I am trying to evaluate an XACML request using the REST API. I am using a JSON request to get decisions for all resources under "root". WSO2 gives me results, but I do not get the corresponding resource in the results.
https://docs.wso2.com/display/IS530/Using+REST+APIs+via+XACML+to+Manage+Entitlement
{
  "Request": {
    "Action": {
      "Attribute": [{
        "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
        "Value": "POST"
      }]
    },
    "Resource": {
      "Attribute": [{
        "AttributeId": "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
        "Value": "root"
      }, {
        "AttributeId": "urn:oasis:names:tc:xacml:2.0:resource:scope",
        "Value": "Children"
      }]
    },
    "AccessSubject": {
      "Attribute": [{
        "AttributeId": "urn:oasis:names:tc:xacml:1.0:subject:subject-id",
        "Value": "customer"
      }]
    }
  }
}

{
  "Response": [{
    "Decision": "Deny",
    "Status": {
      "StatusCode": {
        "Value": "urn:oasis:names:tc:xacml:1.0:status:ok"
      }
    }
  }, {
    "Decision": "Permit",
    "Status": {
      "StatusCode": {
        "Value": "urn:oasis:names:tc:xacml:1.0:status:ok"
      }
    }
  }]
}
I do not get any resource in the results. How do I correlate the results?

Answer 0 (score: 0)

There are several problems with your request.

First, you are trying to use XACML's Multiple Decision Profile (i.e. the way to ask several questions at once and get several responses back at the same time). You are using a special attribute called urn:oasis:names:tc:xacml:2.0:resource:scope. That attribute actually belongs to an older version of XACML's Multiple Decision Profile called the Multiple resource profile of XACML v2.0. That is your first mistake. The JSON Profile of XACML only applies to XACML 3.0. So you cannot use an old profile that only applies to XACML 2.0. Where did you find this example?

Second, let's assume for a second that the request did go through. As you have written it, your request should never trigger a multiple decision response. It should either fail or return a single response. That is because you did not indicate the children in the resource attribute. So you cannot get a response.

Going forward, I recommend you read the JSON Profile of XACML, which describes how to produce multiple decision requests and responses. Here is an example:
{
  "Request": {
    "AccessSubject": {
      "Attribute": [{
        "AttributeId": "com.axiomatics.username",
        "Value": "Alice"
      }]
    },
    "Action": [{
      "Attribute": [{
        "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
        "Value": "view"
      }]
    }, {
      "Attribute": [{
        "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
        "Value": "edit"
      }]
    }, {
      "Attribute": [{
        "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
        "Value": "delete"
      }]
    }],
    "Resource": {
      "Attribute": [{
        "AttributeId": "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
        "Value": "123"
      }, {
        "AttributeId": "resource-type",
        "Value": "document"
      }]
    }
  }
}
Response:

{
  "Response": [{
    "Decision": "Deny",
    "Status": {
      "StatusCode": {
        "Value": "urn:oasis:names:tc:xacml:1.0:status:ok",
        "StatusCode": {"Value": "urn:oasis:names:tc:xacml:1.0:status:ok"}
      }
    }
  }, {
    "Decision": "Deny",
    "Status": {
      "StatusCode": {
        "Value": "urn:oasis:names:tc:xacml:1.0:status:ok",
        "StatusCode": {"Value": "urn:oasis:names:tc:xacml:1.0:status:ok"}
      }
    }
  }, {
    "Decision": "Deny",
    "Status": {
      "StatusCode": {
        "Value": "urn:oasis:names:tc:xacml:1.0:status:ok",
        "StatusCode": {"Value": "urn:oasis:names:tc:xacml:1.0:status:ok"}
      }
    }
  }]
}
Now, if you want to correlate the request with the response, every attribute has a flag called IncludeInResult, which defaults to false and can be switched to true.

Here is an example:
{
  "Request": {
    "AccessSubject": {
      "Attribute": [{
        "AttributeId": "com.axiomatics.username",
        "Value": "Alice"
      }]
    },
    "Action": [{
      "Attribute": [{
        "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
        "Value": "view",
        "IncludeInResult": true
      }]
    }, {
      "Attribute": [{
        "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
        "Value": "edit",
        "IncludeInResult": true
      }]
    }, {
      "Attribute": [{
        "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
        "Value": "delete",
        "IncludeInResult": true
      }]
    }],
    "Resource": {
      "Attribute": [{
        "AttributeId": "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
        "Value": "123"
      }, {
        "AttributeId": "resource-type",
        "Value": "document"
      }]
    }
  }
}

{
  "Response": [{
    "Decision": "Deny",
    "Status": {
      "StatusCode": {
        "Value": "urn:oasis:names:tc:xacml:1.0:status:ok",
        "StatusCode": {"Value": "urn:oasis:names:tc:xacml:1.0:status:ok"}
      }
    },
    "Category": {
      "CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
      "Attribute": {
        "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
        "Value": "delete",
        "DataType": "http://www.w3.org/2001/XMLSchema#string"
      }
    }
  }, {
    "Decision": "Deny",
    "Status": {
      "StatusCode": {
        "Value": "urn:oasis:names:tc:xacml:1.0:status:ok",
        "StatusCode": {"Value": "urn:oasis:names:tc:xacml:1.0:status:ok"}
      }
    },
    "Category": {
      "CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
      "Attribute": {
        "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
        "Value": "edit",
        "DataType": "http://www.w3.org/2001/XMLSchema#string"
      }
    }
  }, {
    "Decision": "Deny",
    "Status": {
      "StatusCode": {
        "Value": "urn:oasis:names:tc:xacml:1.0:status:ok",
        "StatusCode": {"Value": "urn:oasis:names:tc:xacml:1.0:status:ok"}
      }
    },
    "Category": {
      "CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
      "Attribute": {
        "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
        "Value": "view",
        "DataType": "http://www.w3.org/2001/XMLSchema#string"
      }
    }
  }]
}
Answer 1 (score: 0)

WSO2-IS fully supports the XACML 3.0 specification with XML. As of IS 5.6.0 milestone 2, WSO2 supports the multiple decision profile with JSON.

Answer 2 (score: 0)

If you are trying the XACML JSON request, it should look like this:
{
  "Request": {
    "http://wso2.org/identity/user": [{
      "Attribute": [{
        "AttributeId": "http://wso2.org/identity/user/username",
        "Value": "adminUser",
        "IncludeInResult": true,
        "DataType": "string"
      }]
    }, {
      "Attribute": [{
        "AttributeId": "http://wso2.org/identity/user/username",
        "Value": "publicUser",
        "IncludeInResult": true,
        "DataType": "string"
      }]
    }],
    "Resource": {
      "Attribute": [{
        "AttributeId": "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
        "Value": "index.jsp",
        "IncludeInResult": true,
        "DataType": "http://www.w3.org/2001/XMLSchema#string"
      }]
    },
    "Action": [{
      "Attribute": [{
        "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
        "Value": "view-welcome",
        "IncludeInResult": true,
        "DataType": "http://www.w3.org/2001/XMLSchema#string"
      }]
    }, {
      "Attribute": [{
        "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
        "Value": "view-status",
        "IncludeInResult": true,
        "DataType": "http://www.w3.org/2001/XMLSchema#string"
      }]
    }, {
      "Attribute": [{
        "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
        "Value": "view-summary",
        "IncludeInResult": true,
        "DataType": "http://www.w3.org/2001/XMLSchema#string"
      }]
    }, {
      "Attribute": [{
        "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
        "Value": "modify-welcome",
        "IncludeInResult": true,
        "DataType": "http://www.w3.org/2001/XMLSchema#string"
      }]
    }]
  }
}
The corresponding response is as follows:
{
  "Response": [{
    "Decision": "Deny",
    "Status": {
      "StatusCode": {
        "Value": "urn:oasis:names:tc:xacml:1.0:status:ok"
      }
    },
    "Obligations": [{
      "Id": "fail_to_permit",
      "AttributeAssignments": [{
        "AttributeId": "obligation-id",
        "Value": "You can not access the resource index.jsp",
        "DataType": "http://www.w3.org/2001/XMLSchema#string"
      }]
    }],
    "Resource": {
      "Attribute": [{
        "AttributeId": "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
        "Value": "index.jsp",
        "IncludeInResult": "true",
        "DataType": "http://www.w3.org/2001/XMLSchema#string"
      }]
    },
    "http://wso2.org/identity/user": {
      "Attribute": [{
        "AttributeId": "http://wso2.org/identity/user/username",
        "Value": "adminUser",
        "IncludeInResult": "true",
        "DataType": "http://www.w3.org/2001/XMLSchema#string"
      }]
    },
    "Action": {
      "Attribute": [{
        "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
        "Value": "view-status",
        "IncludeInResult": "true",
        "DataType": "http://www.w3.org/2001/XMLSchema#string"
      }]
    }
  }, {
    "Decision": "Deny",
    "Status": {
      "StatusCode": {
        "Value": "urn:oasis:names:tc:xacml:1.0:status:ok"
      }
    },
    "Obligations": [{
      "Id": "fail_to_permit",
      "AttributeAssignments": [{
        "AttributeId": "obligation-id",
        "Value": "You can not access the resource index.jsp",
        "DataType": "http://www.w3.org/2001/XMLSchema#string"
      }]
    }],
    "Resource": {
      "Attribute": [{
        "AttributeId": "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
        "Value": "index.jsp",
        "IncludeInResult": "true",
        "DataType": "http://www.w3.org/2001/XMLSchema#string"
      }]
    },
    "http://wso2.org/identity/user": {
      "Attribute": [{
        "AttributeId": "http://wso2.org/identity/user/username",
        "Value": "adminUser",
        "IncludeInResult": "true",
        "DataType": "http://www.w3.org/2001/XMLSchema#string"
      }]
    },
    "Action": {
      "Attribute": [{
        "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
        "Value": "view-summary",
        "IncludeInResult": "true",
        "DataType": "http://www.w3.org/2001/XMLSchema#string"
      }]
    }
  }, {
    "Decision": "Permit",
    "Status": {
      "StatusCode": {
        "Value": "urn:oasis:names:tc:xacml:1.0:status:ok"
      }
    },
    "Resource": {
      "Attribute": [{
        "AttributeId": "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
        "Value": "index.jsp",
        "IncludeInResult": "true",
        "DataType": "http://www.w3.org/2001/XMLSchema#string"
      }]
    },
    "Action": {
      "Attribute": [{
        "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
        "Value": "view-welcome",
        "IncludeInResult": "true",
        "DataType": "http://www.w3.org/2001/XMLSchema#string"
      }]
    },
    "http://wso2.org/identity/user": {
      "Attribute": [{
        "AttributeId": "http://wso2.org/identity/user/username",
        "Value": "publicUser",
        "IncludeInResult": "true",
        "DataType": "http://www.w3.org/2001/XMLSchema#string"
      }]
    }
  }, {
    "Decision": "Permit",
    "Status": {
      "StatusCode": {
        "Value": "urn:oasis:names:tc:xacml:1.0:status:ok"
      }
    },
    "Action": {
      "Attribute": [{
        "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
        "Value": "view-summary",
        "IncludeInResult": "true",
        "DataType": "http://www.w3.org/2001/XMLSchema#string"
      }]
    },
    "Resource": {
      "Attribute": [{
        "AttributeId": "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
        "Value": "index.jsp",
        "IncludeInResult": "true",
        "DataType": "http://www.w3.org/2001/XMLSchema#string"
      }]
    },
    "http://wso2.org/identity/user": {
      "Attribute": [{
        "AttributeId": "http://wso2.org/identity/user/username",
        "Value": "publicUser",
        "IncludeInResult": "true",
        "DataType": "http://www.w3.org/2001/XMLSchema#string"
      }]
    }
  }, {
    "Decision": "Deny",
    "Status": {
      "StatusCode": {
        "Value": "urn:oasis:names:tc:xacml:1.0:status:ok"
      }
    },
    "Obligations": [{
      "Id": "fail_to_permit",
      "AttributeAssignments": [{
        "AttributeId": "obligation-id",
        "Value": "You can not access the resource index.jsp",
        "DataType": "http://www.w3.org/2001/XMLSchema#string"
      }]
    }],
    "Resource": {
      "Attribute": [{
        "AttributeId": "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
        "Value": "index.jsp",
        "IncludeInResult": "true",
        "DataType": "http://www.w3.org/2001/XMLSchema#string"
      }]
    },
    "http://wso2.org/identity/user": {
      "Attribute": [{
        "AttributeId": "http://wso2.org/identity/user/username",
        "Value": "adminUser",
        "IncludeInResult": "true",
        "DataType": "http://www.w3.org/2001/XMLSchema#string"
      }]
    },
    "Action": {
      "Attribute": [{
        "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
        "Value": "view-welcome",
        "IncludeInResult": "true",
        "DataType": "http://www.w3.org/2001/XMLSchema#string"
      }]
    }
  }, {
    "Decision": "Deny",
    "Status": {
      "StatusCode": {
        "Value": "urn:oasis:names:tc:xacml:1.0:status:ok"
      }
    },
    "Obligations": [{
      "Id": "fail_to_permit",
      "AttributeAssignments": [{
        "AttributeId": "obligation-id",
        "Value": "You can not access the resource index.jsp",
        "DataType": "http://www.w3.org/2001/XMLSchema#string"
      }]
    }],
    "Action": {
      "Attribute": [{
        "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
        "Value": "view-status",
        "IncludeInResult": "true",
        "DataType": "http://www.w3.org/2001/XMLSchema#string"
      }]
    },
    "http://wso2.org/identity/user": {
      "Attribute": [{
        "AttributeId": "http://wso2.org/identity/user/username",
        "Value": "publicUser",
        "IncludeInResult": "true",
        "DataType": "http://www.w3.org/2001/XMLSchema#string"
      }]
    },
    "Resource": {
      "Attribute": [{
        "AttributeId": "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
        "Value": "index.jsp",
        "IncludeInResult": "true",
        "DataType": "http://www.w3.org/2001/XMLSchema#string"
      }]
    }
  }, {
    "Decision": "Deny",
    "Status": {
      "StatusCode": {
        "Value": "urn:oasis:names:tc:xacml:1.0:status:ok"
      }
    },
    "Obligations": [{
      "Id": "fail_to_permit",
      "AttributeAssignments": [{
        "AttributeId": "obligation-id",
        "Value": "You can not access the resource index.jsp",
        "DataType": "http://www.w3.org/2001/XMLSchema#string"
      }]
    }],
    "Action": {
      "Attribute": [{
        "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
        "Value": "modify-welcome",
        "IncludeInResult": "true",
        "DataType": "http://www.w3.org/2001/XMLSchema#string"
      }]
    },
    "http://wso2.org/identity/user": {
      "Attribute": [{
        "AttributeId": "http://wso2.org/identity/user/username",
        "Value": "publicUser",
        "IncludeInResult": "true",
        "DataType": "http://www.w3.org/2001/XMLSchema#string"
      }]
    },
    "Resource": {
      "Attribute": [{
        "AttributeId": "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
        "Value": "index.jsp",
        "IncludeInResult": "true",
        "DataType": "http://www.w3.org/2001/XMLSchema#string"
      }]
    }
  }, {
    "Decision": "Permit",
    "Status": {
      "StatusCode": {
        "Value": "urn:oasis:names:tc:xacml:1.0:status:ok"
      }
    },
    "Resource": {
      "Attribute": [{
        "AttributeId": "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
        "Value": "index.jsp",
        "IncludeInResult": "true",
        "DataType": "http://www.w3.org/2001/XMLSchema#string"
      }]
    },
    "http://wso2.org/identity/user": {
      "Attribute": [{
        "AttributeId": "http://wso2.org/identity/user/username",
        "Value": "adminUser",
        "IncludeInResult": "true",
        "DataType": "http://www.w3.org/2001/XMLSchema#string"
      }]
    },
    "Action": {
      "Attribute": [{
        "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
        "Value": "modify-welcome",
        "IncludeInResult": "true",
        "DataType": "http://www.w3.org/2001/XMLSchema#string"
      }]
    }
  }]
}
In XACML's multiple decision profile, the result provides every combination of decisions for the actions that can be performed on a resource for a particular subject or resource owner.

With "IncludeInResult", the attributes will be included in the response; you can shorten the response by setting it to false.

In WSO2 Identity Server you can add a custom category such as "http://wso2.org/identity/user" and add user claims as the AttributeId, e.g. "http://wso2.org/identity/user/username".

WSO2's multiple decision profile in JSON also supports the JSON shorthand format as well as the XACML standard URIs. You can try both.

For example: urn:oasis:names:tc:xacml:1.0:action:action-id -> action-id
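The correlation that answer 0 and answer 2 both describe, as an added example that is not part of this thread and not WSO2's or Axiomatics' code: a PEP-side helper that builds one multiple-decision request with IncludeInResult set on every attribute, then maps each Result back to the (subject, resource, action) it answers using only the attributes the PDP echoed. It accepts both response shapes shown above, the Category/CategoryId member from answer 0's response and the category-name-as-key layout (including the custom http://wso2.org/identity/user category) from answer 2's. The function names, the sample responses and the SAMPLE_* data are constructed for this example; everything else uses the identifiers that appear in the thread.

```python
"""Build a multiple-decision XACML JSON request and correlate the PDP's Results
back to the (subject, resource, action) each one answers, failing closed."""
import json

STRING = "http://www.w3.org/2001/XMLSchema#string"
STATUS_OK = "urn:oasis:names:tc:xacml:1.0:status:ok"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
RESOURCE_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
SUBJECT_CAT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
# The JSON profile lets a category be named by its short name instead of its URI.
SHORT_NAMES = {"Action": ACTION_CAT, "Resource": RESOURCE_CAT, "AccessSubject": SUBJECT_CAT}
NON_CATEGORY_KEYS = {"Decision", "Status", "Obligations", "AssociatedAdvice",
                     "PolicyIdentifierList", "Category"}


def attr(attribute_id, value):
    # IncludeInResult=true is what makes the PDP echo the attribute back in each Result.
    return {"AttributeId": attribute_id, "Value": value,
            "DataType": STRING, "IncludeInResult": True}


def build_request(subject_cat, subject_attr, subjects, resource, actions):
    """One request that asks about every (subject, action) pair for a single resource."""
    return {"Request": {
        subject_cat: [{"Attribute": [attr(subject_attr, s)]} for s in subjects],
        "Resource": {"Attribute": [attr(RESOURCE_ID, resource)]},
        "Action": [{"Attribute": [attr(ACTION_ID, a)]} for a in actions],
    }}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def echoed_attributes(result):
    """Flatten a Result's echoed attributes into {(category, attribute_id): value}.
    Handles a 'Category' member (object or list) carrying CategoryId, and category
    names (short or custom, e.g. http://wso2.org/identity/user) used as keys."""
    found = {}
    for cat in _as_list(result.get("Category", [])):
        for a in _as_list(cat.get("Attribute", [])):
            found[(cat["CategoryId"], a["AttributeId"])] = a["Value"]
    for key, val in result.items():
        if key not in NON_CATEGORY_KEYS and isinstance(val, dict):
            for a in _as_list(val.get("Attribute", [])):
                found[(SHORT_NAMES.get(key, key), a["AttributeId"])] = a["Value"]
    return found


def correlate(response, keys):
    """Map a tuple of echoed values (in 'keys' order) -> True only for Decision=Permit
    with status ok. A Result that cannot be tied to a concrete tuple is dropped, never
    matched by position: the profile does not guarantee Result order."""
    decisions = {}
    for result in response["Response"]:
        ident = tuple(echoed_attributes(result).get(k) for k in keys)
        if None in ident:
            continue
        status = result.get("Status", {}).get("StatusCode", {}).get("Value")
        decisions[ident] = result.get("Decision") == "Permit" and status == STATUS_OK
    return decisions


def permitted(decisions, *ident):
    return decisions.get(tuple(ident), False)   # absent == Deny


# Constructed sample response in WSO2's shape (custom user category as a key).
USER_CAT = "http://wso2.org/identity/user"
USERNAME = "http://wso2.org/identity/user/username"


def _wso2_result(decision, user, action):
    return {"Decision": decision,
            "Status": {"StatusCode": {"Value": STATUS_OK}},
            "Resource": {"Attribute": [attr(RESOURCE_ID, "index.jsp")]},
            USER_CAT: {"Attribute": [attr(USERNAME, user)]},
            "Action": {"Attribute": [attr(ACTION_ID, action)]}}


SAMPLE_WSO2 = {"Response": [
    _wso2_result("Deny", "adminUser", "view-status"),
    _wso2_result("Permit", "adminUser", "modify-welcome"),
    _wso2_result("Permit", "publicUser", "view-welcome"),
    {"Decision": "Permit", "Status": {"StatusCode": {"Value": STATUS_OK}}},  # nothing echoed
]}
# Constructed sample in the 'Category' shape from answer 0 (only the action echoed).
SAMPLE_CATEGORY = {"Response": [
    {"Decision": "Deny", "Status": {"StatusCode": {"Value": STATUS_OK}},
     "Category": {"CategoryId": ACTION_CAT,
                  "Attribute": {"AttributeId": ACTION_ID, "Value": "delete", "DataType": STRING}}},
    {"Decision": "Indeterminate",
     "Status": {"StatusCode": {"Value": "urn:oasis:names:tc:xacml:1.0:status:processing-error"}},
     "Category": {"CategoryId": ACTION_CAT,
                  "Attribute": {"AttributeId": ACTION_ID, "Value": "view", "DataType": STRING}}},
]}

if __name__ == "__main__":
    req = build_request(USER_CAT, USERNAME, ["adminUser", "publicUser"], "index.jsp",
                        ["view-welcome", "view-status", "view-summary", "modify-welcome"])
    print(json.dumps(req, indent=2))
    triple = [(USER_CAT, USERNAME), (RESOURCE_CAT, RESOURCE_ID), (ACTION_CAT, ACTION_ID)]
    d = correlate(SAMPLE_WSO2, triple)
    print(permitted(d, "adminUser", "index.jsp", "modify-welcome"))
    print(permitted(d, "publicUser", "index.jsp", "view-status"))
```

Two design points matter for a PEP. First, the fourth Result in SAMPLE_WSO2 carries a Permit but echoes nothing, so it is discarded rather than attached to whichever request combination happens to be unanswered; a Permit that cannot be tied to a concrete subject, resource and action must not grant anything. Second, any Decision other than Permit, and any Status other than ok (the Indeterminate in SAMPLE_CATEGORY), collapses to deny, and a combination missing from the response is also deny. If the request asked for N subjects times M actions, expect N*M correlated entries; fewer means the PDP answered only part of the question.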