Subject: Re: [xacml-users] XACML 2.0 Conformance Tests Questions
On Tue, 2008-04-22 at 11:07 -0700, Oleg Gryb wrote:
> Hi,
>
> I've a question about XACML 2.0 conformance tests that
> are published here:
> http://www.oasis-open.org/committees/download.php/14846/xacml2.0-ct-v.0.4.zip
>
> This test suite is a great asset for those who want
> to evaluate their PDP implementations. I found/fixed a
> great many bugs in my own XACMLight
> (http://sourceforge.net/projects/xacmllight)
> implementation, however there are few tests from
> mandatory suite that I want to ask you about. They
> are:
>
> 1. IIA002Request.xml

Check the IIA002Special.txt file included in the test suite.

> 2. IIB010Request.xml
> 3. IIB021Request.xml
> 4. IIB028Request.xml
> 5. IIB037Request.xml

> In #4 and #2 the multiple subjects are used in the
> request. When I read XACML 2.0's section 2.4, I got an
> impression that if multiple subjects are provided in
> request, ALL of them must be evaluated and matched
> against a SubjectMatch in the policy, because access
> is granted to all of them or to none of them. In #4
> and #2 only one subject is matched against target, but
> suggested response for both cases is "Permit". I think
> it should be "NotApplicable" in both cases.

No, you got that wrong. Read section 7.5 on how SubjectMatch is evaluated.

>
> In #5 and #3 the <Condition> is missing. According to
> XACML 2.0 the rule with missing condition should be
> evaluated to "true". Since Target is matched by
> request in both cases the decision should be "Permit",
> but the suggested decision is "NotApplicable".

The target in #3 is not matched in the subject part, since the
attribute issuer in the request is:

    Issuer="http://www.medico.com/certification-authority"

and the required issuer in the policy is:

    Issuer="http://www.medico.com"

In #5 again the issuer is different (this time in the Resource section):

    Issuer="http://www.medico.com/Certification-Authority"

for the policy and

    Issuer="http://www.medico.com/Cert-Auth"

for the request.
Cheers,

Ludwig Seitz

--
Ludwig Seitz Ph.D., Researcher
Security, Policy and Trust Laboratory (SPOT)
Swedish Institute of Computer Science (SICS)
homepage: http://www.sics.se/~ludwig
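
The two points in the reply above, as an added example that is not part of the original message or of the conformance suite: a simplified Python model of XACML 2.0 match evaluation, where a match holds if any value in the designator's bag satisfies it, and a designator that names an Issuer selects only request attributes carrying exactly that Issuer. The attribute ids, values and function names are constructed for illustration, only the Issuer strings come from the thread, and the target is reduced to a flat list of string-equal matches.

```python
from dataclasses import dataclass
from typing import Optional

STRING = "http://www.w3.org/2001/XMLSchema#string"

@dataclass(frozen=True)
class Attribute:                    # one <Attribute> in the request context
    attribute_id: str
    value: str
    issuer: Optional[str] = None
    data_type: str = STRING

@dataclass(frozen=True)
class Match:                        # one string-equal <SubjectMatch>/<ResourceMatch>
    attribute_id: str
    value: str
    issuer: Optional[str] = None    # Issuer on the attribute designator, if any
    data_type: str = STRING

def designator_bag(match, request_attrs):
    """Select request values by AttributeId and DataType, and by Issuer
    (exact, case-sensitive comparison) only when the designator names one."""
    return [a.value for a in request_attrs
            if a.attribute_id == match.attribute_id
            and a.data_type == match.data_type
            and (match.issuer is None or a.issuer == match.issuer)]

def match_holds(match, request_attrs):
    # True as soon as one value in the bag equals the policy value.
    return any(v == match.value for v in designator_bag(match, request_attrs))

def evaluate_rule(matches, request_attrs, effect="Permit"):
    """Rule without a <Condition>: the effect applies only if the target
    matches; an unmatched target gives NotApplicable."""
    if all(match_holds(m, request_attrs) for m in matches):
        return effect
    return "NotApplicable"

def issuer_case(policy_issuer, request_issuer):
    # Constructed attribute id and value; only the issuers vary.
    request = [Attribute("role", "physician", request_issuer)]
    return evaluate_rule([Match("role", "physician", policy_issuer)], request)

def two_subject_case():
    # Constructed: subject-id values from two request subjects in one bag.
    request = [Attribute("subject-id", "alice"), Attribute("subject-id", "bob")]
    return evaluate_rule([Match("subject-id", "alice")], request)

if __name__ == "__main__":
    print(issuer_case("http://www.medico.com",
                      "http://www.medico.com/certification-authority"))
    print(two_subject_case())
```

A PDP that compares issuers by prefix or case-insensitively would return "Permit" for the two issuer pairs from the thread, which is the kind of over-permissive matching these tests are meant to catch.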