

Subject: Re: [xacml] Chapter 3 1st Example (fwd)


On 21 August, Polar Humenn writes: [xacml] Chapter 3 1st Example (fwd)
 > The first example only states one rule that says anybody with an email
 > address matching *@medico.com yields a Permit. There is no other rule.
 > 
 > It states that with the Deny-overrides combinator, a result of "Deny" is
 > returned for "bs@simpsons.com", and states the result that way. Yet, our
 > deny-overrides combining rule states that this policy should result in
 > NotApplicable.
 > 
 > Do we have an issue here?

My bad.  There are several errors in this example:

1. The MatchId should be "function:rfc822name-match"
2. The <AttributeValue> of type "rfc822Name" should be
   "@medico.com", not "*@medico.com"
3. There should be no newline before or after <AttributeValue>
   values.
4. Request and Response xml attributes need to include:
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
5. There should be no newline before or after <Decision> values.
6. The decision result is "NotApplicable", rather than "deny"
7. The paragraph describing the result should read:

   As a result, there is no Rule in this Policy that returns a
   "Permit" result for this request.  The RuleCombiningAlgorithm
   for this Policy specifies that, in this case, a result of
   "NotApplicable" should be returned.  In XACML, this response
   looks as follows:

-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
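
Added example, not part of the original message or of the XACML draft: a small Python model of the corrected policy (one Permit rule, deny-overrides) showing why "bs@simpsons.com" yields "NotApplicable". The matching rule for "@medico.com", the address "alice@medico.com" and all function names are assumptions made for this sketch; Indeterminate results are left out.

```python
# Added illustration; a simplified model, not the XACML specification's text.
PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


def rfc822name_match(pattern, address):
    """Assumed matching rule for this example.

    "@domain" matches any mailbox at exactly that domain; any other
    pattern must be a full address. Local parts compare case-sensitively,
    domains case-insensitively. No glob characters are interpreted.
    """
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        return False  # not a mailbox address at all
    p_local, p_sep, p_domain = pattern.rpartition("@")
    if not p_sep:
        return False
    if p_domain.lower() != domain.lower():
        return False
    return p_local == "" or p_local == local


def evaluate_rule(rule, subject):
    """A rule yields its effect when its target matches, else NotApplicable."""
    if rfc822name_match(rule["pattern"], subject):
        return rule["effect"]
    return NOT_APPLICABLE


def deny_overrides(rules, subject):
    """Deny wins; otherwise Permit if any rule permitted; else NotApplicable."""
    results = [evaluate_rule(r, subject) for r in rules]
    if DENY in results:
        return DENY
    if PERMIT in results:
        return PERMIT
    return NOT_APPLICABLE


# Constructed policy mirroring the example under discussion: one Permit rule.
POLICY = [{"effect": PERMIT, "pattern": "@medico.com"}]
# The same rule with the uncorrected value from item 2 of the errata list.
POLICY_STAR = [{"effect": PERMIT, "pattern": "*@medico.com"}]

if __name__ == "__main__":
    for who in ("alice@medico.com", "bs@simpsons.com"):
        print(who, "->", deny_overrides(POLICY, who))
```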


