2015-11-23 29 views
1

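WSO2 Identity XACML - are condition statements supported?

I ran into a problem with the XACML Version 3 syntax validator inside the WSO2 XML editor, which refuses to insert a statement. I plan to add a list of attributes in place of a single attribute check. Below is a printout of the statement rejected by the XACML syntax validator: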

This simple condition with a "string-bag" throws a schema error:

<xacml3:Condition>
  <xacml3:Apply functionid="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
    <xacml3:Apply functionid="urn:oasis:names:tc:xacml:1.0:function:string-bag">
      <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Curitiba</xacml3:AttributeValue>
      <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Bahia</xacml3:AttributeValue>
      <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Belem</xacml3:AttributeValue>
    </xacml3:Apply>
    <xacml3:AttributeDesignator Category=" urn:oasis:names:tc:xacml:3.0:attribute-category:environment" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:environment-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></xacml3:AttributeDesignator>
  </xacml3:Apply>
</xacml3:Condition>

The error message displayed is:

Entitlement policy is not updated. Error is :Invalid Entitlement Policy. Policy is not valid according to XACML schema 

This condition with the "or" logical operator works fine:

<xacml3:Condition>
  <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
    <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
      <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Curitiba</xacml3:AttributeValue>
      <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:environment-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></xacml3:AttributeDesignator>
    </xacml3:Apply>
    <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
      <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Brasilia</xacml3:AttributeValue>
      <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:environment-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></xacml3:AttributeDesignator>
    </xacml3:Apply>
  </xacml3:Apply>
</xacml3:Condition>

As shown above, the statement describing the condition is inserted as the very last part of the rule.

Does the WSO2 PAP support the use of attribute lists and, if so, can this error be explained by a mistake in the syntax construction?

I am looking on the web for a public syntax and schema validator, a utility that can help debug similar problems with XACML V3 syntax compliance.

+0

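Today I found an online XML (XACML) validation tool that works well. It can be accessed at the following URL: http://www.freeformatter.com/xml-validator-xsd.html, and it can load the XSD (schema) file directly from the OASIS source: http://docs.oasis-open.org/xacml/3.0/xacml-core-v3-schema-wd-17.xsd. This helps debug the correctness of the source, mainly for test cases.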

Answers

0

The Axiomatics Policy Administration Point tells you exactly where the error in your condition is:

org.xml.sax.SAXParseException; lineNumber: 13; columnNumber: 99; cvc-complex-type.3.2.2: Attribute 'functionid' is not allowed to appear in element 'xacml3:Apply'. 
    at org.apache.xerces.util.ErrorHandlerWrapper.createSAXParseException(Unknown Source) 
    at org.apache.xerces.util.ErrorHandlerWrapper.error(Unknown Source) 
    at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source) 
    at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source) 
    at org.apache.xerces.impl.xs.XMLSchemaValidator$XSIErrorReporter.reportError(Unknown Source) 
    at org.apache.xerces.impl.xs.XMLSchemaValidator.reportSchemaError(Unknown Source) 
    at org.apache.xerces.impl.xs.XMLSchemaValidator.processAttributes(Unknown Source) 
    at org.apache.xerces.impl.xs.XMLSchemaValidator.handleStartElement(Unknown Source) 
    at org.apache.xerces.impl.xs.XMLSchemaValidator.startElement(Unknown Source) 
    at org.apache.xerces.impl.XMLNSDocumentScannerImpl.scanStartElement(Unknown Source) 
    at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown Source) 
    at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source) 
    at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source) 
    at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source) 
    at org.apache.xerces.parsers.XMLParser.parse(Unknown Source) 
    at org.apache.xerces.parsers.DOMParser.parse(Unknown Source) 
    at org.apache.xerces.jaxp.DocumentBuilderImpl.parse(Unknown Source) 
    at javax.xml.parsers.DocumentBuilder.parse(Unknown Source) 
    at com.axiomatics.delegent.client.commons.importer.PolicyImporter.importInputStream(PolicyImporter.java:285) 
    at com.axiomatics.delegent.client.commons.importer.PolicyImporter.importFile(PolicyImporter.java:264) 

More specifically, it says:

Attribute 'functionid' is not allowed to appear in element 'xacml3:Apply'.

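This is an XML validation error. The XACML schema does not expect an XML attribute called functionid inside the XML element Apply.

It expects FunctionId instead. All you have to do is apply the correct capitalization, and the policy import will work like a charm.

By the way, why are you using urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of?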

+0

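A good question. As far as XACML is concerned, a better decision could indeed be obtained by asking whether "the city name is not a member of the list" would trigger a "Deny" decision. The current logic checks whether the city name is a member of the list, which is a fairly frequent logical condition, and enforces a Permit through the statement. Is there a way to reverse it?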
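
The case mismatch diagnosed in the answer above can be caught before schema validation. The following is an added example, not code from the original posts or from WSO2 or Axiomatics: a small Python lint that reports attributes whose name differs only in case from the ones the XACML 3.0 schema defines, with the line of the offending tag. The `ALLOWED` table, the function name and the shortened sample are assumptions of this example and cover only the elements used on this page.

```python
import xml.parsers.expat

# Attribute names defined by the XACML 3.0 core schema for the elements
# used on this page (subset chosen for this example; extend as needed).
ALLOWED = {
    "Apply": {"FunctionId"},
    "AttributeValue": {"DataType"},
    "AttributeDesignator": {"Category", "AttributeId", "DataType",
                            "MustBePresent", "Issuer"},
}

def lint_attribute_case(xml_text):
    """Return (line, element, found, expected) for every attribute whose
    name matches a schema attribute only when case is ignored."""
    findings = []
    parser = xml.parsers.expat.ParserCreate()  # no namespace processing

    def start(name, attrs):
        local = name.split(":")[-1]            # drop the xacml3: prefix
        by_lower = {a.lower(): a for a in ALLOWED.get(local, ())}
        for attr in attrs:
            expected = by_lower.get(attr.lower())
            if expected and attr != expected:
                findings.append((parser.CurrentLineNumber, local,
                                 attr, expected))

    parser.StartElementHandler = start
    parser.Parse(xml_text, True)
    return findings

# Constructed sample: the rejected condition from the question, shortened.
SAMPLE = """<xacml3:Condition>
<xacml3:Apply functionid="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
  <xacml3:Apply functionid="urn:oasis:names:tc:xacml:1.0:function:string-bag">
    <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Curitiba</xacml3:AttributeValue>
  </xacml3:Apply>
</xacml3:Apply>
</xacml3:Condition>"""

if __name__ == "__main__":
    for line, element, found, expected in lint_attribute_case(SAMPLE):
        print(f"line {line}: <{element}> has '{found}', schema expects '{expected}'")
```
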

0

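I have isolated the XACML syntax error in the sequence of statements that defines the "string-bag" element (see the sample code below). With the syntax fixed, the condition now serves to validate the name of the city against a list of options: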

<xacml3:Condition> 
<xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of"> 
    <xacml3:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:environment-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></xacml3:AttributeDesignator> 
    <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag"> 
     <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Brasilia</xacml3:AttributeValue> 
     <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Curitiba</xacml3:AttributeValue> 
     <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Bahia</xacml3:AttributeValue> 
     <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Porto Alegre</xacml3:AttributeValue> 
     <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Rio de Janeiro</xacml3:AttributeValue> 
     <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">São Paulo</xacml3:AttributeValue> 
    </xacml3:Apply> 
</xacml3:Apply>