Subject: Re: [xacml-dev] Re: [xacml-users] XACML 2.0 Conformance Tests Questions
Ludwig,

Thanks for the answer, it's very helpful. I still have questions on two subjects: multiple subjects and the context handler.

1. Context Handler.
-------------------

It looks like you consider the context handler's ability to fetch additional attributes a mandatory XACML 2.0 feature, but the only requirement on the context handler that I found was this:

"...the context handler is responsible for obtaining and supplying the requested values by whatever means it deems appropriate."

In general "whatever" is not a very good specification if you look at it from an implementation point of view, and it doesn't mean at all that the context handler MUST have a mechanism for resolving attributes that are missing in the request. I can say that my "whatever" mechanism is to look for attributes in the request message only. That's why I think that IIA002 should probably be included in the PIP/PEP tests, not in the PDP tests.

2. Multiple Subjects in Request.
--------------------------------

I think my question was rather about understanding the concept of multiple subjects in a request than about the evaluation algorithm. I actually think that the evaluation algorithm in 7.5 doesn't match well the intentions described in the non-normative section 2.4. Let us look at the example that you have: 3 subjects and only one of them matches <SubjectMatch>. Decision "Permit" means that ALL subjects are authorized to have access to the resource (does it?). Looks like a potential security breach to me, because I can add 100 more subjects with different categories to this request and they all will be granted permission to the resource too.

Thanks again,
Oleg.

--- Ludwig Seitz <ludwig@sics.se> wrote:

> On Tue, 2008-04-22 at 11:07 -0700, Oleg Gryb wrote:
> > Hi,
> >
> > I've a question about XACML 2.0 conformance tests that
> > are published here:
> > http://www.oasis-open.org/committees/download.php/14846/xacml2.0-ct-v.0.4.zip
> >
> > This test suite is a great asset for those who want
> > to evaluate their PDP implementations. I found/fixed a
> > great many bugs in my own XACMLight
> > (http://sourceforge.net/projects/xacmllight)
> > implementation, however there are a few tests from the
> > mandatory suite that I want to ask you about. They
> > are:
> >
> > 1. IIA002Request.xml
>
> Check the IIA002Special.txt file included in the test suite.
>
> > 2. IIB010Request.xml
> > 3. IIB021Request.xml
> > 4. IIB028Request.xml
> > 5. IIB037Request.xml
> >
> > In #4 and #2 multiple subjects are used in the
> > request. When I read XACML 2.0's section 2.4, I got the
> > impression that if multiple subjects are provided in a
> > request, ALL of them must be evaluated and matched
> > against a SubjectMatch in the policy, because access
> > is granted to all of them or to none of them. In #4
> > and #2 only one subject is matched against the target, but
> > the suggested response for both cases is "Permit". I think
> > it should be "NotApplicable" in both cases.
>
> No, you got that wrong. Read section 7.5 on how SubjectMatch
> is evaluated.
>
> > In #5 and #3 the <Condition> is missing. According to
> > XACML 2.0 the rule with a missing condition should be
> > evaluated to "true". Since the Target is matched by the
> > request in both cases the decision should be "Permit",
> > but the suggested decision is "NotApplicable".
>
> The target in #3 is not matched in the subject part,
> since the attribute issuer in the request is:
> Issuer="http://www.medico.com/certification-authority"
>
> and the required issuer in the policy is:
> Issuer="http://www.medico.com"
>
> In #5 again the issuer is different (this time in
> the Resource section):
> Issuer="http://www.medico.com/Certification-Authority"
> for the policy
> and Issuer="http://www.medico.com/Cert-Auth" for the
> request.
>
> Cheers,
>
> Ludwig Seitz
>
> --
> Ludwig Seitz
> Ph.D., Researcher
> Security, Policy and Trust Laboratory (SPOT)
> Swedish Institute of Computer Science (SICS)
> homepage: http://www.sics.se/~ludwig
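The two disputed behaviours in the thread (how a policy's SubjectMatch is evaluated against a request with several Subject elements, and why an Issuer mismatch makes the target fail to match) come down to a few lines of XACML 2.0 section 7.5 logic, shown below as an added example. This is not code from the thread, from XACMLight or from the conformance suite: the request values (alice, proxy-gateway, bob), the policy target, and the assumption of a single unconditional Permit rule behind that target are constructed for illustration, and only the Subjects section and the string-equal function are implemented.

```python
"""Toy XACML 2.0 Target evaluator for multi-subject requests (section 7.5 semantics).

Added example, not code from the thread, XACMLight or the conformance suite.
Only <Subjects> and string-equal are implemented; all values are constructed.
"""
import xml.etree.ElementTree as ET

XACML_CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
XACML_POL = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ACCESS_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
INTERMEDIARY_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:intermediary-subject"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"

MATCH_FUNCTIONS = {STRING_EQUAL: lambda literal, value: literal == value}


def ctx(tag):
    return f"{{{XACML_CTX}}}{tag}"


def pol(tag):
    return f"{{{XACML_POL}}}{tag}"


# Constructed policy target. The designator names no SubjectCategory (so it defaults
# to access-subject) and pins the Issuer, as the conformance policies discussed do.
POLICY_TARGET = f"""<Target xmlns="{XACML_POL}">
  <Subjects>
    <Subject>
      <SubjectMatch MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{XS_STRING}">alice</AttributeValue>
        <SubjectAttributeDesignator AttributeId="{SUBJECT_ID}" DataType="{XS_STRING}"
                                    Issuer="http://www.medico.com"/>
      </SubjectMatch>
    </Subject>
  </Subjects>
</Target>"""


def build_request(subjects):
    """Construct a <Request> with one subject-id Attribute per (category, value, issuer)."""
    parts = []
    for category, value, issuer in subjects:
        issuer_attr = f' Issuer="{issuer}"' if issuer else ""
        parts.append(
            f'  <Subject SubjectCategory="{category}">\n'
            f'    <Attribute AttributeId="{SUBJECT_ID}" DataType="{XS_STRING}"{issuer_attr}>\n'
            f"      <AttributeValue>{value}</AttributeValue>\n"
            f"    </Attribute>\n"
            f"  </Subject>"
        )
    body = "\n".join(parts)
    return f'<Request xmlns="{XACML_CTX}">\n{body}\n  <Resource/>\n  <Action/>\n  <Environment/>\n</Request>'


def designated_values(request, designator):
    """Bag selected by a SubjectAttributeDesignator: same SubjectCategory (default
    access-subject), AttributeId and DataType, and an exact Issuer match when the
    designator gives one. Request subjects of other categories are never consulted."""
    category = designator.get("SubjectCategory", ACCESS_SUBJECT)
    issuer = designator.get("Issuer")
    bag = []
    for subject in request.findall(ctx("Subject")):
        if subject.get("SubjectCategory", ACCESS_SUBJECT) != category:
            continue
        for attr in subject.findall(ctx("Attribute")):
            if attr.get("AttributeId") != designator.get("AttributeId"):
                continue
            if attr.get("DataType") != designator.get("DataType"):
                continue
            if issuer is not None and attr.get("Issuer") != issuer:
                continue
            bag.extend(v.text for v in attr.findall(ctx("AttributeValue")))
    return bag


def subject_match(request, match):
    """<SubjectMatch> holds if MatchId(literal, v) is true for any v in the bag."""
    fn = MATCH_FUNCTIONS[match.get("MatchId")]
    literal = match.find(pol("AttributeValue")).text
    designator = match.find(pol("SubjectAttributeDesignator"))
    return any(fn(literal, v) for v in designated_values(request, designator))


def target_matches(request, target):
    """<Subjects> is a disjunction over <Subject>; each <Subject> is a conjunction
    of its <SubjectMatch> elements. An absent <Subjects> matches any request."""
    subjects = target.find(pol("Subjects"))
    if subjects is None:
        return True
    return any(
        all(subject_match(request, m) for m in subject.findall(pol("SubjectMatch")))
        for subject in subjects.findall(pol("Subject"))
    )


def decide(request_xml, target_xml=POLICY_TARGET):
    """Decision for a policy holding this target and one unconditional Permit rule."""
    request = ET.fromstring(request_xml)
    target = ET.fromstring(target_xml)
    return "Permit" if target_matches(request, target) else "NotApplicable"


if __name__ == "__main__":
    good = [(ACCESS_SUBJECT, "alice", "http://www.medico.com")]
    extra = good + [(INTERMEDIARY_SUBJECT, "proxy-gateway", None)] * 3
    wrong_issuer = [(ACCESS_SUBJECT, "alice", "http://www.medico.com/certification-authority")]
    print("access-subject alone:        ", decide(build_request(good)))
    print("plus 3 intermediary subjects:", decide(build_request(extra)))
    print("issuer mismatch:             ", decide(build_request(wrong_issuer)))
```

Two things the run makes concrete. First, adding request Subject elements of other categories cannot change the outcome of a SubjectMatch whose designator targets access-subject, because the designator never reads them; the Permit is a decision about the request as a whole, and what goes into that request is the PEP's doing. Second, an Issuer on the designator is compared as an exact string against the attribute's Issuer, so `http://www.medico.com/certification-authority` versus `http://www.medico.com` yields an empty bag, the match fails, and the target does not apply, which is why a missing Condition never comes into play.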