OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml-users message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [xacml-users] Newbie - problem with regexp-string-matchcondition

Hi Nishen,

Thanks for responding.

My apologies, but I'm working with an appliance that has an embedded PEP and PDP, so I don't have direct access to the XACML request, and for various reasons, I can't post the entire XACML policy file.

Sorry :(!!

FYI, I did just notice something that I had missed in the appliance logs earlier, which might be pointing to the problem.  I am getting a warning that says (paraphrasing a little):

"Compilation warning: Illegal argument: incorrect type. Argument 2 should be of type string in call to function regexp-string-match, but instead it is of type bag of string"

I'm starting to think that whatever is in the appliance that is "compiling" the XACML policy file is having problems with the regular expression.

I am contacting the vendor to check on that, but in the meantime, does that section of the <Condition> look all right, or, at least "valid" (I'm not much of a regexp person either)?


---- Nishen Naidoo <nishen@melcoe.mq.edu.au> wrote: 
> Hi there,
> It seems you are using the 'EnvironmentAttributeDesignator' throughout. This
> would imply that the attributes are being sent through in the 'Environment'
> section of the XACML request. Just guessing from some of the names, I am
> assuming that this might not necessarily be the case?
> Would it be possible to see the full policy as well as the XACML request you
> are using as well?
> Thanks,
> Nish
> ________________________________
> Nishen Naidoo
> Research Coordinator
> Macquarie E-Learning Centre of Excellence (MELCOE)
> E-Mail: nishen@melcoe.mq.edu.au
> Phone:  +61 (0)2 98506531
> Mobile: +61 (0)4 30006783
> Fax:    +61 (0)2 98506527
> http://www.melcoe.mq.edu.au/
> CRICOS Provider No 00002J
> This message is intended for the addressee named and may contain
> confidential information. If you are not the intended recipient, please
> delete it and notify the sender. Views expressed in this message are those
> of the individual sender, and are not necessarily the views of MELCOE or
> Macquarie University.
> -----Original Message-----
> From: ohaya@cox.net [mailto:ohaya@cox.net] 
> Sent: Thursday, 14 February 2008 4:29 PM
> To: xacml-users@lists.oasis-open.org
> Subject: [xacml-users] Newbie - problem with regexp-string-match condition
> Hi,
> I am new to the list, and am trying to learn about XACML, but I've run into
> a problem with some simple testing, and I hope that someone here can help.
> For testing, I had originally created a simple XACML policy file containing
> a rule with just a simple function:and, with two attributes, i.e.:
> accesslevel=HIGH and location=USA.
> After  I got that original XACML working, then I extended it to include a
> function:not with a 3rd attribute, i.e.:
> (accesslevel=HIGH and (location=USA and role <> BADGUY))
> I actually got that 2nd version working, but I found a problem with it,
> because it was giving a PERMIT when the "role" attribute was empty (""), so
> I thought that I'd try to use a function:regexp-string-match, using a
> regular expression of ^BADGUY$.
> The problem is that I can't seem to get this last test to work.
> Here's my <Condition> with the function:regexp-string-match:
>       <Condition>
>         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
>           <Apply
> FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
>             <AttributeValue
> DataType="http://www.w3.org/2001/XMLSchema#string";>HIGH</AttributeValue>
>             <EnvironmentAttributeDesignator
> DataType="http://www.w3.org/2001/XMLSchema#string"; AttributeId="accesslevel"
> />
>           </Apply>
>           <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
>             <Apply
> FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
>               <AttributeValue
> DataType="http://www.w3.org/2001/XMLSchema#string";>USA</AttributeValue>
>               <EnvironmentAttributeDesignator
> DataType="http://www.w3.org/2001/XMLSchema#string"; AttributeId="location" />
>             </Apply>
>             <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
>               <Apply
> FunctionId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
>                 <AttributeValue
> DataType="http://www.w3.org/2001/XMLSchema#string";>^BADGUY$</AttributeValue>
>                 <EnvironmentAttributeDesignator
> DataType="http://www.w3.org/2001/XMLSchema#string"; AttributeId="role" />
>               </Apply>
>             </Apply>
>           </Apply>
>         </Apply>
>       </Condition>
> Can anyone tell me what the problem might be with the above?
> Thanks,
> Jim
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: xacml-users-unsubscribe@lists.oasis-open.org
> For additional commands, e-mail: xacml-users-help@lists.oasis-open.org

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]