Hi,

I wrote a XACML policy which has a rule involving the current time. When a
request is made the XACML response is given as below.

<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <Result>
    <Decision>Indeterminate</Decision>
    <Status>
      <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:missing-attribute"/>
      <StatusMessage>Couldn't find AttributeDesignator attribute</StatusMessage>
      <StatusDetail>
        <MissingAttributeDetail
            AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"
            DataType="http://www.w3.org/2001/XMLSchema#time"
            Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment">
        </MissingAttributeDetail>
      </StatusDetail>
    </Status>
  </Result>
</Response>

Although the "CurrentEnvModule" class is able to provide the current time,
it is not even called.

When I debugged for the reason, I found out that at [1], the callHelper
method (which will pick the missing values from attribute finders) is not
called when the 'mapAttributes' do not have the category of the missing
attribute. Since the 'mappedAttributes' are taken from the XACML request,
according to the current implementation, the request should have at least
one attribute each from the categories we include in the policy. In my case
I need to send an attribute from
"urn:oasis:names:tc:xacml:3.0:attribute-category:environment" category in
the XACML request in order to get the current time.

Is this intentional? Shouldn't we move the code at [1] to L146?

[1]
https://github.com/wso2/balana/blob/master/modules/balana-core/src/main/java/org/wso2/balana/ctx/xacml3/XACML3EvaluationCtx.java#L142-L144
-- 
*Pulasthi Mahawithana*
Senior Software Engineer
WSO2 Inc., http://wso2.com/
Mobile: +94-71-5179022
Blog: http://blog.pulasthi.org
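
A simplified model of the lookup described in the message above, added here as an illustration; it is not Balana source and not part of the original post. The class, method names, the stand-in finder and the constructed request maps are hypothetical; the environment category and current-time identifiers are the ones from the response above.

```java
import java.util.List;
import java.util.Map;

// Simplified model of the reported control flow; not Balana source.
// FinderFallbackDemo, finder, lookupNested and lookupHoisted are hypothetical names.
public class FinderFallbackDemo {
    static final String ENV = "urn:oasis:names:tc:xacml:3.0:attribute-category:environment";
    static final String SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject";
    static final String CURRENT_TIME = "urn:oasis:names:tc:xacml:1.0:environment:current-time";

    // Stand-in for an attribute finder module such as CurrentEnvModule.
    static List<String> finder(String category, String id) {
        if (ENV.equals(category) && CURRENT_TIME.equals(id)) {
            return List.of(java.time.LocalTime.now().toString());
        }
        return List.of();
    }

    // Reported behaviour: the finder is consulted only if the request carries the category.
    static List<String> lookupNested(Map<String, Map<String, List<String>>> request,
                                     String category, String id) {
        Map<String, List<String>> attrs = request.get(category);
        if (attrs != null) {
            List<String> values = attrs.getOrDefault(id, List.of());
            return values.isEmpty() ? finder(category, id) : values;
        }
        // Empty bag: a designator with MustBePresent="true" then reports missing-attribute.
        return List.of();
    }

    // Proposed behaviour: the fallback runs whenever the request itself yields no value.
    static List<String> lookupHoisted(Map<String, Map<String, List<String>>> request,
                                      String category, String id) {
        List<String> values = request.getOrDefault(category, Map.of()).getOrDefault(id, List.of());
        return values.isEmpty() ? finder(category, id) : values;
    }

    public static void main(String[] args) {
        // Constructed requests: one with only a subject attribute, and one that also
        // carries an unrelated environment attribute (the workaround from the message).
        var subjectOnly = Map.of(SUBJECT, Map.of("subject-id", List.of("alice")));
        var withEnv = Map.of(SUBJECT, Map.of("subject-id", List.of("alice")),
                             ENV, Map.of("example:dummy", List.of("x")));
        System.out.println("nested,  subject only: " + lookupNested(subjectOnly, ENV, CURRENT_TIME));
        System.out.println("nested,  with env:     " + lookupNested(withEnv, ENV, CURRENT_TIME));
        System.out.println("hoisted, subject only: " + lookupHoisted(subjectOnly, ENV, CURRENT_TIME));
    }
}
```

Only the first call returns an empty bag, which is the case that surfaces as the Indeterminate result with the missing-attribute status.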
