[sunxacml-discuss] sunxacml policy evaluation problem
From: Ashok S. <as...@sf...> - 2005-03-04 00:54:57
Hello,
I am trying to set up the XACML engine for attribute verification. I am
running into trouble when I generate the policy through PolicyBuilder, as
explained in the programmer's guide on the website. I have a policy in a
file; when I load the policy from the file, the whole engine works
perfectly and gives correct verification results. But because of our
requirements, I added a custom PolicyFinderModule class which adds the
policies as Policy objects. I provide this custom PolicyFinderModule to
the PDP as below:
new PDP(new PDPConfig(null, policyFinder , null)).evaluate(request);
This is the request:
<Request>
<Subject
SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="group"
DataType="http://www.w3.org/2001/XMLSchema#string"><AttributeValue>developers</AttributeValue></Attribute>
</Subject>
<Resource>
<Attribute
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#anyURI"><AttributeValue>java.html</AttributeValue></Attribute>
</Resource>
<Action>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string"><AttributeValue>read</AttributeValue></Attribute>
</Action>
</Request>
and this is the actual policy that PolicyBuilder generates and that is
added to the custom PolicyFinderModule:
<Policy PolicyId="GeneratedPolicy"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
<Target>
<Subjects>
<AnySubject/>
</Subjects>
<Resources>
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#anyURI">java.html</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
</ResourceMatch>
</Resource>
</Resources>
<Actions>
<AnyAction/>
</Actions>
</Target>
<Rule RuleId="ReadRule" Effect="Permit">
<Target>
<Subjects>
<AnySubject/>
</Subjects>
<Resources>
<AnyResource/>
</Resources>
<Actions>
<Action>
<ActionMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
<ActionAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ActionMatch>
</Action>
</Actions>
</Target>
<Condition
FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<SubjectAttributeDesignator AttributeId="group"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">developers</AttributeValue>
</Condition>
</Rule>
</Policy>
When I run the whole engine to verify the above request against the above
policy, it generates the response below:
<Response>
<Result ResourceId="java.html">
<Decision>Indeterminate</Decision>
<Status>
<StatusCode
Value="urn:oasis:names:tc:xacml:1.0:status:processing-error"/>
<StatusMessage>urn:oasis:names:tc:xacml:1.0:function:string-one-and-only
expects a bag that contains a single element, got a bag with 0
elements</StatusMessage>
</Status>
</Result>
</Response>
I have tried to debug the code. The PDP is able to locate the policy, but
something goes wrong when it tries to verify the request against the Rule
inside the policy.
By contrast, if I provide the same policy through a file and add it to my
custom PolicyFinderModule as below, it gives the correct response and permits
the access:
Policy.getInstance(root); // root is the root <Policy> element in the XML file
I was wondering if anyone could give me some hints on where the problem
might be?
Any help is appreciated.
Thanks,
Ashok.
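As an added example (not code from the original post or from the sunxacml project), the following shows a minimal in-memory PolicyFinderModule of the kind described in the post, plus a harness that narrows down the reported difference: it evaluates the same request twice, once against the Policy object as built and once after serializing that object with encode() and parsing it back with Policy.getInstance(), which is the file-loaded path that reportedly works. The class names InMemoryPolicyModule and PolicyRoundTrip and the helper methods are assumptions made here; the sunxacml 1.x calls (PolicyFinderModule, PolicyFinderResult, PDP, PDPConfig, RequestCtx, ResponseCtx, Result, Indenter) are the library's public API.

```java
import com.sun.xacml.AbstractPolicy;
import com.sun.xacml.EvaluationCtx;
import com.sun.xacml.Indenter;
import com.sun.xacml.MatchResult;
import com.sun.xacml.PDP;
import com.sun.xacml.PDPConfig;
import com.sun.xacml.Policy;
import com.sun.xacml.ctx.RequestCtx;
import com.sun.xacml.ctx.ResponseCtx;
import com.sun.xacml.ctx.Result;
import com.sun.xacml.finder.PolicyFinder;
import com.sun.xacml.finder.PolicyFinderModule;
import com.sun.xacml.finder.PolicyFinderResult;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.util.HashSet;
import java.util.Set;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

/** Hypothetical module: serves one Policy object held in memory (assumed name). */
class InMemoryPolicyModule extends PolicyFinderModule {
    private final AbstractPolicy policy;

    InMemoryPolicyModule(AbstractPolicy policy) { this.policy = policy; }

    public boolean isRequestSupported() { return true; }

    public void init(PolicyFinder finder) { /* nothing to set up */ }

    /** Return the policy only if its Target matches; propagate an Indeterminate match. */
    public PolicyFinderResult findPolicy(EvaluationCtx context) {
        MatchResult match = policy.match(context);
        if (match.getResult() == MatchResult.MATCH)
            return new PolicyFinderResult(policy);
        if (match.getResult() == MatchResult.INDETERMINATE)
            return new PolicyFinderResult(match.getStatus());
        return new PolicyFinderResult(); // no applicable policy
    }
}

/** Hypothetical harness (assumed name) comparing an in-memory Policy with its XML form. */
public class PolicyRoundTrip {

    /** Evaluate requestXml against policy through a fresh PDP; return the decision code. */
    static int evaluate(AbstractPolicy policy, String requestXml) throws Exception {
        PolicyFinder finder = new PolicyFinder();
        Set modules = new HashSet();
        modules.add(new InMemoryPolicyModule(policy));
        finder.setModules(modules);

        PDP pdp = new PDP(new PDPConfig(null, finder, null));
        RequestCtx request = RequestCtx.getInstance(
                new ByteArrayInputStream(requestXml.getBytes("UTF-8")));
        ResponseCtx response = pdp.evaluate(request);

        Result result = (Result) response.getResults().iterator().next();
        if (result.getDecision() != Result.DECISION_PERMIT)
            System.err.println("status: " + result.getStatus().getMessage());
        return result.getDecision();
    }

    /** Serialize the Policy object and parse it back, i.e. take the file-loaded path. */
    static Policy roundTrip(AbstractPolicy policy) throws Exception {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        policy.encode(out, new Indenter());
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder()
                .parse(new ByteArrayInputStream(out.toByteArray()));
        return Policy.getInstance(doc.getDocumentElement());
    }

    /** Run both paths on the same request and report whether the decisions agree. */
    static boolean decisionsAgree(AbstractPolicy built, String requestXml) throws Exception {
        int fromObjects = evaluate(built, requestXml);
        int fromXml = evaluate(roundTrip(built), requestXml);
        System.out.println("in-memory Policy object : decision " + fromObjects);
        System.out.println("after XML round trip    : decision " + fromXml);
        return fromObjects == fromXml;
    }
}
```

Usage: pass the Policy returned by PolicyBuilder and the request XML from the post to decisionsAgree(). If the round-tripped copy permits and the in-memory object does not, the two are not equivalent, and the difference lies in state that encode() does not write out. The status message in the post says the subject designator returned a 0-element bag, which means the evaluation context found no subject attribute whose id, type, issuer and subject category all matched the designator, so those four fields of the in-memory SubjectAttributeDesignator are the first thing to compare against the parsed copy.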