OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xacml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Re: [xacml-dev] XACML Target matching question


Hi,

it depends - if the two are "connected" via a policy combining
algorithm, it is of course possible.

If the two policies are top level policies and there is no combining
algorithm, you should get an error from your PDP. If you have a look at,
e.g., sun's implementation, you will find the corresponding code in
com.sun.xacml.finder.PolicyFinder.findPolicy(EvaluationCtx context)
which raises an error, if there are several matching top level policies.
Thus, there is some kind of "default top level" Only-one-applicable
algorithm. Having a short look on the standard, I did not find a
statement how to handle it (but I may have overseen it), thus, it may be
the case that another implementation behaves inanother way (e.g.,
evaluating only the first matching policy, implementing a first
applicable algorithm).

Regards,
  Helmut

On 07/16/2011 11:43 AM, Security Developer wrote:
> Hi All,
> 
> I have a question regarding XACML target matching.
> 
> 1 - Is it possible that two policies have the same target in one PDP?
> suppose
> 
> *Policy-1*
> 
> <Policy>
>     <Target/>
> 
> </Policy>
> 
> *Policy-2*
> 
> <Policy>
>     <Target/>
> 
> </Policy>
> 
> Is the above case possible? if yes then which policy is selected by the PDP?
> 
> Thanks for your time.
> 
> Best Regards.


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]