OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xacml-users message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Problem with an or function



Hello

I want to express a quite simple rule :
profile1>10 or profile2>10

Here is the corresponding XACML :

<Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
  <Apply FunctionId="urn:bxss:xacml:string-greater-than-or-equals">
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
      <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:SAML:2.0:attrname-format:basic:profile1" DataType="http://www.w3.org/2001/XMLSchema#string"></SubjectAttributeDesignator>
    </Apply>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">10</AttributeValue>
  </Apply>
  <Apply FunctionId="urn:bxss:xacml:string-greater-than-or-equals">
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
      <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:SAML:2.0:attrname-format:basic:profile2" DataType="http://www.w3.org/2001/XMLSchema#string"></SubjectAttributeDesignator>
    </Apply>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">10</AttributeValue>
  </Apply>
</Condition>

If I come with profile1=20 : the result is PERMIT

If I come with profile2=20 : the result is DENY !!!!!

I think that the following happened :
If I have profile2=20 and no profile1 at all, the function first try to evaluate the profile1 and string-one-and-only  fails because profile1 does not exists. Then the evaluation cannot be done, the whole process fails and we don't even try to evaluate the second possibility with profile2.....

Am I right ?

What could be the solution to handle such a problem ?

Valerie

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]