Authzforce ABAC - 无法在域上启用结果后处理器扩展

Posted 2023-04-13

【中文标题】Authzforce ABAC - 无法在域上启用结果后处理器扩展

【英文标题】：Authzforce ABAC - Fail to Enable a Result Postprocessor extension on a domain

【发布时间】：2020-05-24 23:58:46

【问题描述】：

我按照link上的说明进行操作

1- 通过将类型替换为“urn:ow2:authzforce:feature:pdp:result-postproc:xacml-json:default”，从“TestCombinedDecisionXacmlJaxbResultPostprocessor”类创建了扩展 jar 包

2-将jar放到/opt/authzforce-ce-server/webapp/WEB-INF/lib目录下

3- 尝试启用扩展：

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<pdpPropertiesUpdate xmlns="http://authzforce.github.io/rest-api-model/xmlns/authz/5">
 <feature 
 type="urn:ow2:authzforce:feature-type:pdp:result-postproc" 
 enabled="true">urn:ow2:authzforce:feature:pdp:result-postproc:xacml-json:default</feature>
 <rootPolicyRefExpression>root</rootPolicyRefExpression>
</pdpPropertiesUpdate>

得到回应：

<!doctype html><html lang="en"><head><title>HTTP Status 405 – Method Not Allowed</title><style type="text/css">body font-family:Tahoma,Arial,sans-serif;
 h1, h2, h3, b color:white;background-color:#525D76;
 h1 font-size: 22px;
 h2 font-size: 16px;
 h3 font-size: 14px;
 p font-size: 12px;
 a color:black;
 .line height: 1px;background-color:#525D76;border:none;
</style></head><body><h1>HTTP Status 405 – Method Not Allowed</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Description</b> The method received in the request-line is known by the origin server but not supported by the target resource.</p><hr class="line" /><h3>Apache Tomcat/8.5.54 (Debian)</h3></body></html>

在此之后，我收到域上所有请求的 HTTP-404。 你能建议我错过什么吗？这个问题的根本原因是什么？

扩展包源码分享：

public class PostprocessorLoader extends BaseXacmlJaxbResultPostprocessor  
    private static final Set<String> FEATURES = ImmutableSet.of(DecisionResultPostprocessor.Features.XACML_MULTIPLE_DECISION_PROFILE_COMBINED_DECISION);
    private static final Response SIMPLE_INDETERMINATE_RESPONSE = new Response(
            Collections.singletonList(new Result(DecisionType.INDETERMINATE, new StatusHelper(XacmlStatusCode.PROCESSING_ERROR.value(), Optional.<String>empty()), null, null, null, null)));
    // private static final List<Result> INDETERMINATE_RESULT_SINGLETON_LIST_BECAUSE_NO_INDIVIDUAL = Collections.singletonList(new Result(DecisionType.INDETERMINATE, new StatusHelper(
    // StatusHelper.STATUS_PROCESSING_ERROR, "No <Result> to combine!"), null, null, null, null));
    private static final Response SIMPLE_PERMIT_RESPONSE = new Response(Collections.singletonList(new Result(DecisionType.PERMIT, StatusHelper.OK, null, null, null, null)));
    private static final Response SIMPLE_DENY_RESPONSE = new Response(Collections.singletonList(new Result(DecisionType.DENY, StatusHelper.OK, null, null, null, null)));
    private static final Response SIMPLE_NOT_APPLICABLE_RESPONSE = new Response(Collections.singletonList(new Result(DecisionType.NOT_APPLICABLE, StatusHelper.OK, null, null, null, null)));

    private PostprocessorLoader(final int clientRequestErrorVerbosityLevel) throws IllegalArgumentException 
        super(clientRequestErrorVerbosityLevel);
    

    @Override
    public Set<String> getFeatures()
    
        return FEATURES;
    

    @Override
    public Response process(final Collection<Map.Entry<IndividualXacmlJaxbRequest, ? extends DecisionResult>> resultsByRequest)
    
        System.out.println("#####################Inside process");
        if (resultsByRequest!=null)
            System.out.println(resultsByRequest.size());
        else
            System.out.println("#####################resultsByRequest is null!");
        
        DecisionType combinedDecision = DecisionType.INDETERMINATE;
        for (final Map.Entry<? extends IndividualXacmlJaxbRequest, ? extends DecisionResult> resultEntry : resultsByRequest)
        
            System.out.println("#####################resultEntry:"+resultEntry.getValue());
            final DecisionResult result = resultEntry.getValue();
            System.out.println("#####################getDecision:"+result.getDecision());
            if (result.getDecision() == DecisionType.INDETERMINATE)
            
                // either all result must be indeterminate or we return Indeterminate as final result anyway
                return SIMPLE_INDETERMINATE_RESPONSE;
            

            final ImmutableList<PepAction> pepActions = result.getPepActions();
            assert pepActions != null;

            if (!pepActions.isEmpty())
            
                return SIMPLE_INDETERMINATE_RESPONSE;
            

            final DecisionType individualDecision = result.getDecision();
            // if combinedDecision not initialized yet (indeterminate), set it to the result's decision
            if (combinedDecision == DecisionType.INDETERMINATE)
            
                combinedDecision = individualDecision;
             else
                // combinedDecision != Indeterminate
                if (individualDecision != combinedDecision)
                
                    return SIMPLE_INDETERMINATE_RESPONSE;
                
        
        System.out.println("#####################Before CombinedDecision switch");
        try 
            System.out.printf("#####################process method!");
            //System.out.println(documentService.getIndividualHealthRoleByName("").toString());
        catch(Exception ex)
            System.out.println("#####################process method err:"+ex.getCause());
        

        switch (combinedDecision)
        
            case PERMIT:
                return SIMPLE_PERMIT_RESPONSE;
            case DENY:
                return SIMPLE_DENY_RESPONSE;
            case NOT_APPLICABLE:
                return SIMPLE_NOT_APPLICABLE_RESPONSE;
            default:
                return SIMPLE_INDETERMINATE_RESPONSE;
        
    

    /**
     *
     * Factory for this type of result postprocessor filter that allows duplicate &lt;Attribute&gt; with same meta-data in the same &lt;Attributes&gt; element of a Request (complying with XACML 3.0
     * core spec, §7.3.3).
     *
     */
    public static final class Factory extends BaseXacmlJaxbResultPostprocessor.Factory
    
        /**
         * ID of this @link PdpExtension
         */
        public static final String ID = "urn:ow2:authzforce:feature:pdp:result-postproc:xacml-json:default";

        /**
         * Constructor
         */
        public Factory()
        
            super(ID);
        

        @Override
        public DecisionResultPostprocessor<IndividualXacmlJaxbRequest, Response> getInstance(final int clientRequestErrorVerbosityLevel)
        
            return new PostprocessorLoader(clientRequestErrorVerbosityLevel);
        

    

注意：当我将 jar 文件从 maven artifactId=authzforce-ce-core-pdp-testutils 放入 lib 文件夹并尝试在上述链接中使用推荐的请求正文启用时，发生了同样的事情。

【问题讨论】：

@cdan 或许能帮上忙

第2步之后，你重启Tomcat了吗？您能否检查服务器日志（在 /var/log/tomcat8 中）以确保 authzforce webapp 成功部署且没有错误？

是的，我在 #2 之后重新启动了 tomcat。我在 /var/log/tomcat8/authzforce-ce/error.log 中看到一些错误：java.lang.IllegalArgumentException: Extension no.uio.sabac.bootstrap.PostprocessorLoader$Factory@c9b006 is conflicting with org.ow2.authzforce.core .pdp.io.xacml.json.BaseXacmlJsonResult Postprocessor$Factory@12402b6 使用相同的 ID 注册：urn:ow2:authzforce:feature:pdp:result-postproc:xacml-json:default at org.ow2.authzforce.core.pdp。 impl.PdpExtensions.(PdpExtensions.java:110)

好的，现在看我的回答，你不能对 2 个不同的实现使用相同的 ID。

【参考方案1】：

您正在尝试启用 ID urn:ow2:authzforce:feature:pdp:result-postproc:xacml-json:default 的后处理器，该后处理器已由 AuthzForce 保留并提供（用于根据 XACML 的 JSON 配置文件处理 JSON 响应）。因此，您不能为自己的实现使用相同的 ID！

所以改变你代码中的ID（这里只是一个例子，选择你自己的）：

/**
  * ID of this @link PdpExtension
  */
public static final String ID = "my-own-postproc-id";

仅供参考，如果您只需要 XACML/XML 的 CombinedDecision 功能，看起来确实如此（但我可能对您想要实现的目标有误），这已经由 TestCombinedDecisionXacmlJaxbResultPostprocessor 类实现。您只需在 WEB-INF/lib 中部署 authzforce-ce-core-pdp-testutils JAR（与那里的 authzforce-ce-core-pdp-engine JAR 版本相同），重新启动并启用它，就像您在第 3 步，但使用功能 ID urn:ow2:authzforce:feature:pdp:result-postproc:xacml-xml:multiple:test-combined-decision。