How to use XACML and PIP in a real application?


Problem description


How to cover the following scenario using XACML (with WSO2 PDP) and PIP (if required).


In a used-car application, at a particular location, salespersons are allowed to view and update car prices. They can only view cars which are assigned to them.


Now from a XACML perspective, we can create a policy for the salesperson role and, based on location, hide particular menus.

But what about the getCarDetails(Object User){...} method?


Here, based on the UserID (salesperson), we will show the list.


How to design this with the XACML specifications?


My understanding of this is: we can use spring-security and add the "salesperson" role on top of this method. But it will only restrict other users from different roles. From there I am confused whether we should use a database call with the userid, as in our traditional applications, to get the list of cars, or whether there is a way to get fine-grained access with XACML?

Recommended answer


Your question contains 2 questions:

  1. How do I model my policy?
  2. How do I protect my application? (enforce the decision)


First of all, let's model your policy in ALFA:


Rule: A sales person can view a car if and only if the car's assigned salesperson identifier is equal to the requesting user's identity.


In ALFA, this becomes:

namespace com.axiomatics{
    /**
     * A sales person can view a car if and only if the car's assigned salesperson 
     * identifier is equal to the requesting user's identity.
     */
    policy viewCars{
        target clause user.role=="sales person" and actionId == "view" and objectType=="car"
        apply firstApplicable
        /**
         * 
         */
        rule allowAssignedUser{
            permit
            condition car.assignedSalesPerson==user.identifier
        }
    }
}

That takes care of your modeling.


Now, with respect to the second question: how do I enforce the authorization? I would argue against mixing roles managed by Spring Security and XACML policies unless you correctly document them.

You can go about this in two ways.

  1. Use the Multiple Decision Profile - this is part of the set of optional profiles of XACML 3.0, or
  2. Use the Reverse Query approach - this is specific to Axiomatics. I am not sure whether WSO2 supports it.


The Multiple Decision Profile (MDP) defines how you can send multiple authorization requests written in xacml to a Policy Decision Point (PDP) using a single request. This saves you several round-trips. The response you will receive will contain as many decisions as authorization requests in the original request sent. You save on transport time and on evaluation time too. Use the MDP when you know how many items you want to protect and when that number is anywhere between 1 and 1,000 but not greater (though, of course, it is always worth a try). You can read more on the MDP on the Axiomatics blog. In your case, the flow would be as follows:

  1. Call getCarDetails(Object user).
  2. Call the underlying db to retrieve all the cars
  3. Call the PDP in an MDP fashion for all the records found to get a decision
  4. Return only those records for which you had a Permit


The main drawback is that you may end up receiving thousands if not millions of records from the database. Using the MDP then is not practical.


The Reverse Query approach is interesting albeit specific to Axiomatics. It defines a new interface on top of a XACML PDP which lets you query the authorization engine in a reverse way. Instead of asking:

  • Can Alice view car #123?

the Reverse Query lets you ask:

  • Which cars can Alice view?


Instead of the response being a Permit or Deny, the response is a filter expression such as a SQL statement e.g.

  • select id from cars where assignedSP='Alice';


All you have to do then is use the SQL statement against your database to query it and return only the entitled data. This works no matter how much data you have in your database. You can find more information on the ARQ SQL via this webinar.
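The four-step MDP flow above, as an added example that is not part of the original answer or of any WSO2/Axiomatics code: it builds one XACML 3.0 JSON Profile multi-decision request for every row the database returned, runs it through a stub PDP that implements the viewCars policy from the ALFA above, and keeps only the rows that got Permit. The attribute identifiers, the sample rows and the stub PDP are all assumptions of this example.

```python
# Constructed sample rows: what the "underlying db" call (step 2) would return.
CARS_FROM_DB = [
    {"id": "123", "assignedSalesPerson": "alice"},
    {"id": "124", "assignedSalesPerson": "bob"},
    {"id": "125", "assignedSalesPerson": "alice"},
]

def build_mdp_request(user, role, cars):
    """Step 3: one JSON Profile request with a RequestReference per car.
    Attribute ids mirror the ALFA names above; they are assumed, not WSO2's."""
    return {"Request": {
        "AccessSubject": [{"Id": "subj", "Attribute": [
            {"AttributeId": "user.identifier", "Value": user},
            {"AttributeId": "user.role", "Value": role}]}],
        "Action": [{"Id": "act", "Attribute": [
            {"AttributeId": "actionId", "Value": "view"}]}],
        "Resource": [{"Id": "car-" + c["id"], "Attribute": [
            {"AttributeId": "objectType", "Value": "car"},
            {"AttributeId": "car.assignedSalesPerson",
             "Value": c["assignedSalesPerson"]}]} for c in cars],
        # The PDP returns one decision per entry, in this order.
        "MultiRequests": {"RequestReference": [
            {"ReferenceId": ["subj", "act", "car-" + c["id"]]} for c in cars]},
    }}

def stub_pdp(mdp_request):
    """Stand-in PDP implementing the viewCars policy (first-applicable, one
    permit rule): Permit if the assigned salesperson equals the requesting
    user, otherwise NotApplicable (a false condition never yields Deny)."""
    req = mdp_request["Request"]
    by_id = {e["Id"]: {a["AttributeId"]: a["Value"] for a in e["Attribute"]}
             for cat in ("AccessSubject", "Action", "Resource") for e in req[cat]}
    decisions = []
    for ref in req["MultiRequests"]["RequestReference"]:
        attrs = {k: v for rid in ref["ReferenceId"] for k, v in by_id[rid].items()}
        in_target = (attrs.get("user.role") == "sales person"
                     and attrs.get("actionId") == "view"
                     and attrs.get("objectType") == "car")
        permit = in_target and attrs["car.assignedSalesPerson"] == attrs["user.identifier"]
        decisions.append({"Decision": "Permit" if permit else "NotApplicable"})
    return {"Response": decisions}

def get_car_details(user, role="sales person", cars=CARS_FROM_DB, pdp=stub_pdp):
    """Steps 1-4 of the MDP flow; a deny-biased PEP keeps only Permit rows."""
    results = pdp(build_mdp_request(user, role, cars))["Response"]
    return [c for c, r in zip(cars, results) if r["Decision"] == "Permit"]
```

Swapping `stub_pdp` for a function that POSTs the same JSON to a real PDP endpoint leaves the filtering unchanged, which is the point of pairing decisions by position.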
