HERAS-AF Forum
Author Topic: Obligations and AttributeAssignments  (Read 1486 times)
Erwan G
« on: September 15, 2009, 04:09:25 pm »

Hi,

We have got a little problem with obligations and attributeAssignment.
The following rule is deployed on the PDP:

Code:
<PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:only-one-applicable" PolicySetId="Default">
    <Target/>
    <Policy RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-permit-overrides" Version="1.0" PolicyId="24">
        <Target/>
        <Rule Effect="Deny" RuleId="AdminRule">
            <Target/>
        </Rule>
        <Obligations>
            <Obligation FulfillOn="Deny" ObligationId="urn:oasis:names:tc:xacml:2.0:example:obligation:text">
                <AttributeAssignment AttributeId="urn:oasis:names:tc:xacml:2.0:example:attribute:text" DataType="http://www.w3.org/2001/XMLSchema#string">Proposer utilisateur de changer ses permissions acces via une page interaction</AttributeAssignment>
            </Obligation>
        </Obligations>
    </Policy>
    <Obligations/>
</PolicySet>

and when we evaluate the following request:

Code:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:oasis:names:tc:xacml:2.0:context:schema:os">
   <soapenv:Header/>
   <soapenv:Body>
      <urn:Request>
         <urn:Subject>
            <urn:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#anyURI">
               <urn:AttributeValue>chronopost</urn:AttributeValue>
            </urn:Attribute>
         </urn:Subject>
         <urn:Resource>
            <urn:Attribute AttributeId="xacml:2.0:interop:example:resource:owner-id" DataType="http://www.w3.org/2001/XMLSchema#string">
               <urn:AttributeValue>pascal</urn:AttributeValue>
            </urn:Attribute>
            <urn:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-location" DataType="http://www.w3.org/2001/XMLSchema#string">
               <urn:AttributeValue>PersonalRichProfile</urn:AttributeValue>
            </urn:Attribute>
            <urn:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string">
               <urn:AttributeValue>lastname</urn:AttributeValue>
            </urn:Attribute>
            <urn:Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:resource:target-namespace" DataType="http://www.w3.org/2001/XMLSchema#string">
               <urn:AttributeValue>FR</urn:AttributeValue>
            </urn:Attribute>
         </urn:Resource>
         <urn:Action>
            <urn:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string">
               <urn:AttributeValue>Read</urn:AttributeValue>
            </urn:Attribute>
         </urn:Action>
         <urn:Environment/>
      </urn:Request>
   </soapenv:Body>
</soapenv:Envelope>

the response returns the obligation but not the AttributeAssignment:

Code:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
   <soap:Body>
      <Response xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os" xmlns:ns2="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
         <Result ResourceId="lastname">
            <Decision>Deny</Decision>
            <Status>
               <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
               <StatusDetail/>
            </Status>
            <ns2:Obligations>
               <ns2:Obligation FulfillOn="Deny" ObligationId="urn:oasis:names:tc:xacml:2.0:example:obligation:text"/>
            </ns2:Obligations>
         </Result>
       </Response>
   </soap:Body>
</soap:Envelope>

Is this normal? Is AttributeAssignment managed by the PDP? Or is it a bug on our side?
I ask these questions because it seems that AttributeAssignments are not managed in the PAP.

Best regards,

Erwan
Florian Huonder
« Reply #1 on: September 15, 2009, 04:46:40 pm »

Hi Erwan,

I wrote a little test and tried to reproduce your issue.
Code:
package org.herasaf.xacml;

import java.io.File;

import org.herasaf.xacml.core.context.RequestCtx;
import org.herasaf.xacml.core.context.RequestCtxFactory;
import org.herasaf.xacml.core.context.ResponseCtx;
import org.herasaf.xacml.core.policy.Evaluatable;
import org.herasaf.xacml.core.policy.PolicyConverter;
import org.herasaf.xacml.pdp.PDP;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.testng.AbstractTestNGSpringContextTests;
import org.testng.annotations.Test;

@ContextConfiguration(locations={"classpath:context/ApplicationContext.ctx.xml"})
public class TestForForum extends AbstractTestNGSpringContextTests {
    private static final String POLICYFILE = "src/test/resources/forumTest/policy.xml";
    private static final String REQUESTFILE = "src/test/resources/forumTest/request.xml";

    // PDP instance injected from the Spring application context
    @Autowired
    private PDP pdp;

    @Test
    public void beforeTest() throws Exception {
        // Unmarshal the policy and the request from the test resources
        Evaluatable eval = PolicyConverter.unmarshal(new File(POLICYFILE));
        RequestCtx request = RequestCtxFactory.unmarshal(new File(REQUESTFILE));

        pdp.deploy(eval);

        // Evaluate the request and print the marshalled response
        ResponseCtx response = pdp.evaluate(request);

        response.marshal(System.out);

        // Remove the policy again so the PDP is left unchanged
        pdp.undeploy(eval.getId());
    }
}

The response I get with this is the following:
Code:
<Response xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os" xmlns:ns2="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
    <Result>
        <Decision>Deny</Decision>
        <Status>
            <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
        </Status>
        <ns2:Obligations>
            <ns2:Obligation FulfillOn="Deny" ObligationId="urn:oasis:names:tc:xacml:2.0:example:obligation:text">
                <ns2:AttributeAssignment AttributeId="urn:oasis:names:tc:xacml:2.0:example:attribute:text" DataType="http://www.w3.org/2001/XMLSchema#string">Proposer utilisateur de changer ses permissions acces via une page interaction</ns2:AttributeAssignment>
            </ns2:Obligation>
        </ns2:Obligations>
    </Result>
</Response>

The AttributeAssignment is included.

Maybe you could attach a sample project that reproduces the error to this thread, so that I could have a closer look.

Regards,
Florian
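
Added example, not part of either post and not HERAS-AF code: a Python check that compares the AttributeAssignments in a captured PDP response with the obligations in the deployed policy, to show at which hop they are lost. The policy and responses are constructed and condensed from the messages in this thread, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET  # locally captured messages only; use defusedxml for untrusted XML

POLICY_NS = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
CONTEXT_NS = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"

def obligations(xml_text):
    """Map (ObligationId, FulfillOn) -> set of (AttributeId, DataType, text).
    iter() walks all descendants, so a SOAP envelope around the document is fine."""
    found = {}
    for ob in ET.fromstring(xml_text).iter(f"{{{POLICY_NS}}}Obligation"):
        key = (ob.get("ObligationId"), ob.get("FulfillOn"))
        found.setdefault(key, set()).update(
            (a.get("AttributeId"), a.get("DataType"), (a.text or "").strip())
            for a in ob.findall(f"{{{POLICY_NS}}}AttributeAssignment"))
    return found

def missing_assignments(policy_xml, response_xml):
    """Return {ObligationId: [AttributeId, ...]} for assignments that the policy
    defines but the response dropped for the same obligation."""
    expected = obligations(policy_xml)
    report = {}
    for key, got in obligations(response_xml).items():
        lost = expected.get(key, set()) - got
        if lost:
            report[key[0]] = sorted(a[0] for a in lost)
    return report

# Constructed sample data, condensed from the policy and responses in the thread.
OB_ID = "urn:oasis:names:tc:xacml:2.0:example:obligation:text"
ATTR_ID = "urn:oasis:names:tc:xacml:2.0:example:attribute:text"

def assignment(prefix=""):
    return (f'<{prefix}AttributeAssignment AttributeId="{ATTR_ID}" DataType="{XS_STRING}">'
            f'sample text</{prefix}AttributeAssignment>')

POLICY = (f'<Policy xmlns="{POLICY_NS}" PolicyId="24"><Obligations>'
          f'<Obligation FulfillOn="Deny" ObligationId="{OB_ID}">{assignment()}</Obligation>'
          '</Obligations></Policy>')

def response(body):
    return (f'<Response xmlns="{CONTEXT_NS}" xmlns:ns2="{POLICY_NS}"><Result><ns2:Obligations>'
            f'<ns2:Obligation FulfillOn="Deny" ObligationId="{OB_ID}">{body}</ns2:Obligation>'
            '</ns2:Obligations></Result></Response>')

if __name__ == "__main__":
    print("SOAP response:", missing_assignments(POLICY, response("")))
    print("direct PDP   :", missing_assignments(POLICY, response(assignment("ns2:"))))
```

Running the same check on the output of the PDP test above and on the SOAP response separates a PDP problem from one in the surrounding service layer.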