Subject: Re: [xacml-users] Newbie - problem with regexp-string-match condition
Yoichi,

I believe that it's "regexp-string-match" per A.3.13 from the specification?

As to your other question, I'm probably too new at this to speak, but it seems to me that if the regexp returns a match (so the function:not then returns a 'false'), and the Condition was function:and, that it should return a Deny?

Jim

---- Yoichi Takayama <yoichi@melcoe.mq.edu.au> wrote:
> I haven't run it but I can't find regexp-string-match in XACML 2.0
> OS. Is it string-regexp-match?
>
> If the role value is "" or null, should it return "invalid" or
> "indeterminate"? :-) if it returns false, the result is a bit
> ambiguous???
>
> Yoichi
>
> --------------------------------------------------------------------------
> Yoichi Takayama, PhD
> Senior Research Fellow
> RAMP Project
> MELCOE (Macquarie E-Learning Centre of Excellence)
> MACQUARIE UNIVERSITY
>
> Postal address:
> Dr Yoichi Takayama
> MELCOE
> E6A-248 Eastern Road
> Macquarie University, NSW 2109
> AUSTRALIA
>
> Phone: +61 (0)2 9850 9073
> Fax: +61 (0)2 9850 6527
> www.mq.edu.au
> www.melcoe.mq.edu.au/projects/RAMP/
> --------------------------------------------------------------------------
> MACQUARIE UNIVERSITY: CRICOS Provider No 00002J
>
> This message is intended for the addressee named and may contain
> confidential information. If you are not the intended recipient,
> please delete it and notify the sender. Views expressed in this
> message are those of the individual sender, and are not necessarily
> the views of Macquarie E-Learning Centre Of Excellence (MELCOE) or
> Macquarie University.
>
> On 14/02/2008, at 5:36 PM, Craig Forster wrote:
>
> > Hi Jim,
> >
> > I think the problem is that the "regexp-string-match" is expecting two
> > arguments of type string, but the EnvironmentAttributeDesignator is
> > returning a bag of strings.
> >
> > Wrap the EnvironmentAttributeDesignator in an Apply with a FunctionId of
> > "urn:oasis:names:tc:xacml:1.0:function:string-one-and-only" and it should
> > work fine.
> >
> > Alternatively, if there may be multiple roles that need to be compared you
> > should be able to use the "any-of" function to perform the regular
> > expression match on each element of the bag in turn.
> >
> > Regards,
> > Craig
> >
> > ---------------------------------------------------------------
> > Craig Forster
> > Software Engineer | Australia Development Lab - Tivoli Gold Coast
> > Blog | http://blogs.tap.ibm.com/weblogs/craigforster/
> > Argus | https://w3.webahead.ibm.com/w3ki/display/commonauthz/Home
> > ---------------------------------------------------------------
> >
> > From: <ohaya@cox.net>
> > To: xacml-users@lists.oasis-open.org
> > Date: 14/02/2008 16:32
> > Subject: RE: [xacml-users] Newbie - problem with regexp-string-match condition
> >
> > Hi Nishen,
> >
> > Thanks for responding.
> >
> > My apologies, but I'm working with an appliance that has an embedded PEP
> > and PDP, so I don't have direct access to the XACML request, and for
> > various reasons, I can't post the entire XACML policy file.
> >
> > Sorry :(!!
> >
> > FYI, I did just notice something that I had missed in the appliance logs
> > earlier, which might be pointing to the problem. I am getting a warning
> > that says (paraphrasing a little):
> >
> > "Compilation warning: Illegal argument: incorrect type. Argument 2 should
> > be of type string in call to function regexp-string-match, but instead it
> > is of type bag of string"
> >
> > I'm starting to think that whatever is in the appliance that is "compiling"
> > the XACML policy file is having problems with the regular expression.
> >
> > I am contacting the vendor to check on that, but in the meantime, does that
> > section of the <Condition> look all right, or, at least "valid" (I'm not
> > much of a regexp person either)?
> >
> > Jim
> >
> > ---- Nishen Naidoo <nishen@melcoe.mq.edu.au> wrote:
> >> Hi there,
> >>
> >> It seems you are using the 'EnvironmentAttributeDesignator' throughout. This
> >> would imply that the attributes are being sent through in the 'Environment'
> >> section of the XACML request. Just guessing from some of the names, I am
> >> assuming that this might not necessarily be the case?
> >>
> >> Would it be possible to see the full policy as well as the XACML request you
> >> are using as well?
> >>
> >> Thanks,
> >> Nish
> >>
> >> ________________________________
> >>
> >> Nishen Naidoo
> >> Research Coordinator
> >> Macquarie E-Learning Centre of Excellence (MELCOE)
> >> MACQUARIE UNIVERSITY NSW 2109
> >>
> >> E-Mail: nishen@melcoe.mq.edu.au
> >> Phone: +61 (0)2 98506531
> >> Mobile: +61 (0)4 30006783
> >> Fax: +61 (0)2 98506527
> >> http://www.melcoe.mq.edu.au/
> >>
> >> CRICOS Provider No 00002J
> >>
> >> This message is intended for the addressee named and may contain
> >> confidential information. If you are not the intended recipient, please
> >> delete it and notify the sender. Views expressed in this message are those
> >> of the individual sender, and are not necessarily the views of MELCOE or
> >> Macquarie University.
> >>
> >> -----Original Message-----
> >> From: ohaya@cox.net [mailto:ohaya@cox.net]
> >> Sent: Thursday, 14 February 2008 4:29 PM
> >> To: xacml-users@lists.oasis-open.org
> >> Subject: [xacml-users] Newbie - problem with regexp-string-match condition
> >>
> >> Hi,
> >>
> >> I am new to the list, and am trying to learn about XACML, but I've run into
> >> a problem with some simple testing, and I hope that someone here can help.
> >>
> >> For testing, I had originally created a simple XACML policy file containing
> >> a rule with just a simple function:and, with two attributes, i.e.:
> >>
> >> accesslevel=HIGH and location=USA.
> >>
> >> After I got that original XACML working, then I extended it to include a
> >> function:not with a 3rd attribute, i.e.:
> >>
> >> (accesslevel=HIGH and (location=USA and role <> BADGUY))
> >>
> >> I actually got that 2nd version working, but I found a problem with it,
> >> because it was giving a PERMIT when the "role" attribute was empty (""), so
> >> I thought that I'd try to use a function:regexp-string-match, using a
> >> regular expression of ^BADGUY$.
> >>
> >> The problem is that I can't seem to get this last test to work.
> >>
> >> Here's my <Condition> with the function:regexp-string-match:
> >>
> >> <Condition>
> >>   <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
> >>     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
> >>       <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">HIGH</AttributeValue>
> >>       <EnvironmentAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="accesslevel" />
> >>     </Apply>
> >>     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
> >>       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
> >>         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">USA</AttributeValue>
> >>         <EnvironmentAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="location" />
> >>       </Apply>
> >>       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
> >>         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
> >>           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">^BADGUY$</AttributeValue>
> >>           <EnvironmentAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="role" />
> >>         </Apply>
> >>       </Apply>
> >>     </Apply>
> >>   </Apply>
> >> </Condition>
> >>
> >> Can anyone tell me what the problem might be with the above?
> >>
> >> Thanks,
> >> Jim
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: xacml-users-unsubscribe@lists.oasis-open.org
> >> For additional commands, e-mail: xacml-users-help@lists.oasis-open.org
> >>
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: xacml-users-unsubscribe@lists.oasis-open.org
> > For additional commands, e-mail: xacml-users-help@lists.oasis-open.org
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: xacml-users-unsubscribe@lists.oasis-open.org
> > For additional commands, e-mail: xacml-users-help@lists.oasis-open.org
> >