Hi All,

The XACML policy schema validation was recently added to the trunk. We did
not have this validation in previous releases. The <AnySubject/>,
<AnyResource/> and <AnyAction/> elements are not valid XACML 2.0 schema
elements. However, these elements were accepted by previous IS releases.

To overcome the issue you can completely get rid of the <Subjects>,
<Resources> or <Actions> elements if their content is <AnySubject/>,
<AnyResource/> or <AnyAction/> respectively. I've attached the corrected
version herewith.

Most of the articles on the web containing XACML policies do not comply
100% with the schema. The Sun XACML implementation which we used in IS also
was not too strict on following the schema to the dot.

Regards,
Johann.

On Wed, Jul 11, 2012 at 7:17 PM, Andun Gunawardena <[email protected]> wrote:

> Hi,
>
> Policy file is attached. It has been directly downloaded from the
> article at [1].
>
> Thanks
> AndunSLG
>
> [1] -
> http://wso2.org/library/articles/2010/10/using-xacml-fine-grained-authorization-wso2-platform
>
>
> On Wed, Jul 11, 2012 at 7:15 PM, Johann Nallathamby <[email protected]> wrote:
>
>> Hi Andun,
>>
>> Can you please attach your XACML policy file to this thread to be
>> verified.
>>
>> Johann.
>>
>> On Wed, Jul 11, 2012 at 6:55 PM, Andun Gunawardena <[email protected]> wrote:
>>
>>> Hi All,
>>>
>>> When I tried to import a valid XACML policy to IS, the following error is
>>> shown in the console. Please look into that.
>>>
>>> Thanks
>>> AndunSLG
>>>
>>> [2012-07-11 18:51:20,989]  INFO
>>> {org.wso2.carbon.identity.entitlement.EntitlementUtil} -  XML validation
>>> failed :cvc-complex-type.2.4.a: Invalid content was found starting with
>>> element 'AnySubject'. One of
>>> '{"urn:oasis:names:tc:xacml:2.0:policy:schema:os":Subject}' is expected.
>>> [2012-07-11 18:51:20,990] ERROR
>>> {org.apache.axis2.rpc.receivers.RPCInOnlyMessageReceiver} -  XML Validation
>>> failed : cvc-complex-type.2.4.a: Invalid content was found starting with
>>> element 'AnySubject'. One of
>>> '{"urn:oasis:names:tc:xacml:2.0:policy:schema:os":Subject}' is expected.
>>> org.wso2.carbon.identity.base.IdentityException: XML Validation failed :
>>> cvc-complex-type.2.4.a: Invalid content was found starting with element
>>> 'AnySubject'. One of
>>> '{"urn:oasis:names:tc:xacml:2.0:policy:schema:os":Subject}' is expected.
>>>  at
>>> org.wso2.carbon.identity.entitlement.EntitlementUtil.validatePolicy(EntitlementUtil.java:441)
>>> at
>>> org.wso2.carbon.identity.entitlement.EntitlementPolicyAdminService.addPolicy(EntitlementPolicyAdminService.java:86)
>>>  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>> at
>>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>>  at
>>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>> at java.lang.reflect.Method.invoke(Method.java:597)
>>>  at
>>> org.apache.axis2.rpc.receivers.RPCUtil.invokeServiceClass(RPCUtil.java:212)
>>> at
>>> org.apache.axis2.rpc.receivers.RPCInOnlyMessageReceiver.invokeBusinessLogic(RPCInOnlyMessageReceiver.java:66)
>>>  at
>>> org.apache.axis2.receivers.AbstractMessageReceiver.receive(AbstractMessageReceiver.java:110)
>>> at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:181)
>>>  at
>>> org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:172)
>>> at
>>> org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:146)
>>>  at
>>> org.wso2.carbon.core.transports.CarbonServlet.doPost(CarbonServlet.java:205)
>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
>>>  at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
>>> at
>>> org.eclipse.equinox.http.servlet.internal.ServletRegistration.handleRequest(ServletRegistration.java:90)
>>>  at
>>> org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:111)
>>> at
>>> org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:67)
>>>  at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
>>> at
>>> org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:45)
>>>  at
>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
>>> at
>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
>>>  at
>>> org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:61)
>>> at
>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
>>>  at
>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
>>> at
>>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225)
>>>  at
>>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
>>> at
>>> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
>>>  at
>>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
>>> at
>>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
>>>  at
>>> org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:140)
>>> at
>>> org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:156)
>>>  at
>>> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
>>> at
>>> org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:49)
>>>  at
>>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
>>> at
>>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
>>>  at
>>> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1001)
>>> at
>>> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:579)
>>>  at
>>> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1653)
>>> at
>>> java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
>>>  at
>>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
>>> at java.lang.Thread.run(Thread.java:662)
>>> [2012-07-11 18:51:20,999] ERROR
>>> {org.wso2.carbon.identity.entitlement.ui.client.EntitlementPolicyAdminServiceClient}
>>> -  XML Validation failed : cvc-complex-type.2.4.a: Invalid content was
>>> found starting with element 'AnySubject'. One of
>>> '{"urn:oasis:names:tc:xacml:2.0:policy:schema:os":Subject}' is expected.
>>> org.apache.axis2.AxisFault: XML Validation failed :
>>> cvc-complex-type.2.4.a: Invalid content was found starting with element
>>> 'AnySubject'. One of
>>> '{"urn:oasis:names:tc:xacml:2.0:policy:schema:os":Subject}' is expected.
>>>  at
>>> org.apache.axis2.util.Utils.getInboundFaultFromMessageContext(Utils.java:531)
>>> at
>>> org.apache.axis2.description.RobustOutOnlyAxisOperation$RobustOutOnlyOperationClient.handleResponse(RobustOutOnlyAxisOperation.java:91)
>>>  at
>>> org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:421)
>>> at
>>> org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:229)
>>>  at
>>> org.apache.axis2.client.OperationClient.execute(OperationClient.java:165)
>>> at
>>> org.wso2.carbon.identity.entitlement.stub.EntitlementPolicyAdminServiceStub.addPolicy(EntitlementPolicyAdminServiceStub.java:1095)
>>>  at
>>> org.wso2.carbon.identity.entitlement.ui.client.EntitlementPolicyAdminServiceClient.uploadPolicy(EntitlementPolicyAdminServiceClient.java:196)
>>>  at
>>> org.wso2.carbon.identity.entitlement.ui.client.EntitlementPolicyUploadExecutor.execute(EntitlementPolicyUploadExecutor.java:86)
>>> at
>>> org.wso2.carbon.ui.transports.fileupload.AbstractFileUploadExecutor.executeGeneric(AbstractFileUploadExecutor.java:107)
>>>  at
>>> org.wso2.carbon.ui.transports.fileupload.FileUploadExecutorManager$CarbonXmlFileUploadExecHandler.execute(FileUploadExecutorManager.java:392)
>>>  at
>>> org.wso2.carbon.ui.transports.fileupload.FileUploadExecutorManager$FileUploadExecutionHandlerManager.startExec(FileUploadExecutorManager.java:276)
>>>  at
>>> org.wso2.carbon.ui.transports.fileupload.FileUploadExecutorManager.execute(FileUploadExecutorManager.java:125)
>>> at
>>> org.wso2.carbon.ui.transports.FileUploadServlet.doPost(FileUploadServlet.java:57)
>>>  at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
>>>  at
>>> org.eclipse.equinox.http.helper.ContextPathServletAdaptor.service(ContextPathServletAdaptor.java:36)
>>> at
>>> org.eclipse.equinox.http.servlet.internal.ServletRegistration.handleRequest(ServletRegistration.java:90)
>>>  at
>>> org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:111)
>>> at
>>> org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:67)
>>>  at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
>>> at
>>> org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:45)
>>>  at
>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
>>> at
>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
>>>  at
>>> org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:61)
>>> at
>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
>>>  at
>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
>>> at
>>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225)
>>>  at
>>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
>>> at
>>> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
>>>  at
>>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
>>> at
>>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
>>>  at
>>> org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:140)
>>> at
>>> org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:156)
>>>  at
>>> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
>>> at
>>> org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:49)
>>>  at
>>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
>>> at
>>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
>>>  at
>>> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1001)
>>> at
>>> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:579)
>>>  at
>>> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1653)
>>> at
>>> java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
>>>  at
>>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
>>> at java.lang.Thread.run(Thread.java:662)
>>> [2012-07-11 18:51:21,012] ERROR
>>> {org.wso2.carbon.ui.transports.fileupload.AbstractFileUploadExecutor} -
>>>  Policy uploading failed. XML Validation failed : cvc-complex-type.2.4.a:
>>> Invalid content was found starting with element 'AnySubject'. One of
>>> '{"urn:oasis:names:tc:xacml:2.0:policy:schema:os":Subject}' is expected.
>>>
>>>
>>>
>>
>
<Policy PolicyId="urn:sample:xacml:2.0:samplepolicy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
  <Description>Sample XACML Authorization Policy</Description>
  <Target>
    <!-- No <Subjects> element here: XACML 2.0 has no <AnySubject/>, and omitting <Subjects> matches any subject -->
    <Resources>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/echo/echoString</AttributeValue>
          <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </ResourceMatch>
      </Resource>
    </Resources>
  </Target>
  <Rule Effect="Permit" RuleId="primary-group-rule">
    <Target>
      <Actions>
        <Action>
          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ActionMatch>
        </Action>
      </Actions>
    </Target>
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
        <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
        <SubjectAttributeDesignator AttributeId="http://wso2.org/claims/role" DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </Apply>
    </Condition>
  </Rule>
  <Rule Effect="Deny" RuleId="deny-rule"/>
</Policy>
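The rewrite Johann describes, as an added example that is not part of this thread or of WSO2 IS: a Python script that takes an old-style policy and drops every <Subjects>, <Resources> or <Actions> element whose only content is the matching <AnySubject/>, <AnyResource/> or <AnyAction/>, which is exactly what the attached corrected policy looks like. It only uses the XACML 2.0 namespace that appears in the validation error. An element that mixes a wildcard with a real <Subject>/<Resource>/<Action> match is left alone and reported, because blindly removing or keeping it would change which requests the rule applies to; the two sample policies are constructed for this example (LEGACY_POLICY mirrors the attached policy before the fix). The script does not replace the schema validation itself.

```python
"""Rewrite XACML 1.x-style wildcard targets so the policy passes XACML 2.0 schema validation.

Added example (not WSO2 IS code). XACML 2.0 has no <AnySubject/>, <AnyResource/> or
<AnyAction/>; a <Subjects>/<Resources>/<Actions> element is optional in a 2.0 <Target>,
and leaving it out means "match any", so that is the transformation applied here.
"""
import xml.etree.ElementTree as ET

XACML2_NS = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"  # from the error message
ET.register_namespace("", XACML2_NS)  # keep the default namespace on output

# Target child -> the legacy wildcard child that made it match anything.
WILDCARDS = {"Subjects": "AnySubject", "Resources": "AnyResource", "Actions": "AnyAction"}


def _local(tag):
    """'{ns}Subjects' -> 'Subjects'."""
    return tag.rsplit("}", 1)[-1]


def _targets(root):
    """Yield (label, <Target>) for the policy-level Target and each Rule's Target."""
    ns = f"{{{XACML2_NS}}}"
    for t in root.findall(f"{ns}Target"):
        yield "Policy/Target", t
    for rule in root.findall(f"{ns}Rule"):
        for t in rule.findall(f"{ns}Target"):
            yield f"Rule[{rule.get('RuleId')}]/Target", t


def strip_any_wildcards(policy_xml):
    """Return (rewritten_xml, removed, needs_review).

    removed      - paths of elements dropped because their only content was the wildcard
    needs_review - paths where a wildcard sits beside real matches; left untouched
    """
    root = ET.fromstring(policy_xml)
    removed, needs_review = [], []
    for label, target in list(_targets(root)):
        for child in list(target):
            name = _local(child.tag)
            if name not in WILDCARDS:
                continue
            kids = [_local(k.tag) for k in child]
            if kids and all(k == WILDCARDS[name] for k in kids):
                target.remove(child)  # same semantics in 2.0: absent element matches any
                removed.append(f"{label}/{name}")
            elif WILDCARDS[name] in kids:
                needs_review.append(f"{label}/{name}")  # ambiguous: needs a human
    return ET.tostring(root, encoding="unicode"), removed, needs_review


# Constructed sample: the attached policy as it would have looked before the fix.
LEGACY_POLICY = f"""<Policy PolicyId="urn:sample:xacml:2.0:samplepolicy"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
  xmlns="{XACML2_NS}">
  <Target>
    <Subjects><AnySubject/></Subjects>
    <Resources><Resource>
      <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/echo/echoString</AttributeValue>
        <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </ResourceMatch>
    </Resource></Resources>
    <Actions><AnyAction/></Actions>
  </Target>
  <Rule Effect="Permit" RuleId="primary-group-rule">
    <Target>
      <Subjects><AnySubject/></Subjects>
      <Resources><AnyResource/></Resources>
      <Actions><Action>
        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
          <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </ActionMatch>
      </Action></Actions>
    </Target>
  </Rule>
  <Rule Effect="Deny" RuleId="deny-rule"/>
</Policy>"""

# Constructed sample: a wildcard next to a real <Subject> match; must not be auto-dropped.
MIXED_POLICY = f"""<Policy PolicyId="mixed" RuleCombiningAlgId="x" xmlns="{XACML2_NS}">
  <Target>
    <Subjects>
      <Subject><SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
        <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </SubjectMatch></Subject>
      <AnySubject/>
    </Subjects>
  </Target>
</Policy>"""

if __name__ == "__main__":
    rewritten, removed, review = strip_any_wildcards(LEGACY_POLICY)
    print("removed:", removed)
    print("needs review:", review)
    print(rewritten)
```

Run it over the old policy before uploading it to IS; the `removed` list is the record of what changed, and anything in `needs_review` should be fixed by hand rather than by the script.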
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev