Subject: Re: [xacml] Chapter 3 1st Example (fwd)
On 21 August, Polar Humenn writes: [xacml] Chapter 3 1st Example (fwd)
> The first example only states one rule that says anybody with an email
> address matching *@medico.com yields a Permit. There is no other rule.
>
> It states that with the Deny-overrides combinator, a result of "Deny" is
> returned for "bs@simpsons.com", and states the result that way. Yet, our
> deny-overrides combining rule states that this policy should result in
> NotApplicable.
>
> Do we have an issue here?

My bad. There are several errors in this example:

1. The MatchId should be "function:rfc822name-match"
2. The <AttributeValue> of type "rfc822Name" should be "@medico.com",
   not "*@medico.com"
3. There should be no newline before or after <AttributeValue> values.
4. Request and Response xml attributes need to include:
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
5. There should be no newline before or after <Decision> values.
6. The decision result is "NotApplicable", rather than "deny"
7. The paragraph describing the result should read:

   As a result, there is no Rule in this Policy that returns a
   "Permit" result for this request. The RuleCombiningAlgorithm for
   this Policy specifies that, in this case, a result of
   "NotApplicable" should be returned. In XACML, this response looks
   as follows:

--
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
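Added example, not part of the message above or of the XACML specification: a small Python model of the corrected policy (one Permit rule, deny-overrides combining) showing why "bs@simpsons.com" yields NotApplicable. The function names, the sample address alice@medico.com, and the matching semantics ("@medico.com" matches any address in that domain, case-insensitively) are assumptions made for illustration; Indeterminate results are not modelled.

```python
# Added illustration; all names here are hypothetical, not spec identifiers.
PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


def domain_match(pattern, address):
    """Assumed semantics of the corrected example: a pattern of the form
    "@medico.com" matches any address whose domain part is medico.com
    (domain compared case-insensitively). Anything else does not match."""
    if not pattern.startswith("@") or address.count("@") != 1:
        return False
    local, domain = address.split("@")
    return bool(local) and domain.lower() == pattern[1:].lower()


def evaluate_rule(rule, subject):
    """A rule yields its effect when its target matches, else NotApplicable."""
    if domain_match(rule["target"], subject):
        return rule["effect"]
    return NOT_APPLICABLE


def deny_overrides(rules, subject):
    """Any Deny wins; otherwise any Permit; otherwise NotApplicable.
    Indeterminate handling is deliberately left out of this sketch."""
    results = [evaluate_rule(rule, subject) for rule in rules]
    if DENY in results:
        return DENY
    if PERMIT in results:
        return PERMIT
    return NOT_APPLICABLE


# Constructed policy mirroring the example: a single Permit rule.
POLICY = [{"effect": PERMIT, "target": "@medico.com"}]
# The uncorrected literal from item 2, kept to show it never matches here.
OLD_POLICY = [{"effect": PERMIT, "target": "*@medico.com"}]

if __name__ == "__main__":
    for subject in ("bs@simpsons.com", "alice@medico.com", "alice@MEDICO.com"):
        print(subject, "->", deny_overrides(POLICY, subject))
    print("old pattern ->", deny_overrides(OLD_POLICY, "alice@medico.com"))
```

With no Deny rule in the policy, deny-overrides can never return Deny for this policy; a non-matching subject falls through to NotApplicable.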