XACML - 条件和目标可以在同一规则中共存吗?

时间:2015-11-25 14:34:02

标签: authorization access-control xacml xacml3 abac

我想知道在 XACML V.3 下，是否可以把 <Condition> 和 <Target> 两部分同时放在同一条规则中。看起来 XLS 架构验证会拒绝这样的构造。这个错误可以用语句的先后顺序来解释吗？还是说这样的结构根本就不被允许，或者没有被预见到？

1 个答案:

答案 0 :(得分:0)

在仔细查阅了几篇博客并检查了我的 XACML 源代码构建之后，我能够在同一条规则中同时使用 <Target> 和 <Condition> 语句。我的发现是：<Target> 必须始终位于 <Condition> 声明之前。请参阅以下示例策略：

<!--
  Policy "TestCityCountry": demonstrates a Rule that carries both a Target and a
  Condition. Per the XACML 3.0 schema the Rule children must appear in the order
  Description, Target, Condition, ObligationExpressions, AdviceExpressions; placing
  Condition before Target fails schema validation.

  Combining algorithm is permit-overrides: a single Permit from any rule wins,
  so Deny-Rule2 below acts as the default-deny fallback. Rule order in the file
  does not affect that outcome.

  The document contains non-ASCII text ("São Paulo") and has no XML declaration,
  so parsers assume UTF-8; store and serve it as UTF-8 or that match value will
  not compare equal.
-->
<xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"  PolicyId="TestCityCountry" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides">
   <xacml3:PolicyDefaults>
      <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
   </xacml3:PolicyDefaults>
   <!-- Empty policy-level Target: the policy applies to every request. -->
   <xacml3:Target></xacml3:Target>
   <!-- Default-deny fallback: no Target and no Condition, so this rule matches every
        request; under permit-overrides it only decides the outcome when Permit-Rule1
        does not evaluate to Permit. -->
      <xacml3:Rule Effect="Deny" RuleId="Deny-Rule2"></xacml3:Rule>
      <xacml3:Rule RuleId="Permit-Rule1" Effect="Permit">
         <!-- Target: the three AnyOf groups are ANDed. All three attributes are
              MustBePresent="true", so a request that omits one yields Indeterminate
              rather than silently NotApplicable. -->
         <xacml3:Target>
            <!-- subject employeeCountryCode == "631" -->
            <xacml3:AnyOf>
               <xacml3:AllOf>
                  <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                     <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">631</xacml3:AttributeValue>
                     <xacml3:AttributeDesignator AttributeId="http://w3.red.com/subject/employeeCountryCode" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></xacml3:AttributeDesignator>
                  </xacml3:Match>
               </xacml3:AllOf>
            </xacml3:AnyOf>
            <!-- resource-id == "ldap" -->
            <xacml3:AnyOf>
               <xacml3:AllOf>
                  <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                     <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ldap</xacml3:AttributeValue>
                     <xacml3:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></xacml3:AttributeDesignator>
                  </xacml3:Match>
               </xacml3:AllOf>
            </xacml3:AnyOf>
            <!-- action-id == "read" -->
            <xacml3:AnyOf>
               <xacml3:AllOf>
                  <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                     <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</xacml3:AttributeValue>
                     <xacml3:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></xacml3:AttributeDesignator>
                  </xacml3:Match>
               </xacml3:AllOf>
            </xacml3:AnyOf>
         </xacml3:Target>
         <!-- Condition (evaluated only after the Target matches): the environment-id
              bag must share at least one value with the fixed list of cities.
              NOTE(review): environment-id is read from the request context. If the PEP
              forwards a caller-supplied value for it unchanged, this check is only as
              strong as the PEP's attribute sourcing; confirm how the PEP populates it. -->
         <xacml3:Condition>
            <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
               <xacml3:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:environment-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></xacml3:AttributeDesignator>
               <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                  <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Brasilia</xacml3:AttributeValue>
                  <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Curitiba</xacml3:AttributeValue>
                  <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Bahia</xacml3:AttributeValue>
                  <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Porto Alegre</xacml3:AttributeValue>
                  <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Rio de Janeiro</xacml3:AttributeValue>
                  <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">São Paulo</xacml3:AttributeValue>
               </xacml3:Apply>
            </xacml3:Apply>
         </xacml3:Condition>
         <!-- Rule-level obligation and advice, both returned only on a Permit decision. -->
         <xacml3:ObligationExpressions>
            <xacml3:ObligationExpression FulfillOn="Permit" ObligationId="citycountrycheck">
               <xacml3:AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:text">
                  <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Rule 1: The city and country validation passed successfully</xacml3:AttributeValue>
               </xacml3:AttributeAssignmentExpression>
            </xacml3:ObligationExpression>
         </xacml3:ObligationExpressions>
         <xacml3:AdviceExpressions>
            <xacml3:AdviceExpression AdviceId="city-country-validated" AppliesTo="Permit">
               <xacml3:AttributeAssignmentExpression AttributeId="city-country-validated">
                  <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">CityCountryValidated</xacml3:AttributeValue>
               </xacml3:AttributeAssignmentExpression>
            </xacml3:AdviceExpression>
         </xacml3:AdviceExpressions>
      </xacml3:Rule>
      <!-- Policy-level obligation, also only on Permit; a Deny outcome returns no obligations. -->
      <xacml3:ObligationExpressions>
         <xacml3:ObligationExpression FulfillOn="Permit" ObligationId="allchecks">
            <xacml3:AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:text">
               <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">The overall validation passed successfully</xacml3:AttributeValue>
            </xacml3:AttributeAssignmentExpression>
         </xacml3:ObligationExpression>
      </xacml3:ObligationExpressions>
   </xacml3:Policy>