Subject: XACML 2.0 conformance tests: questions and suggestions
Hi,

I've a question about the XACML 2.0 conformance tests that are published here: http://www.oasis-open.org/committees/download.php/14846/xacml2.0-ct-v.0.4.zip

This test suite is a great asset for those who want to evaluate their PDP implementations. I found/fixed a great many bugs in my own XACMLight (http://sourceforge.net/projects/xacmllight) implementation; however, there are a few tests from the mandatory suite that I want to ask you about. They are:

1. IIA002Request.xml
2. IIB010Request.xml
3. IIB021Request.xml
4. IIB028Request.xml
5. IIB037Request.xml

For #1 the suggested decision is Permit, but I think that it should be "NotApplicable": SubjectAttributeDesignator must return an empty bag because there is no attribute with *role ID in the request. It means that there is no match for the subject.

In #4 and #2, multiple subjects are used in the request. When I read XACML 2.0's section 2.4, I got the impression that if multiple subjects are provided in a request, ALL of them must be evaluated and matched against a SubjectMatch in the policy, because access is granted to all of them or to none of them. In #4 and #2 only one subject is matched against the target, but the suggested response for both cases is "Permit". I think it should be "NotApplicable" in both cases.

In #5 and #3 the <Condition> is missing. According to XACML 2.0, a rule with a missing condition should be evaluated to "true". Since the Target is matched by the request in both cases, the decision should be "Permit", but the suggested decision is "NotApplicable".

Thanks & hope to read your comments soon.

Oleg.
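The rule-level semantics this message refers to (an absent attribute yielding an empty bag, an absent <Condition> evaluating to true), as an added Python example that is not part of the original post, of XACMLight or of the conformance suite. All class and function names, attribute ids and the sample request are hypothetical, and the target is simplified to a single match; the example also covers the MustBePresent="true" case, where a missing attribute gives Indeterminate instead of an empty bag.

```python
# Added illustration: toy model of XACML 2.0 evaluation for one rule.
# Names are hypothetical; not XACMLight or conformance-suite code.
from dataclasses import dataclass
from typing import Callable, Optional

NOT_APPLICABLE, INDETERMINATE = "NotApplicable", "Indeterminate"


class MissingAttribute(Exception):
    """A designator with MustBePresent="true" found no value."""


def designate(request: dict, attribute_id: str, must_be_present: bool = False) -> list:
    """AttributeDesignator: return the bag of values for attribute_id."""
    bag = list(request.get(attribute_id, []))
    if not bag and must_be_present:
        raise MissingAttribute(attribute_id)
    return bag  # empty bag if absent and MustBePresent="false"


@dataclass
class Match:
    attribute_id: str
    value: str
    must_be_present: bool = False

    def evaluate(self, request: dict) -> bool:
        # True if any value in the bag equals the literal; empty bag -> False.
        return self.value in designate(request, self.attribute_id, self.must_be_present)


@dataclass
class Rule:
    effect: str                      # "Permit" or "Deny"
    target: Optional[Match] = None   # simplification: at most one match
    condition: Optional[Callable[[dict], bool]] = None

    def evaluate(self, request: dict) -> str:
        try:
            if self.target is not None and not self.target.evaluate(request):
                return NOT_APPLICABLE
            # An absent <Condition> counts as True.
            holds = True if self.condition is None else self.condition(request)
        except MissingAttribute:
            return INDETERMINATE
        return self.effect if holds else NOT_APPLICABLE


# Constructed request: attribute id -> bag of values (no "role" attribute).
REQUEST = {"subject-id": ["alice"]}
```

The result is the value of a single rule; the PDP's final decision still depends on the rule- and policy-combining algorithms around it.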