
xacml-dev message


Subject: RE: [xacml-dev] Conformance Tests for V1

I can't provide answers to all these, but I'll tell you what I know...

On Wed, 2004-10-20 at 16:52, diego gonzalez wrote:
> [...]
> *	IIIF005. Xpath compilation error. "//md:record[?]/..." I have an
> invalid token error, I think it is the "?", this is probably related to the
> version of XPath supported by .Net. On the other hand, the XPath version
> supported in XACML is 1.0 (as described in the XPathVersion element
> description) and quantifiers as predicates are not supported in XPath
> 1.0, they were added in Xpath 2.0. Seems the conformance test is using
> an Xpath 2.0 feature.

I'm not an XPath expert, so I don't know what the answer is here. I've
mainly tested XPath handling using Apache's implementation, and I guess
I never paid attention to the ? predicate. Is anyone else on this list
able to comment?

> *	IIIF007. Context node issue. The xpath is
> "./xacml-context/Resource" which seems the context node (./) is the
> Resource element. The spec says the context node will be Request
> element. So the Condition for the only Rule in this Policy will not find
> any node since all the Xpaths will fail. What do you do to pass this
> test?

In the version of the tests I'm looking at, all the paths in IIIF007 are
"./xacml-context:Resource" which is fine, since if the "context node" is
the Request, then the path refers to Request/Resource. I had to write a
little custom code to handle all the possible root/namespace cases, and
this definitely bit me the first time around, but I think the path here
is correct.

> *	IIIA014. The result in the conformance test has 4 Obligations,
> and my implementation is returning 6. I'm passing all the other samples
> related to Obligations except this one. I'm not able to understand why I
> have to return 4 obligations in this test. Here are the execution steps:
> There are 3 policies within a policy set. Each policy has 4
> Obligations, 2 on Deny and 2 on Permit. The PolicySet also has 4
> Obligations 2 on Deny and 2 on Permit. Policy1 is NotApplicable which
> does not add any Obligation, Policy2 is Permit which adds 2 Obligations
> and Policy3 is Deny which adds 2 Obligations. Since the PolicySet is
> Deny it will add 2 Obligations which sums 6. The 6 Obligations that I'm
> returning are:
> policy2:obligation-1, policy2:obligation-2,  policy3:obligation-3,
> policy3:obligation-4, policyset:obligation3 and policyset:obligation4.
> The ConformanceTest does not have the policy2:obligation-1 and
> policy2:obligation-2. Can you tell me if the execution steps are
> incorrect?

I'm afraid your steps are slightly wrong. Specifically, you should only
return Obligations that have the same FulfillOn Effect as the Effect in
your Decision. In this case, the PDP is returning Deny, so only the Deny
Obligations are returned, and therefore you don't include the Policy2
Obligations (since they are Permit Obligations). Yeah, I know, it's not
obvious from reading the spec that this is the right behavior, but trust
me on this one :) In general, the way this works is that at each node in
the tree, you should only propagate up the Obligations that match the
Effect that you're returning at that node. Does this help?
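
Added example (not part of the original message, and not code from any XACML implementation): a minimal model of the IIIA014 tree described above, comparing the "sum everything" steps (6 Obligations) with per-node filtering on FulfillOn (4 Obligations). The deny-overrides combiner, the fixed leaf decisions, and the obligation ids not quoted in the thread are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

@dataclass
class Node:
    name: str
    obligations: list                 # (obligation id, FulfillOn) pairs
    children: list = field(default_factory=list)
    decision: Optional[str] = None    # leaf policies: decision as given in the thread

def deny_overrides(decisions):
    # Assumed combining algorithm; the thread only says the PolicySet returns Deny.
    for effect in (DENY, PERMIT):
        if effect in decisions:
            return effect
    return NOT_APPLICABLE

def evaluate(node, strict=True):
    """Return (decision, [(obligation id, FulfillOn), ...]) for one node."""
    results = [evaluate(child, strict) for child in node.children]
    decision = deny_overrides([d for d, _ in results]) if results else node.decision
    inherited = [ob for _, obs in results for ob in obs]
    if strict:
        # Propagate up only what matches the Effect returned at this node.
        inherited = [ob for ob in inherited if ob[1] == decision]
    own = [ob for ob in node.obligations if ob[1] == decision]
    return decision, inherited + own

def obligations(owner, stem):
    # Ids 1-2 fire on Permit and 3-4 on Deny, consistent with the ids quoted above;
    # the ids that the thread does not list are constructed.
    return [(f"{owner}:{stem}{i}", PERMIT if i <= 2 else DENY) for i in range(1, 5)]

def build_iiia014():
    leaves = [Node(f"policy{n}", obligations(f"policy{n}", "obligation-"), decision=d)
              for n, d in ((1, NOT_APPLICABLE), (2, PERMIT), (3, DENY))]
    return Node("policyset", obligations("policyset", "obligation"), children=leaves)

def obligation_ids(strict):
    decision, obs = evaluate(build_iiia014(), strict)
    return decision, [oid for oid, _ in obs]

if __name__ == "__main__":
    print("unfiltered:", obligation_ids(strict=False))
    print("filtered:  ", obligation_ids(strict=True))
```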

