
xacml-users message



Subject: Re: [xacml-users] Newbie - problem with regexp-string-match condition


Yoichi,

I believe that it's "regexp-string-match" per A.3.13 from the specification?

As to your other question, I'm probably too new at this to speak, but it seems to me that if the regexp returns a match (so the function:not then returns a 'false'), and the Condition was function:and, that it should return a Deny?

Jim



---- Yoichi Takayama <yoichi@melcoe.mq.edu.au> wrote: 
> I haven't run it but I can't find regexp-string-match in XACML 2.0  
> OS. Is it string-regexp-match?
> 
> If the role value is "" or null, should it return "invalid" or  
> "indeterminate"? :-) if it returns false, the result is a bit  
> ambiguous???
> 
> Yoichi
> 
> ------------------------------------------------------------------------ 
> --
> Yoichi Takayama, PhD
> Senior Research Fellow
> RAMP Project
> MELCOE (Macquarie E-Learning Centre of Excellence)
> MACQUARIE UNIVERSITY
> 
> On 14/02/2008, at 5:36 PM, Craig Forster wrote:
> 
> > Hi Jim,
> >
> > I think the problem is that the "regexp-string-match" is expecting two
> > arguments of type string, but the EnvironmentAttributeDesignator is
> > returning a bag of strings.
> >
> > Wrap the EnvironmentAttributeDesignator in an Apply with a FunctionId of
> > "urn:oasis:names:tc:xacml:1.0:function:string-one-and-only" and it should
> > work fine.
> >
> > Alternatively, if there may be multiple roles that need to be compared you
> > should be able to use the "any-of" function to perform the regular
> > expression match on each element of the bag in turn.
> >
> > Regards,
> > Craig
> >
> > ---------------------------------------------------------------
> > Craig Forster
> > Software Engineer | Australia Development Lab - Tivoli Gold Coast
> > Blog | http://blogs.tap.ibm.com/weblogs/craigforster/
> > Argus | https://w3.webahead.ibm.com/w3ki/display/commonauthz/Home
> > ---------------------------------------------------------------
> >
> >
> >
> >   From:       <ohaya@cox.net>
> >   To:         xacml-users@lists.oasis-open.org
> >   Date:       14/02/2008 16:32
> >   Subject:    RE: [xacml-users] Newbie - problem with regexp-string-match condition
> >
> > Hi Nishen,
> >
> > Thanks for responding.
> >
> > My apologies, but I'm working with an appliance that has an embedded PEP
> > and PDP, so I don't have direct access to the XACML request, and for
> > various reasons, I can't post the entire XACML policy file.
> >
> > Sorry :(!!
> >
> > FYI, I did just notice something that I had missed in the appliance logs
> > earlier, which might be pointing to the problem.  I am getting a warning
> > that says (paraphrasing a little):
> >
> > "Compilation warning: Illegal argument: incorrect type. Argument 2 should
> > be of type string in call to function regexp-string-match, but instead it
> > is of type bag of string"
> >
> > I'm starting to think that whatever is in the appliance that is "compiling"
> > the XACML policy file is having problems with the regular expression.
> >
> > I am contacting the vendor to check on that, but in the meantime, does that
> > section of the <Condition> look all right, or, at least "valid" (I'm not
> > much of a regexp person either)?
> >
> > Jim
> >
> >
> > ---- Nishen Naidoo <nishen@melcoe.mq.edu.au> wrote:
> >> Hi there,
> >>
> >> It seems you are using the 'EnvironmentAttributeDesignator' throughout. This
> >> would imply that the attributes are being sent through in the 'Environment'
> >> section of the XACML request. Just guessing from some of the names, I am
> >> assuming that this might not necessarily be the case?
> >>
> >> Would it be possible to see the full policy as well as the XACML request you
> >> are using as well?
> >>
> >> Thanks,
> >> Nish
> >>
> >> ________________________________
> >>
> >> Nishen Naidoo
> >> Research Coordinator
> >> Macquarie E-Learning Centre of Excellence (MELCOE)
> >> MACQUARIE UNIVERSITY NSW 2109
> >>
> >> -----Original Message-----
> >> From: ohaya@cox.net [mailto:ohaya@cox.net]
> >> Sent: Thursday, 14 February 2008 4:29 PM
> >> To: xacml-users@lists.oasis-open.org
> >> Subject: [xacml-users] Newbie - problem with regexp-string-match condition
> >>
> >> Hi,
> >>
> >> I am new to the list, and am trying to learn about XACML, but I've run into
> >> a problem with some simple testing, and I hope that someone here can help.
> >>
> >> For testing, I had originally created a simple XACML policy file containing
> >> a rule with just a simple function:and, with two attributes, i.e.:
> >>
> >> accesslevel=HIGH and location=USA.
> >>
> >> After I got that original XACML working, then I extended it to include a
> >> function:not with a 3rd attribute, i.e.:
> >>
> >> (accesslevel=HIGH and (location=USA and role <> BADGUY))
> >>
> >> I actually got that 2nd version working, but I found a problem with it,
> >> because it was giving a PERMIT when the "role" attribute was empty (""), so
> >> I thought that I'd try to use a function:regexp-string-match, using a
> >> regular expression of ^BADGUY$.
> >>
> >> The problem is that I can't seem to get this last test to work.
> >>
> >> Here's my <Condition> with the function:regexp-string-match:
> >>
> >>       <Condition>
> >>         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
> >>           <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
> >>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">HIGH</AttributeValue>
> >>             <EnvironmentAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="accesslevel" />
> >>           </Apply>
> >>           <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
> >>             <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
> >>               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">USA</AttributeValue>
> >>               <EnvironmentAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="location" />
> >>             </Apply>
> >>             <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
> >>               <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
> >>                 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">^BADGUY$</AttributeValue>
> >>                 <EnvironmentAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="role" />
> >>               </Apply>
> >>             </Apply>
> >>           </Apply>
> >>         </Apply>
> >>       </Condition>
> >>
> >> Can anyone tell me what the problem might be with the above?
> >>
> >> Thanks,
> >> Jim
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: xacml-users-unsubscribe@lists.oasis-open.org
> >> For additional commands, e-mail: xacml-users-help@lists.oasis-open.org
> >>
> >
> >
> >
> 
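
The bag-versus-string point discussed in this thread, as an added Python sketch (not code from any poster, the appliance, or a XACML implementation): it models `regexp-string-match`, `string-one-and-only` and `any-of` with hypothetical helper names and constructed role bags, and compares the negated role test as posted with the two suggested forms. Modelling the type error as Indeterminate and an absent attribute as an empty bag are assumptions of the sketch.

```python
import re

class Indeterminate(Exception):
    """Models an XACML Indeterminate result (evaluation error)."""

def regexp_string_match(pattern, value):
    # Takes two plain strings; passing a bag is the type error that the
    # appliance's compilation warning reports for argument 2.
    if not isinstance(pattern, str) or not isinstance(value, str):
        raise Indeterminate("regexp-string-match needs two string arguments")
    return re.search(pattern, value) is not None

def string_one_and_only(bag):
    # Exactly one value in the bag, otherwise Indeterminate.
    if len(bag) != 1:
        raise Indeterminate(f"bag has {len(bag)} values, expected 1")
    return bag[0]

def any_of(func, value, bag):
    # True if func(value, x) holds for at least one x; False for an empty bag.
    return any(func(value, x) for x in bag)

def evaluate(expr, roles):
    """Return 'True', 'False' or 'Indeterminate' for one role expression."""
    try:
        return str(expr(roles))
    except Indeterminate:
        return "Indeterminate"

PATTERN = "^BADGUY$"

# The negated role test in three shapes: as posted, and the two suggestions.
def as_posted(roles):
    return not regexp_string_match(PATTERN, roles)

def one_and_only(roles):
    return not regexp_string_match(PATTERN, string_one_and_only(roles))

def with_any_of(roles):
    return not any_of(regexp_string_match, PATTERN, roles)

# Constructed role bags: single role, empty string, absent, multiple roles.
SAMPLES = [["BADGUY"], ["USER"], [""], [], ["USER", "BADGUY"]]

def table():
    """Map each sample bag to (as_posted, one_and_only, with_any_of)."""
    return {tuple(r): tuple(evaluate(f, r) for f in (as_posted, one_and_only, with_any_of))
            for r in SAMPLES}

if __name__ == "__main__":
    for roles, results in table().items():
        print(list(roles), results)
```

In this model a role of `""` still satisfies the negated test in both corrected forms, and an absent role satisfies it under `any-of` but is Indeterminate under `string-one-and-only`.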


