Re: [xacml-dev] Handling repetitions of Attribute Category/Id/Issuer/DataType in XACML Request

[Steven Legg <steven.legg@viewds.com>]

Hi Cyril,

On 9/07/2015 9:35 AM, Cyril DANGERVILLE wrote:
> Hello,
> I have issues understanding what a conformant PDP should do in the cases described below according to the XACML Core specification. Could you please tell me what is the expected behavior?
>
> 1) If a given <Request> contains multiple <Attributes> elements with the same Category value, and the PDP does not support the Multiple Decision Profile? (Is the PDP supposed to merge them? Or consider it "unsupported functionality" (§7.19.1) and therefore return "Indeterminate"? Or?)

Merging the <Attributes> would not produce the effect that the PEP is expecting,
so the safe thing to do is to return Indeterminate. Better no answer than the
wrong answer.

> 2) If a given <Request> contains multiple <Attribute> elements with the same Category, AttributeId, DataType and Issuer (undefined or same value)? (Is the PDP supposed to merge the AttributeValues? Or consider it invalid syntax and therefore return "Indeterminate"? Or?)

The <Attribute> elements don't have a Category or DataType XML attribute. The
DataType XML attribute is on the <AttributeValue> element. Overall, the
specification isn't clear on whether multiple <Attribute> elements with the same
AttributeId and Issuer are permitted, except for Section 7.3.3:

    "If a single <Attribute> element in a request context contains multiple
     <AttributeValue> child elements, then the bag of values resulting from
     evaluation of the <Attribute> element MUST be identical to the bag of
     values that results from evaluating a context in which each <AttributeValue>
     element appears in a separate <Attribute> element, each carrying identical
     meta-data."

So it appears possible and on that basis I've implemented the attribute
designator to collect the values from all <Attribute> elements that match.

Regards,
Steven

> Thanks for your help.
>
> Regards,
> Cyril