On Sat, Jun 20, 2015 at 11:07 AM, Abimaran Kugathasan <[email protected]> wrote:

> I defined below policy,
>
> <Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
>   PolicyId="SimplePolicy"
>   RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
>   Version="1.0">
>   <Target/>
>   <Rule Effect="Permit" RuleId="primary-group-customer-rule">
>     <Condition>
>       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
>         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
>           <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/echo/</AttributeValue>
>             <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
>               Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
>               DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
>           </Apply>
>           <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
>             <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
>               Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
>               DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
>           </Apply>
>         </Apply>
>         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
>           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
>           <AttributeDesignator AttributeId="http://wso2.org/claims/role"
>             Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
>             DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
>         </Apply>
>       </Apply>
>     </Condition>
>   </Rule>
> </Policy>
>
> And, through Entitlement Mediator with ESB, when I send the request from a
> client with resource http://localhost:8280/services/echo/, I saw the
> following debug logs in the ESB.
>
> [2015-06-20 11:03:33,315] DEBUG - EntitlementMediator Mediation for Entitlement started
> [2015-06-20 11:03:33,315] DEBUG - EntitlementCallbackHandler Service name http://abimaran:8280/services/echo/
> [2015-06-20 11:03:33,315] DEBUG - EntitlementMediator Subject ID is : admin Resource ID is : http://abimaran:8280/services/echo//POST Action ID is : POST.
> [2015-06-20 11:03:33,358] DEBUG - EntitlementMediator Entitlement Decision is : NotApplicable
> [2015-06-20 11:03:33,358] DEBUG - EntitlementMediator User is not authorized to perform the action
>
> Anyone please advise me, why does the XACML engine return NotApplicable? And why
> is the Resource ID http://abimaran:8280/services/echo//POST?
>

PDP usually can return a NotApplicable result when there is no policy or no matching policy in its PDP. The above policy is evaluated to NotApplicable as there are no matching rules for the given request.

Resource/User/Action are extracted from the entitlement mediator using the callback handler [1].

It seems to be that "EntitlementMediator" has some logic to append the action into its resource name. So, we can change the policy and see..

[1] http://svn.wso2.org/repos/wso2/carbon/platform/branches/turing/components/identity/org.wso2.carbon.identity.entitlement.mediator/4.2.2/src/main/java/org/wso2/carbon/identity/entitlement/mediator/callback/EntitlementCallbackHandler.java

Thanks,
Asela.

>
> On Sat, Jun 20, 2015 at 10:54 AM, Abimaran Kugathasan <[email protected]> wrote:
>
>> [+Thanuja]
>>
>> On Sat, Jun 20, 2015 at 10:02 AM, Abimaran Kugathasan <[email protected]> wrote:
>>
>>> Applied SP1 for a fresh IS and tested, still same error.
>>>
>>> On Sat, Jun 20, 2015 at 9:46 AM, Abimaran Kugathasan <[email protected]> wrote:
>>>
>>>> On Sat, Jun 20, 2015 at 9:04 AM, Abimaran Kugathasan <[email protected]> wrote:
>>>>
>>>>> Hi Harsha,
>>>>>
>>>>> Please find the policy.
>>>>>
>>>>> <Policy PolicyId="urn:oasis:names:tc:xacml:3.0:example:SimplePolicy"
>>>>>   RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
>>>>>   xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
>>>>>   <Description>Sample XACML Authorization Policy.</Description>
>>>>>   <Target/>
>>>>>   <Rule RuleId="urn:oasis:names:tc:xacml:3.0:example:SimpleRule1" Effect="Permit">
>>>>>     <Description>Sample XACML Authorization Policy.</Description>
>>>>>     <Target>
>>>>>       <AnyOf>
>>>>>         <AllOf>
>>>>>           <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
>>>>>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/echo/</AttributeValue>
>>>>>             <AttributeDesignator MustBePresent="false"
>>>>>               Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
>>>>>               AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
>>>>>               DataType="http://www.w3.org/2001/XMLSchema#string"/>
>>>>>           </Match>
>>>>>         </AllOf>
>>>>>       </AnyOf>
>>>>>     </Target>
>>>>>   </Rule>
>>>>> </Policy>
>>>>>
>>>>> No, I haven't installed any patches or SPs.
>>>>>
>>>>> On Sat, Jun 20, 2015 at 9:00 AM, Harsha Thirimanna <[email protected]> wrote:
>>>>>
>>>>>> We don't need to specify the XACML version, because it is already
>>>>>> available in the policy as a namespace.
>>>>>> Can you attach the policy file?
>>>>>> Did you try this with IS SP1?
>>>>>>
>>>>>> On Jun 20, 2015 8:48 AM, "Abimaran Kugathasan" <[email protected]> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> When I tried the sample policy given in [1], I got the following
>>>>>>> error in the UI.
>>>>>>>
>>>>>>>> Entitlement policy is not updated. Error is :Invalid Entitlement
>>>>>>>> Policy. Policy is not valid according to XACML schema
>>>>>>>
>>>>>>> I'm getting the same for the sample [2].
>>>>>>>
>>>>>>> IS 5.0.0 supports both the XACML 2.0 and 3.0 specifications. Do I have to
>>>>>>> set which version should be supported in a configuration file?
>>>>>>>
>>>>>>> [1] : https://docs.wso2.com/display/IS500/Writing+XACML+3+Policies+in+WSO2+Identity+Server+-+1
>>>>>>> [2] : https://docs.wso2.com/display/IS500/Writing+XACML+policies+in+WSO2+Identity+Server+-+1
>>>>>>>
>>>>>>> --
>>>>>>> Thanks
>>>>>>> Abimaran Kugathasan
>>>>>>>
>>>>>>> Software Engineer | WSO2 Inc
>>>>>>> Data & APIs Technologies Team
>>>>>>> Mobile : +94 773922820
>>>>>>>
>>>>>>> <http://stackoverflow.com/users/515034>
>>>>>>> <http://lk.linkedin.com/in/abimaran>
>>>>>>> <http://www.lkabimaran.blogspot.com/>
>>>>>>> <https://github.com/abimarank> <https://twitter.com/abimaran>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Dev mailing list
>>>>>>> [email protected]
>>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>>>
>>>>>
>>>>
>>>
>>
>

--
Thanks & Regards,
Asela

ATL
Mobile : +94 777 625 933
         +358 449 228 979
http://soasecurity.org/
http://xacmlinfo.org/
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
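Asela's diagnosis can be checked offline. The script below is an added example, not code from WSO2, the Entitlement Mediator or the Balana PDP: it parses the deny-overrides policy from the first mail in this thread (re-typed inline as the sample input) and evaluates its Condition against a request context built from the ESB debug log (subject admin, resource http://abimaran:8280/services/echo//POST, action POST). It implements only the two functions that policy uses (and, string-is-in), treats the empty Target as matching every request, and simplifies deny-overrides to Deny > Indeterminate > Permit > NotApplicable. The role bag on the subject is an assumption, since the log prints only the subject id; the explain() helper and the EXPECTED_REQUEST context are likewise this example's own, not anything the mediator exposes.

```python
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
RESOURCE_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
SUBJECT_CAT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
ROLE_CLAIM = "http://wso2.org/claims/role"
FN = "urn:oasis:names:tc:xacml:1.0:function:"

def q(tag):
    """Namespace-qualify a XACML element name for ElementTree lookups."""
    return "{%s}%s" % (XACML, tag)

# The deny-overrides policy from the thread, re-typed here as the sample input.
POLICY_XML = f"""<Policy xmlns="{XACML}" PolicyId="SimplePolicy" Version="1.0"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
  <Target/>
  <Rule Effect="Permit" RuleId="primary-group-customer-rule">
    <Condition>
      <Apply FunctionId="{FN}and">
        <Apply FunctionId="{FN}and">
          <Apply FunctionId="{FN}string-is-in">
            <AttributeValue DataType="{XS_STRING}">http://localhost:8280/services/echo/</AttributeValue>
            <AttributeDesignator AttributeId="{RESOURCE_ID}" Category="{RESOURCE_CAT}"
              DataType="{XS_STRING}" MustBePresent="true"/>
          </Apply>
          <Apply FunctionId="{FN}string-is-in">
            <AttributeValue DataType="{XS_STRING}">read</AttributeValue>
            <AttributeDesignator AttributeId="{ACTION_ID}" Category="{ACTION_CAT}"
              DataType="{XS_STRING}" MustBePresent="true"/>
          </Apply>
        </Apply>
        <Apply FunctionId="{FN}string-is-in">
          <AttributeValue DataType="{XS_STRING}">admin</AttributeValue>
          <AttributeDesignator AttributeId="{ROLE_CLAIM}" Category="{SUBJECT_CAT}"
            DataType="{XS_STRING}" MustBePresent="true"/>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
</Policy>"""

class Indeterminate(Exception):
    """A MustBePresent="true" attribute was absent from the request context."""

def evaluate(node, request):
    """Evaluate an expression node; request maps (Category, AttributeId) -> bag of strings."""
    if node.tag == q("AttributeValue"):
        return (node.text or "").strip()
    if node.tag == q("AttributeDesignator"):
        key = (node.get("Category"), node.get("AttributeId"))
        bag = request.get(key, [])
        if not bag and node.get("MustBePresent") == "true":
            raise Indeterminate(key)
        return bag
    fid = node.get("FunctionId")  # <Apply>: evaluate the arguments, then apply the function
    args = [evaluate(child, request) for child in node]
    if fid == FN + "and":
        return all(args)
    if fid == FN + "string-is-in":
        return args[0] in args[1]
    raise NotImplementedError(fid)

def evaluate_rule(rule, request):
    """Empty <Target/> matches everything; a false Condition makes the rule NotApplicable."""
    try:
        if not evaluate(rule.find(q("Condition"))[0], request):
            return "NotApplicable"
    except Indeterminate:
        return "Indeterminate"
    return rule.get("Effect")

def evaluate_policy(policy_xml, request):
    """deny-overrides, simplified to Deny > Indeterminate > Permit > NotApplicable."""
    results = [evaluate_rule(r, request) for r in ET.fromstring(policy_xml).findall(q("Rule"))]
    for decision in ("Deny", "Indeterminate", "Permit"):
        if decision in results:
            return decision
    return "NotApplicable"

def explain(policy_xml, request):
    """For each string-is-in leaf: (AttributeId, expected value, request bag, matched?)."""
    rows = []
    for apply in ET.fromstring(policy_xml).iter(q("Apply")):
        if apply.get("FunctionId") == FN + "string-is-in":
            want = apply[0].text.strip()
            key = (apply[1].get("Category"), apply[1].get("AttributeId"))
            got = request.get(key, [])
            rows.append((key[1], want, got, want in got))
    return rows

# Request context as the ESB debug log shows it (constructed; the role bag is an
# assumption, since the log prints only the subject id "admin").
LOGGED_REQUEST = {
    (SUBJECT_CAT, ROLE_CLAIM): ["admin"],
    (RESOURCE_CAT, RESOURCE_ID): ["http://abimaran:8280/services/echo//POST"],
    (ACTION_CAT, ACTION_ID): ["POST"],
}
# The request the policy author evidently had in mind (constructed).
EXPECTED_REQUEST = {**LOGGED_REQUEST,
    (RESOURCE_CAT, RESOURCE_ID): ["http://localhost:8280/services/echo/"],
    (ACTION_CAT, ACTION_ID): ["read"]}

if __name__ == "__main__":
    for name, req in (("logged", LOGGED_REQUEST), ("expected", EXPECTED_REQUEST)):
        print(name, "->", evaluate_policy(POLICY_XML, req))
        for attr, want, got, ok in explain(POLICY_XML, req):
            print("   %s: want %r, got %r -> %s" % (attr, want, got, "ok" if ok else "MISMATCH"))
```

Run against the logged request it returns NotApplicable with the resource and action leaves flagged as mismatches (the host is abimaran rather than localhost, the mediator appended //POST, and the action is POST rather than read); against the corrected request it returns Permit. Dropping a MustBePresent="true" attribute yields Indeterminate rather than NotApplicable, which is the other decision worth telling apart when reading the mediator log, since both end in "User is not authorized" but point at different fixes (a policy that does not match versus an attribute the PIP never supplied).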
