
xacml-dev message



Subject: Re: [xacml-dev] Re: XACML RBAC Profile


Ali,

The problem is in the following snippet of your policy:

            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than">
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">523</AttributeValue>           
               <ResourceAttributeDesignator  AttributeId="threshold" DataType="http://www.w3.org/2001/XMLSchema#integer"/>
            </Apply>

The integer-greater-than function operates on integers, but the <ResourceAttributeDesignator> element returns a *bag of* integers (see section 5.39. "Element <ResourceAttributeDesignator>" of the XACML 2.0 spec [1]). So you need to convert the bag of integers to a single integer first. You can use the integer-one-and-only function for that. See section A.3.10 "Bag functions" of the XACML 2.0 spec.

Thanks,
Ray

[1] http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os.pdf
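The fix described in the reply above, as an added example that is not part of the original message or of Ali's attached policy: the designator's bag is unwrapped with integer-one-and-only before the comparison, followed by a request fragment that supplies the attribute. The `MustBePresent="true"` setting and the request value 400 are assumptions made for illustration.

```xml
<!-- Added example, not from the original thread. -->

<!-- 1. Policy side: integer-one-and-only turns the bag returned by the
        designator into the single integer that integer-greater-than expects. -->
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than">
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">523</AttributeValue>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
    <!-- Assumption: MustBePresent="true", so a request that omits
         "threshold" evaluates to Indeterminate at the designator. -->
    <ResourceAttributeDesignator AttributeId="threshold"
        DataType="http://www.w3.org/2001/XMLSchema#integer"
        MustBePresent="true"/>
  </Apply>
</Apply>

<!-- 2. Request side (XACML 2.0 request context): the resource attribute the
        designator resolves. AttributeId and DataType must match the designator
        exactly. The value 400 is constructed for this example. -->
<Resource>
  <Attribute AttributeId="threshold"
      DataType="http://www.w3.org/2001/XMLSchema#integer">
    <AttributeValue>400</AttributeValue>
  </Attribute>
</Resource>
```

If the bag is empty or holds more than one value, integer-one-and-only evaluates to Indeterminate, so the enforcement point should grant access only on an explicit Permit.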


From: Ali Ahmed <ali.fci@gmail.com>
To: xacml-dev@lists.oasis-open.org
Sent: Monday, October 10, 2011 6:12 AM
Subject: [xacml-dev] Re: XACML RBAC Profile

Hi all,
I have (with some help from David Brossard) corrected my policy file as in the attachment. I am having a coding problem at the moment using the JBoss library (i.e. PicketBox). I managed to have a ContextRequest object filled with the role ID (i.e. SeniorAdmin1) but could not do the same with the threshold value. Thus, whenever I run the program it gives "org.jboss.security.xacml.sunxacml.finder.AttributeFinder findAttribute  INFO: Failed to resolve any values for threshold java.lang.ClassCastException: org.jboss.security.xacml.sunxacml.attr.BagAttribute cannot be cast to org.jboss.security.xacml.sunxacml.attr.IntegerAttribute" exception.

I believe this is because no value for the threshold is passed. Does anybody know how to accommodate the threshold in the RequestContext object similar to the Role one?

Best wishes
Ali


On Tue, Sep 27, 2011 at 4:17 PM, Ali Ahmed <ali.fci@gmail.com> wrote:
Dear All,
I have a small problem that I need to work out a solution for, basically for my academic research. I am using an XACML policy file like this (the RBAC profile)


I need to add another data item called Threshold, which is an integer number. Thus no SeniorAdmin1 role will be granted the resource unless a value bigger than Threshold is provided.

Where can I put that, and how? Is there any implementation I can use?

Best wishes
Ali



