Subject: RE: [xacml-users] Newbie - problem with regexp-string-match condition
Hi All,

For the record, and to close off this thread, I wanted to report that Craig's suggestion of wrapping the EnvironmentAttributeDesignator in an Apply worked for me.

Thanks to all who responded, and esp. to Craig!

Jim

---- Craig Forster <cforster@au1.ibm.com> wrote:
> Hi Jim,
>
> I think the problem is that the "regexp-string-match" is expecting two
> arguments of type string, but the EnvironmentAttributeDesignator is
> returning a bag of strings.
>
> Wrap the EnvironmentAttributeDesignator in an Apply with a FunctionId of
> "urn:oasis:names:tc:xacml:1.0:function:string-one-and-only" and it should
> work fine.
>
> Alternatively, if there may be multiple roles that need to be compared you
> should be able to use the "any-of" function to perform the regular
> expression match on each element of the bag in turn.
>
> Regards,
> Craig
>
> ---------------------------------------------------------------
> Craig Forster
> Software Engineer | Australia Development Lab - Tivoli Gold Coast
> ---------------------------------------------------------------
>
> From: <ohaya@cox.net>
> To: xacml-users@lists.oasis-open.org
> Date: 14/02/2008 16:32
> Subject: RE: [xacml-users] Newbie - problem with regexp-string-match condition
>
> Hi Nishen,
>
> Thanks for responding.
>
> My apologies, but I'm working with an appliance that has an embedded PEP
> and PDP, so I don't have direct access to the XACML request, and for
> various reasons, I can't post the entire XACML policy file.
>
> Sorry :(!!
>
> FYI, I did just notice something that I had missed in the appliance logs
> earlier, which might be pointing to the problem. I am getting a warning
> that says (paraphrasing a little):
>
> "Compilation warning: Illegal argument: incorrect type. Argument 2 should
> be of type string in call to function regexp-string-match, but instead it
> is of type bag of string"
>
> I'm starting to think that whatever is in the appliance that is "compiling"
> the XACML policy file is having problems with the regular expression.
>
> I am contacting the vendor to check on that, but in the meantime, does that
> section of the <Condition> look all right, or, at least "valid" (I'm not
> much of a regexp person either)?
>
> Jim
>
> ---- Nishen Naidoo <nishen@melcoe.mq.edu.au> wrote:
> > Hi there,
> >
> > It seems you are using the 'EnvironmentAttributeDesignator' throughout.
> > This would imply that the attributes are being sent through in the
> > 'Environment' section of the XACML request. Just guessing from some of
> > the names, I am assuming that this might not necessarily be the case?
> >
> > Would it be possible to see the full policy as well as the XACML request
> > you are using as well?
> >
> > Thanks,
> > Nish
> >
> > Nishen Naidoo
> > Research Coordinator
> > Macquarie E-Learning Centre of Excellence (MELCOE)
> > MACQUARIE UNIVERSITY NSW 2109
> >
> > -----Original Message-----
> > From: ohaya@cox.net [mailto:ohaya@cox.net]
> > Sent: Thursday, 14 February 2008 4:29 PM
> > To: xacml-users@lists.oasis-open.org
> > Subject: [xacml-users] Newbie - problem with regexp-string-match condition
> >
> > Hi,
> >
> > I am new to the list, and am trying to learn about XACML, but I've run
> > into a problem with some simple testing, and I hope that someone here can
> > help.
> >
> > For testing, I had originally created a simple XACML policy file
> > containing a rule with just a simple function:and, with two attributes,
> > i.e.:
> >
> > accesslevel=HIGH and location=USA.
> >
> > After I got that original XACML working, then I extended it to include a
> > function:not with a 3rd attribute, i.e.:
> >
> > (accesslevel=HIGH and (location=USA and role <> BADGUY))
> >
> > I actually got that 2nd version working, but I found a problem with it,
> > because it was giving a PERMIT when the "role" attribute was empty (""),
> > so I thought that I'd try to use a function:regexp-string-match, using a
> > regular expression of ^BADGUY$.
> >
> > The problem is that I can't seem to get this last test to work.
> >
> > Here's my <Condition> with the function:regexp-string-match:
> >
> > <Condition>
> >   <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
> >     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
> >       <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">HIGH</AttributeValue>
> >       <EnvironmentAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="accesslevel" />
> >     </Apply>
> >     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
> >       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
> >         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">USA</AttributeValue>
> >         <EnvironmentAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="location" />
> >       </Apply>
> >       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
> >         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
> >           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">^BADGUY$</AttributeValue>
> >           <EnvironmentAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="role" />
> >         </Apply>
> >       </Apply>
> >     </Apply>
> >   </Apply>
> > </Condition>
> >
> > Can anyone tell me what the problem might be with the above?
> >
> > Thanks,
> > Jim
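
The fix described in this thread, applied to the <Condition> from the original post. This is an added example, not code posted by any participant; it assumes XACML 2.0 syntax (the <Function> element in the any-of variant) and omits namespace declarations as the original post did.

```xml
<!-- Variant 1: string-one-and-only converts the bag returned by the
     designator into the single string that regexp-string-match expects.
     It evaluates to Indeterminate if the bag holds zero or several values. -->
<Condition>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">HIGH</AttributeValue>
      <EnvironmentAttributeDesignator
          DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="accesslevel"/>
    </Apply>
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">USA</AttributeValue>
        <EnvironmentAttributeDesignator
            DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="location"/>
      </Apply>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">^BADGUY$</AttributeValue>
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
            <EnvironmentAttributeDesignator
                DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="role"/>
          </Apply>
        </Apply>
      </Apply>
    </Apply>
  </Apply>
</Condition>

<!-- Variant 2: replacement for the inner "not" block when "role" may carry
     several values. any-of applies regexp-string-match(pattern, element) to
     each element of the bag and is true if any element matches.
     any-of over an empty bag is false, so not(...) is true when "role" is
     absent; MustBePresent="true" makes a missing attribute Indeterminate
     instead of letting the check pass. -->
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
    <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match"/>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">^BADGUY$</AttributeValue>
    <EnvironmentAttributeDesignator
        DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="role"
        MustBePresent="true"/>
  </Apply>
</Apply>
```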