The reason <Attribute> does not contain a Category is so it can be use in contexts other than within <Attributes>. For example, <Attribute> can appear within <PolicyIssuer>. This is used by the Admin & Delegation Profile, which is not currently supported by this PDP. (I am not saying it should be, I regard it as a low priority.)
<PolicyIssuer> appears in <Policy> not <Request>, so it may not be relevant here. But care should be taken that the data model not preclude future enhancements. The point is that the very same attribute and value from the very same Issuer can be associated with different Categories even in the same request. It may be fine to consider them to be two different attributes, I am not sure. However, for example the data dictionary should not force every attribute to be a member of a single Category, which I believe the implementation correctly does not. In particular, Attributes which apply to Subjects can generally be used in any Subject Category. Hal From: Colm O hEigeartaigh [mailto:[email protected]] Sent: Thursday, July 16, 2015 5:41 AM To: dev Subject: Re: Attribute Category question Hi all, Thanks for the feedback! I've added a unit test to replicate the issue I am facing (incidentally, there is a real paucity of unit testing of the PDP functionality in the project...scope for contribution here for sure): https://git1-us-west.apache.org/repos/asf?p=incubator-openaz.git;a=commit;h=8a2d2cf6 The test succeeds as is. However if you comment explicitly setting the Category on the Subject Role attribute on line 90 it fails: subjectRoleAttribute.setCategory(new IdentifierImpl("urn:oasis:names:tc:xacml:1.0:subject-category:access-subject")); In my opinion this is a bug, as if "the individual Attribute elements can be considered to "inherit" the "Category" property from their container." as Rich stated above, then it shouldn't be necessary to explicitly set the Category on the individual attribute Objects. If an Attribute Object is added to a containing object, then the category associated with the containing object should be propagated down to the Attribute Object itself. If you agree with this assessment I will file a JIRA and fix it. Not a big deal really in any case :-) Colm. On Wed, Jul 15, 2015 at 6:31 PM, rich levinson <HYPERLINK "mailto:[email protected]"; \[email protected]> wrote: Hi Colm, The way I have viewed it is that when a XACML Request arrives, the individual Attribute elements always are contained in a parent Attributes element. Therefore the individual Attribute elements can be considered to "inherit" the "Category" property from their container. This is useful for distinguishing an Attribute element that may appear in multiple containers, where sometimes matches are made between say a user name in a Subject Category and a user name in a Resource Category that need to match to grant access. (In this case the user name in the Resource Category is often obtained dynamically, possibly, as a missing attribute, and so does not appear in the original XACML Request) Thanks, Rich On 7/15/2015 12:58 PM, Hal Lockhart wrote: I believe this is correct behavior. The designator indicates what attribute you want. It must match name, type, category and issuer (if any) with an Attribute in the Request. The Attribute in the Request is labeled with its category. If you have a Secret subject attribute and a Secret resource attributed, the designator will find the right one. Keep in mind that the creation of policy and the provision of attribute values would normally take place at very different times and places. Hal -----Original Message----- From: Colm O hEigeartaigh [mailto:[email protected]] Sent: Wednesday, July 15, 2015 11:33 AM To: dev Subject: Re: Attribute Category question Ok thanks for your reply. The reason I asked is that I was using the OpenAZ API to create a Request where I was setting a Category URI on the Attributes Object. I was then evaluating the Request against a PDP that was loaded with a policy that has an AttributeDesignator as follows: <AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access- subject" AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType=HYPERLINK "http://www.w3.org/2001/XMLSchema#anyURI"; \n"http://www.w3.org/2001/XMLSchema#anyURI"; /> However, the evaluation failed. Only when I *also* added the Category URI on the Attribute itself did the evaluation pass. Am I correct in thinking this is a bug? If an Attributes Object has a Category then this should also be set on each of the child Attribute Objects? Colm. On Wed, Jul 15, 2015 at 4:24 PM, DRAGOSH, PAMELA L (PAM) < HYPERLINK "mailto:[email protected]"; \[email protected]> wrote: Colm, In implementing XACML, an attribute ALWAYS has a category. Carrying that property along with it made programming a lot simpler. Its always going to be needed. Pam On 7/15/15, 9:48 AM, "Colm O hEigeartaigh" HYPERLINK "mailto:[email protected]"; \n<[email protected]> wrote: Hi all, The Attribute Object defined in the API contains the following method: https://git-wip-us.apache.org/repos/asf?p=incubator- openaz.git;a=blob; f=op enaz- xacml/src/main/java/org/apache/openaz/xacml/api/Attribute.java;h =741a 73f4525e3544ee45fc35f872766969adbb57;hb=HEAD Identifier getCategory(); However, unless I'm missing something, there is no Category directly associated with an Attribute in the 3.0 spec: <xs:complexType name="AttributeType"> <xs:sequence> <xs:element ref="xacml:AttributeValue" maxOccurs="unbounded"/> </xs:sequence> <xs:attribute name="AttributeId" type="xs:anyURI" use="required"/> <xs:attribute name="Issuer" type="xs:string" use="optional"/> <xs:attribute name="IncludeInResult" type="xs:boolean" use="required"/> </xs:complexType> The Category is associated with the "Attributes" Element instead: <xs:attribute name="Category" type="xs:anyURI" use="required"/> Should Attribute have a getCategory method? Colm. -- Colm O hEigeartaigh Talend Community Coder http://coders.talend.com -- Colm O hEigeartaigh Talend Community Coder http://coders.talend.com -- Thanks, Rich HYPERLINK "http://www.oracle.com"; \nOracle Rich Levinson | Internet Standards Security Architect Mobile: HYPERLINK "tel:+1%20978%205055017" \n+1 978 5055017 Oracle Identity Management 45 Network Drive | Burlington, Massachusetts 01803 HYPERLINK "http://www.oracle.com/commitment"; \nGreenOracleOracle is committed to developing practices and products that help protect the environment -- Colm O hEigeartaigh Talend Community Coder http://coders.talend.com
