OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [xacml] Bug in conformance test?

Hi Remon,

I believe that if the PDP is configured to retrieve certain attributes from a PIP, it will try to retrieve them regardless of the value of MustBePresent. In that case, the PIP would return an attribute and therefore the rule would match leading to a Permit.

The conformance test here aims at testing the correct attribute retrieval via a PIP, not the effect of MustBePresent. If the PDP / PIP interaction fails or if the mapping is incorrect, an empty bag is returned indeed. That leads to NotApplicable which is correct. If MustBePresent were used, then the behavior would change in the sense that an empty bag would lead to Indeterminate being returned (as defined in the XACML 3.0 spec - section 5.29: http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-cs-01-en.pdf) and section 7.3.5 in particular.

What do you reckon?


On Wed, Jul 6, 2011 at 8:27 PM, <remon.sinnema@emc.com> wrote:

The policy for test IIA002 [1] doesn't specify MustBePresent for the urn:oasis:names:tc:xacml:1.0:example:attribute:role attribute. According to section 7.2.5. Attribute Retrieval of the 2.0 spec, the default value for MustBePresent is "False", and therefore an empty bag should be returned for the attribute value. This will result in the one rule not matching and therefore a decision of NotApplicable.

However, the expected response [2] is Permit, since the purpose of the test is to invoke the PIP [3].

I think this is a bug in the policy that should be fixed by adding MustBePresent="True".


[1] http://tools.oasis-open.org/version-control/svn/xacml/current/tests/IIA002Policy.xml
[2] http://tools.oasis-open.org/version-control/svn/xacml/current/tests/IIA002Response.xml
[3] http://tools.oasis-open.org/version-control/svn/xacml/current/tests/IIA002Special.txt

To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail.  Follow this link to all your TCs in OASIS at:

David Brossard, M.Eng, SCEA, CSTP
Solutions Architect
+46(0)760 25 85 75
Axiomatics AB
Skeppsbron 40
S-111 30 Stockholm, Sweden

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]