xacml-users message
Subject: Problem with an or function
- From: valerie.bauche@bull.net
- To: xacml-users@lists.oasis-open.org
- Date: Thu, 27 Jan 2011 17:32:13 +0100
Hello,
I want to express a quite simple rule:
profile1>10 or profile2>10
Here is the corresponding XACML:
<Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
  <Apply FunctionId="urn:bxss:xacml:string-greater-than-or-equals">
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
      <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:SAML:2.0:attrname-format:basic:profile1" DataType="http://www.w3.org/2001/XMLSchema#string"></SubjectAttributeDesignator>
    </Apply>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">10</AttributeValue>
  </Apply>
  <Apply FunctionId="urn:bxss:xacml:string-greater-than-or-equals">
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
      <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:SAML:2.0:attrname-format:basic:profile2" DataType="http://www.w3.org/2001/XMLSchema#string"></SubjectAttributeDesignator>
    </Apply>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">10</AttributeValue>
  </Apply>
</Condition>
If I come with profile1=20: the result is PERMIT
If I come with profile2=20: the result is DENY !!!!!
I think that the following happened:
If I have profile2=20 and no profile1 at all, the function first tries to evaluate profile1, and string-one-and-only fails because profile1 does not exist. Then the evaluation cannot be done, the whole process fails and we don't even try to evaluate the second possibility with profile2...
Am I right?
What could be the solution to handle such a problem?
Valerie
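
The evaluation order hypothesized in the message, as an added example that is not part of the original post: a toy three-valued evaluator in Python (not a real PDP) that runs the posted Condition beside a bag-based variant in the style of the any-of higher-order function. Assumptions: `or` stops at the first Indeterminate argument, the custom urn:bxss function is a plain string comparison, and all function and variable names are hypothetical; how a PDP or PEP turns Indeterminate into a final decision is not modelled.

```python
# Added illustration: a toy three-valued evaluator, not a real PDP.
INDETERMINATE = "Indeterminate"  # sentinel for an evaluation error


def one_and_only(bag):
    """string-one-and-only: the single value, or Indeterminate if the bag size is not 1."""
    return bag[0] if len(bag) == 1 else INDETERMINATE


def string_ge(a, b):
    """Stand-in for urn:bxss:xacml:string-greater-than-or-equals (assumed: string comparison)."""
    if INDETERMINATE in (a, b):
        return INDETERMINATE  # an Indeterminate argument makes the whole Apply Indeterminate
    return a >= b


def xacml_or(*thunks):
    """'or' evaluated first to last; assumed to stop at the first Indeterminate argument."""
    for thunk in thunks:
        result = thunk()
        if result is True or result == INDETERMINATE:
            return result
    return False


def any_ge(bag, threshold):
    """Bag-based test: an empty bag yields False instead of Indeterminate."""
    return any(value >= threshold for value in bag)


def condition_as_posted(subject):
    return xacml_or(
        lambda: string_ge(one_and_only(subject.get("profile1", [])), "10"),
        lambda: string_ge(one_and_only(subject.get("profile2", [])), "10"),
    )


def condition_bag_based(subject):
    return xacml_or(
        lambda: any_ge(subject.get("profile1", []), "10"),
        lambda: any_ge(subject.get("profile2", []), "10"),
    )


# Constructed sample requests: attribute name -> bag of values
ONLY_PROFILE1 = {"profile1": ["20"]}
ONLY_PROFILE2 = {"profile2": ["20"]}

if __name__ == "__main__":
    for name, subject in (("profile1=20", ONLY_PROFILE1), ("profile2=20", ONLY_PROFILE2)):
        print(name, condition_as_posted(subject), condition_bag_based(subject))
```

When writing the bag-based form in XACML 1.0/2.0, note that any-of applies its function as f(value, element), so the comparison direction is reversed relative to the posted Apply elements.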