HERAS-AF Forum
May 20, 2012, 09:43:08 am
Author Topic: MustBePresent gets ignored?  (Read 508 times)
ekrem
« on: January 25, 2011, 05:11:44 pm »

Hi,


I'm using herasaf-xacml-core-1.0.0-M2 and don't understand its behavior. In the simple example below there are two Resources with MustBePresent set to true. Still, the example request matches the policy. In my understanding, the correct result would be "NotApplicable". Is this a bug, or do I lack fundamental understanding of the topic?

Policy
Code:
<?xml version="1.0" encoding="UTF-8"?>
<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os" PolicyId="policy:test_multiple_different_resources" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
  <Description />
  <Target>
    <Resources>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ID=10</AttributeValue>
          <ResourceAttributeDesignator AttributeId="NEST:Person:ID" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
        </ResourceMatch>
      </Resource>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Position</AttributeValue>
          <ResourceAttributeDesignator AttributeId="NEST:Person:Attribut" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
        </ResourceMatch>
      </Resource>
    </Resources>
  </Target>
  <Rule Effect="Permit" RuleId="rule:test_multiple_different_resources">
    <Description />
  </Rule>
</Policy>

Request
Code:
<?xml version="1.0" encoding="UTF-8"?>
<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os
         access_control-xacml-2.0-context-schema-os.xsd">
  <Subject />
  <Resource>
    <Attribute AttributeId="NEST:Person:ID"
               DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>ID=10</AttributeValue>
    </Attribute>
  </Resource>
  <Action />
  <Environment />
</Request>

Response
Code:
<Response xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os" xmlns:ns2="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
    <Result>
        <Decision>Permit</Decision>
        <Status>
            <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
        </Status>
    </Result>
</Response>

Regards,
Erik
René Eggenschwiler
« Reply #1 on: January 25, 2011, 09:47:00 pm »

Hi Ekrem

Thanks for your detailed description of your issue.

Your understanding is correct. If a "MustBePresent" attribute is missing, then you should receive an "Indeterminate" response with status code "missing-attribute".
Your example should also behave like that.

But to be able to reconstruct your case we need more information, because the evaluation depends on a lot of components.
Can you please tell us:
- Which combining algorithm did you use?
- Did you customize any component which is relevant for the evaluation (e.g. PolicyRepository, PIP, CombiningAlgorithms, ResourceMatch, etc.)?
- What is the debug log output?

Can you maybe attach a small project that reproduces the problem?

We will try to take a look as soon as possible.

Best regards,
René
ekrem
« Reply #2 on: January 25, 2011, 11:10:48 pm »

Hi René,

Thanks for your fast answer. I think I found the error myself. I looked at the source code of o.h.x.c.t.impl.TargetMatcherImpl. The method resourcesMatch(...) returns true if one resource matches. Therefore the MustBePresent flags get ignored, and the MissingAttributeException only gets thrown when no matching resource was found.

The same behavior is found in actionMatch(), environmentMatch() and subjectsMatch().

Regards,
Erik
Florian Huonder
« Reply #3 on: February 21, 2011, 09:05:04 am »

Hi Ekrem,

This behavior is as expected.
The <Resource> elements are OR-linked.
If you require an AND-link, you can achieve this with multiple <ResourceMatch> elements within one <Resource>.

Meaning:
Code:
<Resources>
    <Resource>
        <!-- both matches must hold for this Resource to match -->
        <ResourceMatch ... >
            ...
        </ResourceMatch>
        <ResourceMatch ... >
            ...
        </ResourceMatch>
    </Resource>
</Resources>

Regards,
Florian
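To make the OR/AND semantics from this thread concrete, here is an added example (not HERAS-AF code) that evaluates the <Resources> part of an XACML 2.0 Target with the spec's combination rules, including the MustBePresent="true" case. It supports only string-equal and builds Erik's two-Resource policy and Florian's one-Resource rewrite from a constructed template; the request attribute dict is a constructed stand-in for the request in the thread.

```python
import xml.etree.ElementTree as ET

P = "{urn:oasis:names:tc:xacml:2.0:policy:schema:os}"  # XACML 2.0 policy namespace
XS = "http://www.w3.org/2001/XMLSchema#string"
MATCH, NO_MATCH, INDET = "Match", "NoMatch", "Indeterminate"

def resource_match(rm, attrs):
    """One <ResourceMatch> (string-equal only). Absent attribute: Indeterminate
    when MustBePresent="true", otherwise NoMatch."""
    wanted = rm.find(P + "AttributeValue").text
    des = rm.find(P + "ResourceAttributeDesignator")
    values = attrs.get(des.get("AttributeId"), [])
    if not values:
        return INDET if des.get("MustBePresent") == "true" else NO_MATCH
    return MATCH if wanted in values else NO_MATCH

def resources_match(policy_xml, attrs):
    """<Resource> elements are OR-linked, <ResourceMatch> elements inside one
    <Resource> are AND-linked (XACML 2.0 target evaluation, section 7.6)."""
    resources = ET.fromstring(policy_xml).find(P + "Target/" + P + "Resources")
    if resources is None:
        return MATCH  # no <Resources> means any resource
    outcomes = []
    for res in resources.findall(P + "Resource"):
        ms = [resource_match(rm, attrs) for rm in res.findall(P + "ResourceMatch")]
        # AND: any NoMatch -> NoMatch, else any Indeterminate -> Indeterminate
        outcomes.append(NO_MATCH if NO_MATCH in ms else INDET if INDET in ms else MATCH)
    # OR: one matching <Resource> suffices, even if a sibling is Indeterminate
    return MATCH if MATCH in outcomes else INDET if INDET in outcomes else NO_MATCH

def policy(*groups):
    """Constructed policy: each group is a list of (AttributeId, value) pairs
    rendered as MustBePresent="true" ResourceMatch elements of one <Resource>."""
    rm = ('<ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">'
          '<AttributeValue DataType="%s">%s</AttributeValue><ResourceAttributeDesignator '
          'AttributeId="%s" DataType="%s" MustBePresent="true"/></ResourceMatch>')
    res = "".join("<Resource>%s</Resource>" % "".join(rm % (XS, v, a, XS) for a, v in g)
                  for g in groups)
    return ('<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os" PolicyId="p" '
            'RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:'
            'permit-overrides"><Target><Resources>%s</Resources></Target></Policy>' % res)

# The request from the thread carries only NEST:Person:ID (constructed dict).
REQUEST_ATTRS = {"NEST:Person:ID": ["ID=10"]}
# Erik's policy: two <Resource> elements (OR) -> Match, so the rule is reached.
OR_POLICY = policy([("NEST:Person:ID", "ID=10")], [("NEST:Person:Attribut", "Position")])
# Florian's rewrite: both matches inside one <Resource> (AND) -> Indeterminate.
AND_POLICY = policy([("NEST:Person:ID", "ID=10"), ("NEST:Person:Attribut", "Position")])
```

With the thread's request, the OR form matches and the AND form yields Indeterminate (missing-attribute), which is the difference Florian describes.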