OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xacml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: policy guarding


Hello,

I have an problem concerning the guarding of policy(sets). I set up an 
RBAC scneario, where i have a policyset for a client role, which 
references two policy sets, one for requests and one for responses on 
specific actions. The request policies defaults to deny, the responses 
defaults to permit. Now, i encounter the problem, that if the request 
policy denies a request, the evaluation result returns "permit", because 
the response policy defaults to permit.
Now, i tried to solve the problem guarding the request and response 
policy sets within the targets of the policy sets allowing only specific 
actions for request or responses respectively. So that only those 
request actions can pass to the request policy rules, and response 
requests to the response policy rules, which are predefined. But, it 
does not work. I ever get the result "not applicable", even if I send a 
request including an action attribute stated in the policy set target. 
Did I completely misunderstood something ?

Any hints are welcome
Lutz

P.S.:Here are the policy files and a request and result:
____________________
Top level policy set client:

<PolicySet PolicySetId="biocase:role:client" 
PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
  <Target>
    <Subjects>
      <Subject>
        <SubjectMatch 
MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
          <AttributeValue 
DataType="http://www.w3.org/2001/XMLSchema#anyURI";>biocase:role_values:client</AttributeValue>
          <SubjectAttributeDesignator 
AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" 
DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
        </SubjectMatch>
      </Subject>
    </Subjects>
    <Resources>
      <AnyResource/>
    </Resources>
    <Actions>
      <AnyAction/>
    </Actions>
  </Target>
  
<PolicySetIdReference>biocase:rolepermissions:client-request</PolicySetIdReference>
  
<PolicySetIdReference>biocase:rolepermissions:client-response</PolicySetIdReference>
</PolicySet>
________________________________
client request policy set:
<PolicySet PolicySetId="biocase:rolepermissions:client-request" 
PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
  <Target>
    <Subjects>
      <AnySubject/>
    </Subjects>
    <Resources>
      <AnyResource/>
    </Resources>
    <Actions>
        <ActionMatch 
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue 
DataType="http://www.w3.org/2001/XMLSchema#string";>scan-request</AttributeValue>
          <ActionAttributeDesignator 
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" 
DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </ActionMatch>
    </Actions>
  </Target>
  <Policy PolicyId="biocase:permissions:client-request" 
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
    <Target>
      <Subjects>
        <AnySubject/>
      </Subjects>
      <Resources>
        <AnyResource/>
      </Resources>
      <Actions>
        <AnyAction/>
      </Actions>
    </Target>
    <Rule RuleId="biocase:permission:permit_capabilities" Effect="Permit">
      <Target>
        <Subjects>
          <AnySubject/>
        </Subjects>
        <Resources>
          <Resource>
            <ResourceMatch 
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue 
DataType="http://www.w3.org/2001/XMLSchema#string";>any</AttributeValue>
              <ResourceAttributeDesignator 
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" 
DataType="http://www.w3.org/2001/XMLSchema#string"/>
            </ResourceMatch>
          </Resource>
        </Resources>
        <Actions>
          <Action>
            <ActionMatch 
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue 
DataType="http://www.w3.org/2001/XMLSchema#string";>capabilities-request</AttributeValue>
              <ActionAttributeDesignator 
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" 
DataType="http://www.w3.org/2001/XMLSchema#string"/>
            </ActionMatch>
          </Action>
        </Actions>
      </Target>
    </Rule>
    <Rule RuleId="biocase:permission:permit_scan" Effect="Permit">
      <Target>
        <Subjects>
          <AnySubject/>
        </Subjects>
        <Resources>
          <Resource>
            <ResourceMatch 
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue 
DataType="http://www.w3.org/2001/XMLSchema#string";>/DataSets/DataSet/Units/Unit/Identifications/Identification/TaxonIdentified/ScientificNameAtomized/Botanical/Genus</AttributeValue>
              <ResourceAttributeDesignator 
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" 
DataType="http://www.w3.org/2001/XMLSchema#string"/>
            </ResourceMatch>
          </Resource>
        </Resources>
        <Actions>
          <Action>
            <ActionMatch 
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue 
DataType="http://www.w3.org/2001/XMLSchema#string";>scan-request</AttributeValue>
              <ActionAttributeDesignator 
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" 
DataType="http://www.w3.org/2001/XMLSchema#string"/>
            </ActionMatch>
          </Action>
        </Actions>
      </Target>
    </Rule>
    <Rule RuleId="permission:DefaultRule" Effect="Deny">
      <Target>
        <Subjects>
          <AnySubject/>
        </Subjects>
        <Resources>
          <AnyResource/>
        </Resources>
        <Actions>
          <AnyAction/>
        </Actions>
      </Target>
    </Rule>
  </Policy>
</PolicySet>
___________________________
client response policy set:
<PolicySet PolicySetId="biocase:rolepermissions:client-response" 
PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
  <Target>
    <Subjects>
      <AnySubject/>
    </Subjects>
    <Resources>
      <AnyResource/>
    </Resources>
    <Actions>
        <ActionMatch 
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue 
DataType="http://www.w3.org/2001/XMLSchema#string";>scan-response</AttributeValue>
          <ActionAttributeDesignator 
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" 
DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </ActionMatch>
    </Actions>
  </Target>
  <Policy PolicyId="biocase:permissions:client-response" 
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
    <Target>
      <Subjects>
        <AnySubject/>
      </Subjects>
      <Resources>
        <AnyResource/>
      </Resources>
      <Actions>
        <AnyAction/>
      </Actions>
    </Target>
    <Rule RuleId="biocase:permission:permit_scan_response" Effect="Permit">
      <Target>
        <Subjects>
          <AnySubject/>
        </Subjects>
        <Resources>
          <Resource>
            <ResourceMatch 
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue 
DataType="http://www.w3.org/2001/XMLSchema#string";>any</AttributeValue>
              <ResourceAttributeDesignator 
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" 
DataType="http://www.w3.org/2001/XMLSchema#string"/>
            </ResourceMatch>
          </Resource>
        </Resources>
        <Actions>
          <Action>
            <ActionMatch 
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue 
DataType="http://www.w3.org/2001/XMLSchema#string";>scan-response</AttributeValue>
              <ActionAttributeDesignator 
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" 
DataType="http://www.w3.org/2001/XMLSchema#string"/>
            </ActionMatch>
          </Action>
        </Actions>
      </Target>
    </Rule>
    <Rule RuleId="biocase:permission:permit_capabilities_response" 
Effect="Permit">
      <Target>
        <Subjects>
          <AnySubject/>
        </Subjects>
        <Resources>
          <Resource>
            <ResourceMatch 
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue 
DataType="http://www.w3.org/2001/XMLSchema#string";>any</AttributeValue>
              <ResourceAttributeDesignator 
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" 
DataType="http://www.w3.org/2001/XMLSchema#string"/>
            </ResourceMatch>
          </Resource>
        </Resources>
        <Actions>
          <Action>
            <ActionMatch 
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue 
DataType="http://www.w3.org/2001/XMLSchema#string";>capabilities-response</AttributeValue>
              <ActionAttributeDesignator 
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" 
DataType="http://www.w3.org/2001/XMLSchema#string"/>
            </ActionMatch>
          </Action>
        </Actions>
      </Target>
    </Rule>
    <Rule RuleId="permission:DefaultRule" Effect="Permit">
      <Target>
        <Subjects>
          <AnySubject/>
        </Subjects>
        <Resources>
          <AnyResource/>
        </Resources>
        <Actions>
          <AnyAction/>
        </Actions>
      </Target>
    </Rule>
  </Policy>
</PolicySet>
________________________________________
request:
<Request>
<Subject 
SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" 
DataType="http://www.w3.org/2001/XMLSchema#anyURI";><AttributeValue>biocase:role_values:client</AttributeValue></Attribute>
</Subject>
<Resource>
<Attribute 
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" 
DataType="http://www.w3.org/2001/XMLSchema#string";><AttributeValue>/DataSets/DataSet/Units/Unit/Identifications/Identification/TaxonIdentified/ScientificNameAtomized/Botanical/Genus</AttributeValue></Attribute>
</Resource>
<Action>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" 
DataType="http://www.w3.org/2001/XMLSchema#string";><AttributeValue>scan-request</AttributeValue></Attribute>
</Action>
</Request>
______________________
result:
<Result 
ResourceID="/DataSets/DataSet/Units/Unit/Identifications/Identification/TaxonIdentified/ScientificNameAtomized/Botanical/Genus">
<Decision>NotApplicable</Decision>
<Status>
<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
</Status>
</Result>





[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]