xml - XACML type for bags -



xml - XACML type for bags -

what xacml type bag?

my status function string-at-least-one-member-of, , i'm using string-bag function in request. info type datatype give attributedesignator bag?

my status is:

<xacml3:condition> <xacml3:apply functionid="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of"> <xacml3:attributedesignator attributeid="test:xacml:1.0:county" datatype="http://www.w3.org/2001/xmlschema#string" category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" mustbepresent="false"></xacml3:attributedesignator> <xacml3:attributedesignator attributeid="test:xacml:1.0:counties" datatype="what should be?" category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" mustbepresent="false"></xacml3:attributedesignator> </xacml3:apply> </xacml3:condition>

and attribute is

<xacml3:attributes category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"> <xacml3:attribute attributeid="test:xacml:1.0:counties" includeinresult="false"> <xacml3:apply functionid="urn:oasis:names:tc:xacml:1.0:function:string-bag"> <xacml3:attributevalue datatype="http://www.w3.org/2001/xmlschema#string">travis</xacml3:attributevalue> <xacml3:attributevalue datatype="http://www.w3.org/2001/xmlschema#string">brazoria</xacml3:attributevalue> <xacml3:attributevalue datatype="http://www.w3.org/2001/xmlschema#string">dallas</xacml3:attributevalue> </xacml3:apply> </xacml3:attribute> </xacml3:attributes>

when seek request in wso2, get

<response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"> <result> <decision>deny</decision> <status> <statuscode value="urn:oasis:names:tc:xacml:1.0:status:ok"/> </status> </result> </response>

for interested in entire files, request is:

<request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" combineddecision="false" returnpolicyidlist="true"> <attributes category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"> <attribute attributeid="test:xacml:1.0:county" includeinresult="true"> <attributevalue datatype="http://www.w3.org/2001/xmlschema#string">travis</attributevalue> </attribute> </attributes> <attributes category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"> <attribute attributeid="test:xacml:1.0:counties" includeinresult="true"> <apply functionid="urn:oasis:names:tc:xacml:1.0:function:string-bag"> <attributevalue datatype="http://www.w3.org/2001/xmlschema#string">travis</attributevalue> <attributevalue datatype="http://www.w3.org/2001/xmlschema#string">brazoria</attributevalue> <attributevalue datatype="http://www.w3.org/2001/xmlschema#string">dallas</attributevalue> </apply> </attribute> </attributes> </request>

and policy is:

<xacml3:policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" policyid="county-based-3" rulecombiningalgid="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" version="1.0"> <xacml3:description></xacml3:description> <xacml3:target></xacml3:target> <xacml3:rule effect="permit" ruleid="http://axiomatics.com/alfa/identifier/stackoverflow.example.checkgroup"> <xacml3:description></xacml3:description> <xacml3:target></xacml3:target> <xacml3:condition> <xacml3:apply functionid="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of"> <xacml3:attributedesignator attributeid="test:xacml:1.0:county" datatype="http://www.w3.org/2001/xmlschema#string" category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" mustbepresent="false"></xacml3:attributedesignator> <xacml3:attributedesignator attributeid="test:xacml:1.0:counties" datatype="http://www.w3.org/2001/xmlschema#string" category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" mustbepresent="false"></xacml3:attributedesignator> </xacml3:apply> </xacml3:condition> </xacml3:rule> <xacml3:rule effect="deny" ruleid="deny-rule"></xacml3:rule>

the info type should http://www.w3.org/2001/xmlschema#string:

<xacml3:apply functionid="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of"> <xacml3:attributedesignator attributeid="test:xacml:1.0:county" datatype="http://www.w3.org/2001/xmlschema#string" category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" mustbepresent="false"></xacml3:attributedesignator> <xacml3:attributedesignator attributeid="test:xacml:1.0:counties" datatype="http://www.w3.org/2001/xmlschema#string" category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" mustbepresent="false"></xacml3:attributedesignator> </xacml3:apply>

all attribute designators in fact bags in xacml. datatype applies entire elements of bag.

moreover, utilize function urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of takes 2 bags of string defined in xacml 3.0 specification:

urn:oasis:names:tc:xacml:x.x:function:type-at-least-one-member-of

this function shall take 2 arguments both handbag of ‘type’ values. shall homecoming “http://www.w3.org/2001/xmlschema#boolean”. function shall evaluate "true" if , if @ to the lowest degree 1 element of first argument contained in sec argument determined "urn:oasis:names:tc:xacml:x.x:function:type-is-in".

the request sent in invalid. <request/> element cannot contain <apply/> element inside.

remove <apply/> , should next request:

<request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" combineddecision="false" returnpolicyidlist="true"> <attributes category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"> <attribute attributeid="test:xacml:1.0:county" includeinresult="true"> <attributevalue datatype="http://www.w3.org/2001/xmlschema#string">travis</attributevalue> </attribute> </attributes> <attributes category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"> <attribute attributeid="test:xacml:1.0:counties" includeinresult="true"> <attributevalue datatype="http://www.w3.org/2001/xmlschema#string">travis</attributevalue> <attributevalue datatype="http://www.w3.org/2001/xmlschema#string">brazoria</attributevalue> <attributevalue datatype="http://www.w3.org/2001/xmlschema#string">dallas</attributevalue> </attribute> </attributes> </request>

this graphical representation in axiomatics policy server:

xml xacml3

Comments

Popular posts from this blog

php - Android app custom user registration and login with cookie using facebook sdk -

c# - Create a Notification Object (Email or Page) At Run Time -- Dependency Injection or Factory -

Set Up Of Common Name Of SSL Certificate To Protect Plesk Panel -