Hi all, Thanks for the feedback! I've added a unit test to replicate the issue I am facing (incidentally, there is a real paucity of unit testing of the PDP functionality in the project...scope for contribution here for sure):
https://git1-us-west.apache.org/repos/asf?p=incubator-openaz.git;a=commit;h=8a2d2cf6 The test succeeds as is. However if you comment explicitly setting the Category on the Subject Role attribute on line 90 it fails: subjectRoleAttribute.setCategory(new IdentifierImpl("urn:oasis:names:tc:xacml:1.0:subject-category:access-subject")); In my opinion this is a bug, as if "the individual Attribute elements can be considered to "inherit" the "Category" property from their container." as Rich stated above, then it shouldn't be necessary to explicitly set the Category on the individual attribute Objects. If an Attribute Object is added to a containing object, then the category associated with the containing object should be propagated down to the Attribute Object itself. If you agree with this assessment I will file a JIRA and fix it. Not a big deal really in any case :-) Colm. On Wed, Jul 15, 2015 at 6:31 PM, rich levinson <[email protected]> wrote: > Hi Colm, > > The way I have viewed it is that when a XACML Request arrives, the > individual > Attribute elements always are contained in a parent Attributes element. > > Therefore the individual Attribute elements can be considered to "inherit" > the "Category" property from their container. > > This is useful for distinguishing an Attribute element that may appear in > multiple containers, where sometimes matches are made between say > a user name in a Subject Category and a user name in a Resource Category > that need to match to grant access. (In this case the user name in the > Resource Category is often obtained dynamically, possibly, as a missing > attribute, and so does not appear in the original XACML Request) > > Thanks, > Rich > > > On 7/15/2015 12:58 PM, Hal Lockhart wrote: > > I believe this is correct behavior. The designator indicates what attribute > you want. It must match name, type, category and issuer (if any) with an > Attribute in the Request. > > The Attribute in the Request is labeled with its category. If you have a > Secret subject attribute and a Secret resource attributed, the designator > will find the right one. > > Keep in mind that the creation of policy and the provision of attribute > values would normally take place at very different times and places. > > Hal > > > -----Original Message----- > From: Colm O hEigeartaigh [mailto:[email protected] <[email protected]>] > Sent: Wednesday, July 15, 2015 11:33 AM > To: dev > Subject: Re: Attribute Category question > > Ok thanks for your reply. The reason I asked is that I was using the > OpenAZ API to create a Request where I was setting a Category URI on > the Attributes Object. I was then evaluating the Request against a PDP > that was loaded with a policy that has an AttributeDesignator as > follows: > > <AttributeDesignator MustBePresent="false" > Category="urn:oasis:names:tc:xacml:1.0:subject-category:access- > subject" > AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" > DataType="http://www.w3.org/2001/XMLSchema#anyURI"; > <http://www.w3.org/2001/XMLSchema#anyURI> /> > > However, the evaluation failed. Only when I *also* added the Category > URI on the Attribute itself did the evaluation pass. Am I correct in > thinking this is a bug? If an Attributes Object has a Category then > this should also be set on each of the child Attribute Objects? > > Colm. > > > On Wed, Jul 15, 2015 at 4:24 PM, DRAGOSH, PAMELA L (PAM) > <[email protected]> wrote: > > > Colm, > > In implementing XACML, an attribute ALWAYS has a category. Carrying > that property along with it made programming a lot simpler. Its > > always > > going to be needed. > > Pam > > On 7/15/15, 9:48 AM, "Colm O hEigeartaigh" <[email protected]> > <[email protected]> > > wrote: > > Hi all, > > The Attribute Object defined in the API contains the following > > method: > > https://git-wip-us.apache.org/repos/asf?p=incubator- > > openaz.git;a=blob; > > f=op > > enaz- > > xacml/src/main/java/org/apache/openaz/xacml/api/Attribute.java;h > > =741a 73f4525e3544ee45fc35f872766969adbb57;hb=HEAD > > Identifier getCategory(); > > However, unless I'm missing something, there is no Category directly > associated with an Attribute in the 3.0 spec: > > <xs:complexType name="AttributeType"> <xs:sequence> <xs:element > ref="xacml:AttributeValue" maxOccurs="unbounded"/> </xs:sequence> > <xs:attribute name="AttributeId" type="xs:anyURI" use="required"/> > <xs:attribute name="Issuer" type="xs:string" use="optional"/> > <xs:attribute name="IncludeInResult" type="xs:boolean" > use="required"/> </xs:complexType> > > The Category is associated with the "Attributes" Element instead: > > <xs:attribute name="Category" type="xs:anyURI" use="required"/> > > Should Attribute have a getCategory method? > > Colm. > > -- > Colm O hEigeartaigh > > Talend Community Coderhttp://coders.talend.com > > -- > Colm O hEigeartaigh > > Talend Community Coderhttp://coders.talend.com > > > -- > Thanks, Rich > > [image: Oracle] <http://www.oracle.com> > Rich Levinson | Internet Standards Security Architect > Mobile: +1 978 5055017 <+1%20978%205055017> > Oracle Identity Management > 45 Network Drive | Burlington, Massachusetts 01803 > [image: Green Oracle] <http://www.oracle.com/commitment> Oracle is > committed to developing practices and products that help protect the > environment > -- Colm O hEigeartaigh Talend Community Coder http://coders.talend.com
