xml - XACML type for bags -



xml - XACML type for bags -

what xacml type bag?

my status function string-at-least-one-member-of, , i'm using string-bag function in request. info type datatype give attributedesignator bag?

my status is:

<xacml3:condition> <xacml3:apply functionid="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of"> <xacml3:attributedesignator attributeid="test:xacml:1.0:county" datatype="http://www.w3.org/2001/xmlschema#string" category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" mustbepresent="false"></xacml3:attributedesignator> <xacml3:attributedesignator attributeid="test:xacml:1.0:counties" datatype="what should be?" category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" mustbepresent="false"></xacml3:attributedesignator> </xacml3:apply> </xacml3:condition>

and attribute is

<xacml3:attributes category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"> <xacml3:attribute attributeid="test:xacml:1.0:counties" includeinresult="false"> <xacml3:apply functionid="urn:oasis:names:tc:xacml:1.0:function:string-bag"> <xacml3:attributevalue datatype="http://www.w3.org/2001/xmlschema#string">travis</xacml3:attributevalue> <xacml3:attributevalue datatype="http://www.w3.org/2001/xmlschema#string">brazoria</xacml3:attributevalue> <xacml3:attributevalue datatype="http://www.w3.org/2001/xmlschema#string">dallas</xacml3:attributevalue> </xacml3:apply> </xacml3:attribute> </xacml3:attributes>

when seek request in wso2, get

<response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"> <result> <decision>deny</decision> <status> <statuscode value="urn:oasis:names:tc:xacml:1.0:status:ok"/> </status> </result> </response>

for interested in entire files, request is:

<request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" combineddecision="false" returnpolicyidlist="true"> <attributes category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"> <attribute attributeid="test:xacml:1.0:county" includeinresult="true"> <attributevalue datatype="http://www.w3.org/2001/xmlschema#string">travis</attributevalue> </attribute> </attributes> <attributes category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"> <attribute attributeid="test:xacml:1.0:counties" includeinresult="true"> <apply functionid="urn:oasis:names:tc:xacml:1.0:function:string-bag"> <attributevalue datatype="http://www.w3.org/2001/xmlschema#string">travis</attributevalue> <attributevalue datatype="http://www.w3.org/2001/xmlschema#string">brazoria</attributevalue> <attributevalue datatype="http://www.w3.org/2001/xmlschema#string">dallas</attributevalue> </apply> </attribute> </attributes> </request>

and policy is:

<xacml3:policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" policyid="county-based-3" rulecombiningalgid="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" version="1.0"> <xacml3:description></xacml3:description> <xacml3:target></xacml3:target> <xacml3:rule effect="permit" ruleid="http://axiomatics.com/alfa/identifier/stackoverflow.example.checkgroup"> <xacml3:description></xacml3:description> <xacml3:target></xacml3:target> <xacml3:condition> <xacml3:apply functionid="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of"> <xacml3:attributedesignator attributeid="test:xacml:1.0:county" datatype="http://www.w3.org/2001/xmlschema#string" category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" mustbepresent="false"></xacml3:attributedesignator> <xacml3:attributedesignator attributeid="test:xacml:1.0:counties" datatype="http://www.w3.org/2001/xmlschema#string" category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" mustbepresent="false"></xacml3:attributedesignator> </xacml3:apply> </xacml3:condition> </xacml3:rule> <xacml3:rule effect="deny" ruleid="deny-rule"></xacml3:rule>

the info type should http://www.w3.org/2001/xmlschema#string:

<xacml3:apply functionid="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of"> <xacml3:attributedesignator attributeid="test:xacml:1.0:county" datatype="http://www.w3.org/2001/xmlschema#string" category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" mustbepresent="false"></xacml3:attributedesignator> <xacml3:attributedesignator attributeid="test:xacml:1.0:counties" datatype="http://www.w3.org/2001/xmlschema#string" category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" mustbepresent="false"></xacml3:attributedesignator> </xacml3:apply>

all attribute designators in fact bags in xacml. datatype applies entire elements of bag.

moreover, utilize function urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of takes 2 bags of string defined in xacml 3.0 specification:

urn:oasis:names:tc:xacml:x.x:function:type-at-least-one-member-of

this function shall take 2 arguments both handbag of ‘type’ values. shall homecoming “http://www.w3.org/2001/xmlschema#boolean”. function shall evaluate "true" if , if @ to the lowest degree 1 element of first argument contained in sec argument determined "urn:oasis:names:tc:xacml:x.x:function:type-is-in".

the request sent in invalid. <request/> element cannot contain <apply/> element inside.

remove <apply/> , should next request:

<request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" combineddecision="false" returnpolicyidlist="true"> <attributes category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"> <attribute attributeid="test:xacml:1.0:county" includeinresult="true"> <attributevalue datatype="http://www.w3.org/2001/xmlschema#string">travis</attributevalue> </attribute> </attributes> <attributes category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"> <attribute attributeid="test:xacml:1.0:counties" includeinresult="true"> <attributevalue datatype="http://www.w3.org/2001/xmlschema#string">travis</attributevalue> <attributevalue datatype="http://www.w3.org/2001/xmlschema#string">brazoria</attributevalue> <attributevalue datatype="http://www.w3.org/2001/xmlschema#string">dallas</attributevalue> </attribute> </attributes> </request>

this graphical representation in axiomatics policy server:

xml xacml3

Comments

Post a Comment

Popular posts from this blog

php - Android app custom user registration and login with cookie using facebook sdk -

php - Android app custom user registration and login with cookie using facebook sdk - i developing android application in users need register , log in using facebook. approximately, flow. open app first time, authenticate facebook, data, send info server create them business relationship in application, start session new business relationship in server, cookie perform later interactions. so far good. what need know wich info have send server, can able identify users when log in seccond time. because need start session in server , send cookie android app farther interactions. i'm using php server side language. i thinking getting getaccesstoken() in android facebook sdk, pass server on business relationship creation , storing in android app. but can't manage how login users on sec time utilize app. any suggestions ? in advance ! to uniquely identify user within app, should create request /me , user's id. guaranteed unique , remain con
Read more

django - Access session in user model .save() -

django - Access session in user model .save() - is possible access current session in user model .save()? pseudo code of want achieve: # users.models.py def save(self, *args, **kwargs): created = true if self.pk: created = false super(abstractuser, self).save(*args, **kwargs) # post-save if created: look_for_invite_in_session_and_register_if_found(self, session) seems wrong in architecture. shouldn't access request in models layer. work request must done in view. can this: user, created = abstractuser.objects.get_or_create(name=name) if created: look_for_invite_in_session_and_register_if_found(user, request.session) django session
Read more

php - .htaccess Multiple Rewrite Rules / Prioritizing -

php - .htaccess Multiple Rewrite Rules / Prioritizing - here current htaccess file: rewriteengine on rewritecond %{http_host} !^www\.website\.com [nc] rewritecond %{http_host} ([^.]+)\.website\.com [nc] rewriterule ^(.*)$ http://www.website.com/gotourl.php?urlid=?%1 [l] rewriterule ^(\w+)$ ./gotourl.php?urlid=$1 [nc,l] rewriterule ^(\w+)/$ ./gotourl.php?urlid=$1 [nc,l] the website in question url shortener i'm working on testing/developing , personal use. above code may not ideal i'm not familiar .htaccess , made via googling , testing. want url shortening aspect: http://website.com/1234 -> http://website.com/gotourl.php?urlid=1234 http://website.com/1234/ -> http://website.com/gotourl.php?urlid=1234 the problem cannot figure out how ignore directories. want specific directories go specific pages: http://website.com/img (or) http://website.com/img/ -> http://website.com/img.php http://website.com/img/1234 (or) http://website.com/
Read more