xacml-users message



Subject: Fwd: [xacml-users] does XACML v2 allow multiple values' attribute


Begin forwarded message:

From: Yoichi Takayama <yoichi@melcoe.mq.edu.au>
Date: 9 January 2009 1:17:58 PM
Subject: Re: [xacml-users] does XACML v2 allow multiple values' attribute

Maybe the syntax to assign two Role values is wrong? It is not assigning two values to one Attribute in your example, but it is declaring two different assignments (doing it twice with different values). As I said, I did not check the syntax because it looked OK. This totally depends on what the syntax rule is.

The XACML RBAC document says that the Role assignment is an Action that XACML does not do (probably the system does), and it is out-of-scope.

Probably you have to write a system function to pack up the Role value (with two Roles in it) and retrieve it with PIP when the Policy is evaluated.

I am checking other examples to see whether there are ways to make a Bag Attribute from XACML request syntax.

Yoichi
--------------------------------------------------------------------------
Yoichi Takayama, PhD
Senior Research Fellow
RAMP Project
MELCOE (Macquarie E-Learning Centre of Excellence)
MACQUARIE UNIVERSITY

Phone: +61 (0)2 9850 9073
Fax: +61 (0)2 9850 6527
www.mq.edu.au
www.melcoe.mq.edu.au/projects/RAMP/
--------------------------------------------------------------------------
MACQUARIE UNIVERSITY: CRICOS Provider No 00002J

This message is intended for the addressee named and may contain confidential information.  If you are not the intended recipient, please delete it and notify the sender. Views expressed in this message are those of the individual sender, and are not necessarily the views of Macquarie E-Learning Centre Of Excellence (MELCOE) or Macquarie University.

On 09/01/2009, at 12:48 PM, Oleg Gryb wrote:

... if you send your Policy to me, I can try it with XACMLight. The Request seems to be correct from an XSD point of view.


--- On Fri, 1/9/09, hao chen <d95776@yahoo.com> wrote:

From: hao chen <d95776@yahoo.com>
Subject: [xacml-users] does XACML v2 allow multiple values' attribute
To: xacml-users@lists.oasis-open.org
Date: Friday, January 9, 2009, 3:38 PM
Hi,

I use sun xacml implementation. When I use multiple values' attribute, I got the following error:

Exception in thread "main" com.sun.xacml.ParsingException: Too many values in Attribute

The request is as
<Request>
  <Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
               DataType="http://www.w3.org/2001/XMLSchema#anyURI">
      <AttributeValue>account:manager:role</AttributeValue>
      <AttributeValue>card:member:department:manager:role</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
               DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>AccountInformation</AttributeValue>
    </Attribute>
  </Resource>
  <Action>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
               DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>access</AttributeValue>
    </Attribute>
  </Action>
</Request>

Sun's Javadoc says only one value is allowed for an attribute.

hao




---------------------------------------------------------------------
To unsubscribe, e-mail:
xacml-users-unsubscribe@lists.oasis-open.org
For additional commands, e-mail:
xacml-users-help@lists.oasis-open.org
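One way around the parser error quoted above, as an added example that is not part of the original thread: in XACML, `<Attribute>` elements that share an AttributeId and DataType are gathered into one bag, so a multi-valued `<Attribute>` can be rewritten as several single-valued ones before it is handed to a parser that accepts only one value per Attribute. The function names are hypothetical, the sample is the Subject from the request above, and it is an assumption that the target parser accepts repeated AttributeIds.

```python
import copy
import xml.etree.ElementTree as ET

# Constructed sample: the Subject of the request quoted above, re-indented.
SAMPLE = """<Request>
<Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
  <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
             DataType="http://www.w3.org/2001/XMLSchema#anyURI">
    <AttributeValue>account:manager:role</AttributeValue>
    <AttributeValue>card:member:department:manager:role</AttributeValue>
  </Attribute>
</Subject>
</Request>"""

def local(tag):
    """Drop any '{namespace}' prefix so namespaced requests work too."""
    return tag.rsplit("}", 1)[-1]

def bags(root):
    """Map (AttributeId, DataType) -> sorted values, i.e. the bag a PDP would see."""
    out = {}
    for attr in root.iter():
        if local(attr.tag) == "Attribute":
            key = (attr.get("AttributeId"), attr.get("DataType"))
            out.setdefault(key, []).extend(
                (v.text or "").strip() for v in attr if local(v.tag) == "AttributeValue")
    return {k: sorted(v) for k, v in out.items()}

def split_multivalued(root):
    """Replace each Attribute holding N > 1 values with N single-valued copies.
    Returns the number of Attribute elements that were split."""
    split = 0
    for parent in list(root.iter()):
        rebuilt = []
        for child in list(parent):
            values = [v for v in child if local(v.tag) == "AttributeValue"]
            if local(child.tag) != "Attribute" or len(values) < 2:
                rebuilt.append(child)
                continue
            split += 1
            for value in values:
                clone = ET.Element(child.tag, dict(child.attrib))  # keeps Id, DataType, Issuer
                clone.tail = child.tail
                clone.append(copy.deepcopy(value))
                rebuilt.append(clone)
        parent[:] = rebuilt
    return split

if __name__ == "__main__":
    request = ET.fromstring(SAMPLE)
    print("split:", split_multivalued(request))
    print(ET.tostring(request, encoding="unicode"))
```

Comparing `bags()` before and after the rewrite confirms that the set of role values presented for policy evaluation is unchanged.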



