On Mon, Oct 31, 2016 at 11:43 AM, Pulasthi Mahawithana <[email protected]> wrote:
> Hi Asela,
>
> On Mon, Oct 31, 2016 at 9:36 AM, Asela Pathberiya <[email protected]> wrote:
>
>> On Sun, Oct 30, 2016 at 8:07 PM, Pulasthi Mahawithana <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> I wrote an XACML policy which has a rule involving the current time. When
>>> a request is made the XACML response is given as below.
>>>
>>> <Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"><Result><Decision>Indeterminate</Decision><Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:missing-attribute"/><StatusMessage>Couldn't find AttributeDesignator attribute</StatusMessage><StatusDetail><MissingAttributeDetail AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time" DataType="http://www.w3.org/2001/XMLSchema#time" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" ></MissingAttributeDetail></StatusDetail></Status></Result></Response>
>>>
>>> Although the "CurrentEnvModule" class is able to provide the current
>>> time, it is not even called.
>>>
>>> When I debugged for the reason, I found out that at [1], the callHelper
>>> method (which will pick the missing values from attribute finders) is not
>>> called when the 'mapAttributes' do not have the category of the missing
>>> attribute. Since the 'mappedAttributes' are taken from the XACML request,
>>> according to the current implementation, the request should have at least
>>> one attribute each from the categories we include in the policy. In my case
>>> I need to send an attribute from the
>>> "urn:oasis:names:tc:xacml:3.0:attribute-category:environment" category in
>>> the XACML request in order to get the current time.
>>>
>>> Is this intentional? Shouldn't we move the code at [1] to L146?
>>>
>>
>> Yes.. it seems to be. Please check line 5277 in XACML spec [2]
>>
>> [2] http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.pdf
>>
>
> From this section what I interpret is, if we are sending any attributes in
> the XACML request related to environment, we should send them under the
> "urn:oasis:names:tc:xacml:3.0:attribute-category:environment" category.
> Not under any other category. It doesn't mean that we must send them in the
> request (if we are using them in policies). Please correct me if I got it
> wrong.
>

+1

>
>>
>>>
>>> [1] https://github.com/wso2/balana/blob/master/modules/balana-core/src/main/java/org/wso2/balana/ctx/xacml3/XACML3EvaluationCtx.java#L142-L144
>>> --
>>> *Pulasthi Mahawithana*
>>> Senior Software Engineer
>>> WSO2 Inc., http://wso2.com/
>>> Mobile: +94-71-5179022
>>> Blog: http://blog.pulasthi.org
>>>
>>> <https://wso2.com/signature>
>>>
>>
>> --
>> Thanks & Regards,
>> Asela
>>
>> ATL
>> Mobile : +94 777 625 933
>>          +358 449 228 979
>>
>> http://soasecurity.org/
>> http://xacmlinfo.org/
>>
>
> --
> *Pulasthi Mahawithana*
> Senior Software Engineer
> WSO2 Inc., http://wso2.com/
> Mobile: +94-71-5179022
> Blog: http://blog.pulasthi.org
>
> <https://wso2.com/signature>
>

--
Regards,

*Darshana Gunawardana*
Associate Technical Lead
WSO2 Inc.; http://wso2.com
*E-mail: [email protected] <[email protected]>*
*Mobile: +94718566859*
Lean . Enterprise . Middleware
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
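The lookup behaviour discussed in this thread, as an added example that is not part of the original messages and is not Balana source code: a simplified Java model contrasting the reported logic (finder skipped when the request lacks the category) with the proposed logic (finder always used as fallback). The class, the finder registry, the `callHelper` signature and the placeholder attribute are assumptions made for illustration; only the URNs and the `callHelper` name come from the thread.

```java
import java.time.LocalTime;
import java.util.Map;
import java.util.Optional;
import java.util.function.Supplier;

// Simplified model of the attribute lookup described in the thread (hypothetical, not Balana code).
public class EnvAttributeLookup {
    static final String ENV = "urn:oasis:names:tc:xacml:3.0:attribute-category:environment";
    static final String CURRENT_TIME = "urn:oasis:names:tc:xacml:1.0:environment:current-time";
    static final String SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject";

    // Hypothetical stand-in for the attribute finder modules; one entry supplies current-time.
    static final Map<String, Supplier<String>> FINDERS =
            Map.of(CURRENT_TIME, () -> LocalTime.now().toString());

    // Named after the method mentioned in the thread; this signature is an assumption.
    static Optional<String> callHelper(String id) {
        Supplier<String> finder = FINDERS.get(id);
        return finder == null ? Optional.empty() : Optional.of(finder.get());
    }

    // Reported behaviour: finders are consulted only if the request carries the category.
    static Optional<String> lookupReported(Map<String, Map<String, String>> req, String category, String id) {
        Map<String, String> attrs = req.get(category);
        if (attrs == null) return Optional.empty(); // surfaces as Indeterminate / missing-attribute
        String v = attrs.get(id);
        return v != null ? Optional.of(v) : callHelper(id);
    }

    // Proposed behaviour: fall back to finders whenever the request does not supply the value.
    static Optional<String> lookupProposed(Map<String, Map<String, String>> req, String category, String id) {
        String v = req.getOrDefault(category, Map.of()).get(id);
        return v != null ? Optional.of(v) : callHelper(id);
    }

    public static void main(String[] args) {
        // Constructed requests: one without any environment attribute, one with a placeholder
        // environment attribute (the workaround described in the thread).
        Map<String, String> subject = Map.of("urn:oasis:names:tc:xacml:1.0:subject:subject-id", "alice");
        Map<String, Map<String, String>> noEnv = Map.of(SUBJECT, subject);
        Map<String, Map<String, String>> withEnv =
                Map.of(SUBJECT, subject, ENV, Map.of("urn:example:placeholder", "x"));

        System.out.println("reported, no env category:   " + lookupReported(noEnv, ENV, CURRENT_TIME).isPresent());
        System.out.println("reported, with env category: " + lookupReported(withEnv, ENV, CURRENT_TIME).isPresent());
        System.out.println("proposed, no env category:   " + lookupProposed(noEnv, ENV, CURRENT_TIME).isPresent());
    }
}
```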
