Yes. This seems to be an issue. Thanks for fixing this....

Thanks,
Asela.

On Fri, Nov 9, 2012 at 12:46 PM, Lakmali Baminiwatta <lakm...@wso2.com> wrote:

> Hi,
>
> I have the following policy, which I am going to evaluate with multiple
> values for subject attribute.
>
> <Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
>         PolicyId="Entitlement_Filter_Sample_Policy"
>         RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
>         Version="1.0">
>    <Target></Target>
>    <Rule Effect="Permit" RuleId="Rule1">
>       <Target>
>          <AnyOf>
>             <AllOf>
>                <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>                   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/twitter/*</AttributeValue>
>                   <AttributeDesignator
>                      AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
>                      Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
>                      DataType="http://www.w3.org/2001/XMLSchema#string"
>                      MustBePresent="true"></AttributeDesignator>
>                </Match>
>                <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>                   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GET</AttributeValue>
>                   <AttributeDesignator
>                      AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
>                      Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
>                      DataType="http://www.w3.org/2001/XMLSchema#string"
>                      MustBePresent="true"></AttributeDesignator>
>                </Match>
>                <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>                   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">everyone</AttributeValue>
>                   <AttributeDesignator
>                      AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
>                      Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
>                      DataType="http://www.w3.org/2001/XMLSchema#string"
>                      MustBePresent="true"></AttributeDesignator>
>                </Match>
>             </AllOf>
>          </AnyOf>
>       </Target>
>    </Rule>
>    <Rule Effect="Deny" RuleId="Rule2"></Rule>
> </Policy>
>
> When I send admin, everyone as Subject Names, the decision is 'Deny'. But if
> I send everyone, admin, the decision is 'Permit'.
>
> I debugged the Balana code and found that it only retrieves the first
> attribute value and adds it. So I did a fix in the XACML3EvaluationCtx class to
> add all the attribute values. After that, this scenario worked for both
> cases.
>
> Here is the diff of my fix.
>
> ---
> modules/balana-core/src/main/java/org/wso2/balana/ctx/xacml3/XACML3EvaluationCtx.java
> (revision 147595)
> +++
> modules/balana-core/src/main/java/org/wso2/balana/ctx/xacml3/XACML3EvaluationCtx.java
> (working copy)
> @@ -125,7 +125,10 @@
>                  if(attribute.getId().equals(id) &&
> attribute.getType().equals(type)
>                          && (issuer == null ||
> issuer.equals(attribute.getIssuer()))
>                          && attribute.getValue() != null){
> -                    attributeValues.add(attribute.getValue());
> +                    List<AttributeValue> attributeValueList =
> attribute.getValues();
> +                    for (AttributeValue attributeVal :
> attributeValueList) {
> +                        attributeValues.add(attributeVal);
> +                    }
>                  }
>              }
>
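Review bot: the guard in the unchanged context still tests `attribute.getValue() != null`, which checks only the single-value accessor, while the new body iterates `attribute.getValues()`. Guard on the list itself (non-null and non-empty) so the condition and the loop look at the same data. If `attributeValues` is a standard Java collection, the loop can be written as `attributeValues.addAll(attribute.getValues());`. A test that evaluates the same request with the subject values in both orders would pin the behaviour this change is meant to fix.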
> Is this fix OK to proceed with, or is there anything that needs to be changed
> in the policy to make this scenario work?
>
> Thanks,
> Lakmali
>
>
> --
> Lakmali Baminiwatta
> Software Engineer
> WSO2, Inc.: http://wso2.com
> lean.enterprise.middleware
>
>
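The order dependence reported in the quoted message, as an added example that is not part of the original thread and is not Balana code: a simplified Java model of the subject-id match under first-applicable combining. The class and method names are hypothetical, and the resource and action matches are assumed to succeed.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.function.Function;

// Simplified model (assumption): not Balana's API, only the bag handling at issue.
public class SubjectBagDemo {

    // Behaviour reported before the fix: only the first value reaches the bag.
    static List<String> firstValueOnly(List<String> values) {
        return values.isEmpty() ? List.of() : List.of(values.get(0));
    }

    // Behaviour after the fix: every value of the attribute reaches the bag.
    static List<String> allValues(List<String> values) {
        return List.copyOf(values);
    }

    // Rule1 permits when any subject-id in the bag equals "everyone";
    // otherwise first-applicable falls through to Rule2, which denies.
    static String decide(List<String> subjectIds,
                         Function<List<String>, List<String>> bagBuilder) {
        boolean rule1Matches = bagBuilder.apply(subjectIds).stream()
                .anyMatch("everyone"::equals);
        return rule1Matches ? "Permit" : "Deny";
    }

    // Regression check: the decision must not change when the same values
    // are sent in a different order (here: every rotation of the list).
    static boolean orderIndependent(List<String> subjectIds,
                                    Function<List<String>, List<String>> bagBuilder) {
        String expected = decide(subjectIds, bagBuilder);
        List<String> rotated = new ArrayList<>(subjectIds);
        for (int i = 1; i < subjectIds.size(); i++) {
            Collections.rotate(rotated, 1);
            if (!decide(rotated, bagBuilder).equals(expected)) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        List<String> subjects = List.of("admin", "everyone"); // constructed sample request
        System.out.println("first value only, order independent: "
                + orderIndependent(subjects, SubjectBagDemo::firstValueOnly));
        System.out.println("all values, order independent: "
                + orderIndependent(subjects, SubjectBagDemo::allValues));
    }
}
```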
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
