OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml-users message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: XACML 2.0 Conformance Tests Questions


I've a question about XACML 2.0 conformance tests that
are published here:

This test suite is a great asset for those who wants
to evaluate their PDP implementations. I found/fixed a
great many bugs in my own XACMLight
implementation, however there are few tests from
mandatory suite that I want to ask you about. They

1. IIA002Request.xml
2. IIB010Request.xml
3. IIB021Request.xml
4. IIB028Request.xml
5. IIB037Request.xml

For #1 the suggested decision is Permit, but I think
that it should be "NotApplicable":
SubjectAttributeDesignator must return empty bag
because there is no attribute with *role ID in the
request. It means that there is no match for subject.

In #4 and #2 the multiple subjects are used in the
request. When I read XACML 2.0's section 2.4, I got an
impression that if multiple subjects are provided in
request, ALL of them must be evaluated and matched
against a SubjectMatch in the policy, because access
is granted to all of them or to none of them. In #4
and #2 only one subject is matched against target, but
suggested response for both cases is "Permit". I think
it should be "NotApplicable" in both cases.

in #5 and #3 the <Condition> is missing. According to
XACML 2.0 the rule with missing condition should be
evaluated to "true". Since Target is matched by
request in both cases the decision should be "Permit",
but the suggested decision is "NotApplicable".

Thanks & hope to read your comments soon.



Be a better friend, newshound, and 
know-it-all with Yahoo! Mobile.  Try it now.  http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]