Hi,

I have the following policy, which I am going to evaluate with multiple values for the subject attribute.

<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="Entitlement_Filter_Sample_Policy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
  <Target></Target>
  <Rule Effect="Permit" RuleId="Rule1">
    <Target>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/twitter/*</AttributeValue>
            <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
          </Match>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GET</AttributeValue>
            <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
          </Match>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">everyone</AttributeValue>
            <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
  </Rule>
  <Rule Effect="Deny" RuleId="Rule2"></Rule>
</Policy>

When I send admin, everyone as Subject Names, the decision is 'Deny'. But if I send everyone, admin, the decision is 'Permit'. I debugged the Balana code and found that it only retrieves the first attribute value and adds it. So I did a fix in the XACML3EvaluationCtx class to add all the attribute values. After that, this scenario worked for both cases.

Here is the diff of my fix.

--- modules/balana-core/src/main/java/org/wso2/balana/ctx/xacml3/XACML3EvaluationCtx.java (revision 147595) +++ modules/balana-core/src/main/java/org/wso2/balana/ctx/xacml3/XACML3EvaluationCtx.java (working copy) @@ -125,7 +125,10 @@ if(attribute.getId().equals(id) && attribute.getType().equals(type) && (issuer == null || issuer.equals(attribute.getIssuer())) && attribute.getValue() != null){ - attributeValues.add(attribute.getValue()); + List<AttributeValue> attributeValueList = attribute.getValues(); + for (AttributeValue attributeVal : attributeValueList) { + attributeValues.add(attributeVal); + } } }

Is this fix OK to proceed with, or was there anything that needed to be changed in the policy to make this scenario work?

Thanks,
Lakmali

--
Lakmali Baminiwatta
Software Engineer
WSO2, Inc.: http://wso2.com
lean.enterprise.middleware
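
Review bot: the guard just above the new loop still tests attribute.getValue() != null, while the loop now reads attribute.getValues(), so the null check and the data being added no longer refer to the same thing. Check getValues() for null or empty instead, and the three-line loop can then be a single attributeValues.addAll(attribute.getValues()). A test that sends the same subject values in both orders (admin, everyone and everyone, admin) would pin the behaviour down.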
_______________________________________________ Dev mailing list Dev@wso2.org http://wso2.org/cgi-bin/mailman/listinfo/dev
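
The order dependence described in the message above, as an added example that is not part of the original post and is not Balana code: a small Python model of Rule1's target and the first-applicable fallback to Rule2, evaluated once with a first-value-only attribute lookup and once with the full bag. The request contents and all function names are constructed for illustration, and Indeterminate handling for missing attributes is not modelled.

```python
# Constructed model of XACML 3.0 target matching for the policy above; not Balana code.
RESOURCE = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION = "urn:oasis:names:tc:xacml:1.0:action:action-id"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"

# Rule1's AllOf from the policy: every Match in it must hold.
RULE1_MATCHES = [(RESOURCE, "/twitter/*"), (ACTION, "GET"), (SUBJECT, "everyone")]


def lookup_first_only(request, attribute_id):
    """Behaviour described in the message: only the first value reaches the bag."""
    return request.get(attribute_id, [])[:1]


def lookup_all(request, attribute_id):
    """Behaviour after the fix: every value of the attribute is in the bag."""
    return list(request.get(attribute_id, []))


def match(bag, literal):
    """A Match holds when string-equal is true for at least one value in the bag."""
    return any(value == literal for value in bag)


def evaluate(request, lookup):
    """first-applicable: Rule1 permits if its target matches, otherwise Rule2 denies."""
    if all(match(lookup(request, attr), lit) for attr, lit in RULE1_MATCHES):
        return "Permit"
    return "Deny"  # Rule2 has no target, so it applies to every request


def make_request(subjects):
    # Constructed request: resource and action are chosen to equal Rule1's literals,
    # so only the subject values decide the outcome.
    return {RESOURCE: ["/twitter/*"], ACTION: ["GET"], SUBJECT: list(subjects)}


if __name__ == "__main__":
    for subjects in (["admin", "everyone"], ["everyone", "admin"]):
        req = make_request(subjects)
        print(subjects,
              "first-only:", evaluate(req, lookup_first_only),
              "all values:", evaluate(req, lookup_all))
```

With the first-value-only lookup the decision flips with the order of the subject values; with the full bag both orders give the same decision, which is what an authorization check should guarantee.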