java - XACML Policy Evaluation Error
I followed the link to run a PDP using a SAML envelope on XACML. I created a web service (PDP and PDPClient, in other words an XACML request generator). Here everything runs fine, i.e. it generates the request and the result is perfect for the given policies (the test policies that came with the link I followed).
Now I am testing the PDP with my own policies!! (In my point of view) the PDP isn't evaluating the policies correctly. For example, here is my policy:
```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
        PolicyId="serverdatadeletion" Version="2.0"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
  <Description>server data deletion student</Description>
  <Target>
    <Subjects>
      <Subject>
        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">visitor</AttributeValue>
          <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:outside-university"
                                      DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
        </SubjectMatch>
      </Subject>
    </Subjects>
    <Resources>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">server file</AttributeValue>
          <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:file123"
                                       DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
        </ResourceMatch>
      </Resource>
    </Resources>
    <Actions>
      <Action>
        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">delete</AttributeValue>
          <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:delete123"
                                     DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
        </ActionMatch>
      </Action>
    </Actions>
  </Target>
  <Rule RuleId="serverdatadeletion" Effect="Permit">
    <Description>server data deletion</Description>
    <Target>
      <Subjects>
        <Subject>
          <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">student</AttributeValue>
            <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:inside-university123"
                                        DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
          </SubjectMatch>
        </Subject>
      </Subjects>
      <Resources>
        <Resource>
          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">server file</AttributeValue>
            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:file"
                                         DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
          </ResourceMatch>
        </Resource>
      </Resources>
      <Actions>
        <Action>
          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">delete</AttributeValue>
            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:delete"
                                       DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
          </ActionMatch>
        </Action>
      </Actions>
    </Target>
  </Rule>
  <Rule RuleId="default" Effect="Deny"/>
</Policy>
```
And here is the request:
subject-id: urn:oasis:names:tc:xacml:1.0:subject:outside-university, subject-value: staff
attribute-id: urn:oasis:names:tc:xacml:1.0:resource:file123, attribute-value: server file
action-id: urn:oasis:names:tc:xacml:1.0:action:delete123, action-value: delete
And the response is Deny. See that MustBePresent = true in the Subject, Resource and Action of the policy target, and the request contains none of these ids. According to XACML 2.0, if MustBePresent is true and the ids are not present in the request, the target is Indeterminate, and if that target is the policy target, the whole policy is Indeterminate. In my case, after an Indeterminate policy target, the PDP still evaluates the rules and produces the result according to the rule-combining algorithm.
Let me know if I am wrong.
Actually, at a quick glance, you should be getting NotApplicable.
You have the following structure:
- Policy
  - Rule 1: serverdatadeletion yields Permit
  - Rule 2: default yields Deny.
Your policy has a target as follows:
```xml
<Target>
  <Subjects>
    <Subject>
      <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">visitor</AttributeValue>
        <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:outside-university"
                                    DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
      </SubjectMatch>
    </Subject>
  </Subjects>
  <Resources>
    <Resource>
      <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">server file</AttributeValue>
        <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:file123"
                                     DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
      </ResourceMatch>
    </Resource>
  </Resources>
  <Actions>
    <Action>
      <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">delete</AttributeValue>
        <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:delete123"
                                   DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
      </ActionMatch>
    </Action>
  </Actions>
</Target>
```
It applies if a visitor is trying to delete a server file.
In your request, you send staff instead of visitor. It should therefore be NotApplicable.
If you get the chance, move to XACML 3.0. Check out the ALFA plugin for Eclipse to write policies easily.
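To make the two readings above concrete, here is an added Python model of XACML 2.0 Target, Rule and Policy evaluation. It is example code written for this page, not the questioner's PDP or web service and not any XACML library; it models only string-equal matches and rules without a Condition, which is all the posted policy uses. The policy and the questioner's request are transcribed from the page; the two extra requests are constructed to show when MustBePresent="true" actually yields Indeterminate, and what deny-overrides does once the policy target matches.

```python
"""Added example: a minimal model of XACML 2.0 Target/Rule/Policy evaluation
(string-equal matches and Condition-less rules only, as in the posted policy)."""

MATCH, NO_MATCH, INDETERMINATE = "Match", "NoMatch", "Indeterminate"
PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

SUBJ = "urn:oasis:names:tc:xacml:1.0:subject:"
RES = "urn:oasis:names:tc:xacml:1.0:resource:"
ACT = "urn:oasis:names:tc:xacml:1.0:action:"

# A match is (AttributeId, expected value, MustBePresent). Each category holds a
# list of alternatives (the <Subject>/<Resource>/<Action> elements); each
# alternative is a list of matches that must all hold. An empty category list
# stands for <AnySubject/>, <AnyResource/> or <AnyAction/>.
PAGE_POLICY = {  # transcribed from the question's policy
    "target": {
        "Subjects": [[(SUBJ + "outside-university", "visitor", True)]],
        "Resources": [[(RES + "file123", "server file", True)]],
        "Actions": [[(ACT + "delete123", "delete", True)]],
    },
    "rules": [
        {"id": "serverdatadeletion", "effect": PERMIT, "target": {
            "Subjects": [[(SUBJ + "inside-university123", "student", True)]],
            "Resources": [[(RES + "file", "server file", False)]],
            "Actions": [[(ACT + "delete", "delete", False)]],
        }},
        {"id": "default", "effect": DENY, "target": {}},  # no Target: always matches
    ],
}

PAGE_REQUEST = {  # transcribed from the question: ids present, subject value "staff"
    "Subjects": {SUBJ + "outside-university": ["staff"]},
    "Resources": {RES + "file123": ["server file"]},
    "Actions": {ACT + "delete123": ["delete"]},
}
REQUEST_WITHOUT_TARGET_ATTRS = {  # constructed: none of the policy target's ids present
    "Subjects": {SUBJ + "subject-id": ["staff"]},
    "Resources": {RES + "resource-id": ["server file"]},
    "Actions": {ACT + "action-id": ["delete"]},
}
REQUEST_VISITOR = {  # constructed: a real visitor, so the policy target matches
    "Subjects": {SUBJ + "outside-university": ["visitor"]},
    "Resources": {RES + "file123": ["server file"]},
    "Actions": {ACT + "delete123": ["delete"]},
}

def eval_match(match, attrs):
    """One <SubjectMatch> etc.: string-equal over the designator's bag. A missing
    attribute is Indeterminate only when MustBePresent="true"; otherwise the bag
    is empty, string-equal never holds, and the match is simply false."""
    attr_id, expected, must_be_present = match
    bag = attrs.get(attr_id, [])
    if not bag:
        return INDETERMINATE if must_be_present else NO_MATCH
    return MATCH if expected in bag else NO_MATCH

def eval_alternative(matches, attrs):
    """One <Subject> etc.: all matches must hold; a false match beats Indeterminate."""
    results = [eval_match(m, attrs) for m in matches]
    if NO_MATCH in results:
        return NO_MATCH
    return INDETERMINATE if INDETERMINATE in results else MATCH

def eval_category(alternatives, attrs):
    """<Subjects> etc.: at least one alternative must match; a match beats Indeterminate."""
    if not alternatives:
        return MATCH
    results = [eval_alternative(a, attrs) for a in alternatives]
    if MATCH in results:
        return MATCH
    return INDETERMINATE if INDETERMINATE in results else NO_MATCH

def eval_target(target, request):
    """<Target>: every category must match; a no-match anywhere wins over Indeterminate."""
    results = [eval_category(target.get(c, []), request.get(c, {}))
               for c in ("Subjects", "Resources", "Actions")]
    if NO_MATCH in results:
        return NO_MATCH
    return INDETERMINATE if INDETERMINATE in results else MATCH

def eval_rule(rule, request):
    """Condition-less <Rule>: its Effect on a target match, NotApplicable on no match."""
    t = eval_target(rule["target"], request)
    if t == MATCH:
        return rule["effect"]
    return NOT_APPLICABLE if t == NO_MATCH else INDETERMINATE

def deny_overrides(rules, request):
    """urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides (2.0 semantics)."""
    at_least_one_error = potential_deny = at_least_one_permit = False
    for rule in rules:
        decision = eval_rule(rule, request)
        if decision == DENY:
            return DENY
        if decision == PERMIT:
            at_least_one_permit = True
        elif decision == INDETERMINATE:
            at_least_one_error = True
            potential_deny = potential_deny or rule["effect"] == DENY
    if potential_deny:
        return DENY
    if at_least_one_permit:
        return PERMIT
    return INDETERMINATE if at_least_one_error else NOT_APPLICABLE

def eval_policy(policy, request):
    """<Policy>: the rules are combined only when the policy target matches."""
    t = eval_target(policy["target"], request)
    if t == NO_MATCH:
        return NOT_APPLICABLE
    if t == INDETERMINATE:
        return INDETERMINATE
    return deny_overrides(policy["rules"], request)

if __name__ == "__main__":
    for name, req in [("posted request", PAGE_REQUEST),
                      ("target ids absent", REQUEST_WITHOUT_TARGET_ATTRS),
                      ("visitor", REQUEST_VISITOR)]:
        print(f"{name}: {eval_policy(PAGE_POLICY, req)}")
```

Run as a script it prints NotApplicable for the posted request: the three attribute ids are present, so MustBePresent never comes into play, and the subject value staff simply fails string-equal against visitor, which is the answer's point. Indeterminate appears only for the constructed request in which the policy target's attribute ids are genuinely absent. For a real visitor the policy target matches, the serverdatadeletion rule is NotApplicable (its resource attribute is absent with MustBePresent="false"), and the unconditional default rule returns Deny, which deny-overrides makes final; as written, this policy can never return Permit. A PDP that answers Deny to the posted request is doing something outside this policy's 2.0 semantics, and that is where to look before rewriting the policy.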