Re: [Dev] Current time is not picked by XACML engine

2016-10-31 Thread Darshana Gunawardana 
On Mon, Oct 31, 2016 at 11:43 AM, Pulasthi Mahawithana 
wrote:

> Hi Asela,
>
> On Mon, Oct 31, 2016 at 9:36 AM, Asela Pathberiya  wrote:
>
>>
>>
>> On Sun, Oct 30, 2016 at 8:07 PM, Pulasthi Mahawithana > > wrote:
>>
>>> Hi,
>>>
>>> I wrote a XACML policy which has a rule involving the current time. When
>>> a request is made the XACML response is given as below.
>>>
>>> >> lt>Indeterminate>> Value="urn:oasis:names:tc:xacml:1.0:status:missing-attribute"/>Couldn't
>>> find AttributeDesignator attribute
>>> http://www.w3.org/20
>>> 01/XMLSchema#time" Category="urn:oasis:names:tc:x
>>> acml:3.0:attribute-category:environment" >
>>> 
>>>
>>> Although the "CurrentEnvModule" class is able to provide the current
>>> time. It is not not even called.
>>>
>>> When I debugged for the reason, I found out that at [1], the callHelper
>>> method (which will pick the missing values from attribute finders) is not
>>> called when the 'mapAttributes' do not have the category of the missing
>>> attribute. Since the 'mappedAttributes' are taken from the XACML request,
>>> according to the current implementation, The request should have at least
>>> one attribute each from the categories we include in the policy. In my case
>>> I need to send an attribute from "urn:oasis:names:tc:xacml:3.0:
>>> attribute-category:environment" category in the XACML request in order
>>> to get the current time.
>>>
>>> Is this intentional? Shouldn't we move the code at [1] to L146?
>>>
>>
>> Yes.. it seems to be.  Please check line 5277 in XACML spec [2]
>>
>> [2] http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.pdf
>>
>
> From this section what I interpret is, If we are sending any attributes in
> XACML request related to environment, we should send them under
> "urn:oasis:names:tc:xacml:3.0:attribute-category:environment" category.
> Not under any other category. It doesn't mean that we must send them in
> request (if we are using them in policies). Please correct me if I got it
> wrong.
>

+1

>
>
>>
>>
>>>
>>> [1] https://github.com/wso2/balana/blob/master/modules/balan
>>> a-core/src/main/java/org/wso2/balana/ctx/xacml3/XACML3Evalua
>>> tionCtx.java#L142-L144
>>> --
>>> *Pulasthi Mahawithana*
>>> Senior Software Engineer
>>> WSO2 Inc., http://wso2.com/
>>> Mobile: +94-71-5179022
>>> Blog: http://blog.pulasthi.org
>>>
>>> 
>>>
>>
>>
>>
>> --
>> Thanks & Regards,
>> Asela
>>
>> ATL
>> Mobile : +94 777 625 933
>>  +358 449 228 979
>>
>> http://soasecurity.org/
>> http://xacmlinfo.org/
>>
>
>
>
> --
> *Pulasthi Mahawithana*
> Senior Software Engineer
> WSO2 Inc., http://wso2.com/
> Mobile: +94-71-5179022
> Blog: http://blog.pulasthi.org
>
> 
>



-- 
Regards,


*Darshana Gunawardana*Associate Technical Lead
WSO2 Inc.; http://wso2.com

*E-mail: darsh...@wso2.com *
*Mobile: +94718566859*Lean . Enterprise . Middleware
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev

Re: [Dev] Current time is not picked by XACML engine

2016-10-31 Thread Pulasthi Mahawithana 
Hi Asela,

On Mon, Oct 31, 2016 at 9:36 AM, Asela Pathberiya  wrote:

>
>
> On Sun, Oct 30, 2016 at 8:07 PM, Pulasthi Mahawithana 
> wrote:
>
>> Hi,
>>
>> I wrote a XACML policy which has a rule involving the current time. When
>> a request is made the XACML response is given as below.
>>
>> > lt>Indeterminate> Value="urn:oasis:names:tc:xacml:1.0:status:missing-attribute"/>Couldn't
>> find AttributeDesignator attribute
>> http://www.w3.org/20
>> 01/XMLSchema#time" Category="urn:oasis:names:tc:x
>> acml:3.0:attribute-category:environment" >
>> 
>>
>> Although the "CurrentEnvModule" class is able to provide the current
>> time. It is not not even called.
>>
>> When I debugged for the reason, I found out that at [1], the callHelper
>> method (which will pick the missing values from attribute finders) is not
>> called when the 'mapAttributes' do not have the category of the missing
>> attribute. Since the 'mappedAttributes' are taken from the XACML request,
>> according to the current implementation, The request should have at least
>> one attribute each from the categories we include in the policy. In my case
>> I need to send an attribute from "urn:oasis:names:tc:xacml:3.0:
>> attribute-category:environment" category in the XACML request in order
>> to get the current time.
>>
>> Is this intentional? Shouldn't we move the code at [1] to L146?
>>
>
> Yes.. it seems to be.  Please check line 5277 in XACML spec [2]
>
> [2] http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.pdf
>

>From this section what I interpret is, If we are sending any attributes in
XACML request related to environment, we should send them under
"urn:oasis:names:tc:xacml:3.0:attribute-category:environment" category. Not
under any other category. It doesn't mean that we must send them in request
(if we are using them in policies). Please correct me if I got it wrong.


>
>
>>
>> [1] https://github.com/wso2/balana/blob/master/modules/balan
>> a-core/src/main/java/org/wso2/balana/ctx/xacml3/XACML3Evalua
>> tionCtx.java#L142-L144
>> --
>> *Pulasthi Mahawithana*
>> Senior Software Engineer
>> WSO2 Inc., http://wso2.com/
>> Mobile: +94-71-5179022
>> Blog: http://blog.pulasthi.org
>>
>> 
>>
>
>
>
> --
> Thanks & Regards,
> Asela
>
> ATL
> Mobile : +94 777 625 933
>  +358 449 228 979
>
> http://soasecurity.org/
> http://xacmlinfo.org/
>



-- 
*Pulasthi Mahawithana*
Senior Software Engineer
WSO2 Inc., http://wso2.com/
Mobile: +94-71-5179022
Blog: http://blog.pulasthi.org


___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev

Re: [Dev] Current time is not picked by XACML engine

2016-10-30 Thread Farasath Ahamed 
Farasath Ahamed
Software Engineer, WSO2 Inc.; http://wso2.com
Mobile: +94777603866
Blog: blog.farazath.com
Twitter: @farazath619 




On Mon, Oct 31, 2016 at 9:36 AM, Asela Pathberiya  wrote:

>
>
> On Sun, Oct 30, 2016 at 8:07 PM, Pulasthi Mahawithana 
> wrote:
>
>> Hi,
>>
>> I wrote a XACML policy which has a rule involving the current time. When
>> a request is made the XACML response is given as below.
>>
>> > lt>Indeterminate> Value="urn:oasis:names:tc:xacml:1.0:status:missing-attribute"/>Couldn't
>> find AttributeDesignator attribute
>> http://www.w3.org/20
>> 01/XMLSchema#time" Category="urn:oasis:names:tc:x
>> acml:3.0:attribute-category:environment" >
>> 
>>
>> Although the "CurrentEnvModule" class is able to provide the current
>> time. It is not not even called.
>>
>> When I debugged for the reason, I found out that at [1], the callHelper
>> method (which will pick the missing values from attribute finders) is not
>> called when the 'mapAttributes' do not have the category of the missing
>> attribute. Since the 'mappedAttributes' are taken from the XACML request,
>> according to the current implementation, The request should have at least
>> one attribute each from the categories we include in the policy. In my case
>> I need to send an attribute from "urn:oasis:names:tc:xacml:3.0:
>> attribute-category:environment" category in the XACML request in order
>> to get the current time.
>>
>> Is this intentional? Shouldn't we move the code at [1] to L146?
>>
>
> Yes.. it seems to be.  Please check line 5277 in XACML spec [2]
>
> [2] http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.pdf
>

Even in that case this behaviour is expected only for environment
attributes right? With our current implementation we are expecting the same
for other categories as well. So shouldn't we do the change suggested by
Pulsathi?


>
>
>>
>> [1] https://github.com/wso2/balana/blob/master/modules/balan
>> a-core/src/main/java/org/wso2/balana/ctx/xacml3/XACML3Evalua
>> tionCtx.java#L142-L144
>> --
>> *Pulasthi Mahawithana*
>> Senior Software Engineer
>> WSO2 Inc., http://wso2.com/
>> Mobile: +94-71-5179022
>> Blog: http://blog.pulasthi.org
>>
>> 
>>
>
>
>
> --
> Thanks & Regards,
> Asela
>
> ATL
> Mobile : +94 777 625 933
>  +358 449 228 979
>
> http://soasecurity.org/
> http://xacmlinfo.org/
>
> ___
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev

Re: [Dev] Current time is not picked by XACML engine

2016-10-30 Thread Asela Pathberiya 
On Sun, Oct 30, 2016 at 8:07 PM, Pulasthi Mahawithana 
wrote:

> Hi,
>
> I wrote a XACML policy which has a rule involving the current time. When a
> request is made the XACML response is given as below.
>
> <
> Result>Indeterminate Value="urn:oasis:names:tc:xacml:1.0:status:missing-
> attribute"/>Couldn't find AttributeDesignator
> attribute
> http://www.w3.org/
> 2001/XMLSchema#time" Category="urn:oasis:names:tc:
> xacml:3.0:attribute-category:environment" >
> 
>
> Although the "CurrentEnvModule" class is able to provide the current time.
> It is not not even called.
>
> When I debugged for the reason, I found out that at [1], the callHelper
> method (which will pick the missing values from attribute finders) is not
> called when the 'mapAttributes' do not have the category of the missing
> attribute. Since the 'mappedAttributes' are taken from the XACML request,
> according to the current implementation, The request should have at least
> one attribute each from the categories we include in the policy. In my case
> I need to send an attribute from "urn:oasis:names:tc:xacml:3.0:
> attribute-category:environment" category in the XACML request in order to
> get the current time.
>
> Is this intentional? Shouldn't we move the code at [1] to L146?
>

Yes.. it seems to be.  Please check line 5277 in XACML spec [2]

[2] http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.pdf


>
> [1] https://github.com/wso2/balana/blob/master/modules/
> balana-core/src/main/java/org/wso2/balana/ctx/xacml3/
> XACML3EvaluationCtx.java#L142-L144
> --
> *Pulasthi Mahawithana*
> Senior Software Engineer
> WSO2 Inc., http://wso2.com/
> Mobile: +94-71-5179022
> Blog: http://blog.pulasthi.org
>
> 
>



-- 
Thanks & Regards,
Asela

ATL
Mobile : +94 777 625 933
 +358 449 228 979

http://soasecurity.org/
http://xacmlinfo.org/
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev

[Dev] Current time is not picked by XACML engine

2016-10-30 Thread Pulasthi Mahawithana 
Hi,

I wrote a XACML policy which has a rule involving the current time. When a
request is made the XACML response is given as below.

IndeterminateCouldn't
find AttributeDesignator attribute
http://www.w3.org/2001/XMLSchema#time;
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
>


Although the "CurrentEnvModule" class is able to provide the current time.
It is not not even called.

When I debugged for the reason, I found out that at [1], the callHelper
method (which will pick the missing values from attribute finders) is not
called when the 'mapAttributes' do not have the category of the missing
attribute. Since the 'mappedAttributes' are taken from the XACML request,
according to the current implementation, The request should have at least
one attribute each from the categories we include in the policy. In my case
I need to send an attribute from
"urn:oasis:names:tc:xacml:3.0:attribute-category:environment" category in
the XACML request in order to get the current time.

Is this intentional? Shouldn't we move the code at [1] to L146?

[1]
https://github.com/wso2/balana/blob/master/modules/balana-core/src/main/java/org/wso2/balana/ctx/xacml3/XACML3EvaluationCtx.java#L142-L144
-- 
*Pulasthi Mahawithana*
Senior Software Engineer
WSO2 Inc., http://wso2.com/
Mobile: +94-71-5179022
Blog: http://blog.pulasthi.org


___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev