xacml-users message



Subject: Re: [xacml-users] does XACML v2 allow multiple values' attribute<-- It works now


I found the reason why the decision was "NotApplicable" - in your policy set with ID 'PPS:account:manager:role' you had spaces around 'AccountInformation':

<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">
                AccountInformation
</AttributeValue>

I've changed it to:
<AttributeValue
                     DataType="http://www.w3.org/2001/XMLSchema#string">AccountInformation</AttributeValue>

After that I ran the same request again and got decision 'Permit'. I think this is what you've expected...

<?xml version='1.0' encoding='UTF-8'?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <urn:Response xmlns:urn="urn:oasis:names:tc:xacml:2.0:context:schema:os">
      <urn:Result ResourceId="AccountInformation">
        <urn:Decision>Permit</urn:Decision>
        <urn:Status>
          <urn:StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
        </urn:Status>
      </urn:Result>
    </urn:Response>
  </soapenv:Body>
</soapenv:Envelope>

--- On Fri, 1/9/09, Oleg Gryb <oleg_gryb@yahoo.com> wrote:

> From: Oleg Gryb <oleg_gryb@yahoo.com>
> Subject: Re: [xacml-users] does XACML v2 allow multiple values' attribute
> To: xacml-users@lists.oasis-open.org, "hao chen" <d95776@yahoo.com>
> Date: Friday, January 9, 2009, 6:42 PM
> I've checked your example with XACMLight and it
> didn't throw the error, but Decision was
> "NotApplicable". Is it what you've expected
> for the given request?
> 
> If not, I can investigate it further. I had to change the
> following errors in your request and in policies to make
> them compliant with OASIS XSD:
> 
> 1. Added namespaces to both policies and to request
> 2. Added a required <Environment/> element to Request
> 
> I've also created a config file for XACMLight and
> converted the Request to a SOAP message (both are attached).
> 
> Response:
> <?xml version='1.0' encoding='UTF-8'?>
> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
>   <soapenv:Body>
>     <urn:Response xmlns:urn="urn:oasis:names:tc:xacml:2.0:context:schema:os">
>       <urn:Result ResourceId="AccountInformation">
>         <urn:Decision>NotApplicable</urn:Decision>
>         <urn:Status>
>           <urn:StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
>         </urn:Status>
>       </urn:Result>
>     </urn:Response>
>   </soapenv:Body>
> </soapenv:Envelope>
> 
> 
> --- On Fri, 1/9/09, hao chen <d95776@yahoo.com> wrote:
> > From: hao chen <d95776@yahoo.com>
> > Subject: Re: [xacml-users] does XACML v2 allow multiple values' attribute
> > To: xacml-users@lists.oasis-open.org, oleg@gryb.info
> > Date: Friday, January 9, 2009, 4:37 PM
> > Sorry, I sent you a wrong version of request. The attached
> > should be the multi values attr.
> > 
> > Best Regards
> > hao
> > 
> > --- On Fri, 1/9/09, Oleg Gryb <oleg_gryb@yahoo.com> wrote:
> > 
> > > From: Oleg Gryb <oleg_gryb@yahoo.com>
> > > Subject: Re: [xacml-users] does XACML v2 allow multiple values' attribute
> > > To: xacml-users@lists.oasis-open.org, "hao chen" <d95776@yahoo.com>
> > > Date: Friday, January 9, 2009, 3:31 PM
> > > OK, thanks, I'll try it later today and let you know
> > > about the results.
> > > 
> > > 
> > > --- On Fri, 1/9/09, hao chen <d95776@yahoo.com> wrote:
> > > 
> > > > From: hao chen <d95776@yahoo.com>
> > > > Subject: Re: [xacml-users] does XACML v2 allow multiple values' attribute
> > > > To: xacml-users@lists.oasis-open.org, oleg@gryb.info
> > > > Date: Friday, January 9, 2009, 4:28 PM
> > > > The attached are the policies and request I am using:
> > > > 
> > > > 
> > > > Best Regards
> > > > 
> > > > 
> > > > --- On Fri, 1/9/09, Oleg Gryb <oleg_gryb@yahoo.com> wrote:
> > > > 
> > > > > From: Oleg Gryb <oleg_gryb@yahoo.com>
> > > > > Subject: Re: [xacml-users] does XACML v2 allow multiple values' attribute
> > > > > To: xacml-users@lists.oasis-open.org, d95776@yahoo.com
> > > > > Date: Friday, January 9, 2009, 2:48 PM
> > > > > ... if you send your Policy to me, I can try it with
> > > > > XACMLight. Request seems to be correct from XSD point of
> > > > > view.
> > > > > 
> > > > > 
> > > > > > --- On Fri, 1/9/09, hao chen <d95776@yahoo.com> wrote:
> > > > > > 
> > > > > > > From: hao chen <d95776@yahoo.com>
> > > > > > > Subject: [xacml-users] does XACML v2 allow multiple values' attribute
> > > > > > > To: xacml-users@lists.oasis-open.org
> > > > > > > Date: Friday, January 9, 2009, 3:38 PM
> > > > > > > Hi,
> > > > > > > 
> > > > > > > I use sun xacml implementation. When I use multiple
> > > > > > > values' attribute, I got the following error:
> > > > > > > Exception in thread "main" com.sun.xacml.ParsingException: Too many values in Attribute
> > > > > > > 
> > > > > > > The request is as
> > > > > > > <Request>
> > > > > > >   <Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
> > > > > > >     <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
> > > > > > >                DataType="http://www.w3.org/2001/XMLSchema#anyURI">
> > > > > > >       <AttributeValue>account:manager:role</AttributeValue>
> > > > > > >       <AttributeValue>card:member:department:manager:role</AttributeValue>
> > > > > > >     </Attribute>
> > > > > > >   </Subject>
> > > > > > >   <Resource>
> > > > > > >     <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
> > > > > > >                DataType="http://www.w3.org/2001/XMLSchema#string">
> > > > > > >       <AttributeValue>AccountInformation</AttributeValue>
> > > > > > >     </Attribute>
> > > > > > >   </Resource>
> > > > > > >   <Action>
> > > > > > >     <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
> > > > > > >                DataType="http://www.w3.org/2001/XMLSchema#string">
> > > > > > >       <AttributeValue>access</AttributeValue>
> > > > > > >     </Attribute>
> > > > > > >   </Action>
> > > > > > > </Request>
> > > > > > > 
> > > > > > > The sun's java doc says only one value is allowed for
> > > > > > > an attribute.
> > > > > > > 
> > > > > > > hao
> > > > > > > 
> > > > > > > ---------------------------------------------------------------------
> > > > > > > To unsubscribe, e-mail: xacml-users-unsubscribe@lists.oasis-open.org
> > > > > > > For additional commands, e-mail: xacml-users-help@lists.oasis-open.org
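
The whitespace problem found in this thread, as an added example (not code from the thread, from XACMLight or from Sun's implementation): a Python check that flags xs:string policy literals padded with whitespace and shows that an exact string-equal comparison fails until they are trimmed. The policy fragment is constructed, the function names are hypothetical, and it assumes the PDP keeps element text verbatim, as the NotApplicable result above suggests.

```python
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:xacml:2.0:policy:schema:os"}
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"

# Constructed policy fragment (not the poster's attachment): a ResourceMatch
# whose xs:string literal is padded with whitespace, as described in the thread.
SAMPLE_POLICY = """\
<PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
    PolicySetId="PPS:account:manager:role"
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
  <Target><Resources><Resource>
    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
                AccountInformation
      </AttributeValue>
      <ResourceAttributeDesignator
          AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
          DataType="http://www.w3.org/2001/XMLSchema#string"/>
    </ResourceMatch>
  </Resource></Resources></Target>
</PolicySet>
"""

def string_literals(policy_xml):
    """Yield (MatchId, raw text) for each xs:string literal in a *Match element."""
    for match in ET.fromstring(policy_xml).iter():
        if match.tag.endswith("Match"):
            for value in match.findall("p:AttributeValue", NS):
                if value.get("DataType") == XS_STRING:
                    yield match.get("MatchId"), value.text or ""

def padded_literals(policy_xml):
    """Literals that differ from their trimmed form: candidates for a silent non-match."""
    return [(m, raw) for m, raw in string_literals(policy_xml) if raw != raw.strip()]

def resource_matches(policy_xml, resource_id):
    """Compare exactly, as string-equal does, without trimming the literal."""
    return any(raw == resource_id for _, raw in string_literals(policy_xml))

def trimmed(policy_xml):
    """Return the policy with whitespace stripped from xs:string literals."""
    root = ET.fromstring(policy_xml)
    for value in root.iter("{%s}AttributeValue" % NS["p"]):
        if value.get("DataType") == XS_STRING and value.text:
            value.text = value.text.strip()
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    for match_id, raw in padded_literals(SAMPLE_POLICY):
        print("padded literal %r in %s" % (raw, match_id))
```

Running a check like this over policies before loading them into the PDP catches the padded literal without needing a test request.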


      

