[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [xacml-users] Sample with matching attributes of subj and resource
> -----Original Message-----
> From: Seth.Proctor@Sun.COM [mailto:Seth.Proctor@Sun.COM]
> Sent: Wednesday, September 29, 2004 5:08 PM
> To: Kuketayev, Argyn
> Cc: xacml-users@lists.oasis-open.org
> Subject: Re: [xacml-users] Sample with matching attributes of subj and resource
>
> I'm a little puzzled by what you're trying to do here...my comments are
> inline. I'm fighting a nasty cold today, which is probably why I'm not
> getting it :)

Actually, u got everything right, imho.

> Kuketayev, Argyn wrote:
>
> > Thanks to Seth and Anne, I'm good now.
> >
> > Ok, finally, this one worked:
> >
> > ==================
> > <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
> >   <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
> >     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
> >       <SubjectAttributeDesignator
> >         AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
> >         DataType="http://www.w3.org/2001/XMLSchema#string"/>
> >     </Apply>
> >     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
> >       <ResourceAttributeDesignator
> >         AttributeId="owner-id"
> >         DataType="http://www.w3.org/2001/XMLSchema#string"/>
> >     </Apply>
> >   </Apply>
> > </Condition>
> > ==================
>
> That's a valid Condition, but of course the extra "or" function isn't
> needed, since "string-equal" returns a boolean, as you note in your next
> example...

Right, but this is just a fragment of my rule, which I used to test the construct. The real rule has several <Apply> elements in <Condition>, and the result should be OR'ed in this case.

[skip]

> ... but the tests only need to cover a Condition
> with a boolean function and some number of nested elements.

I understand that Condition is of the same type as Apply, according to the Policy schema. So, if we have a test with Apply and the "string-equal" function with two string arguments (which we have), then we should be fine with Condition and the "string-equal" function, if XACML was implemented in a reasonable way. On the other hand, it's still a different element, and a test wouldn't harm, imho. Anyways, I wouldn't insist that the test is necessary. It's just that I'm using CTs when I look for examples to create my policies. It's nice to have a lot of examples, that's really it for me.

> > Now, this one didn't work:
> > ==================
> > <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
> >   <SubjectAttributeDesignator
> >     AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
> >     DataType="http://www.w3.org/2001/XMLSchema#string"/>
> >   <ResourceAttributeDesignator
> >     AttributeId="owner-id"
> >     DataType="http://www.w3.org/2001/XMLSchema#string"/>
> > </Condition>
> > ==================
> >
> > SunXACML complained about illegal types. Debugging shows that the
> > string-equal func expects a single value, but gets a bag. So, the attr
> > designator returns a bag. Surprise for me.
>
> That's right. This shouldn't work. The spec is pretty clear that
> AttributeDesignators always return bags of values, even if there is only
> one (or none) matched values. This is why the *-one-and-only functions
> are provided.

I see, it's just so inconvenient to put these one-and-only everywhere. These are used often enough to think about how to get rid of them :)

Thanks,
Argyn
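An added example, not part of the thread and not SunXACML code: a small Python model of the bag semantics Seth describes, run over both Conditions quoted above. The function identifiers and element names are the ones from the thread; the request context (the subject-id and owner-id values) is constructed sample data, and the "Indeterminate" result on a type error is a simplification of what a real PDP reports.

```python
import xml.etree.ElementTree as ET

FN = "urn:oasis:names:tc:xacml:1.0:function:"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"

# Bags are modelled as Python lists; single values are plain strings.
def one_and_only(bag):
    if not isinstance(bag, list) or len(bag) != 1:
        raise TypeError("string-one-and-only needs a bag holding exactly one value")
    return bag[0]
def string_equal(a, b):
    if isinstance(a, list) or isinstance(b, list):
        raise TypeError("string-equal expects single values, got a bag")
    return a == b

FUNCTIONS = {FN + "string-one-and-only": one_and_only,
             FN + "string-equal": string_equal,
             FN + "or": lambda *args: any(args)}

def evaluate(elem, subject, resource):
    """Evaluate a <Condition>/<Apply> tree against subject/resource attribute dicts."""
    if elem.tag in ("Condition", "Apply"):
        fn = FUNCTIONS[elem.get("FunctionId")]
        return fn(*(evaluate(c, subject, resource) for c in elem))
    if elem.tag == "SubjectAttributeDesignator":   # designators always yield a bag
        return list(subject.get(elem.get("AttributeId"), []))
    if elem.tag == "ResourceAttributeDesignator":  # ...even when nothing matched
        return list(resource.get(elem.get("AttributeId"), []))
    raise ValueError("unsupported element: " + elem.tag)

def check(xml_text, subject, resource):
    try:  # a type error makes the Condition Indeterminate, as in a real PDP
        return evaluate(ET.fromstring(xml_text), subject, resource)
    except TypeError:
        return "Indeterminate"

# Constructed request context: the subject is the resource's owner.
SUBJECT = {SUBJECT_ID: ["argyn"]}
RESOURCE = {"owner-id": ["argyn"]}
# The working Condition from the thread: designators wrapped in string-one-and-only.
WORKING = f'''<Condition FunctionId="{FN}or"><Apply FunctionId="{FN}string-equal">
 <Apply FunctionId="{FN}string-one-and-only"><SubjectAttributeDesignator AttributeId="{SUBJECT_ID}" DataType="{XS_STRING}"/></Apply>
 <Apply FunctionId="{FN}string-one-and-only"><ResourceAttributeDesignator AttributeId="owner-id" DataType="{XS_STRING}"/></Apply>
</Apply></Condition>'''
# The failing Condition from the thread: bags passed straight to string-equal.
BROKEN = f'''<Condition FunctionId="{FN}string-equal">
 <SubjectAttributeDesignator AttributeId="{SUBJECT_ID}" DataType="{XS_STRING}"/>
 <ResourceAttributeDesignator AttributeId="owner-id" DataType="{XS_STRING}"/></Condition>'''
print(check(WORKING, SUBJECT, RESOURCE), check(BROKEN, SUBJECT, RESOURCE))  # True Indeterminate
```

Removing the owner-id attribute from the resource makes the working Condition Indeterminate as well, since string-one-and-only rejects the empty bag.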