
xacml-dev message



Subject: Re: [xacml-users] XACML 2.0 Conformance Tests Questions



On Tue, 2008-04-22 at 11:07 -0700, Oleg Gryb wrote:
> Hi,
> 
> I've a question about XACML 2.0 conformance tests that
> are published here:
> http://www.oasis-open.org/committees/download.php/14846/xacml2.0-ct-v.0.4.zip
> 
> This test suite is a great asset for those who want
> to evaluate their PDP implementations. I found/fixed a
> great many bugs in my own XACMLight
> (http://sourceforge.net/projects/xacmllight)
> implementation, however there are a few tests from
> the mandatory suite that I want to ask you about. They
> are:
> 
> 1. IIA002Request.xml

Check the IIA002Special.txt file included in the test suite.

> 2. IIB010Request.xml
> 3. IIB021Request.xml
> 4. IIB028Request.xml
> 5. IIB037Request.xml


> In #4 and #2 the multiple subjects are used in the
> request. When I read XACML 2.0's section 2.4, I got an
> impression that if multiple subjects are provided in
> request, ALL of them must be evaluated and matched
> against a SubjectMatch in the policy, because access
> is granted to all of them or to none of them. In #4
> and #2 only one subject is matched against target, but
> suggested response for both cases is "Permit". I think
> it should be "NotApplicable" in both cases.

No, you got that wrong. Read section 7.5 on how SubjectMatch
is evaluated.

> 
> In #5 and #3 the <Condition> is missing. According to
> XACML 2.0 the rule with missing condition should be
> evaluated to "true". Since Target is matched by
> request in both cases the decision should be "Permit",
> but the suggested decision is "NotApplicable".

The target in #3 is not matched in the subject part,
since the attribute issuer in the request is:
Issuer="http://www.medico.com/certification-authority"

and the required issuer in the policy is:
Issuer="http://www.medico.com"

In #5 again the issuer is different (this time in the Resource section):
Issuer="http://www.medico.com/Certification-Authority" for the policy
and Issuer="http://www.medico.com/Cert-Auth" for the request.


Cheers,

Ludwig Seitz

-- 
Ludwig Seitz
Ph.D., Researcher
Security, Policy and Trust Laboratory (SPOT)
Swedish Institute of Computer Science (SICS)
homepage: http://www.sics.se/~ludwig
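
Added example, not part of the original message and not code from XACMLight or the conformance suite: a simplified Python model of the two points in the reply, that a SubjectMatch is satisfied when any selected attribute value matches (section 7.5) and that a designator's Issuer is compared by exact string equality. It treats all request subjects as one subject category and omits Indeterminate; the attribute id and values are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

STRING = "http://www.w3.org/2001/XMLSchema#string"

@dataclass(frozen=True)
class Attribute:            # one <Attribute> of a request <Subject>
    attribute_id: str
    value: str
    issuer: Optional[str] = None
    data_type: str = STRING

@dataclass(frozen=True)
class SubjectMatch:         # string-equal match: literal vs. designator
    attribute_id: str
    literal: str
    issuer: Optional[str] = None   # Issuer on the designator, if present
    data_type: str = STRING

def select(m: SubjectMatch, subjects: List[List[Attribute]]) -> List[str]:
    """Bag of values the designator picks up across all request subjects."""
    return [a.value for subject in subjects for a in subject
            if a.attribute_id == m.attribute_id
            and a.data_type == m.data_type
            # Issuer is compared only when the designator names one,
            # and then by exact string equality.
            and (m.issuer is None or a.issuer == m.issuer)]

def subject_match(m: SubjectMatch, subjects: List[List[Attribute]]) -> bool:
    """True as soon as one value in the bag equals the literal."""
    return any(v == m.literal for v in select(m, subjects))

def rule_decision(m: SubjectMatch, subjects, effect: str = "Permit") -> str:
    """Rule whose target is this single SubjectMatch and has no <Condition>."""
    return effect if subject_match(m, subjects) else "NotApplicable"

# Constructed sample data; attribute id and values are hypothetical.
ROLE = "urn:example:attr:role"
CA = "http://www.medico.com/certification-authority"  # issuer quoted in the thread
two_subjects = [[Attribute(ROLE, "physician")], [Attribute(ROLE, "clerk")]]
issued = [[Attribute(ROLE, "physician", issuer=CA)]]

if __name__ == "__main__":
    print(rule_decision(SubjectMatch(ROLE, "physician"), two_subjects))
    print(rule_decision(SubjectMatch(ROLE, "physician", "http://www.medico.com"), issued))
```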




