Hi Ben

In your first rule, under actions, you have:

      <AttributeValue DataType="http://www.w3.org2001/XMLSchema#string">

This appears to be missing a "/"; i.e. it should be
"http://www.w3.org/2001/XMLSchema#string"

Regards
Steve

> -----Original Message-----
> From: Benjamin Ryan [mailto:b.r...@leeds.ac.uk] 
> Sent: 25 August 2011 09:54
> To: fedora-commons-users@lists.sourceforge.net
> Subject: [fcrepo-user] XACML problems
> 
> 
> Hi,
>   I have the following policy that I am trying to use in a 
> POLICY data stream.
> 
> <Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
>   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>   PolicyId="MAF_WAF"
>   RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
>   xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:policy C:\development\repositories\fedora3.4\server\xsd\cs-xacml-schema-policy-01.xsd">
>  <Description>This is an object-specific policy.</Description>
>  <Target>
> 
>   <Subjects>
>    <AnySubject/>
>   </Subjects>
>   <Resources>
>    <AnyResource/>
>   </Resources>
> 
>   <Actions>
>    <AnyAction/>
>   </Actions>
>  </Target>
> 
>  <Rule RuleId="1" Effect="Permit">
>   <Target>
>    <Subjects>
>     <AnySubject/>
>    </Subjects>
>    <Resources>
>     <AnyResource/>
>    </Resources>
>    <Actions>
>     <Action>
>      <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>       <AttributeValue DataType="http://www.w3.org2001/XMLSchema#string">
>      urn:fedora:names:fedora:2.1:action:api-a
>       </AttributeValue>
>       <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:api" DataType="http://www.w3.org/2001/XMLSchema#string"/>
>      </ActionMatch>
>     </Action>
>    </Actions>
>   </Target>
> 
>   <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
>    <SubjectAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:subject:loginId" MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string"/>
>    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
>     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">fedoraAdmin</AttributeValue>
>     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ben</AttributeValue>
>    </Apply>
>   </Condition>
>  </Rule>
> 
>  <Rule RuleId="2" Effect="Permit">
>   <Target>
>    <Subjects>
>     <AnySubject/>
>    </Subjects>
>    <Resources>
>     <AnyResource/>
>    </Resources>
>    <Actions>
>     <Action>
>      <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>       <AttributeValue DataType="http://www.w3.org2001/XMLSchema#string">
>      urn:fedora:names:fedora:2.1:action:api-a
>       </AttributeValue>
>       <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:api" DataType="http://www.w3.org/2001/XMLSchema#string"/>
>      </ActionMatch>
>     </Action>
>    </Actions>
>   </Target>
>   <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
>    <SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="*memberOf*"/>
>    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
>     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">MAF</AttributeValue>
>     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">WAF</AttributeValue>
>    </Apply>
>   </Condition>
>  </Rule>
> </Policy>
> 
> That gives the following error when validating with the 
> validate-policy.bat:
> 
> org.fcrepo.server.errors.ValidationException: Policy invalid; failed parsing by Sun XACML implementation
>  at org.fcrepo.server.security.PolicyParser.parse(PolicyParser.java:141)
>  at org.fcrepo.server.security.PolicyParser.main(PolicyParser.java:193)
>  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>  at java.lang.reflect.Method.invoke(Method.java:597)
>  at org.fcrepo.server.utilities.rebuild.cli.CLILoader.main(CLILoader.java:77)
> Caused by: com.sun.xacml.ParsingException: Unknown Attribute Type
>  at com.sun.xacml.TargetMatch.getInstance(TargetMatch.java:255)
>  at com.sun.xacml.TargetMatchGroup.getInstance(TargetMatchGroup.java:115)
>  at com.sun.xacml.TargetSection.getInstance(TargetSection.java:117)
>  at com.sun.xacml.Target.getInstance(Target.java:192)
>  at com.sun.xacml.Rule.getInstance(Rule.java:206)
>  at com.sun.xacml.Policy.<init>(Policy.java:346)
>  at com.sun.xacml.Policy.getInstance(Policy.java:431)
>  at org.fcrepo.server.security.PolicyParser.parse(PolicyParser.java:132)
>  ... 6 more
> Caused by: com.sun.xacml.UnknownIdentifierException: Attributes of type http://www.w3.org2001/XMLSchema#string aren't supported.
>  at com.sun.xacml.attr.BaseAttributeFactory.createValue(BaseAttributeFactory.java:205)
>  at com.sun.xacml.attr.BaseAttributeFactory.createValue(BaseAttributeFactory.java:157)
>  at com.sun.xacml.TargetMatch.getInstance(TargetMatch.java:253)
>  ... 13 more
> 
> 
> Can anyone help as this has stopped all further work until I 
> can get policies working in object data streams.
> 
> Regards,
>   Ben
> ---------------------------------------------------------------------
> Dr Ben Ryan
> Timescapes Archive Technical Officer
> School of Sociology and Social Policy
> Faculty of Education, Social Sciences and Law
> Social Science Building
> The University of Leeds
> Leeds LS2 9JT
> Email: b.r...@leeds.ac.uk<mailto:b.r...@leeds.ac.uk>
> Tel: 0113 343 7319
> Website: 
> http://www.timescapes.leeds.ac.uk<http://www.timescapes.leeds.ac.uk/>
> ---------------------------------------------------------------------
> 

