xacml-users message



Subject: RE: [xacml-users] Newbie - problem with regexp-string-match condition


Hi All,

For the record, and to close off this thread, I wanted to report that Craig's suggestion of wrapping the EnvironmentAttributeDesignator in an Apply worked for me.

Thanks to all who responded, and esp. to Craig!

Jim



---- Craig Forster <cforster@au1.ibm.com> wrote: 
> Hi Jim,
> 
> I think the problem is that the "regexp-string-match" is expecting two
> arguments of type string, but the EnvironmentAttributeDesignator is
> returning a bag of strings.
> 
> Wrap the EnvironmentAttributeDesignator in an Apply with a FunctionId of
> "urn:oasis:names:tc:xacml:1.0:function:string-one-and-only" and it should
> work fine.
> 
> Alternatively, if there may be multiple roles that need to be compared you
> should be able to use the "any-of" function to perform the regular
> expression match on each element of the bag in turn.
> 
> Regards,
> Craig
> 
> ---------------------------------------------------------------
> Craig Forster
> Software Engineer | Australia Development Lab - Tivoli Gold Coast
> Blog | http://blogs.tap.ibm.com/weblogs/craigforster/
> Argus | https://w3.webahead.ibm.com/w3ki/display/commonauthz/Home
> ---------------------------------------------------------------
> 
> 
>   From:       <ohaya@cox.net>
>   To:         xacml-users@lists.oasis-open.org
>   Date:       14/02/2008 16:32
>   Subject:    RE: [xacml-users] Newbie - problem with regexp-string-match condition
> 
> 
> 
> 
> 
> Hi Nishen,
> 
> Thanks for responding.
> 
> My apologies, but I'm working with an appliance that has an embedded PEP
> and PDP, so I don't have direct access to the XACML request, and for
> various reasons, I can't post the entire XACML policy file.
> 
> Sorry :(!!
> 
> FYI, I did just notice something that I had missed in the appliance logs
> earlier, which might be pointing to the problem.  I am getting a warning
> that says (paraphrasing a little):
> 
> "Compilation warning: Illegal argument: incorrect type. Argument 2 should
> be of type string in call to function regexp-string-match, but instead it
> is of type bag of string"
> 
> I'm starting to think that whatever is in the appliance that is "compiling"
> the XACML policy file is having problems with the regular expression.
> 
> I am contacting the vendor to check on that, but in the meantime, does that
> section of the <Condition> look all right, or, at least "valid" (I'm not
> much of a regexp person either)?
> 
> Jim
> 
> 
> ---- Nishen Naidoo <nishen@melcoe.mq.edu.au> wrote:
> > Hi there,
> >
> > It seems you are using the 'EnvironmentAttributeDesignator' throughout. This
> > would imply that the attributes are being sent through in the 'Environment'
> > section of the XACML request. Just guessing from some of the names, I am
> > assuming that this might not necessarily be the case?
> >
> > Would it be possible to see the full policy as well as the XACML request you
> > are using as well?
> >
> > Thanks,
> > Nish
> >
> > ________________________________
> >
> > Nishen Naidoo
> > Research Coordinator
> > Macquarie E-Learning Centre of Excellence (MELCOE)
> > MACQUARIE UNIVERSITY NSW 2109
> >
> >
> > E-Mail: nishen@melcoe.mq.edu.au
> > Phone:  +61 (0)2 98506531
> > Mobile: +61 (0)4 30006783
> > Fax:    +61 (0)2 98506527
> > http://www.melcoe.mq.edu.au/
> >
> > CRICOS Provider No 00002J
> >
> > This message is intended for the addressee named and may contain
> > confidential information. If you are not the intended recipient, please
> > delete it and notify the sender. Views expressed in this message are those
> > of the individual sender, and are not necessarily the views of MELCOE or
> > Macquarie University.
> > -----Original Message-----
> > From: ohaya@cox.net [mailto:ohaya@cox.net]
> > Sent: Thursday, 14 February 2008 4:29 PM
> > To: xacml-users@lists.oasis-open.org
> > Subject: [xacml-users] Newbie - problem with regexp-string-match condition
> >
> > Hi,
> >
> > I am new to the list, and am trying to learn about XACML, but I've run into
> > a problem with some simple testing, and I hope that someone here can help.
> >
> > For testing, I had originally created a simple XACML policy file containing
> > a rule with just a simple function:and, with two attributes, i.e.:
> >
> > accesslevel=HIGH and location=USA.
> >
> > After I got that original XACML working, then I extended it to include a
> > function:not with a 3rd attribute, i.e.:
> >
> > (accesslevel=HIGH and (location=USA and role <> BADGUY))
> >
> > I actually got that 2nd version working, but I found a problem with it,
> > because it was giving a PERMIT when the "role" attribute was empty (""), so
> > I thought that I'd try to use a function:regexp-string-match, using a
> > regular expression of ^BADGUY$.
> >
> > The problem is that I can't seem to get this last test to work.
> >
> > Here's my <Condition> with the function:regexp-string-match:
> >
> >       <Condition>
> >         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
> >           <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
> >             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">HIGH</AttributeValue>
> >             <EnvironmentAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="accesslevel" />
> >           </Apply>
> >           <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
> >             <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
> >               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">USA</AttributeValue>
> >               <EnvironmentAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="location" />
> >             </Apply>
> >             <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
> >               <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
> >                 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">^BADGUY$</AttributeValue>
> >                 <EnvironmentAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="role" />
> >               </Apply>
> >             </Apply>
> >           </Apply>
> >         </Apply>
> >       </Condition>
> >
> > Can anyone tell me what the problem might be with the above?
> >
> > Thanks,
> > Jim
> >
> 
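
Added example, not part of the original thread: a minimal static type check in Python over the role clause from Jim's condition, reproducing the appliance's "bag of string" warning and showing that Craig's string-one-and-only wrapper clears it. The SIGNATURES table, the sample XML strings and the names type_of and check are constructed for this illustration and cover only the functions that appear in the thread.

```python
import xml.etree.ElementTree as ET

FN = "urn:oasis:names:tc:xacml:1.0:function:"
XS = "http://www.w3.org/2001/XMLSchema#string"

# Parameter and return types of the functions used in the thread;
# "bag" means bag of strings, None means any number of booleans.
SIGNATURES = {
    "and": (None, "boolean"),
    "not": (["boolean"], "boolean"),
    "string-is-in": (["string", "bag"], "boolean"),
    "regexp-string-match": (["string", "string"], "boolean"),
    "string-one-and-only": (["bag"], "string"),
}

# Constructed sample: the role clause from the thread, unwrapped and wrapped.
ROLE = f'<EnvironmentAttributeDesignator DataType="{XS}" AttributeId="role"/>'
CLAUSE = f"""<Apply FunctionId="{FN}not">
  <Apply FunctionId="{FN}regexp-string-match">
    <AttributeValue DataType="{XS}">^BADGUY$</AttributeValue>
    %s
  </Apply>
</Apply>"""
BROKEN = CLAUSE % ROLE
FIXED = CLAUSE % f'<Apply FunctionId="{FN}string-one-and-only">{ROLE}</Apply>'


def type_of(node, warnings):
    """Return the static type of an expression node, recording mismatches."""
    if node.tag == "AttributeValue":
        return "string"  # every literal in the thread is a string
    if node.tag.endswith("AttributeDesignator"):
        return "bag"     # a designator always yields a bag, even for one value
    name = node.get("FunctionId")[len(FN):]
    params, result = SIGNATURES[name]
    args = [type_of(child, warnings) for child in node]
    for i, (want, got) in enumerate(zip(params or ["boolean"] * len(args), args), 1):
        if want != got:
            warnings.append(f"{name}: argument {i} should be {want}, got {got}")
    return result


def check(xml_text):
    """Type-check one expression and return the list of warnings."""
    warnings = []
    type_of(ET.fromstring(xml_text), warnings)
    return warnings


if __name__ == "__main__":
    print(check(BROKEN))  # the mismatch the appliance log reported
    print(check(FIXED))   # no warnings once the designator is wrapped
```

string-one-and-only evaluates to Indeterminate when the bag does not hold exactly one value, so it is worth testing how the PDP decides a request that carries no role attribute or several role values.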


