Compare two multi-element attributes in XACML policy
Posted: 2019-05-31 13:36:49
Question:
Consider a subject and an object that both carry a label defined as follows:
subject/object label = [i1, i2, ..., in], where each i is the subjectId of another subject.
In a policy (ALFA/XACML), how can I compare the subject label and the object label so that no element of one list also appears in the other?
For example:
subject_label = [i2, i4, i9]
object_label = [i1, i3, i7, i9]
The result would be DENY, because both labels contain i9. If no match is found in either list, the access result would be PERMIT.
Answer 1:
What you want to use is stringAtLeastOneMemberOf (or its equivalent for other data types). This function takes two arguments (bags):
it returns true if at least one value in the first bag equals a value in the second bag. For strings the comparison is case-sensitive.
namespace com.axiomatics {
    /**
     * This policy checks the contents of the user label and the resource label.
     * It will deny access if there is at least one value in the user label equal to at least
     * one value in the resource label.
     *
     * user.label and object.label must be declared as string attributes elsewhere in the
     * ALFA project (AttributeIds com.axiomatics.user.label and com.axiomatics.object.label
     * in the generated XML below).
     */
    policy denyIfSameContent {
        apply firstApplicable
        /**
         * This rule will deny access if user.label contains at least 1 value that is also present
         * in object.label
         */
        rule denyIfSameContent {
            deny
            condition stringAtLeastOneMemberOf(user.label, object.label)
        }
    }
}
Here is the XACML/XML representation:
<?xml version="1.0" encoding="UTF-8"?>
<!-- This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com). -->
<!-- Any modification to this file will be lost upon recompilation of the source ALFA file -->
<xacml3:Policy
    xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicyId="http://axiomatics.com/alfa/identifier/com.axiomatics.denyIfSameContent"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
    Version="1.0">
    <xacml3:Description>This policy checks the contents of the user label and the resource label.
        It will deny access if there is at least one value in the user label equal to at least
        one value in the resource label.
    </xacml3:Description>
    <xacml3:PolicyDefaults>
        <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
    </xacml3:PolicyDefaults>
    <xacml3:Target />
    <xacml3:Rule Effect="Deny"
        RuleId="com.axiomatics.denyIfSameContent.denyIfSameContent">
        <xacml3:Description>This rule will deny access if user.label contains
            at least 1 value that is also present in object.label
        </xacml3:Description>
        <xacml3:Target />
        <xacml3:Condition>
            <xacml3:Apply
                FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                <xacml3:AttributeDesignator
                    AttributeId="com.axiomatics.user.label"
                    Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                    DataType="http://www.w3.org/2001/XMLSchema#string"
                    MustBePresent="false" />
                <xacml3:AttributeDesignator
                    AttributeId="com.axiomatics.object.label"
                    Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                    DataType="http://www.w3.org/2001/XMLSchema#string"
                    MustBePresent="false" />
            </xacml3:Apply>
        </xacml3:Condition>
    </xacml3:Rule>
</xacml3:Policy>
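As an added example (not code from the answer or from Axiomatics), the following small Python evaluator builds a XACML 3.0 request carrying the question's multi-valued labels, resolves the two AttributeDesignators from the policy above into bags, and applies string-at-least-one-member-of under first-applicable. It also makes visible that a policy with only this Deny rule answers NotApplicable, not Permit, when the labels do not overlap, so a further permit rule is needed for the Permit the question expects; the request layout and the helper names are assumptions.

```python
# Added example (not Axiomatics code): evaluate the denyIfSameContent policy
# above against a constructed XACML 3.0 request carrying multi-valued labels.
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
SUBJECT_CAT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
STRING = "http://www.w3.org/2001/XMLSchema#string"

def build_request(subject_label, object_label):
    """Constructed request: one <Attribute> holding several <AttributeValue>
    children is how a multi-valued label reaches the PDP as a bag."""
    def attr(attr_id, values):
        vals = "".join(f'<AttributeValue DataType="{STRING}">{escape(v)}</AttributeValue>'
                       for v in values)
        return f'<Attribute AttributeId="{attr_id}" IncludeInResult="false">{vals}</Attribute>'
    return (f'<Request xmlns="{XACML}" ReturnPolicyIdList="false" CombinedDecision="false">'
            f'<Attributes Category="{SUBJECT_CAT}">{attr("com.axiomatics.user.label", subject_label)}</Attributes>'
            f'<Attributes Category="{RESOURCE_CAT}">{attr("com.axiomatics.object.label", object_label)}</Attributes>'
            '</Request>')

def designator(request_xml, category, attr_id):
    """AttributeDesignator semantics: the bag of string values for this category and
    AttributeId; an absent attribute is an empty bag (the policy sets MustBePresent="false")."""
    root = ET.fromstring(request_xml)
    ns = {"x": XACML}
    bag = []
    for attrs in root.findall("x:Attributes", ns):
        if attrs.get("Category") != category:
            continue
        for a in attrs.findall("x:Attribute", ns):
            if a.get("AttributeId") == attr_id:
                bag.extend(v.text or "" for v in a.findall("x:AttributeValue", ns))
    return bag

def string_at_least_one_member_of(bag1, bag2):
    """string-at-least-one-member-of: true if any value in bag1 equals
    (case-sensitively) some value in bag2."""
    return any(v in bag2 for v in bag1)

def evaluate_policy(request_xml):
    """first-applicable over the single Deny rule: Deny when the condition holds,
    otherwise the rule, and so the policy, is NotApplicable; Permit needs a further rule."""
    user_label = designator(request_xml, SUBJECT_CAT, "com.axiomatics.user.label")
    object_label = designator(request_xml, RESOURCE_CAT, "com.axiomatics.object.label")
    if string_at_least_one_member_of(user_label, object_label):
        return "Deny"
    return "NotApplicable"
```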
Comments:
The Eclipse plugin (alfa-to-xacml) does not seem to recognize the apply firstApplicable in your example.
Did you include system.alfa in your Eclipse project?
Yes, I did. The problem was that I had defined denyOverrides earlier. Problem solved, thanks!
Here is a good article on combining algorithms: axiomatics.com/blog/understanding-xacml-combining-algorithms