
xacml-users message



Subject: Newbie - problem with regexp-string-match condition


Hi,

I am new to the list, and am trying to learn about XACML, but I've run into a problem with some simple testing, and I hope that someone here can help.

For testing, I had originally created a simple XACML policy file containing a rule with just a simple function:and, with two attributes, i.e.:

accesslevel=HIGH and location=USA.

After I got that original XACML working, then I extended it to include a function:not with a 3rd attribute, i.e.:

(accesslevel=HIGH and (location=USA and role <> BADGUY))

I actually got that 2nd version working, but I found a problem with it, because it was giving a PERMIT when the "role" attribute was empty (""), so I thought that I'd try to use a function:regexp-string-match, using a regular expression of ^BADGUY$.

The problem is that I can't seem to get this last test to work.

Here's my <Condition> with the function:regexp-string-match:

      <Condition>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">HIGH</AttributeValue>
            <EnvironmentAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="accesslevel" />
          </Apply>
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">USA</AttributeValue>
              <EnvironmentAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="location" />
            </Apply>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
              <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">^BADGUY$</AttributeValue>
                <EnvironmentAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="role" />
              </Apply>
            </Apply>
          </Apply>
        </Apply>
      </Condition>

Can anyone tell me what the problem might be with the above?

Thanks,
Jim
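
Added example, not part of the original post: regexp-string-match is defined over two single string arguments, while an attribute designator always evaluates to a bag, so the inner Apply above does not type-check. The sketch below assumes an XACML 2.0 PDP and uses the standard any-of higher-order function plus MustBePresent, neither of which appears in the post.

```xml
<!-- Added example: same Condition with the role test made type-correct. -->
<Condition>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">HIGH</AttributeValue>
      <EnvironmentAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="accesslevel" />
    </Apply>
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">USA</AttributeValue>
        <EnvironmentAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="location" />
      </Apply>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
        <!-- any-of applies the named function to the pattern and to each
             value in the bag; it is true if any single value matches. -->
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
          <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match" />
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">^BADGUY$</AttributeValue>
          <!-- MustBePresent="true": a request that carries no role attribute
               evaluates to Indeterminate here. With the default (false) the
               designator returns an empty bag, any-of is false, and not()
               turns that into true. -->
          <EnvironmentAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="role" MustBePresent="true" />
        </Apply>
      </Apply>
    </Apply>
  </Apply>
</Condition>
<!-- A role that is present but is the empty string does not match ^BADGUY$,
     so this negated test is still true for it, as it is for every value
     other than BADGUY. -->
```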

