Hi Jorge,

Can you try setting the following property to false in the
<IS-KM_HOME>/repository/conf/identity/entitlement.properties file:

PDP.SchemaValidation.Enable=false

The issue is caused by IS and IS-KM using different implementations for schema
validation; it is already tracked under [1]. Be aware that setting the above
property disables XACML schema validation at policy creation on the IS-KM node:
a policy that does not conform to the XACML 3.0 schema will then be stored
without that check, and any structural problem may only surface later, when the
PDP loads or evaluates the policy. If you want to keep a validation step, author
and validate the policy on a plain IS 5.3.0 instance (where validation works, as
you observed) and upload the resulting XML to IS-KM with the policy uploader.
Re-enable the property once the fix for [1] is applied.

[1] - https://wso2.org/jira/browse/IDENTITY-3482

Regards,
Omindu

On Mon, Nov 6, 2017 at 1:52 PM, Jorge <[email protected]> wrote:

> Hi all.
>
> I'm using wso2is-km-5.3.0 to integrate IS as a Key Manager with WSO2 API Manager
> 2.1.0, and I also want to create some XACML policies for ESB proxies in WSO2
> Enterprise Integrator.
>
> If I use the Simple Policy Editor for a simple policy, I get errors like
> these:
>
> [2017-11-06 16:17:42,332] ERROR 
> {org.wso2.carbon.identity.entitlement.EntitlementUtil}
> -  XACML policy is not valid according to the schema
> :cvc-complex-type.2.4.a: Invalid content was
>  found starting with element 'Target'. One of
> '{"urn:oasis:names:tc:xacml:3.0:core:schema:wd-17":Description,
> "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17":PolicyIssuer, "urn:oasis:
> names:tc:xacml:3.0:core:schema:wd-17":PolicyDefaults,
> "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17":Target}' is expected.
>
> [2017-11-06 16:24:09,688] ERROR 
> {org.wso2.carbon.identity.entitlement.EntitlementUtil}
> -  XACML policy is not valid according to the schema
> :cvc-complex-type.2.4.a: Invalid content was
>  found starting with element 'Description'. One of
> '{"urn:oasis:names:tc:xacml:3.0:core:schema:wd-17":Description,
> "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17":PolicyIssuer, "urn:o
> asis:names:tc:xacml:3.0:core:schema:wd-17":PolicyDefaults,
> "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17":Target}' is expected.
>
> [2017-11-06 16:30:50,896] ERROR 
> {org.wso2.carbon.identity.entitlement.EntitlementUtil}
> -  XACML policy is not valid according to the schema
> :cvc-complex-type.2.4.a: Invalid content was
>  found starting with element 'Target'. One of
> '{"urn:oasis:names:tc:xacml:3.0:core:schema:wd-17":Description,
> "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17":PolicyIssuer, "urn:oasis:
> names:tc:xacml:3.0:core:schema:wd-17":PolicyDefaults,
> "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17":Target}' is expected.
>
> [2017-11-06 16:34:55,077] ERROR 
> {org.wso2.carbon.identity.entitlement.EntitlementUtil}
> -  XACML policy is not valid according to the schema
> :cvc-complex-type.2.4.a: Invalid content was
>  found starting with element 'Target'. One of
> '{"urn:oasis:names:tc:xacml:3.0:core:schema:wd-17":Description,
> "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17":PolicyIssuer, "urn:oasis:
> names:tc:xacml:3.0:core:schema:wd-17":PolicyDefaults,
> "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17":Target}' is expected.
>
> [2017-11-06 16:37:04,133] ERROR 
> {org.wso2.carbon.identity.entitlement.EntitlementUtil}
> -  XACML policy is not valid according to the schema
> :cvc-complex-type.2.4.a: Invalid content was
>  found starting with element 'Target'. One of
> '{"urn:oasis:names:tc:xacml:3.0:core:schema:wd-17":Description,
> "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17":PolicyIssuer, "urn:oasis:
> names:tc:xacml:3.0:core:schema:wd-17":PolicyDefaults,
> "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17":Target}' is expected.
>
>
> If I use wso2is-5.3.0 for the same policy, everything works fine...
>
>
> Any idea why?
>
> Regards,
>                 Jorge.
>
>
> Sample policy (the line breaks inside attribute values and the stray ";" after some URLs are mail-client artifacts, not part of the actual file):
>
> <Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
> PolicyId="AccesoAdmin"
> RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
> Version="1.0">
>    <Target>
>       <AnyOf>
>          <AllOf>
>             <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">https://WorkSoftDevelop:8245/services/getUserDataPS</AttributeValue>
>                <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
>             </Match>
>          </AllOf>
>       </AnyOf>
>    </Target>
>    <Rule Effect="Permit" RuleId="Rule-1">
>       <Target>
>          <AnyOf>
>             <AllOf>
>                <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>                   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
>                   <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
>                </Match>
>             </AllOf>
>          </AnyOf>
>       </Target>
>       <Condition>
>          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
>             <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
>             <AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
>          </Apply>
>       </Condition>
>    </Rule>
>    <Rule Effect="Permit" RuleId="Rule-2">
>       <Target>
>          <AnyOf>
>             <AllOf>
>                <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>                   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
>                   <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
>                </Match>
>             </AllOf>
>          </AnyOf>
>       </Target>
>       <Condition>
>          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
>             <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
>             <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
>          </Apply>
>       </Condition>
>    </Rule>
>    <Rule Effect="Deny" RuleId="Deny-Rule"/>
> </Policy>
>
>
>


-- 
Omindu Rathnaweera
Senior Software Engineer, WSO2 Inc.
Mobile: +94 771 197 211
