xacml-users message



Subject: Re: [xacml-users] does XACML v2 allow multiple values' attribute


Hello Hao,

I believe the problem is that Sun's ref impl is based on XACML 1.1, 
where only a single AttributeValue was allowed in an Attribute element. 
In XACML 2.0 this was changed to unbounded AttributeValues. However, I 
do not think that Sun ever updated the implementation to be fully XACML 
2.0 capable.

    Thanks,
    Rich


Yoichi Takayama wrote:
> The example I can find is:
>
> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
>   <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
>   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Paul</AttributeValue>
>   <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
>     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">John</AttributeValue>
>     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Paul</AttributeValue>
>     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">George</AttributeValue>
>     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Ringo</AttributeValue>
>   </Apply>
> </Apply>
>
>
> As compared with yours (below), it seems you have to put the two 
> values in a function called "string-bag" as above. So, I think that it 
> may not be a SunXACML engine error.
>
> Also, XACML 2.0 RBAC recommends using &roles;account-manager and 
> &roles;department-manager, etc., rather than what you have there.
>
>
> <Request>
>   <Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
>     <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
>                DataType="http://www.w3.org/2001/XMLSchema#anyURI">
>       <AttributeValue>account:manager:role</AttributeValue>
>       <AttributeValue>card:member:department:manager:role</AttributeValue>
>     </Attribute>
>   </Subject>
>   <Resource>
>     <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
>                DataType="http://www.w3.org/2001/XMLSchema#string">
>       <AttributeValue>AccountInformation</AttributeValue>
>     </Attribute>
>   </Resource>
>   <Action>
>     <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
>                DataType="http://www.w3.org/2001/XMLSchema#string">
>       <AttributeValue>access</AttributeValue>
>     </Attribute>
>   </Action>
> </Request>
>
>
>
>
> -------------------------------------------------------------------------- 
>
> Yoichi Takayama, PhD
> Senior Research Fellow
> RAMP Project
> MELCOE (Macquarie E-Learning Centre of Excellence)
> MACQUARIE UNIVERSITY
>
> Phone: +61 (0)2 9850 9073
> Fax: +61 (0)2 9850 6527
> www.mq.edu.au
> www.melcoe.mq.edu.au/projects/RAMP/
> -------------------------------------------------------------------------- 
>
> On 09/01/2009, at 1:37 PM, hao chen wrote:
>
>> Sorry, I sent you the wrong version of the request. The attached should be 
>> the multi-valued attr.
>>
>> Best regards
>> hao
>>
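
The limitation Rich describes can be detected before a request reaches a 1.x-era engine. This added example (not code from the thread or from Sun's implementation) finds Attribute elements that carry several AttributeValue children and rewrites each one as repeated single-valued Attribute elements with the same AttributeId and DataType, a form XACML 2.0 defines as producing the same bag of values. The function names are this example's own, the sample is constructed from the request quoted above, and whether a particular engine accepts the rewritten form is an assumption to verify against that engine.

```python
import copy
import xml.etree.ElementTree as ET

# Constructed sample: the Subject of the request quoted above (assumed input).
SAMPLE_REQUEST = """<Request>
  <Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
               DataType="http://www.w3.org/2001/XMLSchema#anyURI">
      <AttributeValue>account:manager:role</AttributeValue>
      <AttributeValue>card:member:department:manager:role</AttributeValue>
    </Attribute>
  </Subject>
</Request>"""


def local(tag):
    """Strip a '{namespace}' prefix so the code works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def values_of(attribute):
    return [c for c in attribute if local(c.tag) == "AttributeValue"]


def multivalued_attributes(request_xml):
    """Return (AttributeId, value count) for each Attribute holding >1 value."""
    root = ET.fromstring(request_xml)
    return [(a.get("AttributeId"), len(values_of(a)))
            for a in root.iter()
            if local(a.tag) == "Attribute" and len(values_of(a)) > 1]


def split_multivalued(request_xml):
    """Rewrite each multi-valued Attribute as sibling single-valued Attributes."""
    root = ET.fromstring(request_xml)
    for parent in list(root.iter()):
        for attr in [c for c in parent if local(c.tag) == "Attribute"]:
            vals = values_of(attr)
            if len(vals) < 2:
                continue
            pos = list(parent).index(attr)
            parent.remove(attr)
            for offset, val in enumerate(vals):
                single = ET.Element(attr.tag, dict(attr.attrib))
                single.text, single.tail = attr.text, attr.tail
                single.append(copy.deepcopy(val))
                parent.insert(pos + offset, single)
    return ET.tostring(root, encoding="unicode")
```

Running `multivalued_attributes` over requests in a test suite shows which ones depend on the XACML 2.0 multi-value form before they are sent to an engine that may only implement the 1.1 schema.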

