Hi Asela,

On Mon, Oct 31, 2016 at 9:36 AM, Asela Pathberiya <[email protected]> wrote:

> On Sun, Oct 30, 2016 at 8:07 PM, Pulasthi Mahawithana <[email protected]> wrote:
>
>> Hi,
>>
>> I wrote a XACML policy which has a rule involving the current time. When
>> a request is made the XACML response is given as below.
>>
>> <Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
>>   <Result>
>>     <Decision>Indeterminate</Decision>
>>     <Status>
>>       <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:missing-attribute"/>
>>       <StatusMessage>Couldn't find AttributeDesignator attribute</StatusMessage>
>>       <StatusDetail>
>>         <MissingAttributeDetail
>>             AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"
>>             DataType="http://www.w3.org/2001/XMLSchema#time"
>>             Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" ></MissingAttributeDetail>
>>       </StatusDetail>
>>     </Status>
>>   </Result>
>> </Response>
>>
>> Although the "CurrentEnvModule" class is able to provide the current
>> time, it is not even called.
>>
>> When I debugged for the reason, I found out that at [1], the callHelper
>> method (which will pick the missing values from attribute finders) is not
>> called when the 'mapAttributes' do not have the category of the missing
>> attribute. Since the 'mappedAttributes' are taken from the XACML request,
>> according to the current implementation, the request should have at least
>> one attribute each from the categories we include in the policy. In my case
>> I need to send an attribute from
>> "urn:oasis:names:tc:xacml:3.0:attribute-category:environment" category in
>> the XACML request in order to get the current time.
>>
>> Is this intentional? Shouldn't we move the code at [1] to L146?
>
> Yes.. it seems to be. Please check line 5277 in XACML spec [2]
>
> [2] http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.pdf

From this section what I interpret is, if we are sending any attributes in
the XACML request related to environment, we should send them under the
"urn:oasis:names:tc:xacml:3.0:attribute-category:environment" category, not
under any other category. It doesn't mean that we must send them in the
request (if we are using them in policies). Please correct me if I got it
wrong.

>> [1] https://github.com/wso2/balana/blob/master/modules/balana-core/src/main/java/org/wso2/balana/ctx/xacml3/XACML3EvaluationCtx.java#L142-L144
>>
>> --
>> *Pulasthi Mahawithana*
>> Senior Software Engineer
>> WSO2 Inc., http://wso2.com/
>> Mobile: +94-71-5179022
>> Blog: http://blog.pulasthi.org
>>
>> <https://wso2.com/signature>
>
> --
> Thanks & Regards,
> Asela
>
> ATL
> Mobile : +94 777 625 933
>          +358 449 228 979
>
> http://soasecurity.org/
> http://xacmlinfo.org/

--
*Pulasthi Mahawithana*
Senior Software Engineer
WSO2 Inc., http://wso2.com/
Mobile: +94-71-5179022
Blog: http://blog.pulasthi.org

<https://wso2.com/signature>
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
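
Added example (not part of the original thread and not Balana's code): a simplified Java model of the lookup behaviour described in the message above, next to the fallback Pulasthi suggests, run against a constructed request that carries no environment-category attributes. All class and method names are hypothetical, and the "proposed" variant assumes the suggestion means consulting the attribute finder whether or not the request carries the category.

```java
import java.time.LocalTime;
import java.util.Map;
import java.util.Optional;
import java.util.function.Supplier;

// Simplified model of the lookup discussed in this thread; NOT Balana's code.
// Every class, method and field name below is hypothetical.
public class EnvAttributeLookupDemo {
    static final String ENV_CATEGORY =
        "urn:oasis:names:tc:xacml:3.0:attribute-category:environment";
    static final String CURRENT_TIME =
        "urn:oasis:names:tc:xacml:1.0:environment:current-time";

    // Stand-in for an attribute finder module that can supply the current time.
    static final Map<String, Supplier<String>> FINDERS =
        Map.<String, Supplier<String>>of(CURRENT_TIME, () -> LocalTime.now().toString());

    static Optional<String> callFinder(String attributeId) {
        Supplier<String> finder = FINDERS.get(attributeId);
        return finder == null ? Optional.empty() : Optional.of(finder.get());
    }

    // Behaviour as reported: the finder is consulted only when the request
    // already carries at least one attribute in the designator's category.
    static Optional<String> lookupAsReported(
            Map<String, Map<String, String>> request, String category, String attributeId) {
        Map<String, String> attrs = request.get(category);
        if (attrs == null) return Optional.empty();   // finder is never reached
        String value = attrs.get(attributeId);
        return value != null ? Optional.of(value) : callFinder(attributeId);
    }

    // Behaviour as proposed (assumption): fall back to the finder whenever the
    // request does not supply the value, whether or not the category is present.
    static Optional<String> lookupAsProposed(
            Map<String, Map<String, String>> request, String category, String attributeId) {
        String value = request.getOrDefault(category, Map.of()).get(attributeId);
        return value != null ? Optional.of(value) : callFinder(attributeId);
    }

    public static void main(String[] args) {
        // Constructed request: one subject attribute, no environment category at all.
        Map<String, Map<String, String>> request = Map.of(
            "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
            Map.of("urn:oasis:names:tc:xacml:1.0:subject:subject-id", "alice"));
        String missing = "Indeterminate (missing-attribute)";
        System.out.println("reported: " + lookupAsReported(request, ENV_CATEGORY, CURRENT_TIME).orElse(missing));
        System.out.println("proposed: " + lookupAsProposed(request, ENV_CATEGORY, CURRENT_TIME).orElse(missing));
    }
}
```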
