xacml

Hierarchical attributes in XACML Policy

别等时光非礼了梦想. submitted on 2021-02-07 09:28:34
Question: We are using WSO2 Identity Server 5.1.0. We have a location hierarchy like Plant1->Area1->unit1. Now if a user has an attribute for Plant1, he should get access to unit1 as well (all children of the parent in a tree). Can we specify this in XACML? We have the hierarchy stored in DB. We can provide the list of hierarchical elements as a list of attributes also if so required. Problem explained in sample: A user bob has been given access to area2 as shown below: Plant1 |--Area1 |-

XACML implementation

纵然是瞬间 submitted on 2020-02-26 08:28:30
Question: I am a novice to XACML policies. Can you tell me how to implement XACML policies? I have tried different APIs. But for my project I need to implement a XACML evaluation engine. So, can you help me by providing the implementation details? Which language will be best suited for implementing the evaluation engine? Thanks in advance.
Answer 1: I guess implementing a XACML evaluation engine is not an easy task. You need to go through the XACML specification at https://www.oasis-open.org/committees/xacml/

How to use “issuer” tag in ALFA plugin?

匆匆过客 submitted on 2020-01-07 01:19:45
Question: I am writing some administrative policies on the ALFA plugin but I found out there's no such function in it. Does anyone know about this aspect?
Answer 1: You would have to generate the issuer element separately using an Ant script and some logic to generate the value of the issuer field, e.g. by adding the DN of a certificate. It all depends on how your XACML engine implements delegation. ALFA itself doesn't do anything to the issuer field. Cheers, David.
Source: https://stackoverflow.com/questions/25128025/how

How to Manage Trust between PEP and PDP

心已入冬 submitted on 2020-01-03 17:10:12
Question: I am working with a distributed scenario in which I have multiple instances of PEP and PDP. In such a scenario, how will the PDP validate that a XACML request is coming from my trusted PEP?
Answer 1: There can be different ways to trust the PEP. It is not clearly mentioned in the spec. But it is mentioned that you must use SSL and an authentication mechanism (such as Basic/Digest authentication). Also there is a SAML-XACML profile that talks about PEP-PDP communication. But I guess, following two simple

Fine-grained authorization for web applications

≯℡__Kan透↙ submitted on 2020-01-01 03:16:06
Question: I have a C# .NET application which serves both the company's internal users and external customers. I need to do fine-grained authorization like who accesses what resource. So I need something like resource-based or attribute-based rather than role-based authorization. What comes to my mind is to either: Implement my own authorization mechanism and SQL tables for my .NET application; Use/implement a standard mechanism, like a software that has implemented XACML (for instance Axiomatics) The

Fiware IDM : Dynamic permission resource

六月ゝ 毕业季﹏ submitted on 2019-12-24 10:59:50
Question: I've deployed an application based on Fiware generic enablers, in Docker. The versions are: Orion 1.14; Cygnus 1.9.0; Authzforce 5.4.1; Keyrock: the latest; Pep-proxy: 7.0.1. But when I want to create a permission in Keyrock I can't find a specific syntax or character sequence to enter a dynamic resource in the resource field like: /resource1/<user>/info, or to specify only the resource prefix like: /resource2/<whatever>. Really exists the syntax for the dynamic resource and authzforce can

Multiple Decisions Profile Policy in XACML 3.0

末鹿安然 submitted on 2019-12-24 04:18:49
Question: I have a requirement to write a policy for a particular user that will return the XACML response like this:
This policy is based on single user: bob
FirstName: Create = true, Read = true, Update = true, Delete = false
MiddleName: Create = true, Read = true, Update = true, Delete = false
LastName: Create = true, Read = true, Update = true, Delete = false
How to write a XACML policy for such a requirement and how will the request look for the same policy? How to achieve this policy using

How to deal with deep level granularization with XACML in enterprise application

你说的曾经没有我的故事 submitted on 2019-12-23 19:57:13
Question: I am using IS WSO2 for authorization with XACML. I am able to achieve authorization for static resources. But I am not sure about the design when it comes to granularization. Example: if I have a method like getCarDetails(Object User) where I should get only those cars which are assigned to this particular user, then how to deal with this in XACML? WSO2 provides support for PIP where we can use custom classes which can fetch data from the database. But I am not sure if we should either make copy of

Unable to start Jetty Server - Error scanning entry META-INF/versions/9/

折月煮酒 submitted on 2019-12-22 09:49:31
Question: When running XACML-PAP-ADMIN and XACML-PAP-REST on Windows 10 with Java jdk1.8.0_144, I get the following error:
Error scanning entry META-INF/versions/9/module-info.class from jar file:///D:/Projects/XACML/XACML-PAP-ADMIN/target/xacml-pap-admin-2.0.0-SNAPSHOT/WEB-INF/lib/log4j-api-2.11.0.jar
Answer 1: That could be linked to your version of Jetty, considering it fails on the log4j 2.11 jar. See this question: log4j 2.9 and later are multi-release jars for Java 9. Make sure to use a Jetty compatible with that, or