Subject: Re: [xacml-users] Sample with matching attributes of subj and resource
I'm a little puzzled by what you're trying to do here...my comments are inline. I'm fighting a nasty cold today, which is probably why I'm not getting it :)

Kuketayev, Argyn wrote:
> Thanks to Seth and Anne, I'm good now.
>
> Ok, finally, this one worked:
>
> ==================
> <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
>   <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
>       <SubjectAttributeDesignator
>           AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
>           DataType="http://www.w3.org/2001/XMLSchema#string"/>
>     </Apply>
>     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
>       <ResourceAttributeDesignator
>           AttributeId="owner-id"
>           DataType="http://www.w3.org/2001/XMLSchema#string"/>
>     </Apply>
>   </Apply>
> </Condition>
> ==================

That's a valid Condition, but of course the extra "or" function isn't needed, since "string-equal" returns a boolean, as you note in your next example...

> This one worked too:
> ==================
> <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>   <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
>     <SubjectAttributeDesignator
>         AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
>         DataType="http://www.w3.org/2001/XMLSchema#string"/>
>   </Apply>
>   <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
>     <ResourceAttributeDesignator
>         AttributeId="owner-id"
>         DataType="http://www.w3.org/2001/XMLSchema#string"/>
>   </Apply>
> </Condition>
> ==================

Yup. This is really a better way to go. No need for the extra boolean function wrapping your "string-equal" block.

> The first one has similar policies in conformance tests, the second one
> doesn't. I guess, that looking at schema one should understand that the
> second one is a valid condition.

I'm a little unclear why you think that the second example doesn't get tested, but the first one does. I don't think there are any Conditions in the tests that look exactly like your first example, are there? Basically, the goal of the conformance tests is to cover all the normative identifiers (datatypes, etc.) and all the forms of policies and Requests. So, no, there probably isn't a policy that looks exactly like what you've got above, but the tests only need to cover a Condition with a boolean function and some number of nested elements.

> Now, this one didn't work:
> ==================
> <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>   <SubjectAttributeDesignator
>       AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
>       DataType="http://www.w3.org/2001/XMLSchema#string"/>
>   <ResourceAttributeDesignator
>       AttributeId="owner-id"
>       DataType="http://www.w3.org/2001/XMLSchema#string"/>
> </Condition>
> ==================
>
> SunXACML complained for illegal types. Debugging shows that string-equal
> func expects single value, but gets a bag. So, the attr designator
> returns a bag. Surprise for me.

That's right. This shouldn't work. The spec is pretty clear that AttributeDesignators always return bags of values, even if there is only one (or no) matched value. This is why the *-one-and-only functions are provided.

seth
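To make the bag-vs-single-value point concrete, here is a small added example (not from SunXACML or this thread) that evaluates the working and the failing Conditions above with a toy evaluator: designators return bags, string-one-and-only unwraps them, and string-equal rejects a bag the way SunXACML did. The request context (subject-id and owner-id both "alice") is constructed for the example.

```python
import xml.etree.ElementTree as ET

F = "urn:oasis:names:tc:xacml:1.0:function:"
STRING = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"

# Constructed request context: every attribute value is a bag (a list), as the spec requires.
REQUEST = {("Subject", SUBJECT_ID, STRING): ["alice"], ("Resource", "owner-id", STRING): ["alice"]}
class TypeMismatch(Exception):
    """A function received a bag where a single value was required."""
def one_and_only(bag):
    # string-one-and-only: unwrap a bag of exactly one value, otherwise an error.
    if not isinstance(bag, list) or len(bag) != 1:
        raise ValueError("string-one-and-only needs a bag of exactly one value")
    return bag[0]

def string_equal(a, b):
    # string-equal takes two single strings; a bag here is the type error SunXACML reported.
    if isinstance(a, list) or isinstance(b, list):
        raise TypeMismatch("string-equal expects single strings, got a bag")
    return a == b
FUNCTIONS = {F + "string-one-and-only": one_and_only,
             F + "string-equal": string_equal,
             F + "or": lambda *args: any(args)}

def evaluate(elem, request):
    if elem.tag.endswith("AttributeDesignator"):
        # Designators always return a bag, even when exactly one value matches.
        category = elem.tag[:-len("AttributeDesignator")]
        return list(request.get((category, elem.get("AttributeId"), elem.get("DataType")), []))
    return FUNCTIONS[elem.get("FunctionId")](*(evaluate(c, request) for c in elem))

def evaluate_condition(xml_text, request=REQUEST):
    """Return the Condition's boolean, or an 'Indeterminate: ...' string on a type error."""
    try:
        return evaluate(ET.fromstring(xml_text), request)
    except (TypeMismatch, ValueError) as e:
        return "Indeterminate: %s" % e
WORKING = """<Condition FunctionId="{f}string-equal">
  <Apply FunctionId="{f}string-one-and-only">
    <SubjectAttributeDesignator AttributeId="{s}" DataType="{t}"/></Apply>
  <Apply FunctionId="{f}string-one-and-only">
    <ResourceAttributeDesignator AttributeId="owner-id" DataType="{t}"/></Apply>
</Condition>""".format(f=F, s=SUBJECT_ID, t=STRING)
BROKEN = """<Condition FunctionId="{f}string-equal">
  <SubjectAttributeDesignator AttributeId="{s}" DataType="{t}"/>
  <ResourceAttributeDesignator AttributeId="owner-id" DataType="{t}"/>
</Condition>""".format(f=F, s=SUBJECT_ID, t=STRING)
```

evaluate_condition(WORKING) returns True for the constructed request, while evaluate_condition(BROKEN) returns an Indeterminate string because the bare designators hand bags straight to string-equal.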