Subject: Re: [xacml-dev] XACML Target matching question
Hi,

it depends - if the two are "connected" via a policy combining algorithm, it is of course possible. If the two policies are top level policies and there is no combining algorithm, you should get an error from your PDP.

If you have a look at, e.g., Sun's implementation, you will find the corresponding code in com.sun.xacml.finder.PolicyFinder.findPolicy(EvaluationCtx context) which raises an error, if there are several matching top level policies. Thus, there is some kind of "default top level" Only-one-applicable algorithm.

Having a short look on the standard, I did not find a statement how to handle it (but I may have overseen it), thus, it may be the case that another implementation behaves in another way (e.g., evaluating only the first matching policy, implementing a first applicable algorithm).

Regards,
Helmut

On 07/16/2011 11:43 AM, Security Developer wrote:
> Hi All,
>
> I have a question regarding XACML target matching.
>
> 1 - Is it possible that two policies have the same target in one PDP?
> suppose
>
> *Policy-1*
>
> <Policy>
> <Target/>
>
> </Policy>
>
> *Policy-2*
>
> <Policy>
> <Target/>
>
> </Policy>
>
> Is the above case possible? if yes then which policy is selected by the PDP?
>
> Thanks for your time.
>
> Best Regards.
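
The behaviours discussed in this message, as an added example that is not part of the original e-mail and is not Sun's code: a simplified Python model of top-level policy selection for the two empty-target policies from the question. The class and function names, the request attributes, and the Permit/Deny effects assigned to the two policies are assumptions made for illustration.

```python
# Simplified model of top-level policy selection; names and effects are hypothetical.
from dataclasses import dataclass, field

PERMIT, DENY = "Permit", "Deny"
NOT_APPLICABLE, INDETERMINATE = "NotApplicable", "Indeterminate"

@dataclass
class Policy:
    policy_id: str
    effect: str                                  # assumed decision when the policy applies
    target: dict = field(default_factory=dict)   # {} models an empty <Target/>

    def matches(self, request):
        # An empty target matches every request; otherwise every attribute must be equal.
        return all(request.get(k) == v for k, v in self.target.items())

def only_one_applicable(policies, request):
    # Several matching top-level policies are an error, as described for PolicyFinder.
    hits = [p for p in policies if p.matches(request)]
    if len(hits) > 1:
        return INDETERMINATE
    return hits[0].effect if hits else NOT_APPLICABLE

def first_applicable(policies, request):
    # Only the first matching policy is evaluated, so list order decides the outcome.
    for p in policies:
        if p.matches(request):
            return p.effect
    return NOT_APPLICABLE

def deny_overrides(policies, request):
    # Explicit combining algorithm, as a PolicySet wrapping both policies could declare.
    effects = {p.effect for p in policies if p.matches(request)}
    if DENY in effects:
        return DENY
    return PERMIT if PERMIT in effects else NOT_APPLICABLE

# Constructed sample: the two policies from the question, both with an empty target.
P1 = Policy("Policy-1", PERMIT)
P2 = Policy("Policy-2", DENY)
REQUEST = {"subject": "alice", "action": "read"}

if __name__ == "__main__":
    for order in ([P1, P2], [P2, P1]):
        ids = [p.policy_id for p in order]
        print(ids, only_one_applicable(order, REQUEST),
              first_applicable(order, REQUEST), deny_overrides(order, REQUEST))
```

With an implicit first-applicable behaviour the decision flips when the policy load order changes, while an explicit combining algorithm gives the same answer in both orders.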