wso2 / balana

Unable to create XACML policy in WSO2 IS Key Manager #99

Closed sanchit31 closed 5 years ago

sanchit31 commented 6 years ago

Hi,

We're trying to add a policy in WSO2 Identity Server Key Manager and are facing this error: "Error while adding entitlement policy. Invalid Entitlement Policy. Policy is not valid according to XACML schema"

Description: The issue occurs due to the invalid format of XACML policy created by Saxon XSLT processor

The Utils class file in balana module (balana\modules\balana-utils\src\main\java\org\wso2\balana\utils) determines which XSLT processor would be used for creating the XML document.

If we keep the Saxon-he-9.4 jar at \wso2is-km-5.3.0\lib\endorsed\
• javax.xml.transform.TransformerFactory creates a Saxon Processor instance
• It also adds an additional attribute xmlns="" in as well as tag in the xml document, leading to an invalid XML format for the policy. So we're unable to add/create the policy

If we remove the Saxon-he-9.4 jar
• javax.xml.transform.TransformerFactory creates a Xalan Processor instance
• The XML created for policy is valid and the policy is added successfully.

Product Version : WSO2 IS - KM - 5.3.0

Steps to reproduce:
1) Log in to WSO2 IS Key Manager
2) In the Main tab on the Home panel on the left, under the Entitlement section, click on Policy administration.
3) Click on Add new Entitlement policy. Refer to the following URL on creating a XACML policy https://docs.wso2.com/display/IS510/Creating+a+XACML+Policy
4) Click on Simple Policy Editor
5) Fill in the form fields and click on Finish.

This issue has also been reported at https://wso2.org/jira/browse/IDENTITY-3482

piraveena commented 4 years ago

This issue is reproducible in IS-km-5.7.0 as well. When running in openjdk only, this issue is reproducible. I tested in oraclejdk-8 and adoptopenjdk-8 as well. But it is not reproducible there.

The following error logs were observed in the carbon console.

XACML policy is not valid according to the schema :cvc-complex-type.2.4.a: Invalid content was found starting with element 'Target'. One of '{"urn:oasis:names:tc:xacml:3.0:core:schema:wd-17":Description, "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17":PolicyIssuer, "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17":PolicyDefaults, "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17":Target}' is expected.
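
A diagnostic for the symptom reported in this thread, added here as an example and not code from the commenters or from balana: it prints which TransformerFactory implementation JAXP resolves on the current classpath and lists the elements of a policy document that fall outside the XACML 3.0 namespace, which is what a child element carrying xmlns="" does. The class name, method names and the sample policy are constructed for illustration.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.xml.sax.InputSource;

public class XacmlNamespaceCheck {
    // XACML 3.0 namespace, as quoted in the schema error in this thread.
    static final String XACML3_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17";

    // Constructed sample (not taken from the report): a child element carrying xmlns="".
    static final String SAMPLE =
        "<Policy xmlns=\"" + XACML3_NS + "\" PolicyId=\"sample\">"
      + "<Target xmlns=\"\"/>"
      + "<Rule Effect=\"Permit\" RuleId=\"r1\"/>"
      + "</Policy>";

    // Returns the paths of all elements that are not in the XACML 3.0 namespace.
    static List<String> elementsOutsideXacmlNamespace(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // needed so getNamespaceURI() reflects xmlns declarations
        // Policy files are untrusted input: refuse DOCTYPE declarations (blocks XXE).
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Element root = dbf.newDocumentBuilder()
            .parse(new InputSource(new StringReader(xml))).getDocumentElement();
        List<String> found = new ArrayList<>();
        walk(root, "", found);
        return found;
    }

    private static void walk(Element e, String parentPath, List<String> found) {
        String path = parentPath + "/" + e.getLocalName();
        if (!XACML3_NS.equals(e.getNamespaceURI()))
            found.add(path + " (namespace: " + e.getNamespaceURI() + ")");
        for (Node n = e.getFirstChild(); n != null; n = n.getNextSibling())
            if (n instanceof Element) walk((Element) n, path, found);
    }

    public static void main(String[] args) throws Exception {
        // Shows which XSLT implementation JAXP resolved on this classpath.
        System.out.println("TransformerFactory: " + TransformerFactory.newInstance().getClass().getName());
        for (String hit : elementsOutsideXacmlNamespace(SAMPLE))
            System.out.println("outside XACML namespace: " + hit);
    }
}
```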

DMHP commented 4 years ago

[IS 5.7.0] https://github.com/wso2-support/balana/pull/6/files