casbin / jcasbin

An authorization library that supports access control models like ACL, RBAC, ABAC in Java
https://casbin.org
Apache License 2.0

ArrayIndexOutOfBoundsException when combining ABAC and RBAC #311

Closed TraMiu closed 1 year ago

TraMiu commented 1 year ago

I want to combine ABAC and RBAC models for my project and this is my initial model:

[image]

Where I enforce sub and obj as Objects; act and targetProperty as String. This is my test:

[image]

As you can see, the targetProperty is one of the properties of the obj that I want to check if sub can act on it. And filters are the requirements for other properties of the obj. For example, supervisor can read gpa of students whose birth place is "hcm".

Here is how I store policy database in MySQL:

[image]

However, it came up with this OutOfBoundsException although I can load the policy successfully.

[image]

While debugging, I tried to reduce the size of the matcher (just checking if actions match)

[image]

When I use e.enforce(bob, "read", "gpa", alice) => the result was true. But when I use e.enforce(bob, "eat", "gpa", alice) => the result was still the above error.

I have tried the examples for ABAC and RBAC models and they worked on my computer, but not this combined model. Could you show me a way to debug this or a better way to combine RBAC and ABAC models?

Tell me if you need more information. Thank you

casbin-bot commented 1 year ago

@tangyang9464 @imp2002

OutOfEastGate commented 1 year ago

@TraMiu Thank you for your feedback. I've found the reason.

[picture]

As shown in the figure, the array initialization is three because of the vacancy of v0, but there are four when assigning values. I will solve this problem immediately.

OutOfEastGate commented 1 year ago

@TraMiu

[picture]

Can you tell me how this null value is generated? And what adapter did you use?

OutOfEastGate commented 1 year ago

@TraMiu
This problem is caused by the fact that the eval expression is null. When defining the policy, you should assign a default value (true or false) to the eval expression so that OutOfBoundsException does not appear.
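
One way to apply the advice above before policy rows reach the enforcer, as an added example that is not part of this thread or of jCasbin's code. The four-field policy layout, the eval column positions, the `r_sub.role` attribute and the sample rows are assumptions (the real model and table are only in the screenshots), and `"false"` as the default assumes the matcher ANDs its eval() terms, so a rule with a missing expression grants nothing.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/** Added example: checks policy rows before they are handed to the enforcer. */
public class PolicyRowCheck {
    // Assumed policy definition (hypothetical): p = sub_rule, act, target_property, filter
    static final int FIELD_COUNT = 4;
    // Columns that the matcher passes to eval() (assumed positions).
    static final int[] EVAL_COLUMNS = {0, 3};

    /** Returns a copy of the row with empty eval expressions replaced by defaultExpr. */
    static List<String> normalize(List<String> row, String defaultExpr) {
        if (row.size() != FIELD_COUNT) {
            throw new IllegalArgumentException(
                "expected " + FIELD_COUNT + " fields, got " + row.size() + ": " + row);
        }
        List<String> out = new ArrayList<>(row);
        for (int col : EVAL_COLUMNS) {
            String v = out.get(col);
            if (v == null || v.trim().isEmpty()) {
                out.set(col, defaultExpr); // explicit default instead of a null expression
            }
        }
        for (int i = 0; i < out.size(); i++) {
            if (out.get(i) == null) { // non-eval fields have no safe default
                throw new IllegalArgumentException("field " + i + " is null: " + row);
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample rows, as they might come back from the policy table.
        List<List<String>> rows = Arrays.asList(
            Arrays.asList("r_sub.role == \"supervisor\"", "read", "gpa", "r_obj.birthPlace == \"hcm\""),
            Arrays.asList(null, "read", "gpa", "r_obj.birthPlace == \"hcm\""), // NULL sub_rule
            Arrays.asList("r_sub.role == \"supervisor\"", "read", "gpa"));     // short row
        for (List<String> row : rows) {
            try {
                System.out.println("ok   " + normalize(row, "false"));
            } catch (IllegalArgumentException e) {
                System.out.println("skip " + e.getMessage());
            }
        }
    }
}
```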

TraMiu commented 1 year ago

I got it now, thank you very much! In addition, I am working on the case where I have multiple object types and I stored all of the policies for those objects in the same adapter. For example, if I have a new DummyResource here that does not have the .birthPlace attribute like object Student

[image]

This exception will occur:

Exception in thread "main" com.googlecode.aviator.exception.ExpressionRuntimeException: Could not find variable r_obj.birthPlace

I tried to work around this situation by adding a new column (the resource role) to the database and checking the user roles and resource roles before evaluating the sub_rule in the matcher

[image]

Hoping that if the resource roles do not match, the matcher will skip that policy, so that the exception will not occur. However, it did not work.

Is there a better way to address this, or should I have different enforcers for different object types?

hsluoyz commented 1 year ago

@TraMiu plz create a new issue for a new question, also, review the PR: https://github.com/casbin/jcasbin/pull/314 for this issue

github-actions[bot] commented 1 year ago

:tada: This issue has been resolved in version 1.31.2 :tada:

The release is available on:

Your semantic-release bot :package::rocket: