xacml-users message


Subject: Re: [xacml-users] Beginner query


Paul,

The Web Services Profile for XACML (WS-XACML) has a "must-be-present" 
function, but since it hasn't been implemented yet, that doesn't solve 
your problem.

With the existing implementations, you can write a condition that will 
accept any value for the Attribute, e.g. (I may have the exact syntax 
for these expressions wrong, but you can get the idea):

     <!-- String attribute: ".*" matches any value -->
     <Apply FunctionId="...:regular-expression-match">
        <AttributeValue DataType="...#string">.*</AttributeValue>
        <AttributeDesignator AttributeId="X" DataType="...#string"/>
     </Apply>

     <!-- Integer attribute: any value is either >= 0 or < 0 -->
     <Apply FunctionId="...:or">
        <Apply FunctionId="...:integer-greater-than-or-equal">
            <AttributeDesignator AttributeId="X" DataType="...#integer"/>
            <AttributeValue DataType="...#integer">0</AttributeValue>
        </Apply>
        <Apply FunctionId="...:integer-less-than">
            <AttributeDesignator AttributeId="X" DataType="...#integer"/>
            <AttributeValue DataType="...#integer">0</AttributeValue>
        </Apply>
     </Apply>

Regards,
Anne Anderson


Paul Edwards wrote:

> Hi,
> 
> I hope I'm mailing the correct place. 
> 
> I am wanting to permit a request, provided certain attributes are
> present. I don't care about their value, just the fact that they are
> present. I cannot see any way of doing this without implementing my own
> match function. Is this correct or have I missed something? I believe my
> final policy doc would look like this:
> 
> <?xml version="1.0" encoding="UTF-8"?>
> <Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
>         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>         xsi:schemaLocation="http://www.oasis-open.org/tc/xacml/1.0/cs-xacml-schema-policy-01.xsd"
>         RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
> 
>     <Description>Policy template for attribute checking</Description>
>         
>     <!-- This policy document applies to all requests -->      
>     <Target>
>       <Subjects>
>         <AnySubject/>
>       </Subjects>
>       <Resources>
>         <AnyResource/>
>       </Resources>
>       <Actions>
>         <AnyAction/>
>       </Actions>
>     </Target>      
>           
>     <!-- Rules for attributes -->      
>     <Rule RuleId="EmailRule" Effect="Permit">
>       <Description>Allow Email address</Description>
>       <Target>
>         <Subjects>
>           <Subject>
>             <SubjectMatch MatchId="isPresent">
>               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string"></AttributeValue>
>               <SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#anyURI"
>                                          AttributeId="emailAddress"/>
>             </SubjectMatch>
>           </Subject>
>         </Subjects>
>         <Resources>
>           <AnyResource/>
>         </Resources>
>         <Actions>
>           <AnyAction/>
>         </Actions>
>       </Target>
>     </Rule>
>  </Policy>
> 
> Thanks
> P.

-- 
Anne H. Anderson               Anne.Anderson@sun.com
Sun Microsystems Labs          1-781-442-0928
Burlington, MA USA
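
The regular-expression approach from the reply, written out as a complete XACML 1.0 policy; this is an added example, not part of either message. It assumes `emailAddress` is supplied as a string subject attribute, uses the standard XACML 1.0 `regexp-string-match` function, and the `PolicyId` and `RuleId` values are made up for illustration. The trailing Deny rule is an addition so that a request without the attribute yields Deny instead of NotApplicable.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example. PolicyId and RuleId values are hypothetical. -->
<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
        PolicyId="example:policy:attribute-presence"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
  <Description>Permit only when the subject carries an emailAddress attribute</Description>

  <!-- The policy itself applies to every request -->
  <Target>
    <Subjects><AnySubject/></Subjects>
    <Resources><AnyResource/></Resources>
    <Actions><AnyAction/></Actions>
  </Target>

  <Rule RuleId="example:rule:email-present" Effect="Permit">
    <Target>
      <Subjects>
        <Subject>
          <!-- First argument is the pattern, second is each value in the
               attribute bag. ".*" accepts any value, including the empty
               string; use ".+" to require a non-empty value. -->
          <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">.*</AttributeValue>
            <!-- Assumption: emailAddress is sent as xs:string. With the
                 default MustBePresent="false", a missing attribute gives an
                 empty bag, the match is false, and this rule does not apply. -->
            <SubjectAttributeDesignator AttributeId="emailAddress"
                                        DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </SubjectMatch>
        </Subject>
      </Subjects>
      <Resources><AnyResource/></Resources>
      <Actions><AnyAction/></Actions>
    </Target>
  </Rule>

  <!-- No Target: inherits the policy Target and matches everything.
       Under permit-overrides it only takes effect when the rule above
       did not apply, so absence of the attribute is an explicit Deny. -->
  <Rule RuleId="example:rule:default-deny" Effect="Deny"/>
</Policy>
```

Without the second rule the policy returns NotApplicable for a subject that lacks the attribute, and the outcome then depends on how the enforcement point treats that result.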


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]