Enabling Role-Based Access Control Using XACML - Error occurred while evaluating the policy

Time: 2019-05-28 07:09:30

Tags: wso2 wso2is wso2-am xacml

I followed Enabling Role-Based Access Control Using XACML. I was able to set everything up without any issues. However, when the API is invoked, it returns the following error response.

<am:fault xmlns:am="http://wso2.org/apimanager"><am:code>0</am:code><am:type>Status report</am:type><am:message>Runtime Error</am:message><am:description>Error occurred while evaluating the policy</am:description></am:fault>

In the APIM log I can see the following error. I am running APIM 2.6 and IS 5.3 on the same machine, with a port offset of 2 for AM. It seems the problem is the remoteServiceUrl="https://127.0.0.1:9443/services" URL in EntitlementMediator.xml, mentioned in step 14 of the guide above.

[2019-05-28 12:33:05,162]  INFO - HTTPSender Unable to sendViaPost to url[https://127.0.0.1:9443/services/EntitlementService]
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
    at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:431)
    at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.verifyHostName(SSLProtocolSocketFactory.java:276)
    at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.createSocket(SSLProtocolSocketFactory.java:186)
    at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707)
    at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361)
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387)
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
    at org.apache.axis2.transport.http.AbstractHTTPSender.executeMethod(AbstractHTTPSender.java:704)
    at org.apache.axis2.transport.http.HTTPSender.sendViaPost(HTTPSender.java:199)
    at org.apache.axis2.transport.http.HTTPSender.send(HTTPSender.java:81)
    at org.apache.axis2.transport.http.CommonsHTTPTransportSender.writeMessageWithCommons(CommonsHTTPTransportSender.java:459)
    at org.apache.axis2.transport.http.CommonsHTTPTransportSender.invoke(CommonsHTTPTransportSender.java:286)
    at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:442)
    at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:441)
    at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:227)
    at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149)
    at org.wso2.carbon.identity.entitlement.stub.EntitlementServiceStub.getDecision(EntitlementServiceStub.java:836)
    at org.wso2.carbon.identity.entitlement.proxy.soap.basicAuth.BasicAuthEntitlementServiceClient.getDecision(BasicAuthEntitlementServiceClient.java:259)
    at org.wso2.carbon.identity.entitlement.proxy.soap.basicAuth.BasicAuthEntitlementServiceClient.getDecision(BasicAuthEntitlementServiceClient.java:123)
    at org.wso2.carbon.identity.entitlement.proxy.PEPProxy.getDecision(PEPProxy.java:94)
    at org.wso2.carbon.identity.entitlement.proxy.PEPProxy.getDecision(PEPProxy.java:66)
    at org.wso2.carbon.identity.entitlement.mediator.EntitlementMediator.mediate(EntitlementMediator.java:203)
    at org.apache.synapse.mediators.AbstractListMediator.mediate(AbstractListMediator.java:108)
    at org.apache.synapse.mediators.AbstractListMediator.mediate(AbstractListMediator.java:70)
    at org.apache.synapse.mediators.base.SequenceMediator.mediate(SequenceMediator.java:158)
    at org.wso2.carbon.apimgt.gateway.handlers.ext.APIManagerExtensionHandler.mediate(APIManagerExtensionHandler.java:66)
    at org.wso2.carbon.apimgt.gateway.handlers.ext.APIManagerExtensionHandler.handleRequest(APIManagerExtensionHandler.java:75)
    at org.apache.synapse.rest.API.process(API.java:325)
    at org.apache.synapse.rest.RESTRequestHandler.apiProcessNonDefaultStrategy(RESTRequestHandler.java:149)
    at org.apache.synapse.rest.RESTRequestHandler.dispatchToAPI(RESTRequestHandler.java:95)
    at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:71)
    at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:303)
    at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:92)
    at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
    at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:337)
    at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:158)
    at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
[2019-05-28 12:33:05,164] ERROR - EntitlementMediator Error occurred while evaluating the policy
org.apache.axis2.AxisFault: peer not authenticated
    at org.apache.axis2.AxisFault.makeFault(AxisFault.java:430)
    at org.apache.axis2.transport.http.HTTPSender.sendViaPost(HTTPSender.java:203)
    at org.apache.axis2.transport.http.HTTPSender.send(HTTPSender.java:81)
    at org.apache.axis2.transport.http.CommonsHTTPTransportSender.writeMessageWithCommons(CommonsHTTPTransportSender.java:459)
    at org.apache.axis2.transport.http.CommonsHTTPTransportSender.invoke(CommonsHTTPTransportSender.java:286)
    at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:442)
    at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:441)
    at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:227)
    at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149)
    at org.wso2.carbon.identity.entitlement.stub.EntitlementServiceStub.getDecision(EntitlementServiceStub.java:836)
    at org.wso2.carbon.identity.entitlement.proxy.soap.basicAuth.BasicAuthEntitlementServiceClient.getDecision(BasicAuthEntitlementServiceClient.java:259)
    at org.wso2.carbon.identity.entitlement.proxy.soap.basicAuth.BasicAuthEntitlementServiceClient.getDecision(BasicAuthEntitlementServiceClient.java:123)
    at org.wso2.carbon.identity.entitlement.proxy.PEPProxy.getDecision(PEPProxy.java:94)
    at org.wso2.carbon.identity.entitlement.proxy.PEPProxy.getDecision(PEPProxy.java:66)
    at org.wso2.carbon.identity.entitlement.mediator.EntitlementMediator.mediate(EntitlementMediator.java:203)
    at org.apache.synapse.mediators.AbstractListMediator.mediate(AbstractListMediator.java:108)
    at org.apache.synapse.mediators.AbstractListMediator.mediate(AbstractListMediator.java:70)
    at org.apache.synapse.mediators.base.SequenceMediator.mediate(SequenceMediator.java:158)
    at org.wso2.carbon.apimgt.gateway.handlers.ext.APIManagerExtensionHandler.mediate(APIManagerExtensionHandler.java:66)
    at org.wso2.carbon.apimgt.gateway.handlers.ext.APIManagerExtensionHandler.handleRequest(APIManagerExtensionHandler.java:75)
    at org.apache.synapse.rest.API.process(API.java:325)
    at org.apache.synapse.rest.RESTRequestHandler.apiProcessNonDefaultStrategy(RESTRequestHandler.java:149)
    at org.apache.synapse.rest.RESTRequestHandler.dispatchToAPI(RESTRequestHandler.java:95)
    at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:71)
    at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:303)
    at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:92)
    at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
    at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:337)
    at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:158)
    at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
    at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:431)
    at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.verifyHostName(SSLProtocolSocketFactory.java:276)
    at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.createSocket(SSLProtocolSocketFactory.java:186)
    at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707)
    at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361)
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387)
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
    at org.apache.axis2.transport.http.AbstractHTTPSender.executeMethod(AbstractHTTPSender.java:704)
    at org.apache.axis2.transport.http.HTTPSender.sendViaPost(HTTPSender.java:199)
    ... 31 more
[2019-05-28 12:33:05,172]  INFO - LogMediator STATUS = Executing default 'fault' sequence, ERROR_CODE = 0, ERROR_MESSAGE = Error occurred while evaluating the policy

1 answer:

Answer 0 (score: 2)

There is a hostname verification issue when the Entitlement mediator tries to call the EntitlementService exposed by WSO2 IS.

You need to export the public certificate from APIM correctly and import it into the WSO2 IS truststore. In the public certificate, the CN value should be equal to the hostname or the IP address.

As I recall, the primary keystore key lengths differ between APIM 2.6.0 and IS 5.3.0. However, the steps above should fix your problem.

If you are using a WSO2 IS version newer than 5.3.0 with the default hostname and the default public certificate, it should work out of the box.
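The certificate export/import and the CN-versus-host check that the answer describes, as an added shell example that is not part of the original post and not WSO2's own tooling. It assumes a JDK `keytool` on PATH and Carbon's stock keystore conventions (alias `wso2carbon`, password `wso2carbon`); the keystore and truststore paths are placeholders for whichever side is the TLS client and the TLS server in your deployment. The demo constructs a stand-in for the IS keystore whose certificate is issued to `CN=localhost` (as the stock wso2carbon certificate is) and shows why a `remoteServiceUrl` pointing at `127.0.0.1` still fails the `verifyHostName` step from the stack trace even once the certificate itself is trusted.

```shell
#!/bin/sh
# Added example, not code from the original post or from WSO2.
# Assumptions: a JDK `keytool` on PATH; Carbon's default alias/password
# ("wso2carbon"); all keystore/truststore paths are placeholders.

# Host component of an EntitlementMediator remoteServiceUrl, e.g.
# https://127.0.0.1:9443/services -> 127.0.0.1
url_host() {
    h="$1"
    h="${h#*://}"        # drop scheme
    h="${h%%/*}"         # drop path
    h="${h%%:*}"         # drop port
    printf '%s\n' "$h"
}

# Print the subject line and the SAN entries of one keystore entry.
cert_names() {
    keytool -list -v -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null \
        | grep -E 'Owner:|DNSName:|IPAddress:'
}

# Exit 0 when the certificate's CN or a SAN entry equals $4, i.e. when it
# would pass the hostname check Commons HttpClient performs in verifyHostName.
cert_matches_host() {
    host_re="$(printf '%s' "$4" | sed 's/\./\\./g')"
    cert_names "$1" "$2" "$3" \
        | grep -Eq "CN=${host_re}(,|\$)|DNSName: ${host_re}\$|IPAddress: ${host_re}\$"
}

# Export the public certificate of alias $3 from keystore $1 and import it
# into truststore $4 under alias $6 (the truststore is created if missing).
trust_peer_cert() {
    pem="$(mktemp)"
    keytool -exportcert -rfc -keystore "$1" -storepass "$2" -alias "$3" -file "$pem"
    keytool -importcert -noprompt -keystore "$4" -storepass "$5" -alias "$6" -file "$pem"
    rm -f "$pem"
}

# Reproduce the question's situation with constructed keystores in a temp
# dir: an IS-side keystore whose certificate is CN=localhost, and an empty
# gateway-side truststore that is taught to trust it.
demo() {
    tmp="$(mktemp -d)"
    keytool -genkeypair -keyalg RSA -keysize 2048 -validity 30 \
        -alias wso2carbon -dname 'CN=localhost, O=WSO2, C=US' -ext 'SAN=dns:localhost' \
        -keystore "$tmp/is-wso2carbon.jks" -storepass wso2carbon -keypass wso2carbon
    trust_peer_cert "$tmp/is-wso2carbon.jks" wso2carbon wso2carbon \
                    "$tmp/gw-client-truststore.jks" wso2carbon is-peer
    for url in https://127.0.0.1:9443/services https://localhost:9443/services; do
        host="$(url_host "$url")"
        if cert_matches_host "$tmp/gw-client-truststore.jks" wso2carbon is-peer "$host"; then
            echo "$url: certificate trusted and '$host' matches CN/SAN"
        else
            echo "$url: certificate trusted, but '$host' is neither the CN nor a SAN -> SSLPeerUnverifiedException"
        fi
    done
    rm -rf "$tmp"
}

# Run the demo only where a JDK is available; the functions are usable on their own.
if command -v keytool >/dev/null 2>&1; then
    demo
fi
```

Trusting the certificate and matching the hostname are two separate checks: importing the peer's certificate into the truststore satisfies the first, while the second only passes when the host written in remoteServiceUrl is literally the certificate's CN or one of its SAN entries, so a URL with 127.0.0.1 against a CN=localhost certificate still fails.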