XACML: x500Name-regexp-match
fcorneli Aug 10, 2014 3:09 AM
Hi,
I'm trying to use x500Name-regexp-match within a XACML 2.0 policy document as follows:
<?xml version="1.0" encoding="UTF-8"?>
<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-policy-schema-os.xsd"
        PolicyId="whatever"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
  <Target />
  <Rule RuleId="whatever" Effect="Permit">
    <Target>
      <Subjects>
        <Subject>
          <!-- x500Name-regexp-match takes (string regexp, x500Name): the AttributeValue is the
               regexp (first argument), the designator supplies the x500Name (second argument). -->
          <SubjectMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:x500Name-regexp-match">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SERIALNUMBER=79102520991,.*</AttributeValue>
            <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                                        DataType="urn:oasis:names:tc:xacml:1.0:data-type:x500Name" />
          </SubjectMatch>
        </Subject>
      </Subjects>
      <Resources>
        <Resource>
          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">urn:dss</AttributeValue>
            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                                         DataType="http://www.w3.org/2001/XMLSchema#anyURI" />
          </ResourceMatch>
        </Resource>
      </Resources>
      <Actions>
        <Action>
          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">sign</AttributeValue>
            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                       DataType="http://www.w3.org/2001/XMLSchema#string" />
          </ActionMatch>
        </Action>
      </Actions>
    </Target>
  </Rule>
</Policy>
which should result in a PERMIT against the following request:
<?xml version="1.0" encoding="UTF-8"?>
<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-context-schema-os.xsd">
  <Subject>
    <!-- DataType must be the XACML x500Name data-type URN exactly as used in the policy's designator -->
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
               DataType="urn:oasis:names:tc:xacml:1.0:data-type:x500Name">
      <AttributeValue>SERIALNUMBER=79102520991, GIVENNAME=Frank Henri, SURNAME=Cornelis, CN=Frank Cornelis (Signature), C=BE</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
               DataType="http://www.w3.org/2001/XMLSchema#anyURI">
      <AttributeValue>urn:dss</AttributeValue>
    </Attribute>
  </Resource>
  <Action>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
               DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>sign</AttributeValue>
    </Attribute>
  </Action>
  <Environment />
</Request>
but the following junit test:
// Imports added so the method compiles inside the XACMLTest class it references
// (that class also declares the LOG field used below).
import static org.junit.Assert.assertEquals;

import java.util.HashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Set;

import org.jboss.security.xacml.factories.RequestResponseContextFactory;
import org.jboss.security.xacml.interfaces.RequestContext;
import org.jboss.security.xacml.interfaces.ResponseContext;
import org.jboss.security.xacml.interfaces.XACMLConstants;
import org.jboss.security.xacml.sunxacml.PDP;
import org.jboss.security.xacml.sunxacml.PDPConfig;
import org.jboss.security.xacml.sunxacml.ctx.RequestCtx;
import org.jboss.security.xacml.sunxacml.ctx.ResponseCtx;
import org.jboss.security.xacml.sunxacml.finder.PolicyFinder;
import org.jboss.security.xacml.sunxacml.finder.PolicyFinderModule;
import org.jboss.security.xacml.sunxacml.support.finder.StaticPolicyFinderModule;
import org.junit.Test;

@Test
public void testXACML3() throws Exception {
    // Build a PDP whose policy finder serves the single static policy file.
    PDPConfig config = new PDPConfig(null, null, null);
    PolicyFinder policyFinder = config.getPolicyFinder();
    Set<PolicyFinderModule> modules = new HashSet<PolicyFinderModule>();
    List<String> policyList = new LinkedList<String>();
    policyList.add(XACMLTest.class.getResource("/xacml/policy-3.xml").toString());
    PolicyFinderModule policyFinderModule = new StaticPolicyFinderModule(policyList);
    modules.add(policyFinderModule);
    policyFinder.setModules(modules);
    PDP pdp = new PDP(config);

    // Parse the request document and evaluate it against the loaded policy.
    RequestContext requestContext = RequestResponseContextFactory.createRequestCtx();
    requestContext.readRequest(XACMLTest.class.getResourceAsStream("/xacml/request-3.xml"));
    RequestCtx requestCtx = (RequestCtx) requestContext.get(XACMLConstants.REQUEST_CTX);
    ResponseCtx responseCtx = pdp.evaluate(requestCtx);

    // Wrap the response and check the decision.
    ResponseContext responseContext = RequestResponseContextFactory.createResponseContext();
    responseContext.set(XACMLConstants.RESPONSE_CTX, responseCtx);
    LOG.debug("decision: " + responseContext.getDecision());
    assertEquals(XACMLConstants.DECISION_PERMIT, responseContext.getDecision());
}
gives me:
org.jboss.security.xacml.sunxacml.ParsingException: Unknown MatchId
...
Caused by: org.jboss.security.xacml.sunxacml.UnknownIdentifierException: functions of type urn:oasis:names:tc:xacml:2.0:function:x500Name-regexp-match are not supported by this factory
    at org.jboss.security.xacml.sunxacml.cond.BaseFunctionFactory.createFunction(BaseFunctionFactory.java:266)
Any idea what I'm doing wrong? Could someone give me a simple example of how to use:
urn:oasis:names:tc:xacml:2.0:function:x500Name-regexp-match
within a SubjectMatch element?
Kind Regards,
Frank.
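Added example (not from the original post and not part of JBoss XACML): the stack trace above says the function factory in use does not know urn:oasis:names:tc:xacml:2.0:function:x500Name-regexp-match, and the SunXACML code base that jboss-xacml carries under org.jboss.security.xacml.sunxacml lets you supply your own Function implementation and install it before the PDP parses policies. The class below implements the XACML 2.0 signature (string regexp, x500Name) -> boolean on top of FunctionBase, and register() installs it through StandardFunctionFactory.getNewFactoryProxy() / FunctionFactory.setDefaultFactory(). Assumptions: the FunctionBase, EvaluationResult, FunctionFactoryProxy and StandardFunctionFactory APIs are the SunXACML ones under the jboss package prefix; the package name, the KEYWORDS map and the matches() helper are mine. Two points a practitioner should note and that the code handles: X500Principal.getName() renders attribute types without a standard RFC 2253 keyword (SERIALNUMBER, GIVENNAME, SURNAME) as OID=#hex, so a pattern such as SERIALNUMBER=...  only works if the DN is rendered with those keywords; and the pattern is applied with matches() (whole DN) rather than a partial find(), so a regexp written for one serial number cannot also match a longer one.

```java
package example; // hypothetical package, not part of the original post

import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

import javax.security.auth.x500.X500Principal;

import org.jboss.security.xacml.sunxacml.EvaluationCtx;
import org.jboss.security.xacml.sunxacml.attr.AttributeValue;
import org.jboss.security.xacml.sunxacml.attr.BooleanAttribute;
import org.jboss.security.xacml.sunxacml.attr.StringAttribute;
import org.jboss.security.xacml.sunxacml.attr.X500NameAttribute;
import org.jboss.security.xacml.sunxacml.cond.EvaluationResult;
import org.jboss.security.xacml.sunxacml.cond.Function;
import org.jboss.security.xacml.sunxacml.cond.FunctionBase;
import org.jboss.security.xacml.sunxacml.cond.FunctionFactory;
import org.jboss.security.xacml.sunxacml.cond.FunctionFactoryProxy;
import org.jboss.security.xacml.sunxacml.cond.StandardFunctionFactory;

/**
 * urn:oasis:names:tc:xacml:2.0:function:x500Name-regexp-match implemented on the
 * SunXACML FunctionBase class (assumed API). Signature: (string regexp, x500Name) -> boolean.
 */
public class X500NameRegexpMatchFunction extends FunctionBase {

    public static final String NAME =
        "urn:oasis:names:tc:xacml:2.0:function:x500Name-regexp-match";

    // Keyword map for attribute types that X500Principal would otherwise render as
    // "OID=#hex" in RFC 2253 form; without it "SERIALNUMBER=" never appears in the
    // string the regexp is applied to. (Map chosen for this example.)
    private static final Map<String, String> KEYWORDS = new HashMap<String, String>();
    static {
        KEYWORDS.put("2.5.4.5", "SERIALNUMBER");
        KEYWORDS.put("2.5.4.42", "GIVENNAME");
        KEYWORDS.put("2.5.4.4", "SURNAME");
    }

    public X500NameRegexpMatchFunction() {
        // functionId 0: this class implements exactly one function.
        super(NAME, 0,
              new String[] { StringAttribute.identifier, X500NameAttribute.identifier },
              new boolean[] { false, false },
              BooleanAttribute.identifier, false);
    }

    @SuppressWarnings("rawtypes")
    public EvaluationResult evaluate(List inputs, EvaluationCtx context) {
        AttributeValue[] args = new AttributeValue[inputs.size()];
        EvaluationResult error = evalArgs(inputs, context, args);
        if (error != null) {
            return error; // an argument evaluated to Indeterminate
        }
        String regexp = ((StringAttribute) args[0]).getValue();
        X500Principal dn = ((X500NameAttribute) args[1]).getValue();
        return EvaluationResult.getInstance(matches(regexp, dn));
    }

    /** Applies the regexp to the whole keyword-rendered RFC 2253 form of the DN. */
    static boolean matches(String regexp, X500Principal dn) {
        String rendered = dn.getName(X500Principal.RFC2253, KEYWORDS);
        try {
            // matches(): the entire DN must match. A find()-style partial match would
            // let a pattern for one serial number also match a longer serial number.
            return Pattern.compile(regexp).matcher(rendered).matches();
        } catch (PatternSyntaxException e) {
            return false; // a malformed policy regexp never grants access
        }
    }

    /** Install a default factory proxy that knows this function; call before building the PDP. */
    public static void register() {
        FunctionFactoryProxy proxy = StandardFunctionFactory.getNewFactoryProxy();
        Function f = new X500NameRegexpMatchFunction();
        proxy.getTargetFactory().addFunction(f);     // Match elements (SubjectMatch etc.)
        proxy.getConditionFactory().addFunction(f);  // Condition elements
        proxy.getGeneralFactory().addFunction(f);
        FunctionFactory.setDefaultFactory(proxy);
    }

    public static void main(String[] args) {
        // Constructed sample: the subject-id from the request in the post.
        X500Principal dn = new X500Principal(
            "SERIALNUMBER=79102520991, GIVENNAME=Frank Henri, SURNAME=Cornelis, CN=Frank Cornelis (Signature), C=BE");
        System.out.println("pattern from the policy: " + matches("SERIALNUMBER=79102520991,.*", dn));
        System.out.println("prefix of the serial:    " + matches("SERIALNUMBER=7910252099,.*", dn));
        System.out.println("unanchored to full DN:   " + matches("SERIALNUMBER=79102520991", dn));
    }
}
```

In the JUnit test from the post, call X500NameRegexpMatchFunction.register() before new PDP(config), so that the factory consulted while parsing policy-3.xml already contains the function. Of the three calls in main(), only the policy's own pattern matches: the shortened serial number fails because the whole DN must match and "7910252099" is followed by "1" rather than ","; the pattern without a trailing ",.*" fails for the same reason, which is the behaviour you want from an attribute that selects a signer.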