Farasath Ahamed
Software Engineer, WSO2 Inc.; http://wso2.com
Mobile: +94777603866
Blog: blog.farazath.com
Twitter: @farazath619 <https://twitter.com/farazath619>
<http://wso2.com/signature>



On Mon, Oct 31, 2016 at 9:36 AM, Asela Pathberiya <[email protected]> wrote:

>
>
> On Sun, Oct 30, 2016 at 8:07 PM, Pulasthi Mahawithana <[email protected]>
> wrote:
>
>> Hi,
>>
>> I wrote a XACML policy which has a rule involving the current time. When
>> a request is made the XACML response is given as below.
>>
>> <Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"><Result><Decision>Indeterminate</Decision><Status>
>> <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:missing-attribute"/>
>> <StatusMessage>Couldn't find AttributeDesignator attribute</StatusMessage>
>> <StatusDetail><MissingAttributeDetail AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time" DataType="http://www.w3.org/2001/XMLSchema#time" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" ></MissingAttributeDetail></StatusDetail>
>> </Status></Result></Response>
>>
>> Although the "CurrentEnvModule" class is able to provide the current
>> time, it is not even called.
>>
>> When I debugged for the reason, I found out that at [1], the callHelper
>> method (which will pick the missing values from attribute finders) is not
>> called when the 'mapAttributes' do not have the category of the missing
>> attribute. Since the 'mappedAttributes' are taken from the XACML request,
>> according to the current implementation, the request should have at least
>> one attribute each from the categories we include in the policy. In my case
>> I need to send an attribute from the
>> "urn:oasis:names:tc:xacml:3.0:attribute-category:environment" category in
>> the XACML request in order to get the current time.
>>
>> Is this intentional? Shouldn't we move the code at [1] to L146?
>>
>
> Yes.. it seems to be.  Please check line 5277 in XACML spec [2]
>
> [2] http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.pdf
>

Even in that case this behaviour is expected only for environment
attributes, right? With our current implementation we are expecting the same
for other categories as well. So shouldn't we do the change suggested by
Pulasthi?


>
>
>>
>> [1] https://github.com/wso2/balana/blob/master/modules/balana-core/src/main/java/org/wso2/balana/ctx/xacml3/XACML3EvaluationCtx.java#L142-L144
>> --
>> *Pulasthi Mahawithana*
>> Senior Software Engineer
>> WSO2 Inc., http://wso2.com/
>> Mobile: +94-71-5179022
>> Blog: http://blog.pulasthi.org
>>
>> <https://wso2.com/signature>
>>
>
>
>
> --
> Thanks & Regards,
> Asela
>
> ATL
> Mobile : +94 777 625 933
>              +358 449 228 979
>
> http://soasecurity.org/
> http://xacmlinfo.org/
>
> _______________________________________________
> Dev mailing list
> [email protected]
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>
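
A simplified model of the lookup behaviour discussed in this thread, added here as an illustration; it is not Balana code and not from any of the posters. The class, method and field names are hypothetical, and the request contents are constructed.

```java
import java.time.LocalTime;
import java.util.*;
import java.util.function.Supplier;

// Hypothetical model of attribute-designator resolution in a XACML PDP (not Balana's API).
public class DesignatorLookupModel {
    static final String ENV = "urn:oasis:names:tc:xacml:3.0:attribute-category:environment";
    static final String SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject";
    static final String CURRENT_TIME = "urn:oasis:names:tc:xacml:1.0:environment:current-time";

    // category -> (attribute id -> value), built only from the incoming request
    final Map<String, Map<String, String>> requestAttrs = new HashMap<>();
    // attribute id -> finder able to supply it (stand-in for attribute finder modules)
    final Map<String, Supplier<String>> finders = new HashMap<>();

    // Behaviour described in the thread: finders are consulted only when the
    // request already carries some attribute of the designator's category.
    Optional<String> resolveGated(String category, String id) {
        Map<String, String> inCategory = requestAttrs.get(category);
        if (inCategory == null) {
            return Optional.empty(); // surfaces as missing-attribute / Indeterminate
        }
        String value = inCategory.get(id);
        return value != null ? Optional.of(value) : callFinders(id);
    }

    // Behaviour proposed in the thread: fall back to finders whenever the request has no value.
    Optional<String> resolveWithFallback(String category, String id) {
        String value = requestAttrs.getOrDefault(category, Collections.emptyMap()).get(id);
        return value != null ? Optional.of(value) : callFinders(id);
    }

    private Optional<String> callFinders(String id) {
        Supplier<String> finder = finders.get(id);
        return finder == null ? Optional.empty() : Optional.ofNullable(finder.get());
    }

    public static void main(String[] args) {
        DesignatorLookupModel ctx = new DesignatorLookupModel();
        ctx.finders.put(CURRENT_TIME, () -> LocalTime.now().toString());
        // Constructed request: one subject attribute, no environment category at all.
        ctx.requestAttrs.put(SUBJECT, Map.of("urn:oasis:names:tc:xacml:1.0:subject:subject-id", "alice"));
        System.out.println("gated resolves current-time:    " + ctx.resolveGated(ENV, CURRENT_TIME).isPresent());
        System.out.println("fallback resolves current-time: " + ctx.resolveWithFallback(ENV, CURRENT_TIME).isPresent());
        // Workaround from the thread: include any environment attribute in the request.
        ctx.requestAttrs.put(ENV, Map.of("urn:example:env:placeholder", "x"));
        System.out.println("gated, env attribute sent:      " + ctx.resolveGated(ENV, CURRENT_TIME).isPresent());
    }
}
```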