RE: [xacml-users] Newbie - problem with regexp-string-match condition

[Craig Forster <cforster@au1.ibm.com>]

Hi Jim,

I think the problem is that the "regexp-string-match" is expecting two
arguments of type string, but the EnvironmentAttributeDesignator is
returning a bag of strings.

Wrap the EnvironmentAttributeDesignator in an Apply with a FunctionId of
"urn:oasis:names:tc:xacml:1.0:function:string-one-and-only" and it should
work fine.

Alternatively, if there may be multiple roles that need to compared you
should be able to use the "any-of" function to perform the regular
expression match on each element of the bag in turn.

Regards,
Craig

---------------------------------------------------------------
Craig Forster
Software Engineer | Australia Development Lab - Tivoli Gold Coast
Blog | http://blogs.tap.ibm.com/weblogs/craigforster/
Argus | https://w3.webahead.ibm.com/w3ki/display/commonauthz/Home
---------------------------------------------------------------


                                                                                                                                 
  From:       <ohaya@cox.net>                                                                                                    
                                                                                                                                 
  To:         xacml-users@lists.oasis-open.org                                                                                   
                                                                                                                                 
  Date:       14/02/2008 16:32                                                                                                   
                                                                                                                                 
  Subject:    RE: [xacml-users] Newbie - problem with regexp-string-match condition                                              
                                                                                                                                 





Hi Nishen,

Thanks for responding.

My apologies, but I'm working with an appliance that has an embedded PEP
and PDP, so I don't have direct access to the XACML request, and for
various reasons, I can't post the entire XACML policy file.

Sorry :(!!

FYI, I did just notice something that I had missed in the appliance logs
earlier, which might be pointing to the problem.  I am getting a warning
that says (paraphrasing a little):

"Compilation warning: Illegal argument: incorrect type. Argument 2 should
be of type string in call to function regexp-string-match, but instead it
is of type bag of string"

I'm starting to think that whatever is in the appliance that is "compiling"
the XACML policy file is having problems with the regular expression.

I am contacting the vendor to check on that, but in the meantime, does that
section of the <Condition> look all right, or, at least "valid" (I'm not
much of a regexp person either)?

Jim


---- Nishen Naidoo <nishen@melcoe.mq.edu.au> wrote:
> Hi there,
>
> It seems you are using the 'EnvironmentAttributeDesignator' throughout.
This
> would imply that the attributes are being sent through in the
'Environment'
> section of the XACML request. Just guessing from some of the names, I am
> assuming that this might not necessarily be the case?
>
> Would it be possible to see the full policy as well as the XACML request
you
> are using as well?
>
> Thanks,
> Nish
>
> ________________________________
>
> Nishen Naidoo
> Research Coordinator
> Macquarie E-Learning Centre of Excellence (MELCOE)
> MACQUARIE UNIVERSITY NSW 2109
>
>
> E-Mail: nishen@melcoe.mq.edu.au
> Phone:  +61 (0)2 98506531
> Mobile: +61 (0)4 30006783
> Fax:    +61 (0)2 98506527
> http://www.melcoe.mq.edu.au/
>
> CRICOS Provider No 00002J
>
> This message is intended for the addressee named and may contain
> confidential information. If you are not the intended recipient, please
> delete it and notify the sender. Views expressed in this message are
those
> of the individual sender, and are not necessarily the views of MELCOE or
> Macquarie University.
> -----Original Message-----
> From: ohaya@cox.net [mailto:ohaya@cox.net]
> Sent: Thursday, 14 February 2008 4:29 PM
> To: xacml-users@lists.oasis-open.org
> Subject: [xacml-users] Newbie - problem with regexp-string-match
condition
>
> Hi,
>
> I am new to the list, and am trying to learn about XACML, but I've run
into
> a problem with some simple testing, and I hope that someone here can
help.
>
> For testing, I had originally created a simple XACML policy file
containing
> a rule with just a simple function:and, with two attributes, i.e.:
>
> accesslevel=HIGH and location=USA.
>
> After  I got that original XACML working, then I extended it to include a
> function:not with a 3rd attribute, i.e.:
>
> (accesslevel=HIGH and (location=USA and role <> BADGUY))
>
> I actually got that 2nd version working, but I found a problem with it,
> because it was giving a PERMIT when the "role" attribute was empty (""),
so
> I thought that I'd try to use a function:regexp-string-match, using a
> regular expression of ^BADGUY$.
>
> The problem is that I can't seem to get this last test to work.
>
> Here's my <Condition> with the function:regexp-string-match:
>
>       <Condition>
>         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
>           <Apply
> FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
>             <AttributeValue
> DataType="http://www.w3.org/2001/XMLSchema#string";>HIGH</AttributeValue>
>             <EnvironmentAttributeDesignator
> DataType="http://www.w3.org/2001/XMLSchema#string";
AttributeId="accesslevel"
> />
>           </Apply>
>           <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
>             <Apply
> FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
>               <AttributeValue
> DataType="http://www.w3.org/2001/XMLSchema#string";>USA</AttributeValue>
>               <EnvironmentAttributeDesignator
> DataType="http://www.w3.org/2001/XMLSchema#string"; AttributeId="location"
/>
>             </Apply>
>             <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
>               <Apply
> FunctionId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
>                 <AttributeValue
> DataType="http://www.w3.org/2001/XMLSchema#string
">^BADGUY$</AttributeValue>
>                 <EnvironmentAttributeDesignator
> DataType="http://www.w3.org/2001/XMLSchema#string"; AttributeId="role" />
>               </Apply>
>             </Apply>
>           </Apply>
>         </Apply>
>       </Condition>
>
> Can anyone tell me what the problem might be with the above?
>
> Thanks,
> Jim
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: xacml-users-unsubscribe@lists.oasis-open.org
> For additional commands, e-mail: xacml-users-help@lists.oasis-open.org
>


---------------------------------------------------------------------
To unsubscribe, e-mail: xacml-users-unsubscribe@lists.oasis-open.org
For additional commands, e-mail: xacml-users-help@lists.oasis-open.org