xacml-dev message

Subject: RE: [xacml-dev] Policy editor? Gui?


On Fri, 2004-11-12 at 11:03, Kuketayev, Argyn wrote:
> here's a policy, it's a part of my version of RBAC profile
> implementation
>  
> ======================
>  
> <?xml version="1.0" encoding="UTF-8"?>
> <PolicySet xmlns="urn:oasis:names:tc:xacml:1.0:policy"
>     PolicySetId="RBAC:PPS:role:default"
>     PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
>  
>     <Target/>
>     <Policy PolicyId="RBAC:Permissions:role:default"
>         RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
>         <Target/>
>  
>         <Rule RuleId="FinalRule" Effect="Deny"/>
>     </Policy>
> </PolicySet>
> ======================

The problem is that this is not a valid 1.x policy. The Target may not
be empty. Instead, you need to specify all three Target sections with
the Any* elements (e.g., <AnySubject/>). The SunXACML code doesn't
complain because it doesn't try to reproduce all the error-checking that
can be done using schema validation, which would recognize your policy
as invalid. Try running your policy through a schema checker and it
should complain.


seth
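
The point made in the reply above, as an added example that is not part of the original message or of SunXACML: a Python structural lint (not full schema validation) that flags XACML 1.x Targets missing the mandatory Subjects, Resources and Actions sections, run over the policy as posted and over a corrected form. The names `lint_targets`, `owner_id`, `TEMPLATE`, `AS_POSTED` and `CORRECTED` are hypothetical, and the corrected Target layout is taken from the XACML 1.0 policy schema.

```python
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:1.0:policy"
# Mandatory Target sections in XACML 1.x: (section, wildcard child, specific child)
SECTIONS = [("Subjects", "AnySubject", "Subject"),
            ("Resources", "AnyResource", "Resource"),
            ("Actions", "AnyAction", "Action")]

def q(name):
    return "{%s}%s" % (NS, name)

def owner_id(elem):
    # Identify the PolicySet, Policy or Rule that carries the Target
    return next((elem.get(a) for a in ("PolicySetId", "PolicyId", "RuleId") if elem.get(a)), "?")

def lint_targets(xml_text):
    """Structural check only (not full schema validation): list malformed Targets."""
    findings = []
    for parent in ET.fromstring(xml_text).iter():
        for target in parent.findall(q("Target")):
            if [c.tag for c in target] != [q(s[0]) for s in SECTIONS]:
                findings.append("%s: Target needs Subjects, Resources, Actions" % owner_id(parent))
                continue
            for section, wildcard, specific in SECTIONS:
                kinds = [c.tag for c in target.find(q(section))]
                if kinds != [q(wildcard)] and not (kinds and set(kinds) == {q(specific)}):
                    findings.append("%s: %s needs <%s/> or one or more <%s>"
                                    % (owner_id(parent), section, wildcard, specific))
    return findings

ANY_TARGET = ("<Target><Subjects><AnySubject/></Subjects>"
              "<Resources><AnyResource/></Resources>"
              "<Actions><AnyAction/></Actions></Target>")
# The policy quoted in the thread, with {t} standing in for each Target element
TEMPLATE = """<PolicySet xmlns="urn:oasis:names:tc:xacml:1.0:policy"
    PolicySetId="RBAC:PPS:role:default"
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
  {t}
  <Policy PolicyId="RBAC:Permissions:role:default"
      RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
    {t}
    <Rule RuleId="FinalRule" Effect="Deny"/>
  </Policy>
</PolicySet>"""
AS_POSTED = TEMPLATE.format(t="<Target/>")    # empty Targets, as in the quoted message
CORRECTED = TEMPLATE.format(t=ANY_TARGET)     # all three sections with Any* elements

if __name__ == "__main__":
    for name, doc in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(name, lint_targets(doc) or "ok")
```

A lint like this only covers the Target rule discussed here; validating against the XACML policy schema before loading a policy into the PDP catches the wider class of errors the engine itself does not check.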


