I defined the policy below:

<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="SimplePolicy"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
        Version="1.0">
   <Target/>
   <Rule Effect="Permit" RuleId="primary-group-customer-rule">
      <Condition>
         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
               <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/echo/</AttributeValue>
                  <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                                       Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                                       DataType="http://www.w3.org/2001/XMLSchema#string"
                                       MustBePresent="true"/>
               </Apply>
               <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
                  <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                       Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                                       DataType="http://www.w3.org/2001/XMLSchema#string"
                                       MustBePresent="true"/>
               </Apply>
            </Apply>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
               <AttributeDesignator AttributeId="http://wso2.org/claims/role"
                                    Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                                    DataType="http://www.w3.org/2001/XMLSchema#string"
                                    MustBePresent="true"/>
            </Apply>
         </Apply>
      </Condition>
   </Rule>
</Policy>



And, through the Entitlement Mediator in the ESB, when I send the request from a
client with resource http://localhost:8280/services/echo/, I see the following
debug logs in the ESB.


[2015-06-20 11:03:33,315] DEBUG - EntitlementMediator Mediation for
Entitlement started
[2015-06-20 11:03:33,315] DEBUG - EntitlementCallbackHandler Service name
http://abimaran:8280/services/echo/
[2015-06-20 11:03:33,315] DEBUG - EntitlementMediator Subject ID is : admin
Resource ID is : http://abimaran:8280/services/echo//POST Action ID is :
POST.
[2015-06-20 11:03:33,358] DEBUG - EntitlementMediator Entitlement Decision
is : NotApplicable
[2015-06-20 11:03:33,358] DEBUG - EntitlementMediator User is not
authorized to perform the action

Can anyone please advise me why the XACML engine returns NotApplicable? And why
the Resource ID is http://abimaran:8280/services/echo//POST?


On Sat, Jun 20, 2015 at 10:54 AM, Abimaran Kugathasan <[email protected]>
wrote:

> [+Thanuja]
>
> On Sat, Jun 20, 2015 at 10:02 AM, Abimaran Kugathasan <[email protected]>
> wrote:
>
>> Applied SP1 for a fresh IS and tested, still the same error.
>>
>> On Sat, Jun 20, 2015 at 9:46 AM, Abimaran Kugathasan <[email protected]>
>> wrote:
>>
>>>
>>>
>>> On Sat, Jun 20, 2015 at 9:04 AM, Abimaran Kugathasan <[email protected]>
>>> wrote:
>>>
>>>> Hi Harsha,
>>>>
>>>> Please find the policy.
>>>>
>>>> <Policy PolicyId=" urn:oasis:names:tc:xacml:3.0:example:SimplePolicy"
>>>>         RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
>>>>         xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
>>>>     <Description>Sample XACML Authorization Policy.</Description>
>>>>     <Target/>
>>>>     <Rule RuleId= "urn:oasis:names:tc:xacml:3.0:example:SimpleRule1"
>>>>           Effect="Permit">
>>>>         <Description>
>>>>             Sample XACML Authorization Policy.
>>>>         </Description>
>>>>         <Target>
>>>>             <AnyOf>
>>>>                 <AllOf>
>>>>                     <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
>>>>                         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/echo/</AttributeValue>
>>>>                         <AttributeDesignator
>>>>                             MustBePresent="false"
>>>>                             Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
>>>>                             AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
>>>>                             DataType="http://www.w3.org/2001/XMLSchema#string"/>
>>>>                     </Match>
>>>>                 </AllOf>
>>>>             </AnyOf>
>>>>         </Target>
>>>>     </Rule>
>>>> </Policy>
>>>>
>>>> No, I haven't installed any patches or SPs.
>>>>
>>>> On Sat, Jun 20, 2015 at 9:00 AM, Harsha Thirimanna <[email protected]>
>>>> wrote:
>>>>
>>>>> We don't need to specify the XACML version, because it is already
>>>>> available in the policy as a namespace.
>>>>> Can you attach the policy file?
>>>>> Did you try this with IS SP1?
>>>>> On Jun 20, 2015 8:48 AM, "Abimaran Kugathasan" <[email protected]>
>>>>> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> When I tried the sample policy given in [1], I got the following
>>>>>> error in the UI.
>>>>>>
>>>>>>
>>>>>> Entitlement policy is not updated. Error is :Invalid Entitlement
>>>>>>> Policy. Policy is not valid according to XACML schema
>>>>>>
>>>>>>
>>>>>> I'm getting the same for the sample [2].
>>>>>>
>>>>>>
>>>>>> IS 5.0.0 supports both the XACML 2.0 and 3.0 specifications. Do I have to
>>>>>> set which version it should support in a configuration file?
>>>>>>
>>>>>> [1] :
>>>>>> https://docs.wso2.com/display/IS500/Writing+XACML+3+Policies+in+WSO2+Identity+Server+-+1
>>>>>> [2] :
>>>>>> https://docs.wso2.com/display/IS500/Writing+XACML+policies+in+WSO2+Identity+Server+-+1
>>>>>>


-- 
Thanks
Abimaran Kugathasan

Software Engineer | WSO2 Inc
Data & APIs Technologies Team
Mobile : +94 773922820

<http://stackoverflow.com/users/515034>
<http://lk.linkedin.com/in/abimaran>  <http://www.lkabimaran.blogspot.com/>
<https://github.com/abimarank>  <https://twitter.com/abimaran>
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
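Added example (not code from this thread, from WSO2 or from the Balana PDP): a small
XACML 3.0 evaluator in Python that implements only the constructs the policy at the
top of the thread uses (Apply with and / string-is-in, AttributeDesignator with
MustBePresent, Rule with Condition, the deny-overrides combining algorithm) and
runs it against the attribute values printed in the ESB debug log. It shows the
decision semantics a reader needs to interpret that log: when every MustBePresent
attribute is present but the Condition evaluates to false, the Rule yields
NotApplicable and deny-overrides over a single NotApplicable stays NotApplicable;
when a MustBePresent attribute is absent the Rule yields Indeterminate{P} instead,
so the two outcomes are distinguishable. The request dictionaries are constructed
from the log lines; the value of http://wso2.org/claims/role is an assumption,
since the log does not show how the PIP resolved it.

```python
"""Minimal XACML 3.0 evaluator (added example; not WSO2/Balana code)."""
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML}
FN = "urn:oasis:names:tc:xacml:1.0:function:"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
CAT_RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
CAT_ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
CAT_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
ROLE = "http://wso2.org/claims/role"

# The policy from the thread. Each AttributeValue is kept on one line: the text
# content of a string AttributeValue is literal, so mail-wrapped newlines
# would otherwise become part of the compared value.
POLICY_XML = f"""<Policy xmlns="{XACML}" PolicyId="SimplePolicy" Version="1.0"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
  <Target/>
  <Rule Effect="Permit" RuleId="primary-group-customer-rule">
    <Condition>
      <Apply FunctionId="{FN}and">
        <Apply FunctionId="{FN}and">
          <Apply FunctionId="{FN}string-is-in">
            <AttributeValue DataType="{XS_STRING}">http://localhost:8280/services/echo/</AttributeValue>
            <AttributeDesignator AttributeId="{RESOURCE_ID}" Category="{CAT_RESOURCE}"
              DataType="{XS_STRING}" MustBePresent="true"/>
          </Apply>
          <Apply FunctionId="{FN}string-is-in">
            <AttributeValue DataType="{XS_STRING}">read</AttributeValue>
            <AttributeDesignator AttributeId="{ACTION_ID}" Category="{CAT_ACTION}"
              DataType="{XS_STRING}" MustBePresent="true"/>
          </Apply>
        </Apply>
        <Apply FunctionId="{FN}string-is-in">
          <AttributeValue DataType="{XS_STRING}">admin</AttributeValue>
          <AttributeDesignator AttributeId="{ROLE}" Category="{CAT_SUBJECT}"
            DataType="{XS_STRING}" MustBePresent="true"/>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
</Policy>"""

# Request context: (category, attribute-id) -> bag of string values.
# Constructed from the ESB debug log; the role value is an assumption.
REQUEST_FROM_LOG = {
    (CAT_SUBJECT, ROLE): ["admin"],
    (CAT_RESOURCE, RESOURCE_ID): ["http://abimaran:8280/services/echo//POST"],
    (CAT_ACTION, ACTION_ID): ["POST"],
}
# Constructed request carrying exactly the values the policy compares against.
MATCHING_REQUEST = {
    (CAT_SUBJECT, ROLE): ["admin"],
    (CAT_RESOURCE, RESOURCE_ID): ["http://localhost:8280/services/echo/"],
    (CAT_ACTION, ACTION_ID): ["read"],
}


class Indeterminate(Exception):
    """An expression could not be evaluated (here: MustBePresent attribute absent)."""


def qname(local):
    return f"{{{XACML}}}{local}"


def eval_expr(node, request):
    """Evaluate an XACML expression node; simplified: 'and' evaluates all args."""
    if node.tag == qname("AttributeValue"):
        return node.text or ""  # literal value, whitespace included
    if node.tag == qname("AttributeDesignator"):
        bag = request.get((node.get("Category"), node.get("AttributeId")), [])
        if not bag and node.get("MustBePresent") == "true":
            raise Indeterminate(node.get("AttributeId"))
        return list(bag)
    if node.tag == qname("Apply"):
        fn = node.get("FunctionId")
        args = [eval_expr(child, request) for child in node]
        if fn == FN + "and":
            return all(args)
        if fn == FN + "string-is-in":  # string-is-in(value, bag)
            value, bag = args
            return value in bag
        raise NotImplementedError(fn)
    raise NotImplementedError(node.tag)


def eval_rule(rule, request):
    """Rule with empty/absent Target: Condition true -> Effect, false -> NotApplicable,
    Indeterminate -> Indeterminate{P} or Indeterminate{D} depending on the Effect."""
    effect = rule.get("Effect")
    condition = rule.find("x:Condition", NS)
    if condition is None:
        return effect
    try:
        return effect if eval_expr(condition[0], request) else "NotApplicable"
    except Indeterminate:
        return "Indeterminate{P}" if effect == "Permit" else "Indeterminate{D}"


def deny_overrides(decisions):
    """XACML 3.0 deny-overrides rule-combining algorithm (core spec, Appendix C)."""
    if "Deny" in decisions:
        return "Deny"
    if "Indeterminate{DP}" in decisions:
        return "Indeterminate{DP}"
    if "Indeterminate{D}" in decisions:
        if "Indeterminate{P}" in decisions or "Permit" in decisions:
            return "Indeterminate{DP}"
        return "Indeterminate{D}"
    if "Permit" in decisions:
        return "Permit"
    if "Indeterminate{P}" in decisions:
        return "Indeterminate{P}"
    return "NotApplicable"


def evaluate(policy_xml, request):
    """Evaluate a Policy whose own Target is empty (always matches)."""
    root = ET.fromstring(policy_xml)
    return deny_overrides([eval_rule(r, request) for r in root.findall("x:Rule", NS)])


if __name__ == "__main__":
    print("log request      :", evaluate(POLICY_XML, REQUEST_FROM_LOG))
    print("matching request :", evaluate(POLICY_XML, MATCHING_REQUEST))
    no_role = {k: v for k, v in MATCHING_REQUEST.items() if k[1] != ROLE}
    print("role attr missing:", evaluate(POLICY_XML, no_role))
```

Run as a script it prints NotApplicable for the attribute values seen in the log, Permit
for the constructed matching request, and Indeterminate{P} when the role attribute is
left out, which is how a NotApplicable in the mediator log can be told apart from an
attribute-resolution failure.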
