OASIS Mailing List Archives
xacml-users message



Subject: Re: [xacml-users] Sample with matching attributes of subj and resource



I'm a little puzzled by what you're trying to do here...my comments are 
inline. I'm fighting a nasty cold today, which is probably why I'm not 
getting it :)

Kuketayev, Argyn wrote:

> Thanks to Seth and Anne, I'm good now.
> 
> Ok, finally, this one worked:
> 
> ==================
> <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
>     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
>             <SubjectAttributeDesignator
>                 AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
>                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
>         </Apply>
>         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
>             <ResourceAttributeDesignator
>                 AttributeId="owner-id"
>                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
>         </Apply>
>     </Apply>
> </Condition>
> ==================

That's a valid Condition, but of course the extra "or" function isn't 
needed, since "string-equal" returns a boolean, as you note in your next 
example...

> This one worked too:
> ==================
> <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
>         <SubjectAttributeDesignator
>             AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
>             DataType="http://www.w3.org/2001/XMLSchema#string"/>
>     </Apply>
>     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
>         <ResourceAttributeDesignator
>             AttributeId="owner-id"
>             DataType="http://www.w3.org/2001/XMLSchema#string"/>
>     </Apply>
> </Condition>
> ==================

Yup. This is really a better way to go. No need for the extra boolean 
function wrapping your "string-equal" block.

> The first one has similar policies in conformance tests, the second one
> doesn't. I guess that, looking at the schema, one should understand that the
> second one is a valid condition.

I'm a little unclear why you think that the second example doesn't get 
tested, but the first one does. I don't think there are any Conditions 
in the tests that look exactly like your first example, are there? 
Basically, the goal of the conformance tests is to cover all the 
normative identifiers (datatypes, etc.) and all the forms of policies 
and Requests. So, no, there probably isn't a policy that looks exactly 
like what you've got above, but the tests only need to cover a Condition 
with a boolean function and some number of nested elements.

> Now, this one didn't work:
> ==================
> <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>     <SubjectAttributeDesignator
>         AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
>         DataType="http://www.w3.org/2001/XMLSchema#string"/>
>     <ResourceAttributeDesignator
>         AttributeId="owner-id"
>         DataType="http://www.w3.org/2001/XMLSchema#string"/>
> </Condition>
> ==================
> 
> SunXACML complained for illegal types. Debugging shows that string-equal
> func expects single value, but gets a bag. So, the attr designator
> returns a bag. Surprise for me.

That's right. This shouldn't work. The spec is pretty clear that 
AttributeDesignators always return bags of values, even if there is only 
one (or no) matched value. This is why the *-one-and-only functions 
are provided.


seth
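The bag-versus-single-value rule discussed in this thread, shown with a toy evaluator. This is an added example, not code from the thread or from SunXACML; it implements only the XACML 1.0 evaluation rules the exchange relies on (designators yield bags, string-one-and-only unwraps a one-element bag, string-equal and or take single values), and the three Condition fragments, the request dictionaries and the attribute values ("alice", "bob", "owner-id") are constructed for the example.

```python
"""Toy XACML 1.0 Condition evaluator (added example, not SunXACML).

Rules modelled, as stated in the thread:
  * an AttributeDesignator always evaluates to a *bag* of values, even
    when zero or one attribute matched;
  * string-one-and-only turns a bag holding exactly one string into that
    string and is an error otherwise;
  * string-equal and or take single (non-bag) arguments.
"""
import xml.etree.ElementTree as ET

FN = "urn:oasis:names:tc:xacml:1.0:function:"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"


class Bag:
    """A bag (multiset) of attribute values: the type every designator returns."""

    def __init__(self, values):
        self.values = list(values)


class ProcessingError(Exception):
    """Raised where a real PDP would report Indeterminate (e.g. a type error)."""


def evaluate(node, request):
    """Evaluate a Condition/Apply/Designator element against a request.

    `request` is a constructed dict of the form
    {"subject": {attr-id: [values]}, "resource": {attr-id: [values]}}.
    """
    if node.tag == "SubjectAttributeDesignator":
        return Bag(request["subject"].get(node.get("AttributeId"), []))
    if node.tag == "ResourceAttributeDesignator":
        return Bag(request["resource"].get(node.get("AttributeId"), []))
    if node.tag in ("Condition", "Apply"):
        args = [evaluate(child, request) for child in node]
        return apply_function(node.get("FunctionId"), args)
    raise ProcessingError(f"unsupported element <{node.tag}>")


def apply_function(function_id, args):
    """Apply one of the standard functions used in the thread."""
    if not function_id.startswith(FN):
        raise ProcessingError(f"unknown function {function_id}")
    name = function_id[len(FN):]
    if name == "string-one-and-only":
        if len(args) != 1 or not isinstance(args[0], Bag):
            raise ProcessingError("string-one-and-only takes exactly one bag")
        if len(args[0].values) != 1:
            raise ProcessingError("bag must contain exactly one value")
        return args[0].values[0]
    # Every other function here takes single values, never bags. This is
    # the type check that rejects the third Condition from the thread.
    if any(isinstance(a, Bag) for a in args):
        raise ProcessingError(f"{name} expects single values but got a bag")
    if name == "string-equal":
        if len(args) != 2:
            raise ProcessingError("string-equal takes exactly two strings")
        return args[0] == args[1]
    if name == "or":
        return any(args)
    raise ProcessingError(f"unknown function {function_id}")


def evaluate_condition(condition_xml, request):
    """Return True/False, or "Indeterminate" when evaluation raises an error."""
    try:
        return evaluate(ET.fromstring(condition_xml), request)
    except ProcessingError:
        return "Indeterminate"


# Constructed Condition fragments mirroring the three from the thread.
SUBJECT_ONE = (f'<Apply FunctionId="{FN}string-one-and-only">'
               f'<SubjectAttributeDesignator AttributeId="{SUBJECT_ID}" DataType="{XS_STRING}"/>'
               '</Apply>')
OWNER_ONE = (f'<Apply FunctionId="{FN}string-one-and-only">'
             f'<ResourceAttributeDesignator AttributeId="owner-id" DataType="{XS_STRING}"/>'
             '</Apply>')
# 1) string-equal wrapped in a redundant "or": valid, just verbose.
CONDITION_WITH_OR = (f'<Condition FunctionId="{FN}or">'
                     f'<Apply FunctionId="{FN}string-equal">{SUBJECT_ONE}{OWNER_ONE}</Apply>'
                     '</Condition>')
# 2) string-equal directly as the Condition function: the recommended form.
CONDITION_PLAIN = f'<Condition FunctionId="{FN}string-equal">{SUBJECT_ONE}{OWNER_ONE}</Condition>'
# 3) designators fed straight to string-equal: bags where strings are expected.
CONDITION_BROKEN = (f'<Condition FunctionId="{FN}string-equal">'
                    f'<SubjectAttributeDesignator AttributeId="{SUBJECT_ID}" DataType="{XS_STRING}"/>'
                    f'<ResourceAttributeDesignator AttributeId="owner-id" DataType="{XS_STRING}"/>'
                    '</Condition>')

# Constructed requests: a subject accessing a resource with a given owner.
REQUEST_OWNER = {"subject": {SUBJECT_ID: ["alice"]}, "resource": {"owner-id": ["alice"]}}
REQUEST_OTHER = {"subject": {SUBJECT_ID: ["bob"]}, "resource": {"owner-id": ["alice"]}}
REQUEST_NO_SUBJECT = {"subject": {}, "resource": {"owner-id": ["alice"]}}

if __name__ == "__main__":
    for label, cond in [("with-or", CONDITION_WITH_OR), ("plain", CONDITION_PLAIN),
                        ("broken", CONDITION_BROKEN)]:
        print(f"{label:8} owner={evaluate_condition(cond, REQUEST_OWNER)} "
              f"other={evaluate_condition(cond, REQUEST_OTHER)} "
              f"no-subject={evaluate_condition(cond, REQUEST_NO_SUBJECT)}")
```

The first two Conditions evaluate to True for the owner and False for anyone else; the third is Indeterminate for every request, because string-equal receives two bags instead of two strings. The no-subject request also ends Indeterminate for the working Conditions: string-one-and-only on an empty bag is an error, which is exactly the "one (or no) matched value" case the spec's bag semantics exist to make explicit.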

