Hi,
I have the following policy, which I am going to evaluate with multiple
values for the subject attribute.
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="Entitlement_Filter_Sample_Policy"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
        Version="1.0">
  <Target></Target>
  <Rule Effect="Permit" RuleId="Rule1">
    <Target>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/twitter/*</AttributeValue>
            <AttributeDesignator
                AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                DataType="http://www.w3.org/2001/XMLSchema#string"
                MustBePresent="true"></AttributeDesignator>
          </Match>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GET</AttributeValue>
            <AttributeDesignator
                AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                DataType="http://www.w3.org/2001/XMLSchema#string"
                MustBePresent="true"></AttributeDesignator>
          </Match>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">everyone</AttributeValue>
            <AttributeDesignator
                AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                DataType="http://www.w3.org/2001/XMLSchema#string"
                MustBePresent="true"></AttributeDesignator>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
  </Rule>
  <Rule Effect="Deny" RuleId="Rule2"></Rule>
</Policy>
When I send admin, everyone as Subject Names the decision is 'Deny'. But if
I send everyone, admin, the decision is 'Permit'.
I debugged the Balana code and found that it only retrieves the first
attribute value and adds it. So I did a fix in the XACML3EvaluationCtx class to
add all the attribute values. After that this scenario worked for both
cases.
Here is the diff of my fix.
---
modules/balana-core/src/main/java/org/wso2/balana/ctx/xacml3/XACML3EvaluationCtx.java
(revision 147595)
+++
modules/balana-core/src/main/java/org/wso2/balana/ctx/xacml3/XACML3EvaluationCtx.java
(working copy)
@@ -125,7 +125,10 @@
if(attribute.getId().equals(id) &&
attribute.getType().equals(type)
&& (issuer == null ||
issuer.equals(attribute.getIssuer()))
&& attribute.getValue() != null){
- attributeValues.add(attribute.getValue());
+ List<AttributeValue> attributeValueList =
attribute.getValues();
+ for (AttributeValue attributeVal : attributeValueList)
{
+ attributeValues.add(attributeVal);
+ }
}
}
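Review bot: the guard above the added loop still tests attribute.getValue() != null, while the loop reads attribute.getValues(); the condition should test the collection that is actually iterated (getValues() non-null and non-empty) so the check and the loop cannot disagree. If attributeValues is a java.util.Collection, the loop can be written as attributeValues.addAll(attribute.getValues()). A unit test that evaluates this policy with the subject values in both orders would pin the behaviour down.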
Is this fix OK to proceed with, or does anything need to be changed in
the policy for this scenario to work?
Thanks,
Lakmali
--
Lakmali Baminiwatta
Software Engineer
WSO2, Inc.: http://wso2.com
lean.enterprise.middleware
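The order dependence described in this message, as an added plain-Java model (not Balana code and not part of the original post): Rule1's three string-equal matches are evaluated against a request whose subject-id bag holds two values, once with a lookup that returns only the first value and once with a lookup that returns the whole bag. The class name, method names and request maps are constructed for illustration, and missing attributes (MustBePresent) are not modelled.

```java
import java.util.*;
import java.util.function.BiFunction;

public class BagMatchDemo {
    // The three <Match> elements of Rule1's <AllOf>: attribute id -> literal to equal.
    static final Map<String, String> RULE1 = Map.of(
            "resource-id", "/twitter/*", "action-id", "GET", "subject-id", "everyone");

    // Constructed request: attribute id -> bag of values, in the order they were sent.
    static Map<String, List<String>> request(String... subjects) {
        Map<String, List<String>> r = new HashMap<>();
        r.put("resource-id", List.of("/twitter/*"));
        r.put("action-id", List.of("GET"));
        r.put("subject-id", List.of(subjects));
        return r;
    }

    // Lookup as described before the fix: only the first value reaches the bag.
    static List<String> firstValueOnly(Map<String, List<String>> req, String id) {
        List<String> v = req.getOrDefault(id, List.of());
        return v.isEmpty() ? v : v.subList(0, 1);
    }

    // Lookup as described after the fix: every value of the attribute reaches the bag.
    static List<String> allValues(Map<String, List<String>> req, String id) {
        return req.getOrDefault(id, List.of());
    }

    // first-applicable: Rule1 permits when each Match finds an equal value in its bag;
    // otherwise the unconditional Rule2 denies.
    static String evaluate(Map<String, List<String>> req,
            BiFunction<Map<String, List<String>>, String, List<String>> lookup) {
        for (Map.Entry<String, String> m : RULE1.entrySet()) {
            if (!lookup.apply(req, m.getKey()).contains(m.getValue())) return "Deny";
        }
        return "Permit";
    }

    public static void main(String[] args) {
        String[][] orders = {{"admin", "everyone"}, {"everyone", "admin"}};
        for (String[] subjects : orders) {
            Map<String, List<String>> req = request(subjects);
            System.out.println(Arrays.toString(subjects)
                    + " first-value-only=" + evaluate(req, BagMatchDemo::firstValueOnly)
                    + " all-values=" + evaluate(req, BagMatchDemo::allValues));
        }
    }
}
```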