更新为最新的规范，下面打印的非常简单的示例开始执行，向结果添加带注释字符串的属性。

下面的代码示例：

  <ObligationExpressions>
      <ObligationExpression FulfillOn="Permit" ObligationId="citycheck">
         <AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:text">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">The validation passed sucessfully</AttributeValue>
         </AttributeAssignmentExpression>
      </ObligationExpression>
   </ObligationExpressions>

从WSO2复制的结果下面＆＃34;试一试＆＃34;控制台：

                     <Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
<Result>
<Decision>Permit</Decision>
<Status>
<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
</Status>
<Obligations>
<Obligation ObligationId="citycheck">
<AttributeAssignment  AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:text" DataType="http://www.w3.org/2001/XMLSchema#string">
The validation passed successfully</AttributeAssignment>
</Obligation>
</Obligations>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="true">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ldap</AttributeValue>
</Attribute>
</Attributes>
</Result>
</Response>

WSO2 Identity Server XACML PAP和义务

1 个答案: