In XACML, you can write policies that take any attribute into account. Attributes are essentially labels that describe a situation. For example, role, citizenship, age and clearance are all user attributes. Page URL, classification and location are attributes of the resource (i.e. what the user is trying to access). You can have attributes about the action (edit, view, delete...) and even about the environment.
In your example, you mention that you want to control access to web pages and that you want to take the time of day into account. To do that, you would write an XACML policy in which you check the page URL and the time of day.
In pseudo-code, this would be:
Permit if resource-id=='/pages/MyPage.jsp' AND current-time>09:00AM AND current-time<05:00PM
In ALFA, the shorthand notation for XACML, this would be:
namespace com.stackoverflow.xacml{
    import Attributes.*
    policy accessPages{
        apply firstApplicable
        rule accessPage1{
            target clause resourceId=="/pages/MyPage.jspx"
                and currentTime>"09:00:00":time
                and currentTime<"17:00:00":time
            permit
        }
    }
}
The Eclipse plugin for ALFA, a free tool, would generate the following XACML 3.0 code from it:
<?xml version="1.0" encoding="UTF-8"?>
<!--This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com).
Any modification to this file will be lost upon recompilation of the source ALFA file-->
<xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicyId="http://axiomatics.com/alfa/identifier/com.stackoverflow.xacml.accessPages"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
    Version="1.0">
  <xacml3:Description />
  <xacml3:PolicyDefaults>
    <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
  </xacml3:PolicyDefaults>
  <xacml3:Target />
  <xacml3:Rule
      Effect="Permit"
      RuleId="http://axiomatics.com/alfa/identifier/com.stackoverflow.xacml.accessPages.accessPage1">
    <xacml3:Description />
    <xacml3:Target>
      <xacml3:AnyOf>
        <xacml3:AllOf>
          <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <xacml3:AttributeValue
                DataType="http://www.w3.org/2001/XMLSchema#string">/pages/MyPage.jspx</xacml3:AttributeValue>
            <xacml3:AttributeDesignator
                AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                DataType="http://www.w3.org/2001/XMLSchema#string"
                Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                MustBePresent="false"
            />
          </xacml3:Match>
          <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:time-less-than-or-equal">
            <xacml3:AttributeValue
                DataType="http://www.w3.org/2001/XMLSchema#time">09:00:00</xacml3:AttributeValue>
            <xacml3:AttributeDesignator
                AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"
                DataType="http://www.w3.org/2001/XMLSchema#time"
                Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
                MustBePresent="false"
            />
          </xacml3:Match>
          <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:time-greater-than-or-equal">
            <xacml3:AttributeValue
                DataType="http://www.w3.org/2001/XMLSchema#time">17:00:00</xacml3:AttributeValue>
            <xacml3:AttributeDesignator
                AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"
                DataType="http://www.w3.org/2001/XMLSchema#time"
                Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
                MustBePresent="false"
            />
          </xacml3:Match>
        </xacml3:AllOf>
      </xacml3:AnyOf>
    </xacml3:Target>
  </xacml3:Rule>
</xacml3:Policy>
Then all you need to do is send the right authorization request from your application to the XACML PDP. Basically, you would be asking:
Can user Alice access page /pages/MyPage.jsp?
The PDP would then reply with Permit, Deny or NotApplicable.
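As an added illustration (not code from the answer, nor from the ALFA plugin or any PDP product), here is a minimal Python evaluator for the generated policy above: it parses the XACML, applies the Match / AllOf / AnyOf / Target semantics and the first-applicable rule-combining algorithm, and answers the "can the user access this page right now?" request. The `ask` helper and the request-as-dict layout are my own assumptions, not part of the XACML standard.

```python
import xml.etree.ElementTree as ET
from datetime import time
NS = {"x": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}
FN = "urn:oasis:names:tc:xacml:1.0:function:"
# In a Match the AttributeValue is the first argument, each value of the designated bag the second.
FUNCTIONS = {FN + "string-equal": lambda a, b: a == b,
             FN + "time-less-than-or-equal": lambda a, b: a <= b,
             FN + "time-greater-than-or-equal": lambda a, b: a >= b}
# The policy generated above with its whitespace compacted; identifiers and values are unchanged.
POLICY = """<xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" Version="1.0"
 PolicyId="http://axiomatics.com/alfa/identifier/com.stackoverflow.xacml.accessPages"
 RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"><xacml3:Target/>
 <xacml3:Rule Effect="Permit" RuleId="http://axiomatics.com/alfa/identifier/com.stackoverflow.xacml.accessPages.accessPage1"><xacml3:Target><xacml3:AnyOf><xacml3:AllOf>
  <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"><xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/pages/MyPage.jspx</xacml3:AttributeValue>
   <xacml3:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false"/></xacml3:Match>
  <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:time-less-than-or-equal"><xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">09:00:00</xacml3:AttributeValue>
   <xacml3:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time" DataType="http://www.w3.org/2001/XMLSchema#time" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" MustBePresent="false"/></xacml3:Match>
  <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:time-greater-than-or-equal"><xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">17:00:00</xacml3:AttributeValue>
   <xacml3:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time" DataType="http://www.w3.org/2001/XMLSchema#time" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" MustBePresent="false"/></xacml3:Match>
 </xacml3:AllOf></xacml3:AnyOf></xacml3:Target></xacml3:Rule></xacml3:Policy>"""

def parse(text, datatype):  # typed value: xs:time becomes datetime.time, anything else stays a string
    return time.fromisoformat(text) if datatype.endswith("#time") else text

def match_true(match, request):
    """A Match holds if the function is true for some value in the designated bag; an empty bag never matches."""
    val, des = match.find("x:AttributeValue", NS), match.find("x:AttributeDesignator", NS)
    bag = request.get((des.get("Category"), des.get("AttributeId")), [])
    lhs = parse(val.text, val.get("DataType"))
    return any(FUNCTIONS[match.get("MatchId")](lhs, parse(v, des.get("DataType"))) for v in bag)

def target_true(target, request):
    """A Target holds if every AnyOf has some AllOf whose Matches all hold; an empty Target always holds."""
    return all(any(all(match_true(m, request) for m in allof.findall("x:Match", NS))
                   for allof in anyof.findall("x:AllOf", NS))
               for anyof in target.findall("x:AnyOf", NS))

def evaluate(policy_xml, request):
    """first-applicable: the first rule whose Target holds decides; no applicable rule gives NotApplicable."""
    policy = ET.fromstring(policy_xml)
    rules = policy.findall("x:Rule", NS) if target_true(policy.find("x:Target", NS), request) else []
    return next((r.get("Effect") for r in rules if target_true(r.find("x:Target", NS), request)), "NotApplicable")

def ask(page, clock):  # assumed request layout: {(Category, AttributeId): bag of raw string values}
    return evaluate(POLICY, {
        ("urn:oasis:names:tc:xacml:3.0:attribute-category:resource", "urn:oasis:names:tc:xacml:1.0:resource:resource-id"): [page],
        ("urn:oasis:names:tc:xacml:3.0:attribute-category:environment", "urn:oasis:names:tc:xacml:1.0:environment:current-time"): [clock]})

if __name__ == "__main__":
    print(ask("/pages/MyPage.jspx", "12:00:00"), ask("/pages/MyPage.jspx", "18:30:00"), ask("/pages/MyPage.jsp", "12:00:00"))
```

Because the generated Matches use the -or-equal functions, the window is inclusive at both ends, and a request that lacks current-time or names a page the rule does not cover yields NotApplicable rather than Deny. The PEP that calls the PDP should therefore treat anything other than Permit as a denial.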
You can look at the diverse rules example explained in this blog, which will help you understand how to restrict users based on conditions: http://pushpalankajaya.blogspot.in/2013/06/writing-xacml-30-policies-diverse-rules.html http://pushpalankajaya.blogspot.in/2013/06/xacml-30-policies-restricting.html – Utsav