XACML Bags operations - xacml

Assume we have a bag of booleans. Is there a function that can tell whether the number of "true" values is larger than some constant (e.g., 5)?
I came across "n-of" function, but it requires multiple separate attributes as an input and not a bag... Maybe "map" function can help, but not sure how since I didn't find a function that can reduce the number of items in a bag.
Thanks!
Michael.

To achieve what you are looking for, you need to use two functions:
a function that measures the size of the bag e.g. booleanBagSize(someAttribute)
a functiont that checks that each value of the bag is equal to true. e.g. booleanEquals used in conjunction with a higher-order function e.g. AllOf
The resulting code in ALFA would be:
namespace axiomatics{
attribute allowed{
category = subjectCat
id = "axiomatics.allowed"
type = boolean
}
policy allowIf5True{
apply firstApplicable
rule allow{
permit
condition booleanBagSize(allowed)>5 && allOf(function[booleanEqual], true, allowed)
}
}
}
And the XACML 3.0 output would be
<?xml version="1.0" encoding="UTF-8"?>
<!--This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com).
Any modification to this file will be lost upon recompilation of the source ALFA file-->
<xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
PolicyId="http://axiomatics.com/alfa/identifier/axiomatics.allowIf5True"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
Version="1.0">
<xacml3:Description />
<xacml3:PolicyDefaults>
<xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
</xacml3:PolicyDefaults>
<xacml3:Target />
<xacml3:Rule
Effect="Permit"
RuleId="http://axiomatics.com/alfa/identifier/axiomatics.allowIf5True.allow">
<xacml3:Description />
<xacml3:Target />
<xacml3:Condition>
<xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than">
<xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:boolean-bag-size" >
<xacml3:AttributeDesignator
AttributeId="axiomatics.allowed"
DataType="http://www.w3.org/2001/XMLSchema#boolean"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
MustBePresent="false"
/>
</xacml3:Apply>
<xacml3:AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#integer">5</xacml3:AttributeValue>
</xacml3:Apply>
<xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:all-of" >
<xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:boolean-equal"/>
<xacml3:AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#boolean">true</xacml3:AttributeValue>
<xacml3:AttributeDesignator
AttributeId="axiomatics.allowed"
DataType="http://www.w3.org/2001/XMLSchema#boolean"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
MustBePresent="false"
/>
</xacml3:Apply>
</xacml3:Apply>
</xacml3:Condition>
</xacml3:Rule>
</xacml3:Policy>
This approach only works if the bag only contains true values.

Related

Xacml policy test occurence of string in string bag

I'm trying to come up with a rule that says the string must begin with ABC but not be ABC123, ABC456, ABC789.
I'm trying write this to evaluate against a string bag, any pointers much appreciated.
You'll need two things:
A check that matches your attribute (e.g. a) with the value (ABC)
A condition that checks the same attribute is not either of ABC123, ABC456, ABC789.
There are (at least) two ways you could do this:
You could write a policy that checks the attribute starts with ABC and then have a rule that denies access if the value is one of the 3 forbidden ones or
You could write a policy that checks the attribute starts with ABC and only returns permit if the the value is not one of the 3 forbidden ones.
ALFA Example
ALFA, the abbreviated language for AuthZ, is a lightweight syntax for XACML policies. (Source: alfa, Wikipedia)
namespace com.axiomatics{
attribute a{
category = subjectCat
id = "com.axiomatics.a"
type = string
}
/**
* This policy allows access if the string starts with ABC but is not ABC123, ABC456, or ABC789
*/
policy example{
apply firstApplicable
/**
* Deny specific values
*/
rule denySpecificValues{
target clause a == "ABC123" or a == "ABC456" or a == "ABC789"
deny
}
/**
* Allow if the string starts with ABC
*/
rule startsWithABC{
target clause stringStartsWith("ABC", a)
permit
}
}
/**
* This policy allows access if the string starts with ABC but is not ABC123, ABC456, or ABC789
*/
policy anotherExample{
apply firstApplicable
/**
* Allow if the string with ABC
*/
rule startsWithABC{
target clause stringStartsWith("ABC", a)
permit
condition not (a == "ABC123") && not(a == "ABC456") || not(a == "ABC789")
}
}
}
XACML XML Equivalent
<?xml version="1.0" encoding="UTF-8"?><!--This file was generated by the
ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com). --><!--Any modification to this file will
be lost upon recompilation of the source ALFA file -->
<xacml3:Policy
xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
PolicyId="http://axiomatics.com/alfa/identifier/com.axiomatics.example"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
Version="1.0">
<xacml3:Description>This policy allows access if the string starts with
ABC but is not ABC123, ABC456, or ABC789</xacml3:Description>
<xacml3:PolicyDefaults>
<xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116
</xacml3:XPathVersion>
</xacml3:PolicyDefaults>
<xacml3:Target />
<xacml3:Rule Effect="Deny"
RuleId="com.axiomatics.example.denySpecificValues">
<xacml3:Description>Deny specific values</xacml3:Description>
<xacml3:Target>
<xacml3:AnyOf>
<xacml3:AllOf>
<xacml3:Match
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<xacml3:AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">ABC123</xacml3:AttributeValue>
<xacml3:AttributeDesignator
AttributeId="com.axiomatics.a"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
DataType="http://www.w3.org/2001/XMLSchema#string"
MustBePresent="false" />
</xacml3:Match>
</xacml3:AllOf>
<xacml3:AllOf>
<xacml3:Match
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<xacml3:AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">ABC456</xacml3:AttributeValue>
<xacml3:AttributeDesignator
AttributeId="com.axiomatics.a"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
DataType="http://www.w3.org/2001/XMLSchema#string"
MustBePresent="false" />
</xacml3:Match>
</xacml3:AllOf>
<xacml3:AllOf>
<xacml3:Match
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<xacml3:AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">ABC789</xacml3:AttributeValue>
<xacml3:AttributeDesignator
AttributeId="com.axiomatics.a"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
DataType="http://www.w3.org/2001/XMLSchema#string"
MustBePresent="false" />
</xacml3:Match>
</xacml3:AllOf>
</xacml3:AnyOf>
</xacml3:Target>
</xacml3:Rule>
<xacml3:Rule Effect="Permit"
RuleId="com.axiomatics.example.startsWithABC">
<xacml3:Description>Allow if the string starts with ABC
</xacml3:Description>
<xacml3:Target>
<xacml3:AnyOf>
<xacml3:AllOf>
<xacml3:Match
MatchId="urn:oasis:names:tc:xacml:3.0:function:string-starts-with">
<xacml3:AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">ABC</xacml3:AttributeValue>
<xacml3:AttributeDesignator
AttributeId="com.axiomatics.a"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
DataType="http://www.w3.org/2001/XMLSchema#string"
MustBePresent="false" />
</xacml3:Match>
</xacml3:AllOf>
</xacml3:AnyOf>
</xacml3:Target>
</xacml3:Rule>
</xacml3:Policy>

Sitecore custom index configure languages

I created a custom Lucene index in a Sitecore 8.1 environment like this:
<?xml version="1.0"?>
<configuration xmlns:x="http://www.sitecore.net/xmlconfig/">
<sitecore>
<contentSearch>
<configuration type="Sitecore.ContentSearch.ContentSearchConfiguration, Sitecore.ContentSearch">
<indexes hint="list:AddIndex">
<index id="Products_index" type="Sitecore.ContentSearch.LuceneProvider.LuceneIndex, Sitecore.ContentSearch.LuceneProvider">
<param desc="name">$(id)</param>
<param desc="folder">$(id)</param>
<param desc="propertyStore" ref="contentSearch/indexConfigurations/databasePropertyStore" param1="$(id)" />
<configuration ref="contentSearch/indexConfigurations/ProductIndexConfiguration" />
<strategies hint="list:AddStrategy">
<strategy ref="contentSearch/indexConfigurations/indexUpdateStrategies/onPublishEndAsync" />
</strategies>
<commitPolicyExecutor type="Sitecore.ContentSearch.CommitPolicyExecutor, Sitecore.ContentSearch">
<policies hint="list:AddCommitPolicy">
<policy type="Sitecore.ContentSearch.TimeIntervalCommitPolicy, Sitecore.ContentSearch" />
</policies>
</commitPolicyExecutor>
<locations hint="list:AddCrawler">
<crawler type="Sitecore.ContentSearch.SitecoreItemCrawler, Sitecore.ContentSearch">
<Database>master</Database>
<Root>/sitecore/content/General/Product Repository</Root>
</crawler>
</locations>
<enableItemLanguageFallback>false</enableItemLanguageFallback>
<enableFieldLanguageFallback>false</enableFieldLanguageFallback>
</index>
</indexes>
</configuration>
<indexConfigurations>
<ProductIndexConfiguration type="Sitecore.ContentSearch.LuceneProvider.LuceneIndexConfiguration, Sitecore.ContentSearch.LuceneProvider">
<initializeOnAdd>true</initializeOnAdd>
<analyzer ref="contentSearch/indexConfigurations/defaultLuceneIndexConfiguration/analyzer" />
<documentBuilderType>Sitecore.ContentSearch.LuceneProvider.LuceneDocumentBuilder, Sitecore.ContentSearch.LuceneProvider</documentBuilderType>
<fieldMap type="Sitecore.ContentSearch.FieldMap, Sitecore.ContentSearch">
<fieldNames hint="raw:AddFieldByFieldName">
<field fieldName="_uniqueid" storageType="YES" indexType="TOKENIZED" vectorType="NO" boost="1f" type="System.String" settingType="Sitecore.ContentSearch.LuceneProvider.LuceneSearchFieldConfiguration, Sitecore.ContentSearch.LuceneProvider">
<analyzer type="Sitecore.ContentSearch.LuceneProvider.Analyzers.LowerCaseKeywordAnalyzer, Sitecore.ContentSearch.LuceneProvider" />
</field>
<field fieldName="key" storageType="YES" indexType="UNTOKENIZED" vectorType="NO" boost="1f" type="System.String" settingType="Sitecore.ContentSearch.LuceneProvider.LuceneSearchFieldConfiguration, Sitecore.ContentSearch.LuceneProvider"/>
</fieldNames>
</fieldMap>
<documentOptions type="Sitecore.ContentSearch.LuceneProvider.LuceneDocumentBuilderOptions, Sitecore.ContentSearch.LuceneProvider">
<indexAllFields>true</indexAllFields>
<include hint="list:AddIncludedTemplate">
<Product>{843B9598-318D-4AFA-B8C8-07E3DF5C6738}</Product>
</include>
</documentOptions>
<fieldReaders ref="contentSearch/indexConfigurations/defaultLuceneIndexConfiguration/fieldReaders"/>
<indexFieldStorageValueFormatter ref="contentSearch/indexConfigurations/defaultLuceneIndexConfiguration/indexFieldStorageValueFormatter"/>
<indexDocumentPropertyMapper ref="contentSearch/indexConfigurations/defaultLuceneIndexConfiguration/indexDocumentPropertyMapper"/>
</ProductIndexConfiguration>
</indexConfigurations>
</contentSearch>
</sitecore>
</configuration>
Actually a quite straightforward index that points to a root, includes a template and stores a field. It all works. But I need something extra:
Limit the entries in the index to the latest version
Limit the entries in the index to one language (English)
I know this can be easily triggered in the query as well, but I want to get my indexes smaller so they will (re)build faster.
The first one could be solved by indexing web instead of master, but I actually also want the unpublished ones in this case. I'm quite sure I will need a custom crawler for this.
The second one (limit the languages) is actually more important as I will also need this in other indexes. The easy answer is probably also to use a custom crawler but I was hoping there would be a way to configure this without custom code. Is it possible to configure an custom index to only include a defined set of languages (one or more) instead of all?
After some research I came to the conclusion that to match all the requirements a custom crawler was the only solution. Blogged the code: http://ggullentops.blogspot.be/2016/10/custom-sitecore-index-crawler.html
The main reason was that we really had to be able to set this per index - which is not possible with the filter approach. Also, when we added a new version the previous version had to be deleted from the index - also not possible without the crawler...
There is quite some code so I won't copy it all here but we had to override the DoAdd and DoUpdate methods of the SitecoreItemCrawler, and for the languages we also had to make a small override of the Update method.
You can easily create a custom processor that will let you filter what you want:
namespace Sitecore.Custom
{
public class CustomInboundIndexFilter : InboundIndexFilterProcessor
{
public override void Process(InboundIndexFilterArgs args)
{
var item = args.IndexableToIndex as SitecoreIndexableItem;
var language = Sitecore.Data.Managers.LanguageManager.GetLanguage("en");
if (item != null && (!item.Item.Versions.IsLatestVersion() || item.Item.Language == language))
{
args.IsExcluded = true;
}
}
}
}
And add this processor into the config:
<pipelines>
<indexing.filterIndex.inbound>
<processor type="Sitecore.Custom.CustomInboundIndexFilter, Sitecore.Custom"></processor>
</indexing.filterIndex.inbound>
</pipelines>

WSO2 Identity Server - Issues with XACML V.3 Policy Set under the Try-It of PAP

I'd like to add a policy set in order to run a series of policies in sequence using a target which defines if a given policy is applicable, or not, based on the input field "resource". To begin a test I wrote a single policySet that contains one policy.
The evaluation by the WSO2 PAP fails showing a result of "NotApplicable" while I expect to receive a "Permit".
Here the policy named "cfatest0" created in XML:
<!--This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com). Any modification to this file will be lost upon recompilation of the source ALFA file-->
<xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="cfatest0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" Version="1.0">
<xacml3:Description></xacml3:Description>
<xacml3:PolicyDefaults>
<xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
</xacml3:PolicyDefaults>
<xacml3:Target>
<xacml3:AnyOf>
<xacml3:AllOf>
<xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">TPS_AE_REST_Policy</xacml3:AttributeValue>
<xacml3:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false"></xacml3:AttributeDesignator>
</xacml3:Match>
</xacml3:AllOf>
</xacml3:AnyOf>
</xacml3:Target>
<xacml3:Rule Effect="Permit" RuleId="http://axiomatics.com/alfa/identifier/com.red.XACML.permitAll">
<xacml3:Description></xacml3:Description>
<xacml3:Target></xacml3:Target>
</xacml3:Rule>
<xacml3:Rule Effect="Deny" RuleId="http://axiomatics.com/alfa/identifier/com.red.XACML.checkId">
<xacml3:Description></xacml3:Description>
<xacml3:Target></xacml3:Target>
<xacml3:Condition>
<xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
<xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
<xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"></xacml3:Function>
<xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">claudef#br.red.com</xacml3:AttributeValue>
<xacml3:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" MustBePresent="false"></xacml3:AttributeDesignator>
</xacml3:Apply>
</xacml3:Apply>
</xacml3:Condition>
<xacml3:ObligationExpressions>
<xacml3:ObligationExpression ObligationId="obligation.displayAttributes" FulfillOn="Deny">
<xacml3:AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:text" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Access denied due to invalid UserID</xacml3:AttributeValue>
</xacml3:AttributeAssignmentExpression>
</xacml3:ObligationExpression>
</xacml3:ObligationExpressions>
</xacml3:Rule>
<xacml3:AdviceExpressions>
<xacml3:AdviceExpression AdviceId="advice.displayAttributes" AppliesTo="Deny">
<xacml3:AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:text" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Valid subjectId</xacml3:AttributeValue>
</xacml3:AttributeAssignmentExpression>
</xacml3:AdviceExpression>
<xacml3:AdviceExpression AdviceId="advice.displayAttributes" AppliesTo="Permit">
<xacml3:AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:text" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Valid subjectId</xacml3:AttributeValue>
</xacml3:AttributeAssignmentExpression>
</xacml3:AdviceExpression>
</xacml3:AdviceExpressions>
</xacml3:Policy>
Here the PolicySet named cfapolicyset1 created in XML:
<!--This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com). Any modification to this file will be lost upon recompilation of the source ALFA file-->
<xacml3:PolicySet xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicySetId="cfapolicyset1" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:permit-overrides" Version="1.0">
<xacml3:Description></xacml3:Description>
<xacml3:PolicySetDefaults>
<xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
</xacml3:PolicySetDefaults>
<xacml3:Target>
<xacml3:AnyOf>
<xacml3:AllOf>
<xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">TPS_AE_REST_Policy</xacml3:AttributeValue>
<xacml3:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false"></xacml3:AttributeDesignator>
</xacml3:Match>
</xacml3:AllOf>
</xacml3:AnyOf>
</xacml3:Target>
<xacml3:PolicyIdReference>cfatest0</xacml3:PolicyIdReference>
</xacml3:PolicySet>
Below the request generated by the WSO2 "Try-It" tool under the PAP:
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">claudef#br.red.com</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">TPS_AE_REST_Policy</AttributeValue>
</Attribute>
</Attributes>
</Request>
Decision is: NotApplicable
Do I miss something in the way how I use to send a request to a PolicySet? When using the WSO2 high level policy editor, I get the same error at the response. When testing the policy isolated in the PAP "Try-It" tool, I receive the correct value, which for this policy is: "Permit".
I tried your request and policies inside the Axiomatics Policy Administration Point and I get the desired response i.e. Permit + Advice.
Could it be you forgot to load the policy inside WSO2IS?

Error in XACML validation

I have created a XACML file for authorization, which looks as:
<?xml version="1.0" encoding="UTF-8"?><PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" PolicySetId="mysecurity:security:policyset:testmypolicyapi" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides" xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:oshttp://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-context-schema-os.xsd">
<Policy PolicyId="mytest:security:policy:testcollection" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
<Description>This is a test policy,not for official use</Description>
<Target/>
<Rule Effect="Deny" RuleId="RuleIdrule1">
<Description>This is a test rule</Description>
<Target>
<Subjects>
<Subject>
<SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ADMIN</AttributeValue>
<SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:ADMIN" DataType="POLICY_ATTRIBUTEDATATYPE"/>
</SubjectMatch>
</Subject>
</Subjects>
<Resources>
<Resource>
<ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">TESTRESOURCE1</AttributeValue>
<ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:TESTRESOURCE1" DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
</Resource>
</Resources>
<Actions>
<Action>
<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">TESTACTION</AttributeValue>
<ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:TESTACTION"/>
</ActionMatch>
</Action>
</Actions>
</Target>
</Rule>
</Policy>
</PolicySet>
I am doing balana based validation but I am getting the error as:
resource missing resource-id
But I have mentioned the resource-id already, same code works with balana test policy file, difference is I am using policy set instead of "policy".
Could you please let us know XACML request that you are using.. If not, please try to change the following value in the policy and try out. I guess that can be the issues. In your request you may sending resource-id value as attribute id
urn:oasis:names:tc:xacml:1.0:resource:TESTRESOURCE1
into
urn:oasis:names:tc:xacml:1.0:resource:resource-id

XACML Class cast exception

I am new to XACML and getting the following error
java.lang.String cannot be cast to com.sun.xacml.ctx.Attribute
at com.sun.xacml.BasicEvaluationCtx.setupSubjects(BasicEvaluationCtx.java:252)
I have defined my attribute something like this:
Set subjects=new HashSet();
subjects.add("Julius Hibbert");
Subject subject = new Subject(subjects);
Set subjectList=new HashSet();
subjectList.add(subject);
value = new AnyURIAttribute(new URI("http://medico.com/record/patient/BartSimpson"));
Attribute resource = new Attribute(new URI("urn:oasis:names:tc:xacml:1.0:resource:resource-id"), null, null, value);
Set resourceAttrs=new HashSet();
resourceAttrs.add(resource);
Set actionAttrs=new HashSet();
DateTimeAttribute date=new DateTimeAttribute();
AttributeValue attvalue=new StringAttribute("read");
Attribute action = new Attribute(new URI("urn:oasis:names:tc:xacml:1.0:action:action-id"), "", date, attvalue);
actionAttrs.add(action);
Set env=new HashSet();
RequestCtx request = new RequestCtx(subjects, resourceAttrs,
actionAttrs, environmentAttrs);
My XACML file is:
<?xml version="1.0" encoding="UTF-8"?>
<Policy
xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-context-schema-os.xsd"
PolicyId="urn:oasis:names:tc:xacml:2.0:conformance-test:IIA1:policy"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
<Description>
Policy for Conformance Test IIA001.
</Description>
<Target/>
<Rule
RuleId="urn:oasis:names:tc:xacml:2.0:conformance-test:IIA1:rule"
Effect="Permit">
<Description>
Julius Hibbert can read or write Bart Simpson's medical record.
</Description>
<Target>
<Subjects>
<Subject>
<SubjectMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">Julius Hibbert</AttributeValue>
<SubjectAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</SubjectMatch>
</Subject>
</Subjects>
<Resources>
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://medico.com/record/patient/BartSimpson</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
</ResourceMatch>
</Resource>
</Resources>
<Actions>
<Action>
<ActionMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
<ActionAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ActionMatch>
</Action>
<Action>
<ActionMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
<ActionAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ActionMatch>
</Action>
</Actions>
</Target>
</Rule>
</Policy>
Where am I going wrong?I am using Sun XACML implementation.
After observing your code I found that you are trying to cast a String type to Attribute Type of class com.sun.xacml.ctx.Attribute. Pass the parameters as it is defined by the attribute class : Attribute Class
Paste your code in the Pastebin so that i can take a look.