xacml3

How to use “issuer” tag in ALFA plugin?

匆匆过客 submitted on 2020-01-07 01:19:45
Question: I am writing some administrative policies on the ALFA plugin but I found out there's no such function in it. Does anyone know about this aspect?
Answer 1: You would have to generate the issuer element separately using an ant script and some logic to generate the value of the issuer field, e.g. by adding the DN of a certificate. It all depends on how your XACML engine implements delegation. ALFA itself doesn't do anything to the issuer field. Cheers, David.
Source: https://stackoverflow.com/questions/25128025/how

How to Manage Trust between PEP and PDP

心已入冬 submitted on 2020-01-03 17:10:12
Question: I am working with a distributed scenario in which I have multiple instances of PEP and PDP. In such a scenario, how will the PDP validate that a XACML request is coming from my trusted PEP?
Answer 1: There can be different ways to trust the PEP. It is not clearly mentioned in the spec. But it is mentioned that you must use SSL and an authentication mechanism (such as Basic/Digest authentication). Also there is a SAML-XACML profile that talks about PEP-PDP communication. But I guess, following two simple

XACML type for bags

有些话、适合烂在心里 submitted on 2019-12-25 02:25:49
Question: What is the XACML type for a bag? My condition function is string-at-least-one-member-of, and I'm using the string-bag function in my request. What data type DataType do I give the AttributeDesignator for the bag? My condition is:
<xacml3:Condition>
  <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
    <xacml3:AttributeDesignator AttributeId="test:xacml:1.0:county" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml

Multiple Decisions Profile Policy in XACML 3.0

末鹿安然 submitted on 2019-12-24 04:18:49
Question: I have a requirement to write a policy for a particular user; it will return the XACML response like this:
This policy is based on a single user: bob
FirstName: Create = true, Read = true, Update = true, Delete = false
MiddleName: Create = true, Read = true, Update = true, Delete = false
LastName: Create = true, Read = true, Update = true, Delete = false
How to write a XACML policy for such a requirement, and how will the request look for the same policy? How to achieve this policy using

How to deal with deep level granularization with XACML in enterprise application

你说的曾经没有我的故事 submitted on 2019-12-23 19:57:13
Question: I am using IS WSO2 for authorization with XACML. I am able to achieve authorization for static resources. But I am not sure about the design when it comes to granularization. Example: if I have a method like getCarDetails(Object User) where I should get only those cars which are assigned to this particular user, then how to deal with this with XACML? WSO2 provides support for PIP where we can use custom classes which can fetch data from a database. But I am not sure if we should either make copy of

XACML Obligations

血红的双手。 submitted on 2019-12-13 13:16:28
Question: How do we use obligations in XACML? Any reference will be helpful. The scenario is that the obligations should refer to the PIP and return the result to the PEP. Thanks
---EDIT--- Example from the author's comment:
<ObligationExpressions>
  <ObligationExpression ObligationId="EmailObligation" FulfillOn="Permit">
    <AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:text">
      <AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:1.0:subject

XACML Policy and Request

点点圈 submitted on 2019-12-11 20:44:10
Question: First, I would like to mention that this is certainly a novice question, but I have been looking for hours now and I do not have an answer. I just started trying XACML for academic purposes. I use the editor provided with wso2-is to write some policies and to evaluate them against some requests. I created this policy to express that the subject u can read or write from a resource d:
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="test-bis" RuleCombiningAlgId="urn:oasis:names:tc

How to use XACML and PIP in real application?

一个人想着一个人 submitted on 2019-12-11 09:50:10
Question: How to cover the following scenario using XACML (with WSO2 PDP) and PIP (if required)? In a Used Car application, in a particular location, salespersons are allowed to view-update car prices. They can only view cars which are assigned to them. Now from a XACML perspective, we can create a policy for the salesperson role and, based on location, hide the particular menus. But what to do with the method getCarDetails(Object User){...}? Here, based on UserID (salesperson), we will show the list. How to design this

Is it possible to compare attributes in a XACML policy?

青春壹個敷衍的年華 submitted on 2019-12-10 09:57:21
Question: The following rule says subjects with role "acme_manager" can perform any action on the resource "/acme/widgets":
<Rule Effect="Permit" RuleId="PermitRule">
  <Condition>
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/acme/widgets</AttributeValue>
        <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category=