
xacml-dev message


Subject: RE: [xacml-dev] Policy editor? Gui?

On Fri, 2004-11-12 at 11:03, Kuketayev, Argyn wrote:
> here's a policy, it's a part of my version of RBAC profile
> implementation
> ======================
> <?xml version="1.0" encoding="UTF-8"?>
> <PolicySet xmlns="urn:oasis:names:tc:xacml:1.0:policy"
>     PolicySetId="RBAC:PPS:role:default"
>     PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
>     <Target/>
>     <Policy PolicyId="RBAC:Permissions:role:default"
>         RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
>         <Target/>
>         <Rule RuleId="FinalRule" Effect="Deny"/>
>     </Policy>
> </PolicySet>
> ======================

The problem is that this is not a valid 1.x policy. The Target may not
be empty. Instead, you need to specify all three Target sections with
the Any* elements (eg, <AnySubject/>). The SunXACML code doesn't
complain because it doesn't try to reproduce all the error-checking that
can be done using schema validation, which would recognize your policy
as invalid. Try running your policy through a schema checker and it
should complain.
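
The following is an added example, not part of the original message or of the SunXACML code: a structural pre-load check that flags the empty `<Target/>` described above and accepts the explicit Any* form. The names `check_targets`, `POSTED`, `ANY_TARGET` and `FIXED` are assumptions of this example, and the check covers only the Target structure; it is not a substitute for validating against the XACML 1.0 policy schema.

```python
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:1.0:policy"
SECTIONS = ["Subjects", "Resources", "Actions"]  # order fixed by the 1.0 schema

def q(name):
    return "{%s}%s" % (NS, name)

def check_targets(xml_text):
    """Structural check of every Target; returns a list of problem strings."""
    problems = []
    root = ET.fromstring(xml_text.encode("utf-8"))
    for parent in root.iter():
        owner = parent.get("PolicySetId") or parent.get("PolicyId") or parent.get("RuleId")
        for target in parent.findall(q("Target")):
            if [c.tag for c in target] != [q(s) for s in SECTIONS]:
                problems.append("%s: Target lacks Subjects/Resources/Actions" % owner)
                continue
            for section in target:
                if len(section) == 0:  # needs Any* or at least one match element
                    problems.append("%s: empty %s" % (owner, section.tag.split("}")[1]))
    return problems

# Policy from the message, wrapped attribute values rejoined.
POSTED = """<?xml version="1.0" encoding="UTF-8"?>
<PolicySet xmlns="urn:oasis:names:tc:xacml:1.0:policy"
    PolicySetId="RBAC:PPS:role:default"
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
    <Target/>
    <Policy PolicyId="RBAC:Permissions:role:default"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
        <Target/>
        <Rule RuleId="FinalRule" Effect="Deny"/>
    </Policy>
</PolicySet>
"""

# Constructed correction: each empty Target replaced by the explicit match-anything form.
ANY_TARGET = ("<Target><Subjects><AnySubject/></Subjects>"
              "<Resources><AnyResource/></Resources>"
              "<Actions><AnyAction/></Actions></Target>")
FIXED = POSTED.replace("<Target/>", ANY_TARGET)

if __name__ == "__main__":
    for label, doc in (("posted", POSTED), ("fixed", FIXED)):
        print(label, check_targets(doc) or "ok")
```

Running a check like this before handing policies to the PDP catches the case the reply describes, where the engine loads a schema-invalid policy without complaint.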

