OASIS Mailing List Archives

xacml-users message



Subject: RE: [xacml-users] Sample with matching attributes of subj and resource


Thanks to Seth and Anne, I'm good now.

Ok, finally, this one worked:

==================
            <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                        <SubjectAttributeDesignator
                            AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                            DataType="http://www.w3.org/2001/XMLSchema#string"/>
                    </Apply>
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                        <ResourceAttributeDesignator
                            AttributeId="owner-id"
                            DataType="http://www.w3.org/2001/XMLSchema#string"/>
                    </Apply>
                </Apply>
            </Condition>
==================

This one worked too:
==================
            <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                    <SubjectAttributeDesignator
                        AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                        DataType="http://www.w3.org/2001/XMLSchema#string"/>
                </Apply>
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                    <ResourceAttributeDesignator
                        AttributeId="owner-id"
                        DataType="http://www.w3.org/2001/XMLSchema#string"/>
                </Apply>
            </Condition>
==================

The first one has similar policies in the conformance tests; the second one
doesn't. I guess that, looking at the schema, one should understand that the
second one is a valid condition.

Now, this one didn't work:
==================
            <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <SubjectAttributeDesignator
                        AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                        DataType="http://www.w3.org/2001/XMLSchema#string"/>
                    <ResourceAttributeDesignator
                        AttributeId="owner-id"
                        DataType="http://www.w3.org/2001/XMLSchema#string"/>
            </Condition>
==================

SunXACML complained about illegal types. Debugging shows that the string-equal
func expects a single value, but gets a bag. So, the attr designator
returns a bag. A surprise for me.

Thanks,
Argyn





> -----Original Message-----
> From: Seth.Proctor@Sun.COM [mailto:Seth.Proctor@Sun.COM] 
> Sent: Wednesday, September 29, 2004 12:21 PM
> To: Anne.Anderson@Sun.COM
> Cc: Kuketayev, Argyn; xacml-users@lists.oasis-open.org
> Subject: Re: [xacml-users] Sample with matching attributes of 
> subj and resource
> 
> 
> 
> > For XACML 1.0/1.1, use function Id 
> > urn:oasis:names:tc:xacml:1.0:function:boolean-equal
> > and remove the <Apply ...> and </Apply> tags.
> 
> Actually, I think you want to remove the Condition element and change 
> the remaining top-level Apply into Condition:
> 
>    <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>      ...
> 
> 
> seth
> 
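
The bag-versus-single-value mismatch reported in the message above can be caught by a static check before a policy is loaded into a PDP. The following is an added example, not part of the original thread and not SunXACML code: a Python sketch that type-checks a `<Condition>` against an assumed three-function subset of XACML 1.0. The names `SIGNATURES`, `kind` and `check_condition` and the sample strings are illustrative assumptions.

```python
import xml.etree.ElementTree as ET

FN = "urn:oasis:names:tc:xacml:1.0:function:"
# Assumed subset: (argument kinds, result kind); None = variadic single values.
SIGNATURES = {
    FN + "string-equal": (("value", "value"), "value"),
    FN + "string-one-and-only": (("bag",), "value"),
    FN + "or": (None, "value"),
}

def kind(node, errors):
    """Return 'bag' or 'value' for an expression node, recording type errors."""
    name = node.tag.rsplit("}", 1)[-1]          # drop any XML namespace
    if name.endswith("AttributeDesignator") or name == "AttributeSelector":
        return "bag"                            # designators always yield a bag
    if name == "AttributeValue":
        return "value"
    fid = node.get("FunctionId")                # Condition and Apply carry one
    if fid not in SIGNATURES:
        errors.append(f"function not in this sketch: {fid}")
        return "value"
    params, result = SIGNATURES[fid]
    short = fid.rsplit(":", 1)[-1]
    args = [kind(child, errors) for child in node]
    expected = params if params is not None else ("value",) * len(args)
    if len(args) != len(expected):
        errors.append(f"{short}: expected {len(expected)} arguments, got {len(args)}")
    for pos, (got, want) in enumerate(zip(args, expected), start=1):
        if got != want:
            errors.append(f"{short}: argument {pos} is a {got}, expected a {want}")
    return result

def check_condition(xml_text):
    """Return a list of type errors for one <Condition> element."""
    errors = []
    kind(ET.fromstring(xml_text), errors)
    return errors

# Constructed samples mirroring the conditions in the message.
STR = 'DataType="http://www.w3.org/2001/XMLSchema#string"'
SUBJ = f'<SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" {STR}/>'
RES = f'<ResourceAttributeDesignator AttributeId="owner-id" {STR}/>'
WRAP = f'<Apply FunctionId="{FN}string-one-and-only">{{}}</Apply>'
WORKING = f'<Condition FunctionId="{FN}string-equal">{WRAP.format(SUBJ)}{WRAP.format(RES)}</Condition>'
FAILING = f'<Condition FunctionId="{FN}string-equal">{SUBJ}{RES}</Condition>'

if __name__ == "__main__":
    for label, cond in (("wrapped", WORKING), ("bare designators", FAILING)):
        print(label, "->", check_condition(cond) or "ok")
```

The check covers only bag/single-value kinds, not data types, so a real linter would extend `SIGNATURES` with the full function table from the specification.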

