OASIS Mailing List Archives

xacml-dev message



Subject: Re: XACML RBAC Profile


Hi all,
I have (with some help from David Brossard) corrected my policy file as in the attachment. I am having a coding problem at the moment using the JBoss library (i.e. PicketBox). I managed to have a ContextRequest object filled with the role ID (i.e. SeniorAdmin1) but could not do the same with the threshold value. Thus, whenever I run the program it gives the "org.jboss.security.xacml.sunxacml.finder.AttributeFinder findAttribute  INFO: Failed to resolve any values for threshold java.lang.ClassCastException: org.jboss.security.xacml.sunxacml.attr.BagAttribute cannot be cast to org.jboss.security.xacml.sunxacml.attr.IntegerAttribute" exception.

I believe this is because no value for the threshold is passed. Does anybody know how to accommodate the threshold in the RequestContext object, similar to the Role one?

Best wishes
Ali


On Tue, Sep 27, 2011 at 4:17 PM, Ali Ahmed <ali.fci@gmail.com> wrote:

Dear All,

I have a small problem that I need to work out a solution for, basically for my academic research. I am using an XACML policy file like this (the RBAC profile):



I need to add another data item called Threshold, which is an integer number. Thus no SeniorAdmin1 role will be granted the resource unless a bigger value than Threshold is provided.


Where can I put that, and how? Is there any implementation I can use?


Best wishes

Ali



<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os" 
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides" 
Version="2.0" PolicyId="Server1Policy">
    <Target>
        <Resources>
            <Resource>
                <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">Server1</AttributeValue>
                    <ResourceAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#anyURI" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
                </ResourceMatch>
            </Resource>
        </Resources>
    </Target>    

    <Rule Effect="Permit" RuleId="_SwitchOn">
        <Target>
            <Actions>
                <Action>
                    <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SwitchOn</AttributeValue>
                        <ActionAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"/>
                    </ActionMatch>
                </Action>
            </Actions>
        </Target>
        <Condition>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">

                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SeniorAdmin1</AttributeValue>
                    <SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"/>
                </Apply>

                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">523</AttributeValue>
                    <ResourceAttributeDesignator AttributeId="threshold" DataType="http://www.w3.org/2001/XMLSchema#integer"/>
                </Apply>

            </Apply>
        </Condition>
    </Rule>    
</Policy>
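
Added example (not part of the original message or of PicketBox's own code): in XACML 2.0 an attribute designator always evaluates to a bag, while integer-greater-than takes two single integers, which is consistent with the BagAttribute-to-IntegerAttribute ClassCastException quoted above. The fragment below wraps the designator in the standard integer-one-and-only function and shows a request context that carries threshold as a Resource attribute, matching the ResourceAttributeDesignator in the policy. The threshold value 100 is constructed for illustration.

```xml
<!-- 1) Condition argument: collapse the bag to one integer. -->
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">523</AttributeValue>
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
        <!-- MustBePresent="true": a request without threshold evaluates to
             Indeterminate instead of silently yielding an empty bag -->
        <ResourceAttributeDesignator AttributeId="threshold"
            DataType="http://www.w3.org/2001/XMLSchema#integer"
            MustBePresent="true"/>
    </Apply>
</Apply>

<!-- 2) XACML 2.0 request context supplying both the role and the threshold.
     The value 100 is constructed. With the argument order used in the
     policy, the rule permits only when 523 is greater than this value. -->
<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os">
    <Subject>
        <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
                   DataType="http://www.w3.org/2001/XMLSchema#string">
            <AttributeValue>SeniorAdmin1</AttributeValue>
        </Attribute>
    </Subject>
    <Resource>
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                   DataType="http://www.w3.org/2001/XMLSchema#anyURI">
            <AttributeValue>Server1</AttributeValue>
        </Attribute>
        <Attribute AttributeId="threshold"
                   DataType="http://www.w3.org/2001/XMLSchema#integer">
            <AttributeValue>100</AttributeValue>
        </Attribute>
    </Resource>
    <Action>
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                   DataType="http://www.w3.org/2001/XMLSchema#string">
            <AttributeValue>SwitchOn</AttributeValue>
        </Attribute>
    </Action>
    <Environment/>
</Request>
```

A policy enforcement point should treat the Indeterminate result from a missing threshold as a denial, so that omitting the attribute never widens access.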

