WSO2IS - 具有自定义属性的XACML策略正在返回"无法找到AttributeDesignator"

时间:2017-03-28 20:49:14

标签: wso2is xacml

我在WSO2IS中创建了以下政策:

<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="check-blacklist-users-in-login" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
<Target>
    <AnyOf>
        <AllOf>
            <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">login</AttributeValue>
                <AttributeDesignator AttributeId="urn:custom:company:1.0:operation:login-id"
                                     Category="urn:custom:company:1.0:attribute-category:operation"
                                     DataType="http://www.w3.org/2001/XMLSchema#string"
                                     MustBePresent="true"/>
            </Match>
        </AllOf>
    </AnyOf>
</Target>
<Rule Effect="Permit" RuleId="permit-blacklisted-users-with-step-up">
    <Target>
        <AnyOf>
            <AllOf>
                <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">vip</AttributeValue>
                    <AttributeDesignator AttributeId="urn:custom:company:1.0:user-group:vip-id"
                                         Category="urn:custom:company:1.0:attribute-category:user-group"
                                         DataType="http://www.w3.org/2001/XMLSchema#string"
                                         MustBePresent="true"/>
                </Match>
            </AllOf>
        </AnyOf>
    </Target>
    <Condition>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                <AttributeDesignator AttributeId="urn:custom:company:1.0:is-user-in-blacklist:is-user-in-blacklist-id"
                                     Category="urn:custom:company:1.0:attribute-category:is-user-in-blacklist"
                                     DataType="http://www.w3.org/2001/XMLSchema#string"
                                     MustBePresent="true"/>
            </Apply>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">true</AttributeValue>
        </Apply>
    </Condition>
    <ObligationExpressions>
        <ObligationExpression FulfillOn="Permit" ObligationId="extra-email">
            <AttributeAssignmentExpression AttributeId="extra-email">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">send-email</AttributeValue>
            </AttributeAssignmentExpression>
        </ObligationExpression>
    </ObligationExpressions>
</Rule>
</Policy>

但是当我发送以下XACML请求时:

<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">

<Attributes Category="urn:custom:company:1.0:attribute-category:operation">
    <Attribute AttributeId="urn:custom:company:1.0:operation:login-id" IncludeInResult="false">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">login</AttributeValue>
    </Attribute>
</Attributes>

<Attributes Category="urn:custom:company:1.0:attribute-category:user-group">
    <Attribute AttributeId="urn:custom:company:1.0:user-group:vip-id" IncludeInResult="false">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">vip</AttributeValue>
    </Attribute>
</Attributes>

<Attributes Category="urn:custom:company:1.0:attribute-category:is-user-in-blacklist">
        <Attribute AttributeId="urn:custom:company:1.0:users:user-id" IncludeInResult="false">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">userJon</AttributeValue>
    </Attribute>
</Attributes>
</Request>

我总是收到有关AttributeDesignator的不确定错误:

<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
<Result>
    <Decision>Indeterminate</Decision>
    <Status>
        <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:processing-error"/>
        <StatusMessage>Couldn't find AttributeDesignator attribute</StatusMessage>
    </Status>
</Result>
</Response>

我已使用以下代码创建了自定义PIPAttributeFinder:

    public class DatabaseAttributeFinder extends LoginDBAttributeFinder {

    private DataSource dataSource;
    private Set<String> supportedAttributes = new HashSet<String>();
    private static Log log = LogFactory.getLog(DatabaseAttributeFinder.class);

    private static final String BLACKLISTED_USER_ID = "urn:custom:company:1.0:is-user-in-blacklist:is-user-in-blacklist-id";

    @Override
    public void init(Properties properties) throws Exception {
        String dataSourceName = (String) properties.get("DataSourceName");

        if(dataSourceName == null || dataSourceName.trim().length() == 0){
            throw new Exception("Data source name can not be null. Please configure it in the entitlement.properties file.");
        }

        dataSource = (DataSource) InitialContext.doLookup(dataSourceName);

        supportedAttributes.add(BLACKLISTED_USER_ID);
    }

... (other code)

类LoginDBAttributeFinder,如下所示:

public abstract class LoginDBAttributeFinder implements PIPAttributeFinder {

    protected int tenantId;
    private boolean isAbstractAttributeCachingEnabled = false;
    private PIPAbstractAttributeCache abstractAttributeFinderCache = null;
    private static Log log = LogFactory.getLog(LoginDBAttributeFinder.class);

    public LoginDBAttributeFinder() {
    }

    public abstract Set<String> getAttributeValues(String blacklistUserId,
                                                   String attributeId,
                                                   String issuer) throws Exception;

    @Override
    public Set<String> getAttributeValues(URI attributeType, URI attributeId, URI category, String issuer, EvaluationCtx evaluationCtx) throws Exception {
        String blacklistUserId = null;
        Set attributeValues = null;
        this.tenantId = CarbonContext.getThreadLocalCarbonContext().getTenantId();

        EvaluationResult blacklistUser = evaluationCtx.getAttribute(new URI("http://www.w3.org/2001/XMLSchema#string"), new URI("urn:custom:company:1.0:users:user-id"), issuer, new URI("urn:custom:company:1.0:attribute-category:is-user-in-blacklist"));

        attributeValues = this.getAttributeValues(blacklistUserId, attributeId.toString(), issuer);

        return attributeValues;

... (other code)

我已经在WSO2IS中成功注册了jar(它显示在管理控制台中),每当我转到TryIt选项,并测试特定策略(check-blacklist-users-in-login)时它返回Permit,但是当我转到菜单&#34;工具&#34;在WSO2IS&#39;控制台,并使用一般&#34; TryIt&#34;工具,它返回Indeterminate(无法找到AttributeDesignator)。

似乎无法找到策略,因此AttributeDesignator与此策略的受支持属性相关。

我也尝试使用REST API(https://WSO2ISIP:4443/api/identity/entitlement/decision/pdp),而且我得到:Indeterminate(无法找到AttributeDesignator)

有关如何解决此问题的任何想法?

2 个答案:

答案 0 :(得分:1)

我通过以下步骤找到了解决方案:

  1. 停止WSO2IS服务器
  2. 在文件中注释customAttributeFinder的类(在我的例子中是DatabaseAttributeFinder): <WSO2IS_HOME>/repository/conf/identity/entitlement.properties
  3. 启动WSO2IS服务器
  4. 转到管理控制台,检查权利的“扩展”部分中是否没有加载customAttributeFinder。
  5. 停止WSO2IS服务器
  6. 在步骤2的文件中取消注释customAttributeFinder
  7. 启动WSO2IS
  8. 通过魔术,一切都应该可以正常工作。

    9. 在WSO2IS中似乎是一个错误,每当我修改标准策略编辑器的任何内容时,XACML引擎就会以非常奇怪的方式开始运行。

    我已经看到几个StackOverFlow答案,只需重新启动服务器即可解决所有问题。

    如果您不想让WSO2IS慢慢开始疯狂,请远离XACML政策编辑。

    如果您需要证明,请查看此Jira问题(特别是在评论部分):https://wso2.org/jira/browse/IDENTITY-5447

答案 1 :(得分:0)

在我的情况下,我的策略之一是使用名称空间错误的属性,因此基本上XACML引擎找不到该属性,然后出现了此错误。有趣的是,当我发出不需要此策略(在命名空间中有错字)但需要另一个策略进行评估的请求时,也会发生这种情况。

因此,如果有人遇到此问题,我建议您检查以下内容。 1.所有策略中的属性名称正确。 2.验证属性的名称空间,该属性实际上属于已定义的名称空间。

相关问题
最新问题