xacml-users message



Subject: RE: [xacml-users] Problem with an or function


If Valerie is free to use XACML 3.0 syntax, David’s solution should work.  (Note that he switched to integer comparison instead of string comparison, which may or may not match the original policy intent.)

 

However, in XACML 2 the Condition element must be used as in the original post.  The results are still a mystery.  I think you could interpret the spec to say this Condition should return “true” if either profile1 or profile2 were “20”; however the failure of “one-and-only” would throw in an Indeterminate, which might cause the observed behavior.

 

Valerie, can you post the entire policy, or at least enough of the parent Rules and Policies to see where the Deny and Permit are coming from? Also, do you intend to use string-comparisons?  Note that “2” will be greater than “10” by this rule.

 

Regards,

--Paul

 

From: David Brossard [mailto:david.brossard@axiomatics.com]
Sent: Thursday, January 27, 2011 10:46
To: valerie.bauche@bull.net
Cc: xacml-users@lists.oasis-open.org
Subject: Re: [xacml-users] Problem with an or function

 

Hi Valerie,

You need to define your original rule in a clearer way. What are you trying to achieve?

You claim profile1>10 gives Permit OR profile2>10 gives Permit.

What if profile1>10 and profile2<10? Do you also want Permit?

If you want to return Permit if at least one of the 2 statements is true regardless of what the other statement is, then create a simple rule as follows:

<xacml3:Rule RuleId="profile1-2" Effect="Permit" xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
     <xacml3:Description>allow if either profile1 is greater than 10 or profile2 is greater than 10</xacml3:Description>
     <xacml3:Target>
          <xacml3:AnyOf>
               <xacml3:AllOf>
                    <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:integer-less-than">
                         <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">10</xacml3:AttributeValue>
                         <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"  AttributeId="profile2" DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="false"/>
                    </xacml3:Match>
               </xacml3:AllOf>
               <xacml3:AllOf>
                    <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:integer-less-than">
                         <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">10</xacml3:AttributeValue>
                         <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"  AttributeId="profile1" DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="false"/>
                    </xacml3:Match>
               </xacml3:AllOf>
          </xacml3:AnyOf>
     </xacml3:Target>
</xacml3:Rule>



With the rule expressed as above using a target and two AllOf nodes inside an AnyOf node, you do not need to use conditions, which makes the rule simpler.

If you send profile1=5 you get NotApplicable
If you send profile2=5 you get NotApplicable
If you send profile1=5 and profile2=5 you get NotApplicable
If you send profile1=15 and profile2=5 you get Permit
If you send profile1=5 and profile2=15 you get Permit
If you send profile1=15 and profile2=15 you get Permit

You can get rid of NotApplicable by using the deny-unless-permit (3.0) combining algorithm.

I hope this helps,
David.

On Thu, Jan 27, 2011 at 5:32 PM, <valerie.bauche@bull.net> wrote:


Hello

I want to express a quite simple rule:
profile1>10 or profile2>10

Here is the corresponding XACML:

<Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
  <Apply FunctionId="urn:bxss:xacml:string-greater-than-or-equals">
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
      <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:SAML:2.0:attrname-format:basic:profile1" DataType="http://www.w3.org/2001/XMLSchema#string"></SubjectAttributeDesignator>
    </Apply>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">10</AttributeValue>
  </Apply>
  <Apply FunctionId="urn:bxss:xacml:string-greater-than-or-equals">
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
      <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:SAML:2.0:attrname-format:basic:profile2" DataType="http://www.w3.org/2001/XMLSchema#string"></SubjectAttributeDesignator>
    </Apply>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">10</AttributeValue>
  </Apply>
</Condition>

If I come with profile1=20: the result is PERMIT
If I come with profile2=20: the result is DENY !!!!!

I think that the following happened:
If I have profile2=20 and no profile1 at all, the function first tries to evaluate profile1, and string-one-and-only fails because profile1 does not exist. Then the evaluation cannot be done, the whole process fails, and we don't even try to evaluate the second possibility with profile2.

Am I right?

What could be the solution to handle such a problem?

Valerie
--
David Brossard, M.Eng, SCEA, CSTP
Solutions Architect
+46(0)760 25 85 75
Axiomatics AB
Skeppsbron 40
S-111 30 Stockholm, Sweden
http://www.linkedin.com/companies/536082
http://www.axiomatics.com
http://twitter.com/axiomatics
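As an added illustration (constructed for this archive page, not code from the thread or from any XACML implementation), a toy Python evaluator that models the two shapes discussed above: Valerie's XACML 2.0 or-Condition, where a missing attribute makes string-one-and-only Indeterminate, and David's XACML 3.0 Target with MustBePresent="false". The custom urn:bxss comparison is assumed to be a plain lexicographic string compare, and the "abort on first Indeterminate" versus "keep going" behaviour of `or` is modelled as a switch, since the thread leaves that interpretation open.

```python
# Constructed toy evaluator (added example, not code from the thread or from any
# XACML PDP). Attribute bags are Python lists; a missing attribute is an empty bag.
INDETERMINATE = "Indeterminate"

def one_and_only(bag):
    """XACML string-one-and-only: exactly one value, otherwise Indeterminate."""
    return bag[0] if len(bag) == 1 else INDETERMINATE

def string_gte(a, b):
    """Assumed stand-in for the custom urn:bxss string-greater-than-or-equals:
    a lexicographic compare, which is why "2" >= "10" holds (Paul's caveat)."""
    if INDETERMINATE in (a, b):
        return INDETERMINATE
    return a >= b

def xacml_or(args, abort_on_error):
    """Evaluate the or-arguments first to last, stopping at the first True.
    abort_on_error=True models a PDP that stops at the first Indeterminate
    (Valerie's observation); False models the reading where a later True wins."""
    saw_error = False
    for arg in args:
        value = arg()
        if value is True:
            return True
        if value == INDETERMINATE:
            if abort_on_error:
                return INDETERMINATE
            saw_error = True
    return INDETERMINATE if saw_error else False

def condition_2_0(subject, abort_on_error=True):
    """Valerie's XACML 2.0 Condition: or(profile1 >= "10", profile2 >= "10")."""
    args = [lambda k=k: string_gte(one_and_only(subject.get(k, [])), "10")
            for k in ("profile1", "profile2")]
    return xacml_or(args, abort_on_error)

def target_3_0(subject):
    """David's XACML 3.0 Target: AnyOf(AllOf(10 < profile2), AllOf(10 < profile1)).
    With MustBePresent="false" a missing attribute is an empty bag, so its Match
    is simply False rather than Indeterminate, and the Rule is NotApplicable."""
    for key in ("profile2", "profile1"):
        if any(10 < v for v in subject.get(key, [])):
            return "Permit"
    return "NotApplicable"

def deny_unless_permit(rule_decisions):
    """XACML 3.0 deny-unless-permit: Permit if any rule permits, otherwise Deny
    (NotApplicable and Indeterminate both collapse to Deny)."""
    return "Permit" if "Permit" in rule_decisions else "Deny"
```

Running `condition_2_0({"profile2": ["20"]})` reproduces the Indeterminate that Paul suspects behind Valerie's DENY, while `target_3_0` reproduces David's six-row table.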