xacml-users message



Subject: Re: [xacml-users] Newbie - problem with regexp-string-match condition


I haven't run it but I can't find regexp-string-match in XACML 2.0 OS. Is it string-regexp-match?

If the role value is "" or null, should it return "invalid" or "indeterminate"? :-) If it returns false, the result is a bit ambiguous???

Yoichi

--------------------------------------------------------------------------
Yoichi Takayama, PhD
Senior Research Fellow
RAMP Project
MELCOE (Macquarie E-Learning Centre of Excellence)
MACQUARIE UNIVERSITY

Postal address:
Dr Yoichi Takayama
MELCOE
E6A-248 Eastern Road
Macquarie University, NSW 2109
AUSTRALIA

Phone: +61 (0)2 9850 9073
Fax: +61 (0)2 9850 6527
www.mq.edu.au
www.melcoe.mq.edu.au/projects/RAMP/
--------------------------------------------------------------------------
MACQUARIE UNIVERSITY: CRICOS Provider No 00002J

This message is intended for the addressee named and may contain confidential information.  If you are not the intended recipient, please delete it and notify the sender. Views expressed in this message are those of the individual sender, and are not necessarily the views of Macquarie E-Learning Centre Of Excellence (MELCOE) or Macquarie University.

On 14/02/2008, at 5:36 PM, Craig Forster wrote:

Hi Jim,

I think the problem is that the "regexp-string-match" is expecting two
arguments of type string, but the EnvironmentAttributeDesignator is
returning a bag of strings.

Wrap the EnvironmentAttributeDesignator in an Apply with a FunctionId of
"urn:oasis:names:tc:xacml:1.0:function:string-one-and-only" and it should
work fine.

Alternatively, if there may be multiple roles that need to be compared you
should be able to use the "any-of" function to perform the regular
expression match on each element of the bag in turn.

Regards,
Craig

---------------------------------------------------------------
Craig Forster
Software Engineer | Australia Development Lab - Tivoli Gold Coast
---------------------------------------------------------------



From:    <ohaya@cox.net>
To:      xacml-users@lists.oasis-open.org
Date:    14/02/2008 16:32
Subject: RE: [xacml-users] Newbie - problem with regexp-string-match condition

Hi Nishen,

Thanks for responding.

My apologies, but I'm working with an appliance that has an embedded PEP
and PDP, so I don't have direct access to the XACML request, and for
various reasons, I can't post the entire XACML policy file.

Sorry :(!!

FYI, I did just notice something that I had missed in the appliance logs
earlier, which might be pointing to the problem.  I am getting a warning
that says (paraphrasing a little):

"Compilation warning: Illegal argument: incorrect type. Argument 2 should
be of type string in call to function regexp-string-match, but instead it
is of type bag of string"

I'm starting to think that whatever is in the appliance that is "compiling"
the XACML policy file is having problems with the regular expression.

I am contacting the vendor to check on that, but in the meantime, does that
section of the <Condition> look all right, or, at least "valid" (I'm not
much of a regexp person either)?

Jim


---- Nishen Naidoo <nishen@melcoe.mq.edu.au> wrote:
Hi there,

It seems you are using the 'EnvironmentAttributeDesignator' throughout.
This would imply that the attributes are being sent through in the
'Environment' section of the XACML request. Just guessing from some of the
names, I am assuming that this might not necessarily be the case?

Would it be possible to see the full policy as well as the XACML request
you are using as well?

Thanks,
Nish

________________________________

Nishen Naidoo
Research Coordinator
Macquarie E-Learning Centre of Excellence (MELCOE)
MACQUARIE UNIVERSITY NSW 2109


Phone:  +61 (0)2 98506531
Mobile: +61 (0)4 30006783
Fax:    +61 (0)2 98506527

CRICOS Provider No 00002J

This message is intended for the addressee named and may contain
confidential information. If you are not the intended recipient, please
delete it and notify the sender. Views expressed in this message are those
of the individual sender, and are not necessarily the views of MELCOE or
Macquarie University.

-----Original Message-----
From: ohaya@cox.net [mailto:ohaya@cox.net]
Sent: Thursday, 14 February 2008 4:29 PM
Subject: [xacml-users] Newbie - problem with regexp-string-match condition

Hi,

I am new to the list, and am trying to learn about XACML, but I've run into
a problem with some simple testing, and I hope that someone here can help.

For testing, I had originally created a simple XACML policy file containing
a rule with just a simple function:and, with two attributes, i.e.:

accesslevel=HIGH and location=USA.

After I got that original XACML working, then I extended it to include a
function:not with a 3rd attribute, i.e.:

(accesslevel=HIGH and (location=USA and role <> BADGUY))

I actually got that 2nd version working, but I found a problem with it,
because it was giving a PERMIT when the "role" attribute was empty (""), so
I thought that I'd try to use a function:regexp-string-match, using a
regular expression of ^BADGUY$.

The problem is that I can't seem to get this last test to work.

Here's my <Condition> with the function:regexp-string-match:

      <Condition>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">HIGH</AttributeValue>
            <EnvironmentAttributeDesignator AttributeId="accesslevel" />
          </Apply>
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">USA</AttributeValue>
              <EnvironmentAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="location" />
            </Apply>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
              <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">^BADGUY$</AttributeValue>
                <EnvironmentAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="role" />
              </Apply>
            </Apply>
          </Apply>
        </Apply>
      </Condition>

Can anyone tell me what the problem might be with the above?

Thanks,
Jim

---------------------------------------------------------------------
For additional commands, e-mail: xacml-users-help@lists.oasis-open.org
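
An added example, not part of the original thread and not any PDP's or vendor's code: a simplified Python model of the bag handling discussed above, comparing the condition as posted with the string-one-and-only and any-of variants Craig suggests. The function names, the Indeterminate class and the sample environments are constructed for illustration; Python's re module stands in for the XACML regular-expression dialect, and a missing attribute is assumed to arrive as an empty bag.

```python
import re

PATTERN = r"^BADGUY$"  # regular expression from the posted <Condition>

class Indeterminate(Exception):
    """Stands in for an XACML Indeterminate (evaluation error) result."""

def regexp_match(pattern, value):
    # The function takes two single strings; a bag as argument 2 is a type error.
    if not isinstance(value, str):
        raise Indeterminate("argument 2 must be a string, not a bag of strings")
    return re.search(pattern, value) is not None

def string_one_and_only(bag):
    # Unwraps a bag holding exactly one value; anything else is an error.
    if len(bag) != 1:
        raise Indeterminate(f"expected exactly one value, got {len(bag)}")
    return bag[0]

def any_of(func, arg, bag):
    # True if func(arg, element) holds for at least one element; False for an empty bag.
    return any(func(arg, element) for element in bag)

# Three ways to test the "role" bag (names are hypothetical).
ROLE_CHECKS = {
    "as_posted": lambda bag: regexp_match(PATTERN, bag),
    "one_and_only": lambda bag: regexp_match(PATTERN, string_one_and_only(bag)),
    "any_of": lambda bag: any_of(regexp_match, PATTERN, bag),
}

def evaluate(env, check):
    """Evaluate the condition; a missing attribute is modelled as an empty bag."""
    try:
        result = ("HIGH" in env.get("accesslevel", [])
                  and "USA" in env.get("location", [])
                  and not ROLE_CHECKS[check](env.get("role", [])))
        return "True" if result else "False"
    except Indeterminate:
        return "Indeterminate"

def env_with(*roles):
    # Constructed sample environment; only the role bag varies.
    return {"accesslevel": ["HIGH"], "location": ["USA"], "role": list(roles)}

if __name__ == "__main__":
    for roles in (["ADMIN"], ["BADGUY"], [""], [], ["USER", "BADGUY"]):
        print(roles, {name: evaluate(env_with(*roles), name) for name in ROLE_CHECKS})
```

In this model an empty role string still satisfies the negated match under both variants, and with any-of a missing role (empty bag) satisfies it as well, while string-one-and-only turns a missing or multi-valued role into Indeterminate.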


