Thanks Omindu. It works. But just in case, I'm switching to WSO2 IS 5.3.0 until
the bug is fixed.
Regards,
Jorge.
2017-11-06 17:33 GMT-05:00 Omindu Rathnaweera <[email protected]>:
> Hi Jorge,
>
> Can you try setting the following property to false in
> repository/conf/identity/entitlement.properties file.
>
> PDP.SchemaValidation.Enable=false
>
> The issue is due to IS and IS-KM using different implementations for
> schema validation and it is already tracked under [1]. Note that setting
> the above config will disable schema validation at policy creation. If you
> are concerned about policy validation, you can create the policy in an IS
> instance and upload it to IS-KM using the policy uploader.
>
> [1] - https://wso2.org/jira/browse/IDENTITY-3482
>
> Regards,
> Omindu
>
> On Mon, Nov 6, 2017 at 1:52 PM, Jorge <[email protected]> wrote:
>
>> Hi all.
>>
>> I'm using wso2is-km-5.3.0 to integrate IS as a key manager with WSO2 AM
>> 2.1.0, and I also want to create some XACML policies for ESB proxies in WSO2
>> Enterprise Integrator.
>>
>> If I use the Simple Policy Editor for a simple policy I get errors like
>> this:
>>
>> [2017-11-06 16:17:42,332] ERROR
>> {org.wso2.carbon.identity.entitlement.EntitlementUtil}
>> - XACML policy is not valid according to the schema
>> :cvc-complex-type.2.4.a: Invalid content was
>> found starting with element 'Target'. One of
>> '{"urn:oasis:names:tc:xacml:3.0:core:schema:wd-17":Description,
>> "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17":PolicyIssuer,
>> "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17":PolicyDefaults,
>> "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17":Target}' is expected.
>>
>> [2017-11-06 16:24:09,688] ERROR
>> {org.wso2.carbon.identity.entitlement.EntitlementUtil}
>> - XACML policy is not valid according to the schema
>> :cvc-complex-type.2.4.a: Invalid content was
>> found starting with element 'Description'. One of
>> '{"urn:oasis:names:tc:xacml:3.0:core:schema:wd-17":Description,
>> "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17":PolicyIssuer,
>> "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17":PolicyDefaults,
>> "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17":Target}' is expected.
>>
>> [2017-11-06 16:30:50,896] ERROR
>> {org.wso2.carbon.identity.entitlement.EntitlementUtil}
>> - XACML policy is not valid according to the schema
>> :cvc-complex-type.2.4.a: Invalid content was
>> found starting with element 'Target'. One of
>> '{"urn:oasis:names:tc:xacml:3.0:core:schema:wd-17":Description,
>> "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17":PolicyIssuer,
>> "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17":PolicyDefaults,
>> "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17":Target}' is expected.
>>
>> [2017-11-06 16:34:55,077] ERROR
>> {org.wso2.carbon.identity.entitlement.EntitlementUtil}
>> - XACML policy is not valid according to the schema
>> :cvc-complex-type.2.4.a: Invalid content was
>> found starting with element 'Target'. One of
>> '{"urn:oasis:names:tc:xacml:3.0:core:schema:wd-17":Description,
>> "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17":PolicyIssuer,
>> "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17":PolicyDefaults,
>> "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17":Target}' is expected.
>>
>> [2017-11-06 16:37:04,133] ERROR
>> {org.wso2.carbon.identity.entitlement.EntitlementUtil}
>> - XACML policy is not valid according to the schema
>> :cvc-complex-type.2.4.a: Invalid content was
>> found starting with element 'Target'. One of
>> '{"urn:oasis:names:tc:xacml:3.0:core:schema:wd-17":Description,
>> "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17":PolicyIssuer,
>> "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17":PolicyDefaults,
>> "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17":Target}' is expected.
>>
>>
>> If I use wso2is-5.3.0 for the same policy, all works OK...
>>
>>
>> Any idea why?
>>
>> Regards,
>> Jorge.
>>
>>
>> Sample policy:
>>
>> <Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
>>         PolicyId="AccesoAdmin"
>>         RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
>>         Version="1.0">
>>   <Target>
>>     <AnyOf>
>>       <AllOf>
>>         <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">https://WorkSoftDevelop:8245/services/getUserDataPS</AttributeValue>
>>           <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
>>                                Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
>>                                DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
>>         </Match>
>>       </AllOf>
>>     </AnyOf>
>>   </Target>
>>   <Rule Effect="Permit" RuleId="Rule-1">
>>     <Target>
>>       <AnyOf>
>>         <AllOf>
>>           <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
>>             <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
>>                                  Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
>>                                  DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
>>           </Match>
>>         </AllOf>
>>       </AnyOf>
>>     </Target>
>>     <Condition>
>>       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
>>         <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
>>         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
>>         <AttributeDesignator AttributeId="http://wso2.org/claims/role"
>>                              Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
>>                              DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
>>       </Apply>
>>     </Condition>
>>   </Rule>
>>   <Rule Effect="Permit" RuleId="Rule-2">
>>     <Target>
>>       <AnyOf>
>>         <AllOf>
>>           <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
>>             <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
>>                                  Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
>>                                  DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
>>           </Match>
>>         </AllOf>
>>       </AnyOf>
>>     </Target>
>>     <Condition>
>>       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
>>         <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
>>         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
>>         <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
>>                              Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
>>                              DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
>>       </Apply>
>>     </Condition>
>>   </Rule>
>>   <Rule Effect="Deny" RuleId="Deny-Rule"/>
>> </Policy>
>>
>> _______________________________________________
>> Dev mailing list
>> [email protected]
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>>
>
>
> --
> Omindu Rathnaweera
> Senior Software Engineer, WSO2 Inc.
> Mobile: +94 771 197 211
>
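
With PDP.SchemaValidation.Enable=false nothing checks a policy's structure at creation time, so a basic pre-upload check has to happen outside the server. The following is an added example, not part of the original thread and not WSO2 code: `lint_policy`, `split_tag` and `SAMPLE` are hypothetical names, and the script checks only the top-level element order and attributes that the XACML 3.0 schema requires of `<Policy>`, so it does not replace full schema validation in an IS instance.

```python
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
# Leading children of <Policy> in schema order: the four names the
# cvc-complex-type.2.4.a error in this thread lists as expected.
HEAD = ["Description", "PolicyIssuer", "PolicyDefaults", "Target"]

# Constructed sample, cut down from the policy posted in the thread.
SAMPLE = f"""<Policy xmlns="{NS}" PolicyId="AccesoAdmin" Version="1.0"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Target/>
  <Rule Effect="Permit" RuleId="Rule-1"/>
  <Rule Effect="Deny" RuleId="Deny-Rule"/>
</Policy>"""


def split_tag(tag):
    """Split ElementTree's '{namespace}local' tag into (namespace, local)."""
    ns, _, local = tag[1:].partition("}") if tag.startswith("{") else ("", "", tag)
    return ns, local


def lint_policy(xml_text):
    """Return a list of top-level structural problems (empty if none found)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if split_tag(root.tag) != (NS, "Policy"):
        return [f"root element {root.tag} is not a XACML 3.0 Policy"]
    problems = [f"Policy is missing attribute {a}"
                for a in ("PolicyId", "Version", "RuleCombiningAlgId")
                if not root.get(a)]
    position = -1  # index in HEAD of the last leading child seen
    for child in root:
        ns, local = split_tag(child.tag)
        if ns != NS:
            problems.append(f"<{local}> is not in the XACML 3.0 namespace")
        elif local in HEAD:
            if HEAD.index(local) <= position:
                problems.append(f"<{local}> is repeated or out of order")
            position = max(position, HEAD.index(local))
        elif position < HEAD.index("Target"):
            problems.append(f"<{local}> appears before the required <Target>")
        elif local == "Rule" and child.get("Effect") not in ("Permit", "Deny"):
            problems.append(f"Rule {child.get('RuleId')!r} has an invalid Effect")
    if position < HEAD.index("Target"):
        problems.append("Policy has no <Target> child")
    return problems


if __name__ == "__main__":
    print(lint_policy(SAMPLE) or "no structural problems found")
```
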