

Subject: Re: [xacml-users] does XACML v2 allow multiple values' attribute


Attached are the policies and request I am using:


Best Regards


--- On Fri, 1/9/09, Oleg Gryb <oleg_gryb@yahoo.com> wrote:

> From: Oleg Gryb <oleg_gryb@yahoo.com>
> Subject: Re: [xacml-users] does XACML v2 allow multiple values' attribute
> To: xacml-users@lists.oasis-open.org, d95776@yahoo.com
> Date: Friday, January 9, 2009, 2:48 PM
> ... if you send your Policy to me, I can try it with
> XACMLight. Request seems to be correct from XSD point of
> view.
> 
> 
> --- On Fri, 1/9/09, hao chen <d95776@yahoo.com> wrote:
> 
> > From: hao chen <d95776@yahoo.com>
> > Subject: [xacml-users] does XACML v2 allow multiple values' attribute
> > To: xacml-users@lists.oasis-open.org
> > Date: Friday, January 9, 2009, 3:38 PM
> > Hi,
> > 
> > I use sun xacml implementation. When I use multiple
> > values' attribute, I got the following error:
> > Exception in thread "main" com.sun.xacml.ParsingException: Too many values in Attribute
> > 
> > The request is as
> > <Request>
> >   <Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
> >     <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
> >                DataType="http://www.w3.org/2001/XMLSchema#anyURI">
> >       <AttributeValue>account:manager:role</AttributeValue>
> >       <AttributeValue>card:member:department:manager:role</AttributeValue>
> >     </Attribute>
> >   </Subject>
> >   <Resource>
> >     <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
> >                DataType="http://www.w3.org/2001/XMLSchema#string">
> >       <AttributeValue>AccountInformation</AttributeValue>
> >     </Attribute>
> >   </Resource>
> >   <Action>
> >     <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
> >                DataType="http://www.w3.org/2001/XMLSchema#string">
> >       <AttributeValue>access</AttributeValue>
> >     </Attribute>
> >   </Action>
> > </Request>
> > 
> > The sun's java doc says only one value is allowed for an
> > attribute.
> > 
> > hao


      
<PolicySet 
	PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides" 
	PolicySetId="RPS:account:manager:role">
  <Target>
  	<Subjects>
  		<Subject>
  			<SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
  				<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">account:manager:role</AttributeValue>
  				<SubjectAttributeDesignator
  					DataType="http://www.w3.org/2001/XMLSchema#anyURI" AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" />
  			</SubjectMatch>
  		</Subject>
  	</Subjects>
  	</Target>
  <PolicySetIdReference>PPS:account:manager:role</PolicySetIdReference>
</PolicySet>
<PolicySet 
	PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides" 
	PolicySetId="RPS:card:member:department:manager:role" >
  <Target>
  	<Subjects>
  		<Subject>
  			<SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
  				<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">card:member:department:manager:role</AttributeValue>
  				<SubjectAttributeDesignator
  					DataType="http://www.w3.org/2001/XMLSchema#anyURI" AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" />
  			</SubjectMatch>
  		</Subject>
  	</Subjects>
  </Target>
  <PolicySetIdReference>PPS:card:member:department:manager:role</PolicySetIdReference>
</PolicySet>
<PolicySet 
	PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides" 
	PolicySetId="PPS:account:manager:role" >
  <Target/>
  <Policy RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides"
  	PolicyId="Permissions:for:account:manager:role">
  	<Target/>
  	<Rule Effect="Permit" RuleId="Permission:account:information:access">
  		<Target>
  			<Resources>
  				<Resource>
  					<ResourceMatch
  						MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
  						<AttributeValue
  							DataType="http://www.w3.org/2001/XMLSchema#string">
  							AccountInformation
  						</AttributeValue>
  						<ResourceAttributeDesignator
  							DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" />
  					</ResourceMatch>
  				</Resource>
  			</Resources>
  			<Actions>
  				<Action>
  					<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
  						<AttributeValue
  							DataType="http://www.w3.org/2001/XMLSchema#string">access</AttributeValue>
  						<ActionAttributeDesignator
  							DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" />
  					</ActionMatch>
  				</Action>
  			</Actions>
  		</Target>
  	</Rule>
  	<Rule Effect="Permit" RuleId="Permission:card:member:management:access">
  		<Target>
  			<Resources>
  				<Resource>
  					<ResourceMatch
  						MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
  						<AttributeValue
  							DataType="http://www.w3.org/2001/XMLSchema#string">CardMemeberManagement</AttributeValue>
  						<ResourceAttributeDesignator
  							DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" />
  					</ResourceMatch>
  				</Resource>
  			</Resources>
  			<Actions>
  				<Action>
  					<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
  						<AttributeValue
  							DataType="http://www.w3.org/2001/XMLSchema#string">access</AttributeValue>
  						<ActionAttributeDesignator
  							DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" />
  					</ActionMatch>
  				</Action>
  			</Actions>
  		</Target>
  	</Rule>
  	<Rule Effect="Permit" RuleId="Permission:account:information:summary:access">
  		<Target>
  			<Resources>
  				<Resource>
  					<ResourceMatch
  						MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
  						<AttributeValue
  							DataType="http://www.w3.org/2001/XMLSchema#string">AccountInformationSummary</AttributeValue>
  						<ResourceAttributeDesignator
  							DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" />
  					</ResourceMatch>
  				</Resource>
  			</Resources>
  			<Actions>
  				<Action>
  					<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
  						<AttributeValue
  							DataType="http://www.w3.org/2001/XMLSchema#string">access</AttributeValue>
  						<ActionAttributeDesignator
  							DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" />
  					</ActionMatch>
  				</Action>
  			</Actions>
  		</Target>
  	</Rule>
  	<Rule Effect="Permit" RuleId="Permission:account:information:status:access">
  		<Target>
  			<Resources>
  				<Resource>
  					<ResourceMatch
  						MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
  						<AttributeValue
  							DataType="http://www.w3.org/2001/XMLSchema#string">AccountInformationStatus</AttributeValue>
  						<ResourceAttributeDesignator
  							DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" />
  					</ResourceMatch>
  				</Resource>
  			</Resources>
  			<Actions>
  				<Action>
  					<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
  						<AttributeValue
  							DataType="http://www.w3.org/2001/XMLSchema#string">access</AttributeValue>
  						<ActionAttributeDesignator
  							DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" />
  					</ActionMatch>
  				</Action>
  			</Actions>
  		</Target>
  	</Rule>
  	<Rule Effect="Permit" RuleId="Permission:card:member:information:access">
  		<Target>
  			<Resources>
  				<Resource>
  					<ResourceMatch
  						MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
  						<AttributeValue
  							DataType="http://www.w3.org/2001/XMLSchema#string">CardMemberInformation</AttributeValue>
  						<ResourceAttributeDesignator
  							DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" />
  					</ResourceMatch>
  				</Resource>
  			</Resources>
  			<Actions>
  				<Action>
  					<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
  						<AttributeValue
  							DataType="http://www.w3.org/2001/XMLSchema#string">access</AttributeValue>
  						<ActionAttributeDesignator
  							DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" />
  					</ActionMatch>
  				</Action>
  			</Actions>
  		</Target>
  	</Rule>
  	<Rule Effect="Permit" RuleId="Permission:account:information:balance:view_modify">
  		<Target>
  			<Resources>
  				<Resource>
  					<ResourceMatch
  						MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
  						<AttributeValue
  							DataType="http://www.w3.org/2001/XMLSchema#string">AccountInfomationBalance</AttributeValue>
  						<ResourceAttributeDesignator
  							DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" />
  					</ResourceMatch>
  				</Resource>
  			</Resources>
  			<Actions>
  				<Action>
  					<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
  						<AttributeValue
  							DataType="http://www.w3.org/2001/XMLSchema#string">view</AttributeValue>
  						<ActionAttributeDesignator
  							DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" />
  					</ActionMatch>
  				</Action>
  				<Action>
  					<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
  						<AttributeValue
  							DataType="http://www.w3.org/2001/XMLSchema#string">modify</AttributeValue>
  						<ActionAttributeDesignator
  							DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" />
  					</ActionMatch>
  				</Action>
  			</Actions>
  		</Target>
  	</Rule>
  	<Rule Effect="Permit" RuleId="Permission:account:information:financial:charge:view_modify">
  		<Target>
  			<Resources>
  				<Resource>
  					<ResourceMatch
  						MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
  						<AttributeValue
  							DataType="http://www.w3.org/2001/XMLSchema#string">AccountInfomationFinancialCharge</AttributeValue>
  						<ResourceAttributeDesignator
  							DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" />
  					</ResourceMatch>
  				</Resource>
  			</Resources>
  			<Actions>
  				<Action>
  					<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
  						<AttributeValue
  							DataType="http://www.w3.org/2001/XMLSchema#string">view</AttributeValue>
  						<ActionAttributeDesignator
  							DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" />
  					</ActionMatch>
  				</Action>
  				<Action>
  					<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
  						<AttributeValue
  							DataType="http://www.w3.org/2001/XMLSchema#string">modify</AttributeValue>
  						<ActionAttributeDesignator
  							DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" />
  					</ActionMatch>
  				</Action>
  			</Actions>
  		</Target>
  	</Rule>
  	<Rule Effect="Permit" RuleId="Permission:account:information:external:status:view_modify">
  		<Target>
  			<Resources>
  				<Resource>
  					<ResourceMatch
  						MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
  						<AttributeValue
  							DataType="http://www.w3.org/2001/XMLSchema#string">AccountInfomationExternalStatus</AttributeValue>
  						<ResourceAttributeDesignator
  							DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" />
  					</ResourceMatch>
  				</Resource>
  			</Resources>
  			<Actions>
  				<Action>
  					<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
  						<AttributeValue
  							DataType="http://www.w3.org/2001/XMLSchema#string">view</AttributeValue>
  						<ActionAttributeDesignator
  							DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" />
  					</ActionMatch>
  				</Action>
  				<Action>
  					<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
  						<AttributeValue
  							DataType="http://www.w3.org/2001/XMLSchema#string">modify</AttributeValue>
  						<ActionAttributeDesignator
  							DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" />
  					</ActionMatch>
  				</Action>
  			</Actions>
  		</Target>
  	</Rule>
  	<Rule Effect="Permit" RuleId="Permission:account:information:internal:status:view_modify">
  		<Target>
  			<Resources>
  				<Resource>
  					<ResourceMatch
  						MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
  						<AttributeValue
  							DataType="http://www.w3.org/2001/XMLSchema#string">AccountInfomationInternalStatus</AttributeValue>
  						<ResourceAttributeDesignator
  							DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" />
  					</ResourceMatch>
  				</Resource>
  			</Resources>
  			<Actions>
  				<Action>
  					<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
  						<AttributeValue
  							DataType="http://www.w3.org/2001/XMLSchema#string">view</AttributeValue>
  						<ActionAttributeDesignator
  							DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" />
  					</ActionMatch>
  				</Action>
  				<Action>
  					<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
  						<AttributeValue
  							DataType="http://www.w3.org/2001/XMLSchema#string">modify</AttributeValue>
  						<ActionAttributeDesignator
  							DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" />
  					</ActionMatch>
  				</Action>
  			</Actions>
  		</Target>
  	</Rule>
  	<Rule Effect="Permit" RuleId="Permission:account:information:credit:limit:view">
  		<Target>
  			<Resources>
  				<Resource>
  					<ResourceMatch
  						MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
  						<AttributeValue
  							DataType="http://www.w3.org/2001/XMLSchema#string">AccountInfomationCreditLimit</AttributeValue>
  						<ResourceAttributeDesignator
  							DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" />
  					</ResourceMatch>
  				</Resource>
  			</Resources>
  			<Actions>
  				<Action>
  					<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
  						<AttributeValue
  							DataType="http://www.w3.org/2001/XMLSchema#string">view</AttributeValue>
  						<ActionAttributeDesignator
  							DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" />
  					</ActionMatch>
  				</Action>
  			</Actions>
  		</Target>
  	</Rule>
  	<Rule Effect="Permit" RuleId="Permission:account:information:credit:limit:modify">
  		<Target>
  			<Resources>
  				<Resource>
  					<ResourceMatch
  						MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
  						<AttributeValue
  							DataType="http://www.w3.org/2001/XMLSchema#string">AccountInfomationCreditLimit</AttributeValue>
  						<ResourceAttributeDesignator
  							DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" />
  					</ResourceMatch>
  				</Resource>
  			</Resources>
  			<Actions>
  				<Action>
  					<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
  						<AttributeValue
  							DataType="http://www.w3.org/2001/XMLSchema#string">modify</AttributeValue>
  						<ActionAttributeDesignator
  							DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" />
  					</ActionMatch>
  				</Action>
  			</Actions>
  		</Target>
  	</Rule>
  </Policy>
</PolicySet>
<PolicySet 
	PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides" 
	PolicySetId="PPS:card:member:department:manager:role" 
	>
  <Target/>
  <Policy RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides"
  	PolicyId="Permissions:for:card:member:department:manager:role">
  	<Target/>
  	<Rule Effect="Permit" RuleId="Permission:card:member:and:account:assignment:access">
  		<Target>
  			<Resources>
  				<Resource>
  					<ResourceMatch
  						MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
  						<AttributeValue
  							DataType="http://www.w3.org/2001/XMLSchema#string">
  							CardMemberAndAccountAssignment
  						</AttributeValue>
  						<ResourceAttributeDesignator
  							DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" />
  					</ResourceMatch>
  				</Resource>
  			</Resources>
  			<Actions>
  				<Action>
  					<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
  						<AttributeValue
  							DataType="http://www.w3.org/2001/XMLSchema#string">access</AttributeValue>
  						<ActionAttributeDesignator
  							DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" />
  					</ActionMatch>
  				</Action>
  			</Actions>
  		</Target>
  	</Rule>
  	<Rule Effect="Permit" RuleId="Permission:account:for:card:member:add">
  		<Target>
  			<Resources>
  				<Resource>
  					<ResourceMatch
  						MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
  						<AttributeValue
  							DataType="http://www.w3.org/2001/XMLSchema#string">CardMemeberAccount</AttributeValue>
  						<ResourceAttributeDesignator
  							DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" />
  					</ResourceMatch>
  				</Resource>
  			</Resources>
  			<Actions>
  				<Action>
  					<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
  						<AttributeValue
  							DataType="http://www.w3.org/2001/XMLSchema#string">add</AttributeValue>
  						<ActionAttributeDesignator
  							DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" />
  					</ActionMatch>
  				</Action>
  			</Actions>
  		</Target>
  	</Rule>
  </Policy>
  <PolicySetIdReference>PPS:account:manager:role</PolicySetIdReference>
</PolicySet>
<Request>
  <Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="http://www.w3.org/2001/XMLSchema#anyURI">
    <AttributeValue>account:manager:role</AttributeValue>
    </Attribute>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="http://www.w3.org/2001/XMLSchema#anyURI">
    <AttributeValue>card:member:department:manager:role</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string">
    <AttributeValue>AccountInformation</AttributeValue>
    </Attribute>
  </Resource>
  <Action>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string">
    <AttributeValue>access</AttributeValue>
    </Attribute>
  </Action>
</Request>
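
An added example, not part of the original messages or of Sun's XACML code: this Python script rewrites a request of the first form in the thread (several <AttributeValue> children in one <Attribute>) into the form of the attached request (one <Attribute> per value, repeating AttributeId and DataType) and lets you check that both carry the same values. The function names are hypothetical and the sample is constructed from the request quoted above.

```python
import copy
import xml.etree.ElementTree as ET

# Constructed sample: the multi-valued request quoted in the thread, Action omitted.
SAMPLE_REQUEST = """<Request>
  <Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
               DataType="http://www.w3.org/2001/XMLSchema#anyURI">
      <AttributeValue>account:manager:role</AttributeValue>
      <AttributeValue>card:member:department:manager:role</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
               DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>AccountInformation</AttributeValue>
    </Attribute>
  </Resource>
</Request>"""


def local(tag):
    """Element name without its namespace, so namespaced requests also work."""
    return tag.rsplit("}", 1)[-1]


def values_of(attribute):
    return [v for v in attribute if local(v.tag) == "AttributeValue"]


def split_multivalued(request_xml):
    """Return the request with one <Attribute> element per <AttributeValue>."""
    root = ET.fromstring(request_xml)
    for parent in list(root.iter()):
        rebuilt = []
        for child in list(parent):
            if local(child.tag) != "Attribute" or len(values_of(child)) < 2:
                rebuilt.append(child)
                continue
            for value in values_of(child):
                # Copy AttributeId, DataType and any Issuer; keep a single value.
                single = ET.Element(child.tag, dict(child.attrib))
                single.text, single.tail = child.text, child.tail
                single.append(copy.deepcopy(value))
                rebuilt.append(single)
        parent[:] = rebuilt
    return ET.tostring(root, encoding="unicode")


def attribute_bags(request_xml):
    """Map (section, AttributeId) to its values, merged across repeated elements."""
    bags = {}
    for section in ET.fromstring(request_xml):
        for attr in section:
            if local(attr.tag) == "Attribute":
                key = (local(section.tag), attr.get("AttributeId"))
                bags.setdefault(key, []).extend(
                    (v.text or "").strip() for v in values_of(attr))
    return bags


def max_values_per_attribute(request_xml):
    root = ET.fromstring(request_xml)
    return max(len(values_of(a)) for a in root.iter() if local(a.tag) == "Attribute")
```

Comparing `attribute_bags()` of the input and of the rewritten output confirms that the rewrite changes only the element layout, not the set of role values the policy's SubjectMatch sees.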

