
    Why is this XACML Request returning a Deny?

    Brian Krisler Newbie

      Hi,

       

      I have a very simple XACML request that is returning a Deny when I expect a Permit, and I can't figure out why. It appears to be related to the anyURI resource, since changing the URI to a string works.

       

      Any help is appreciated!

       

      The Request:

       

      <!-- The request as pasted (ns3/ns7/ns9 prefixes are presumably declared on an outer
           element not shown here). Each value has to line up with the policy: the
           subject-id is an rfc822Name, the role is a plain string, and the resource-id is
           an anyURI that the policy compares for exact equality. -->
      <ns9:XACMLAuthzDecisionQuery IssueInstant="2010-05-06T11:05:25.911-04:00">
        <ns3:Issuer>testIssuer</ns3:Issuer>
        <ns7:Request>
        <ns7:Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
          <!-- Matched by the policy's rfc822Name-match against the string "corporate.com". -->
          <ns7:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" 
                         DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name" Issuer="testIssuer">
            <ns7:AttributeValue>john.doe@corporate.com</ns7:AttributeValue>
          </ns7:Attribute>
          <!-- Checked by the rule Condition: string-is-in("executive", role bag). -->
          <ns7:Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" 
                         DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="testIssuer">
            <ns7:AttributeValue>executive</ns7:AttributeValue>
          </ns7:Attribute>
        </ns7:Subject>
        <ns7:Resource>
          <!-- NOTE(review): this value carries the "www." host label, but the Java snippet
               further down builds new URI("http://corporate.com/feeds/financial.rss").
               Only one of the two can be what the PDP actually receives; anyURI-equal in the
               PolicySet Target is an exact comparison, so confirm which one is sent. -->
          <ns7:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" 
                         DataType="http://www.w3.org/2001/XMLSchema#anyURI" Issuer="testIssuer">
            <ns7:AttributeValue>http://www.corporate.com/feeds/financial.rss</ns7:AttributeValue>
          </ns7:Attribute>
        </ns7:Resource>
        <!-- Empty Action/Environment: the policy below does not match on either. -->
        <ns7:Action/>
        <ns7:Environment/>
        </ns7:Request>
        </ns9:XACMLAuthzDecisionQuery>
      

       

      The Policy:

       

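      <!-- Top-level PolicySet: one Policy combined with deny-overrides, applicable only to the
           single resource-id named in the Target below. The match function is anyURI-equal,
           so the request's resource-id must be an exact URI match, host label included. -->
      <PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os 
                         http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd"
        PolicySetId="urn:oasis:names:tc:bbn:1.0:example:policyid:1"
        PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
      <Target>
        <Resources>
          <Resource>
            <!-- anyURI-equal(literal, resource-id); both sides carry the anyURI DataType. -->
            <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://www.corporate.com/feeds/financial.rss</AttributeValue>
              <ResourceAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#anyURI" 
                  AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" />
            </ResourceMatch>
          </Resource>
        </Resources>
      </Target>
      
      <!-- permit-overrides: a Permit from ExecRule wins over the catch-all Deny rule below.
           The empty Policy Target means every request that passed the PolicySet Target
           is evaluated against both rules. -->
      <Policy PolicyId="ExecutivePolicy"
      RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
      <Description>My Test Policy</Description>
      <Target />
      <Rule RuleId="ExecRule" Effect="Permit">
      <Target>
        <Subjects>
          <Subject>
            <!-- rfc822Name-match(string, rfc822Name): a bare domain as the string argument
                 matches any address in that domain. The literal is kept on ONE line on
                 purpose: in the original the element content continued with a line break
                 and indentation after "corporate.com", and whether the PDP strips that
                 whitespace before comparing is not something the policy should rely on
                 (the other string literals in this policy are already single-line). -->
            <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">corporate.com</AttributeValue>
              <SubjectAttributeDesignator DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"
                  AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" />
            </SubjectMatch>
          </Subject>
        </Subjects>
      </Target>
      <!-- The rule only fires if the subject's role bag contains "executive". -->
      <Condition>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">executive</AttributeValue>
          <SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" 
             AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" />
        </Apply>
      </Condition>
      </Rule>
      
      <!-- Catch-all: a request that reaches this Policy (resource matched) but fails ExecRule's
           subject match or condition ends up here, so a failed subject match is reported as
           Deny rather than NotApplicable. -->
      <Rule RuleId="DefaultPolicy" Effect="Deny" />
      </Policy>
      
      </PolicySet>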
      

       

      The request is constructed as follows:

       

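      // Build the XACML request that is handed to the PDP. The values below have to line
      // up with the policy: the subject-id is matched with rfc822Name-match against
      // "corporate.com", the role bag must contain "executive", and the resource-id is
      // compared with anyURI-equal (exact URI equality).
      RequestType xacmlRequest = new RequestType();
      
      SubjectType subject = new SubjectType();
      subject.setSubjectCategory("urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"); 
      
      List<AttributeType> attrList = new ArrayList<AttributeType>();
      // subject-id as an rfc822Name (email) attribute, role as a plain string attribute;
      // 'issuer' is assumed to be defined in the enclosing scope.
      attrList.add(RequestAttributeFactory.createEmailAttributeType(
           "urn:oasis:names:tc:xacml:1.0:subject:subject-id", issuer, "john.doe@corporate.com"));
      // Fixed: the original closed this call with one ')' too many, which does not compile.
      attrList.add(RequestAttributeFactory.createStringAttributeType(
           "urn:oasis:names:tc:xacml:2.0:subject:role", issuer, "executive"));
      subject.getAttribute().addAll(attrList); 
       
      xacmlRequest.getSubject().add(subject);
      
      ResourceType resourceType = new ResourceType();
      List<AttributeType> resList = new ArrayList<AttributeType>();
      // NOTE(review): this URI has no "www." host label, whereas both the pasted XML request
      // and the policy's anyURI-equal literal use http://www.corporate.com/feeds/financial.rss.
      // anyURI-equal is an exact comparison, so these two would not match; confirm which
      // value is really sent, since a mismatch here alone would explain a non-Permit result.
      resList.add(RequestAttributeFactory.createAnyURIAttributeType(
           "urn:oasis:names:tc:xacml:1.0:resource:resource-id", issuer, 
           new URI("http://corporate.com/feeds/financial.rss")));
      resourceType.getAttribute().addAll(resList);
      
      xacmlRequest.getResource().add(resourceType);
      // createAction()/createEnvironment() are defined elsewhere; the pasted request shows
      // both as empty elements, which is fine because the policy matches on neither.
      xacmlRequest.setAction(createAction());
      xacmlRequest.setEnvironment(createEnvironment());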
      

       

      Thanks again

       

      Brian