
我已經編寫了一個使用 XPath 2.0 功能的策略(見下文),用於 WSO2 Identity Server。我在 XPathVersion 元素中指定了正確的值,但仍然收到指向 XPath 表達式的錯誤,表明該表達式沒有被當作 XPath 2.0 來評估。(問題標題:帶有 XPath 2.0 XPathVersion 的 WSO2 Identity Server XACML 策略)

我非常確定 WSO2 Identity Server 沒有使用 XPathVersion 元素的值,因爲當我把它改成某個無效值(例如「this-is-not-a-valid-xpath-version」)時,它並沒有抱怨,仍然照樣計算 XPath 表達式。

我的策略(不過作爲 XPath 1.0 時它是可以運作的):

<Policy PolicyId="application-dashu" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" Version="1.0" xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"> 
    <!-- XACML 3.0 policy for the "dashu" application. It declares XPath 2.0 for its
         AttributeSelector paths; the thread reports that the PDP under test does not
         honour this element and evaluates the paths as XPath 1.0. -->
    <PolicyDefaults> 
    <XPathVersion>http://www.w3.org/TR/2007/REC-xpath20-20070123</XPathVersion> 
    </PolicyDefaults> 
    <!-- Applicability: the resource's target-namespace attribute must equal the dashu
         schema URN. MustBePresent="true" turns a missing attribute into Indeterminate
         instead of NotApplicable. -->
    <Target> 
    <AnyOf> 
     <AllOf> 
     <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal"> 
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">urn:siphon-io:schema:application:dashu</AttributeValue> 
      <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:target-namespace" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#anyURI" MustBePresent="true"/> 
     </Match> 
     </AllOf> 
    </AnyOf> 
    </Target> 
    <!-- The only rule is a Permit; there is no Deny rule, so with deny-overrides a
         request this rule does not match results in NotApplicable (per the XACML
         combining-algorithm semantics), not Deny. -->
    <Rule Effect="Permit" RuleId="permit-index"> 
    <!-- Condition: action-id == "index" AND every resource tag (as "{Name}value") is
         contained in the subject's SAML attribute values (also as "{Name}value").
         string-subset(A, B) is true when A is a subset of B; an empty A is a subset of
         any B, so a resource Instance with no Tag children would satisfy this
         condition. NOTE(review): confirm that is the intended outcome. -->
    <Condition> 
     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and"> 
     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> 
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only"> 
      <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/> 
      </Apply> 
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">index</AttributeValue> 
     </Apply> 
     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset"> 
      <!-- First bag: resource Content /Instance/Tag, each rendered as "{" + @Name + "}" + text().
           The trailing concat(...) step is XPath 2.0 syntax; XPath 1.0 does not allow a
           function call as a path step. MustBePresent="false" makes missing Content an
           empty bag rather than Indeterminate. -->
      <AttributeSelector 
      MustBePresent="false" 
      Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" 
      Path="/*[namespace-uri()='urn:siphon-io:schema:application:dashu' and local-name()='Instance']/*[namespace-uri()='urn:siphon-io:schema:application:dashu' and local-name()='Tag']/concat('{', attribute::Name, '}', text())" 
      DataType="http://www.w3.org/2001/XMLSchema#string" 
      /> 
      <!-- Second bag: subject Content SAML Assertion/AttributeStatement/Attribute/AttributeValue,
           each rendered as "{" + parent Attribute/@Name + "}" + text(), so a value only
           matches a tag when the SAML attribute Name agrees too. -->
      <AttributeSelector 
      MustBePresent="false" 
      Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" 
      Path="/*[namespace-uri()='urn:oasis:names:tc:SAML:2.0:assertion' and local-name()='Assertion']/*[namespace-uri()='urn:oasis:names:tc:SAML:2.0:assertion' and local-name()='AttributeStatement']/*[namespace-uri()='urn:oasis:names:tc:SAML:2.0:assertion' and local-name()='Attribute']/*[namespace-uri()='urn:oasis:names:tc:SAML:2.0:assertion' and local-name()='AttributeValue']/concat('{', parent::node()/attribute::Name, '}', text())" 
      DataType="http://www.w3.org/2001/XMLSchema#string" 
      /> 
     </Apply> 
     </Apply> 
    </Condition> 
    </Rule> 
</Policy> 

我的要求:

<p0:Request CombinedDecision="false" ReturnPolicyIdList="false" xmlns:p0="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"> 
    <!-- Subject category: the Content carries a complete SAML 2.0 assertion that the
         policy's subject AttributeSelector walks. As shown here the assertion has no
         ds:Signature child; the PDP evaluates it exactly as supplied, so any
         verification of the assertion must have happened in the component that built
         this request (not visible on this page). -->
    <p0:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"> 
    <p0:Content> 
     <saml:Assertion ID="_u5Ik0MW0G5jNlnFsYG6DGvl7j0WEmBJR" IssueInstant="2013-12-12T23:11:02.354Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"> 
     <saml:Issuer>urn:movingdata.auth0.com</saml:Issuer> 
     <saml:Subject> 
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">auth0|b939821bd143c2d075e2feaf0220b6ed09212cc9</saml:NameID> 
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> 
      <saml:SubjectConfirmationData InResponseTo="request-1386889754280-nusav-zotop-rizul" NotOnOrAfter="2013-12-13T00:11:02.354Z" Recipient="http://dashboard.dbsu.com/auth/saml2/sso/post"/> 
      </saml:SubjectConfirmation> 
     </saml:Subject> 
     <saml:Conditions NotBefore="2013-12-12T23:11:02.354Z" NotOnOrAfter="2013-12-13T00:11:02.354Z"> 
      <saml:AudienceRestriction/> 
     </saml:Conditions> 
     <saml:AttributeStatement> 
      <saml:Attribute Name="urn:siphon-io:customer:dbsu:project"> 
      <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">99-101</saml:AttributeValue> 
      </saml:Attribute> 
      <saml:Attribute Name="urn:siphon-io:customer:dbsu:project"> 
      <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">99-102</saml:AttributeValue> 
      </saml:Attribute> 
      <saml:Attribute Name="urn:siphon-io:customer:dbsu:project"> 
      <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">99-103</saml:AttributeValue> 
      </saml:Attribute> 
     </saml:AttributeStatement> 
     <saml:AuthnStatement AuthnInstant="2013-12-12T23:11:02.354Z"> 
      <saml:AuthnContext> 
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef> 
      </saml:AuthnContext> 
     </saml:AuthnStatement> 
     </saml:Assertion> 
    </p0:Content> 
    </p0:Attributes> 
    <!-- Three SAML Attribute elements above share the Name
         urn:siphon-io:customer:dbsu:project with values 99-101, 99-102, 99-103. The
         xsi:type="xs:anyType" values use an "xs" prefix that is not declared anywhere in
         this document; this does not affect well-formedness, but the QName cannot be
         resolved by a schema-aware consumer. -->
    <!-- Resource category: the Content holds the application Instance with one Tag
         (99-101) for the policy's resource AttributeSelector, plus the
         target-namespace attribute matched by the policy Target. -->
    <p0:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"> 
    <p0:Content> 
     <p1:Instance xmlns:p1="urn:siphon-io:schema:application:dashu" Host="dashboard.dbsu.com" ID="81ffe0de0ab298abf33f582e3909b9c6de1f7e97"> 
     <p1:Tag Name="urn:siphon-io:customer:dbsu:project">99-101</p1:Tag> 
     </p1:Instance> 
    </p0:Content> 
    <p0:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:target-namespace" IncludeInResult="false"> 
     <p0:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">urn:siphon-io:schema:application:dashu</p0:AttributeValue> 
    </p0:Attribute> 
    </p0:Attributes> 
    <!-- Action category: action-id "index", which the rule's string-equal test expects. -->
    <p0:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"> 
    <p0:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false"> 
     <p0:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">index</p0:AttributeValue> 
    </p0:Attribute> 
    </p0:Attributes> 
</p0:Request> 

回答


WSO2 Identity Server 附帶的是 Xalan 2.7.1(可以在 /lib/endorsed 下找到),而 Xalan 2.7.1 不支持 XPath 2.0,因此 Identity Server 不支持 XPath 2.0。這是 Identity Server 的一個已知問題。我想我們可以從發行版中移除 Xalan 2.7.1,改用 Saxon 之類的東西(我沒有嘗試過),估計會在不久的將來發布。不過,我用最新版本 4.5.0 嘗試了您的策略和請求。正如您所提到的,「concat」函數存在一些問題,可能是由於 XPath 2.0 的問題;一旦我移除「concat」,它就按預期工作。以下是我修改後的策略,它按您預期返回「Permit」(許可)。

<Policy PolicyId="application-dashu" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" Version="1.0" xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"> 
    <!-- Answer's variant of the policy: identical to the original except that both
         AttributeSelector paths end in text() instead of a concat(...) step, which keeps
         them valid XPath 1.0. The XPathVersion value below is unchanged and still names
         XPath 2.0. -->
    <PolicyDefaults> 
    <XPathVersion>http://www.w3.org/TR/2007/REC-xpath20-20070123</XPathVersion> 
    </PolicyDefaults> 
    <!-- Applicability: resource target-namespace must equal the dashu schema URN. -->
    <Target> 
    <AnyOf> 
     <AllOf> 
     <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal"> 
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">urn:siphon-io:schema:application:dashu</AttributeValue> 
      <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:target-namespace" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#anyURI" MustBePresent="true"/> 
     </Match> 
     </AllOf> 
    </AnyOf> 
    </Target> 
    <Rule Effect="Permit" RuleId="permit-index"> 
    <!-- Condition: action-id == "index" AND every resource Tag text is among the
         subject's SAML AttributeValue texts (string-subset: first bag is a subset of
         the second). Because the Name qualification was dropped, a value from ANY
         SAML Attribute now satisfies ANY Tag with the same text, regardless of the
         attribute or tag Name - the limitation the follow-up comment points out.
         As before, an empty resource bag (no Tag children, or missing Content since
         MustBePresent="false") is a subset of any bag and therefore satisfies the
         condition. -->
    <Condition> 
     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and"> 
     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> 
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only"> 
      <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/> 
      </Apply> 
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">index</AttributeValue> 
     </Apply> 
     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset"> 
      <!-- First bag: text of every /Instance/Tag in the resource Content. -->
      <AttributeSelector 
      MustBePresent="false" 
      Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" 
      Path="/*[namespace-uri()='urn:siphon-io:schema:application:dashu' and local-name()='Instance']/*[namespace-uri()='urn:siphon-io:schema:application:dashu' and local-name()='Tag']/text()" 
      DataType="http://www.w3.org/2001/XMLSchema#string" 
      /> 
      <!-- Second bag: text of every AttributeValue under every SAML Attribute in the
           subject Content; the Attribute step has no predicate on @Name. -->
      <AttributeSelector 
      MustBePresent="false" 
      Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" 
      Path="/*[namespace-uri()='urn:oasis:names:tc:SAML:2.0:assertion' and local-name()='Assertion']/*[namespace-uri()='urn:oasis:names:tc:SAML:2.0:assertion' and local-name()='AttributeStatement']/*[namespace-uri()='urn:oasis:names:tc:SAML:2.0:assertion' and local-name()='Attribute']/*[namespace-uri()='urn:oasis:names:tc:SAML:2.0:assertion' and local-name()='AttributeValue']/text()" 
      DataType="http://www.w3.org/2001/XMLSchema#string" 
      /> 
     </Apply> 
     </Apply> 
    </Condition> 
    </Rule> 
</Policy> 

是的,這基本上就是我目前已有的做法。問題在於它沒有考慮 SAML 屬性或 Instance 標籤的 Name,而我正是用這些 Name 來簡化用戶配置文件和應用程序實例的委派管理。我想答案大概就是「是的,這行不通。」 – deoxxa
