Subject: RE: [xacml-dev] Policy editor? Gui?
I was suspecting that. First I copied policies from the RBAC profile doc. They didn't work with SunXACML, because of incomplete Target elements. So, I put all the Any* stuff there, and it started working. Then I removed elements one by one until it stopped working. That's how I got my minimal policy :)

> -----Original Message-----
> From: Seth Proctor [mailto:Seth.Proctor@Sun.COM]
> Sent: Friday, November 12, 2004 11:30 AM
> To: Kuketayev, Argyn
> Cc: diego gonzalez; xacml-dev@lists.oasis-open.org
> Subject: RE: [xacml-dev] Policy editor? Gui?
>
> On Fri, 2004-11-12 at 11:03, Kuketayev, Argyn wrote:
> > here's a policy, it's a part of my version of RBAC profile
> > implementation
> >
> > ======================
> >
> > <?xml version="1.0" encoding="UTF-8"?>
> > <PolicySet xmlns="urn:oasis:names:tc:xacml:1.0:policy"
> >     PolicySetId="RBAC:PPS:role:default"
> >     PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
> >
> >   <Target/>
> >   <Policy PolicyId="RBAC:Permissions:role:default"
> >       RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
> >     <Target/>
> >
> >     <Rule RuleId="FinalRule" Effect="Deny"/>
> >   </Policy>
> > </PolicySet>
> > ======================
>
> The problem is that this is not a valid 1.x policy. The
> Target may not be empty. Instead, you need to specify all
> three Target sections with the Any* elements (eg,
> <AnySubject/>). The SunXACML code doesn't complain because it
> doesn't try to reproduce all the error-checking that can be
> done using schema validation, which would recognize your
> policy as invalid. Try running your policy through a schema
> checker and it should complain.
>
>
> seth
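Added example, not part of the original messages or of SunXACML: a structural check in Python that flags the empty `<Target/>` elements described above, run on the posted policy and on a constructed corrected version. It checks only the Target shape as a stand-in for full schema validation, and the names `check_targets`, `TEMPLATE`, `EMPTY` and `ANY` are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:1.0:policy"
SECTIONS = ["Subjects", "Resources", "Actions"]  # required children of a 1.x Target, in order

def q(name):
    """Qualify a local element name with the XACML 1.0 policy namespace."""
    return "{%s}%s" % (NS, name)

def check_targets(xml_text):
    """Return a list of Target problems; an empty list means the shape is acceptable."""
    problems = []
    for parent in ET.fromstring(xml_text).iter():
        owner = parent.get("PolicySetId") or parent.get("PolicyId") or parent.get("RuleId")
        target = parent.find(q("Target"))  # direct child only
        if target is None:
            # PolicySet and Policy must carry a Target; a Rule may omit it.
            if parent.tag in (q("PolicySet"), q("Policy")):
                problems.append("%s: no Target element" % owner)
            continue
        found = [child.tag.split("}")[-1] for child in target]
        if found != SECTIONS:
            problems.append("%s: Target has %s, expected %s"
                            % (owner, ", ".join(found) or "no children", ", ".join(SECTIONS)))
        for child in target:
            if len(child) == 0:  # e.g. <Subjects/> without <AnySubject/> or <Subject>
                problems.append("%s: %s is empty" % (owner, child.tag.split("}")[-1]))
    return problems

# The policy from the thread, with the Target left as a slot to fill in.
TEMPLATE = """<PolicySet xmlns="urn:oasis:names:tc:xacml:1.0:policy"
    PolicySetId="RBAC:PPS:role:default"
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
  {target}
  <Policy PolicyId="RBAC:Permissions:role:default"
      RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
    {target}
    <Rule RuleId="FinalRule" Effect="Deny"/>
  </Policy>
</PolicySet>"""
EMPTY = "<Target/>"  # as posted in the thread
ANY = ("<Target><Subjects><AnySubject/></Subjects>"  # constructed corrected form
       "<Resources><AnyResource/></Resources>"
       "<Actions><AnyAction/></Actions></Target>")

if __name__ == "__main__":
    for label, target in (("posted", EMPTY), ("corrected", ANY)):
        print(label, check_targets(TEMPLATE.format(target=target)) or "OK")
```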