
xacml-dev message


Subject: Re: [xacml-dev] Handling repetitions of Attribute Category/Id/Issuer/DataType in XACML Request

Hello All,

Generally agree with what's been said.

Further clarification may come from section 2.6:

"2.6 Multi-valued attributes

The most common techniques for communicating attributes (LDAP, XPath, SAML, etc.) support multiple values per attribute. Therefore, when an XACML PDP retrieves the value of a named attribute, the result may contain multiple values.

A collection of such values is called a bag. A bag differs from a set in that it may contain duplicate values, whereas a set may not. Sometimes this situation represents an error. Sometimes the XACML rule is satisfied if any one of the attribute values meets the criteria expressed in the rule.

XACML provides a set of functions that allow a policy writer to be absolutely clear about how the PDP should handle the case of multiple attribute values. These are the "higher-order" functions (see Section A.3)."
So, effectively, the function definitions implicitly define the capabilities.

Note: from my experience on the TC a lot of time and care has been
given to the definitions of functionality in the spec, and as a result
the definitions should be taken quite literally from a logical
perspective. In addition, implementation efforts have tested this
logic, and when inconsistencies have occurred, they have been
raised as issues and corrected.


On 8/22/2015 5:16 PM, Cyril DANGERVILLE wrote:
Thanks Steven for your answer.
For the record, I also noticed an XACML 2.0 conformance test that confirms your answer to the second point, with an example. I assume the same holds true for XACML 3.0. This is test #24 in section A of section G on the XACML 2.0 conformance tests page [1]. Indeed, in the associated test request [2], the subject-id <Attribute> occurs twice:
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string">
    <AttributeValue>Julius Hibbert</AttributeValue>
  </Attribute>
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string">
    <AttributeValue>Zaphod Beedlebrox</AttributeValue>
  </Attribute>
In the test policy [3], the description of the rule 'urn:oasis:names:tc:xacml:1.0:conformance-test:IIIA024:rule3' reads (content omitted):
[...] (ERROR in passing multi-valued bag to one-and-only function) INDETERMINATE
The Apply with the one-and-only function that the description refers to:
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
  <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" MustBePresent="true" DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
So the conformance test is expecting an error because of a bag with too many values (two in this case) for the subject-id.
There might be other examples of such things in the conformance tests. I have not checked thoroughly, far from it.


On Thu, Jul 9, 2015 at 9:10 AM, David Brossard <david.brossard@axiomatics.com> wrote:

I agree with Steven on both accounts.

On Jul 9, 2015 7:53 AM, "Steven Legg" <steven.legg@viewds.com> wrote:

Hi Cyril,

On 9/07/2015 9:35 AM, Cyril DANGERVILLE wrote:
I have issues understanding what a conformant PDP should do in the cases described below according to the XACML Core specification. Could you please tell me what is the expected behavior?

1) If a given <Request> contains multiple <Attributes> elements with the same Category value, and the PDP does not support the Multiple Decision Profile? (Is the PDP supposed to merge them? Or consider it "unsupported functionality" (§7.19.1) and therefore return "Indeterminate"? Or?)

Merging the <Attributes> would not produce the effect that the PEP is expecting,
so the safe thing to do is to return Indeterminate. Better no answer than the
wrong answer.

2) If a given <Request> contains multiple <Attribute> elements with the same Category, AttributeId, DataType and Issuer (undefined or same value)? (Is the PDP supposed to merge the AttributeValues? Or consider it invalid syntax and therefore return "Indeterminate"? Or?)

The <Attribute> elements don't have a Category or DataType XML attribute. The
DataType XML attribute is on the <AttributeValue> element. Overall, the
specification isn't clear on whether multiple <Attribute> elements with the same
AttributeId and Issuer are permitted, except for Section 7.3.3:

    "If a single <Attribute> element in a request context contains multiple
     <AttributeValue> child elements, then the bag of values resulting from
     evaluation of the <Attribute> element MUST be identical to the bag of
     values that results from evaluating a context in which each <AttributeValue>
     element appears in a separate <Attribute> element, each carrying identical

So it appears possible and on that basis I've implemented the attribute
designator to collect the values from all <Attribute> elements that match.


Thanks for your help.



Thanks, Rich

Rich Levinson | Internet Standards Security Architect
Mobile: +1 978 5055017
Oracle Identity Management
45 Network Drive | Burlington, Massachusetts 01803
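The two behaviours the thread settles on, merging the values of repeated <Attribute> elements into one bag but refusing a repeated <Attributes> Category with Indeterminate when the Multiple Decision Profile is not supported, and the one-and-only error that conformance test IIIA024 expects, as an added Python example that is not code from the thread or from any participant's PDP; the request builder, the Indeterminate exception and the function names are assumptions made here:

```python
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"  # XACML 3.0 namespace
XSD_STRING = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT_CAT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"

class Indeterminate(Exception):
    """Raised wherever a conformant PDP would return Indeterminate (assumed name)."""

def request_with_subject_ids(*ids):
    """Constructed XACML 3.0 request: one <Attribute> per given subject-id,
    mirroring the IIIA024 request in which subject-id appears twice."""
    attrs = "".join(
        f'<Attribute AttributeId="{SUBJECT_ID}"><AttributeValue DataType="{XSD_STRING}">'
        f"{i}</AttributeValue></Attribute>" for i in ids)
    return (f'<Request xmlns="{XACML}"><Attributes Category="{SUBJECT_CAT}">'
            f"{attrs}</Attributes></Request>")

def designator(request_xml, category, attribute_id, datatype, issuer=None):
    """Attribute designator that collects values from every matching <Attribute>
    into one bag (Section 7.3.3). Two <Attributes> with the same Category is
    Multiple Decision Profile territory, so without MDP support it is refused."""
    root = ET.fromstring(request_xml)
    holders = [a for a in root.findall(f"{{{XACML}}}Attributes")
               if a.get("Category") == category]
    if len(holders) > 1:
        raise Indeterminate("duplicate <Attributes> Category; MDP not supported")
    bag = []
    for holder in holders:
        for attr in holder.findall(f"{{{XACML}}}Attribute"):
            if attr.get("AttributeId") != attribute_id:
                continue
            if issuer is not None and attr.get("Issuer") != issuer:
                continue  # designator without Issuer matches any issuer
            bag += [v.text for v in attr.findall(f"{{{XACML}}}AttributeValue")
                    if v.get("DataType") == datatype]
    return bag

def string_one_and_only(bag):
    """urn:oasis:names:tc:xacml:1.0:function:string-one-and-only: exactly one
    value, otherwise Indeterminate (a two-value bag is an error, not a pick)."""
    if len(bag) != 1:
        raise Indeterminate(f"one-and-only applied to a bag of {len(bag)} values")
    return bag[0]

def evaluate_rule3(request_xml):
    """Mirror rule3 of IIIA024: the subject-id string, or "Indeterminate"."""
    try:
        return string_one_and_only(designator(request_xml, SUBJECT_CAT, SUBJECT_ID, XSD_STRING))
    except Indeterminate:
        return "Indeterminate"
```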

