xacml-users message
Subject: Re: [xacml-users] Problem with an or function
- From: David Brossard <david.brossard@axiomatics.com>
- To: valerie.bauche@bull.net
- Date: Thu, 27 Jan 2011 17:46:29 +0100
Hi Valerie,
You need to define your original rule in a clearer way. What are you trying to achieve?
You claim profile1>10 gives Permit OR profile2>10 gives Permit.
What if profile1>10 and profile2<10? Do you also want Permit?
If you want to return Permit if at least one of the 2 statements is true regardless of what the other statement is, then create a simple rule as follows:
<xacml3:Rule RuleId="profile1-2" Effect="Permit" xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <xacml3:Description>allow if either profile1 is greater than 10 or profile2 is greater than 10</xacml3:Description>
  <xacml3:Target>
    <xacml3:AnyOf>
      <xacml3:AllOf>
        <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:integer-less-than">
          <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">10</xacml3:AttributeValue>
          <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="profile2" DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="false"/>
        </xacml3:Match>
      </xacml3:AllOf>
      <xacml3:AllOf>
        <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:integer-less-than">
          <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">10</xacml3:AttributeValue>
          <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="profile1" DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="false"/>
        </xacml3:Match>
      </xacml3:AllOf>
    </xacml3:AnyOf>
  </xacml3:Target>
</xacml3:Rule>
With the rule expressed as above using a Target and 2 AllOf nodes inside an AnyOf node, you do not need to use conditions, making the rule simpler.
If you send profile1=5 you get NotApplicable
If you send profile2=5 you get NotApplicable
If you send profile1=5 and profile2=5 you get NotApplicable
If you send profile1=15 and profile2=5 you get Permit
If you send profile1=5 and profile2=15 you get Permit
If you send profile1=15 and profile2=15 you get Permit
You can get rid of NotApplicable by using the deny-unless-permit (3.0) combining algorithm.
I hope this helps,
David.
On Thu, Jan 27, 2011 at 5:32 PM, <valerie.bauche@bull.net> wrote:
Hello
I want to express a quite simple rule:
profile1>10 or profile2>10
Here is the corresponding XACML:
<Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
  <Apply FunctionId="urn:bxss:xacml:string-greater-than-or-equals">
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
      <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:SAML:2.0:attrname-format:basic:profile1" DataType="http://www.w3.org/2001/XMLSchema#string"></SubjectAttributeDesignator>
    </Apply>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">10</AttributeValue>
  </Apply>
  <Apply FunctionId="urn:bxss:xacml:string-greater-than-or-equals">
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
      <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:SAML:2.0:attrname-format:basic:profile2" DataType="http://www.w3.org/2001/XMLSchema#string"></SubjectAttributeDesignator>
    </Apply>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">10</AttributeValue>
  </Apply>
</Condition>
If I come with profile1=20: the result is PERMIT
If I come with profile2=20: the result is DENY !!!!!
I think that the following happened:
If I have profile2=20 and no profile1 at all, the function first tries to evaluate profile1, and string-one-and-only fails because profile1 does not exist. Then the evaluation cannot be done, the whole process fails, and we don't even try to evaluate the second possibility with profile2...
Am I right?
What could be the solution to handle such a problem?
Valerie
--
David Brossard, M.Eng, SCEA, CSTP
Solutions Architect
+46(0)760 25 85 75
Axiomatics AB
Skeppsbron 40
S-111 30 Stockholm, Sweden
http://www.linkedin.com/companies/536082
http://www.axiomatics.com
http://twitter.com/axiomatics
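An added example (not from either message in this thread, and not Axiomatics code) that models the two evaluation paths discussed above: a Target whose AnyOf/AllOf matches tolerate an absent attribute, versus a Condition whose one-and-only call turns the absence into Indeterminate. Attribute bags are modelled as Python lists of ints and decisions as strings; the mapping of Indeterminate to Deny is the PDP's concern and is left out.

```python
# Added example: a minimal model of the XACML evaluation behaviour in the thread.
# Bags are lists of ints (an absent attribute is an empty bag); decisions are strings.
from typing import Dict, List, Union

INDETERMINATE = "Indeterminate"
Bag = List[int]


def match_greater_than_10(bag: Bag) -> bool:
    # <Match MatchId="integer-less-than"> with the literal 10 as first argument
    # means 10 < value. The match function is applied to every value in the bag,
    # so an empty bag (MustBePresent="false") is simply "no match", not an error.
    return any(10 < v for v in bag)


def rule_target_decision(attrs: Dict[str, Bag]) -> str:
    # David's rule: <AnyOf> is an OR over its <AllOf> children, each holding one
    # Match. A matching Target yields the rule Effect (Permit); no match yields
    # NotApplicable.
    all_ofs = [match_greater_than_10(attrs.get("profile1", [])),
               match_greater_than_10(attrs.get("profile2", []))]
    return "Permit" if any(all_ofs) else "NotApplicable"


def one_and_only(bag: Bag) -> Union[int, str]:
    # *-one-and-only requires exactly one value in the bag; anything else is an
    # evaluation error, which surfaces as Indeterminate.
    return bag[0] if len(bag) == 1 else INDETERMINATE


def rule_condition_decision(attrs: Dict[str, Bag]) -> str:
    # Valerie's rule: or(gte(one-and-only(profile1), 10), gte(one-and-only(profile2), 10)).
    # "or" evaluates left to right and stops at the first True; an Indeterminate
    # argument reached before any True makes the whole Condition Indeterminate.
    for name in ("profile1", "profile2"):
        value = one_and_only(attrs.get(name, []))
        if value == INDETERMINATE:
            return INDETERMINATE
        if value >= 10:
            return "Permit"
    return "NotApplicable"


def deny_unless_permit(decision: str) -> str:
    # XACML 3.0 deny-unless-permit: any decision other than Permit becomes Deny.
    return "Permit" if decision == "Permit" else "Deny"


if __name__ == "__main__":
    print(rule_target_decision({"profile2": [20]}))     # Permit
    print(rule_condition_decision({"profile2": [20]}))  # Indeterminate
```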