Authzforce ABAC - Fail to Enable a Result Postprocessor extension on a domain

Posted: 2020-05-24 23:58:46

Question:

I followed the instructions at link.

1- Created the extension jar from the "TestCombinedDecisionXacmlJaxbResultPostprocessor" class, replacing the type with "urn:ow2:authzforce:feature:pdp:result-postproc:xacml-json:default"

2- Put the jar into the /opt/authzforce-ce-server/webapp/WEB-INF/lib directory

3- Tried to enable the extension:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<pdpPropertiesUpdate xmlns="http://authzforce.github.io/rest-api-model/xmlns/authz/5">
 <feature 
 type="urn:ow2:authzforce:feature-type:pdp:result-postproc" 
 enabled="true">urn:ow2:authzforce:feature:pdp:result-postproc:xacml-json:default</feature>
 <rootPolicyRefExpression>root</rootPolicyRefExpression>
</pdpPropertiesUpdate>

Got the response:

<!doctype html><html lang="en"><head><title>HTTP Status 405 – Method Not Allowed</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;}
 h1, h2, h3, b {color:white;background-color:#525D76;}
 h1 {font-size: 22px;}
 h2 {font-size: 16px;}
 h3 {font-size: 14px;}
 p {font-size: 12px;}
 a {color:black;}
 .line {height: 1px;background-color:#525D76;border:none;}
</style></head><body><h1>HTTP Status 405 – Method Not Allowed</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Description</b> The method received in the request-line is known by the origin server but not supported by the target resource.</p><hr class="line" /><h3>Apache Tomcat/8.5.54 (Debian)</h3></body></html>

After this, I get HTTP-404 for every request on the domain. Can you suggest what I missed? What is the root cause of this problem?

Sharing the source of the extension package:

package no.uio.sabac.bootstrap;

import java.util.Collection;
import java.util.Collections;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableSet;

import oasis.names.tc.xacml._3_0.core.schema.wd_17.DecisionType;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Response;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Result;

import org.ow2.authzforce.core.pdp.api.DecisionResult;
import org.ow2.authzforce.core.pdp.api.DecisionResultPostprocessor;
import org.ow2.authzforce.core.pdp.api.PepAction;
import org.ow2.authzforce.core.pdp.api.StatusHelper;
import org.ow2.authzforce.core.pdp.api.io.BaseXacmlJaxbResultPostprocessor;
import org.ow2.authzforce.core.pdp.api.io.IndividualXacmlJaxbRequest;
import org.ow2.authzforce.xacml.identifiers.XacmlStatusCode;

/**
 * Result postprocessor that combines the individual decisions of a Multiple Decision request
 * into a single decision (XACML Multiple Decision Profile, CombinedDecision). Package name taken
 * from the stack trace in the comments; imports follow the AuthzForce core PDP API layout.
 */
public class PostprocessorLoader extends BaseXacmlJaxbResultPostprocessor
{
    private static final Set<String> FEATURES = ImmutableSet.of(DecisionResultPostprocessor.Features.XACML_MULTIPLE_DECISION_PROFILE_COMBINED_DECISION);
    private static final Response SIMPLE_INDETERMINATE_RESPONSE = new Response(
            Collections.singletonList(new Result(DecisionType.INDETERMINATE, new StatusHelper(XacmlStatusCode.PROCESSING_ERROR.value(), Optional.<String>empty()), null, null, null, null)));
    // private static final List<Result> INDETERMINATE_RESULT_SINGLETON_LIST_BECAUSE_NO_INDIVIDUAL = Collections.singletonList(new Result(DecisionType.INDETERMINATE, new StatusHelper(
    // StatusHelper.STATUS_PROCESSING_ERROR, "No <Result> to combine!"), null, null, null, null));
    private static final Response SIMPLE_PERMIT_RESPONSE = new Response(Collections.singletonList(new Result(DecisionType.PERMIT, StatusHelper.OK, null, null, null, null)));
    private static final Response SIMPLE_DENY_RESPONSE = new Response(Collections.singletonList(new Result(DecisionType.DENY, StatusHelper.OK, null, null, null, null)));
    private static final Response SIMPLE_NOT_APPLICABLE_RESPONSE = new Response(Collections.singletonList(new Result(DecisionType.NOT_APPLICABLE, StatusHelper.OK, null, null, null, null)));

    private PostprocessorLoader(final int clientRequestErrorVerbosityLevel) throws IllegalArgumentException
    {
        super(clientRequestErrorVerbosityLevel);
    }

    @Override
    public Set<String> getFeatures()
    {
        return FEATURES;
    }

    @Override
    public Response process(final Collection<Map.Entry<IndividualXacmlJaxbRequest, ? extends DecisionResult>> resultsByRequest)
    {
        System.out.println("#####################Inside process");
        if (resultsByRequest != null)
        {
            System.out.println(resultsByRequest.size());
        }
        else
        {
            System.out.println("#####################resultsByRequest is null!");
        }

        DecisionType combinedDecision = DecisionType.INDETERMINATE;
        for (final Map.Entry<? extends IndividualXacmlJaxbRequest, ? extends DecisionResult> resultEntry : resultsByRequest)
        {
            System.out.println("#####################resultEntry:" + resultEntry.getValue());
            final DecisionResult result = resultEntry.getValue();
            System.out.println("#####################getDecision:" + result.getDecision());
            if (result.getDecision() == DecisionType.INDETERMINATE)
            {
                // either all results must be indeterminate or we return Indeterminate as final result anyway
                return SIMPLE_INDETERMINATE_RESPONSE;
            }

            // any obligation/advice on an individual result cannot be combined, so the outcome is Indeterminate
            final ImmutableList<PepAction> pepActions = result.getPepActions();
            assert pepActions != null;

            if (!pepActions.isEmpty())
            {
                return SIMPLE_INDETERMINATE_RESPONSE;
            }

            final DecisionType individualDecision = result.getDecision();
            // if combinedDecision not initialized yet (indeterminate), set it to the result's decision
            if (combinedDecision == DecisionType.INDETERMINATE)
            {
                combinedDecision = individualDecision;
            }
            else if (individualDecision != combinedDecision)
            {
                // combinedDecision != Indeterminate and the individual decisions disagree
                return SIMPLE_INDETERMINATE_RESPONSE;
            }
        }

        System.out.println("#####################Before CombinedDecision switch");
        try
        {
            System.out.printf("#####################process method!");
            // System.out.println(documentService.getIndividualHealthRoleByName("").toString());
        }
        catch (Exception ex)
        {
            System.out.println("#####################process method err:" + ex.getCause());
        }

        switch (combinedDecision)
        {
            case PERMIT:
                return SIMPLE_PERMIT_RESPONSE;
            case DENY:
                return SIMPLE_DENY_RESPONSE;
            case NOT_APPLICABLE:
                return SIMPLE_NOT_APPLICABLE_RESPONSE;
            default:
                return SIMPLE_INDETERMINATE_RESPONSE;
        }
    }

    /**
     *
     * Factory for this type of result postprocessor filter that allows duplicate &lt;Attribute&gt; with same meta-data in the same &lt;Attributes&gt; element of a Request (complying with XACML 3.0
     * core spec, §7.3.3).
     *
     */
    public static final class Factory extends BaseXacmlJaxbResultPostprocessor.Factory
    {
        /**
         * ID of this {@link PdpExtension}
         */
        public static final String ID = "urn:ow2:authzforce:feature:pdp:result-postproc:xacml-json:default";

        /**
         * Constructor
         */
        public Factory()
        {
            super(ID);
        }

        @Override
        public DecisionResultPostprocessor<IndividualXacmlJaxbRequest, Response> getInstance(final int clientRequestErrorVerbosityLevel)
        {
            return new PostprocessorLoader(clientRequestErrorVerbosityLevel);
        }
    }
}

Note: the same thing happened when I put the jar from maven artifactId=authzforce-ce-core-pdp-testutils into the lib folder and tried to enable it with the request body recommended in the link above.

Comments:

@cdan might be able to help.

After step 2, did you restart Tomcat? Could you check the server logs (in /var/log/tomcat8) to make sure the authzforce webapp deployed successfully without errors?

Yes, I restarted Tomcat after #2. I see some errors in /var/log/tomcat8/authzforce-ce/error.log: java.lang.IllegalArgumentException: Extension no.uio.sabac.bootstrap.PostprocessorLoader$Factory@c9b006 is conflicting with org.ow2.authzforce.core.pdp.io.xacml.json.BaseXacmlJsonResultPostprocessor$Factory@12402b6 registered with same ID: urn:ow2:authzforce:feature:pdp:result-postproc:xacml-json:default at org.ow2.authzforce.core.pdp.impl.PdpExtensions.<init>(PdpExtensions.java:110)

OK, now see my answer: you cannot use the same ID for 2 different implementations.

Answer 1:

You are trying to enable a postprocessor with the ID urn:ow2:authzforce:feature:pdp:result-postproc:xacml-json:default, which is already reserved and provided by AuthzForce (for handling JSON responses according to the JSON Profile of XACML). Therefore you cannot use the same ID for your own implementation.

So change the ID in your code (this is just an example, choose your own):

/**
  * ID of this @link PdpExtension
  */
public static final String ID = "my-own-postproc-id";

FYI, if all you need is the CombinedDecision feature for XACML/XML, which it looks like (but I may be wrong about what you are trying to achieve), this is already implemented by the TestCombinedDecisionXacmlJaxbResultPostprocessor class. You only need to deploy the authzforce-ce-core-pdp-testutils JAR in WEB-INF/lib (same version as the authzforce-ce-core-pdp-engine JAR there), restart and enable it like you did in step 3, but with the feature ID urn:ow2:authzforce:feature:pdp:result-postproc:xacml-xml:multiple:test-combined-decision
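A pre-deployment check that would have surfaced this conflict before the webapp failed to deploy (which is what turned every request on the domain into a 404), as an added example that is not code from the question, the answer, or the AuthzForce project: it loads every extension on the classpath the same way the PDP does at startup and reports any ID claimed by more than one implementation. It assumes that AuthzForce discovers extensions with java.util.ServiceLoader through META-INF/services/org.ow2.authzforce.core.pdp.api.PdpExtension and that each extension exposes getId(); the class name ExtensionIdCheck and the classpath in the comment are my own.

```java
// Added example: offline duplicate-ID check for AuthzForce PDP extensions.
// Not from the question or the AuthzForce project. Assumptions: extensions are
// discovered with ServiceLoader through
// META-INF/services/org.ow2.authzforce.core.pdp.api.PdpExtension, and every
// extension implements PdpExtension#getId(). Class name and paths are illustrative.
//
// Compile and run against the same jars the webapp loads (placeholder paths):
//   javac -cp "/opt/authzforce-ce-server/webapp/WEB-INF/lib/*" ExtensionIdCheck.java
//   java  -cp "/opt/authzforce-ce-server/webapp/WEB-INF/lib/*:." ExtensionIdCheck
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.ServiceLoader;
import java.util.TreeMap;

import org.ow2.authzforce.core.pdp.api.PdpExtension;

public final class ExtensionIdCheck
{
    private ExtensionIdCheck()
    {
    }

    /**
     * Groups the discovered extensions by ID. An ID mapped to more than one class
     * name is exactly the collision that PdpExtensions rejects at startup.
     */
    static Map<String, List<String>> groupById(final Iterable<? extends PdpExtension> extensions)
    {
        final Map<String, List<String>> byId = new TreeMap<>();
        for (final PdpExtension ext : extensions)
        {
            byId.computeIfAbsent(ext.getId(), k -> new ArrayList<>()).add(ext.getClass().getName());
        }
        return byId;
    }

    /** Returns only the IDs claimed by more than one implementation. */
    static Map<String, List<String>> duplicates(final Map<String, List<String>> byId)
    {
        final Map<String, List<String>> dups = new TreeMap<>();
        byId.forEach((id, classes) ->
        {
            if (classes.size() > 1)
            {
                dups.put(id, classes);
            }
        });
        return dups;
    }

    public static void main(final String[] args)
    {
        // ServiceLoader walks every META-INF/services entry on the classpath, i.e. every
        // jar in WEB-INF/lib, which mirrors what the PDP does when the webapp starts.
        final Map<String, List<String>> byId = groupById(ServiceLoader.load(PdpExtension.class));
        System.out.println("Discovered " + byId.size() + " distinct extension ID(s)");

        final Map<String, List<String>> dups = duplicates(byId);
        if (dups.isEmpty())
        {
            System.out.println("No ID conflicts; safe to restart Tomcat");
            return;
        }
        dups.forEach((id, classes) -> System.err.println("CONFLICT: ID " + id + " is claimed by " + classes));
        // Non-zero exit so a build or deploy script refuses to ship the jar.
        System.exit(1);
    }
}
```

Run with the question's jar in WEB-INF/lib, the check would report the reserved ID urn:ow2:authzforce:feature:pdp:result-postproc:xacml-json:default as claimed by both org.ow2.authzforce.core.pdp.io.xacml.json.BaseXacmlJsonResultPostprocessor$Factory and no.uio.sabac.bootstrap.PostprocessorLoader$Factory, the same pair named in the error.log entry above; after changing the Factory ID to a value of your own it reports no conflicts. Because ServiceLoader instantiates each Factory through its no-argument constructor, a jar whose Factory cannot be constructed fails here with a ServiceConfigurationError rather than at webapp deployment.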
