Re: [sunxacml-discuss] multiple AttributeValue inside Attribute for RequestCtx
From: Seth P. <Set...@su...> - 2005-05-05 16:37:18
On May 5, 2005, at 11:35 AM, Anne Anderson wrote:

> I think what you want to do is create one XACML Attribute instance for
> each <saml:AttributeValue>. Each XACML Attribute will have the same
> AttributeId and DataType (assuming all the <saml:AttributeValue>
> instances are the same DataType).
>
> In policies, when you reference this AttributeId using a
> <SubjectAttributeDesignator>, for example, what is returned is a bag
> containing one element for each instance of the
> <xacml-context:Attribute>.

That's exactly right. In the Request you use multiple Attributes, and from the policy evaluation point of view it's just a bag of values.

Note that this changes from 1.x to 2.0. In 1.x, you can only have one value in an Attribute. In 2.0 we changed it so you can have multiple values in the same Attribute element. The semantics are the same, it's just syntactically easier. This isn't supported in SunXACML yet, but it will be soon.

seth
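
The equivalence described in this message, as an added example that is not part of the original post and is not SunXACML code: a small Python parser that builds the subject attribute bags from a 1.x-style request (one `<Attribute>` per value) and a 2.0-style request (several `<AttributeValue>` children) and yields the same bag for both. The requests are constructed, trimmed to the `<Subject>` section, and the role AttributeId `urn:example:attribute:role` is a made-up identifier.

```python
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Constructed sample data, trimmed to the <Subject> section. ROLE_ID is made up.
STRING = "http://www.w3.org/2001/XMLSchema#string"
ROLE_ID = "urn:example:attribute:role"
# Default SubjectCategory defined by the XACML specification.
ACCESS_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"

# 1.x form: one <Attribute> element per value, same AttributeId and DataType.
REQUEST_1X = f"""<Request xmlns="urn:oasis:names:tc:xacml:1.0:context">
  <Subject>
    <Attribute AttributeId="{ROLE_ID}" DataType="{STRING}">
      <AttributeValue>auditor</AttributeValue>
    </Attribute>
    <Attribute AttributeId="{ROLE_ID}" DataType="{STRING}">
      <AttributeValue>operator</AttributeValue>
    </Attribute>
  </Subject>
</Request>"""

# 2.0 form: several <AttributeValue> children inside a single <Attribute>.
REQUEST_20 = f"""<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os">
  <Subject>
    <Attribute AttributeId="{ROLE_ID}" DataType="{STRING}">
      <AttributeValue>auditor</AttributeValue>
      <AttributeValue>operator</AttributeValue>
    </Attribute>
  </Subject>
</Request>"""

def local(tag):
    """Drop the '{namespace}' prefix so 1.x and 2.0 documents parse alike."""
    return tag.rsplit("}", 1)[-1]

def subject_bags(request_xml):
    """Map (SubjectCategory, AttributeId, DataType) to a bag (Counter) of values."""
    bags = defaultdict(Counter)
    # Inputs here are constructed; parse untrusted requests with a hardened parser.
    root = ET.fromstring(request_xml)
    for subject in (e for e in root if local(e.tag) == "Subject"):
        category = subject.get("SubjectCategory", ACCESS_SUBJECT)
        for attr in (e for e in subject if local(e.tag) == "Attribute"):
            key = (category, attr.get("AttributeId"), attr.get("DataType"))
            for value in (e for e in attr if local(e.tag) == "AttributeValue"):
                bags[key][(value.text or "").strip()] += 1
    return dict(bags)
```

A Counter is used because a bag is an unordered multiset: duplicate values are kept and ordering carries no meaning, which is what a policy's attribute designator sees regardless of which request syntax produced it.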