On Sun, Oct 30, 2016 at 8:07 PM, Pulasthi Mahawithana <pulast...@wso2.com>
wrote:

> Hi,
>
> I wrote an XACML policy which has a rule involving the current time. When a
> request is made, the XACML response is given as below.
>
> <Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
>   <Result>
>     <Decision>Indeterminate</Decision>
>     <Status>
>       <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:missing-attribute"/>
>       <StatusMessage>Couldn't find AttributeDesignator attribute</StatusMessage>
>       <StatusDetail>
>         <MissingAttributeDetail
>             AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"
>             DataType="http://www.w3.org/2001/XMLSchema#time"
>             Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" ></MissingAttributeDetail>
>       </StatusDetail>
>     </Status>
>   </Result>
> </Response>
>
> Although the "CurrentEnvModule" class is able to provide the current time,
> it is not even called.
>
> When I debugged for the reason, I found out that at [1], the callHelper
> method (which will pick the missing values from attribute finders) is not
> called when the 'mapAttributes' do not have the category of the missing
> attribute. Since the 'mappedAttributes' are taken from the XACML request,
> according to the current implementation, the request should have at least
> one attribute each from the categories we include in the policy. In my case
> I need to send an attribute from the
> "urn:oasis:names:tc:xacml:3.0:attribute-category:environment" category in
> the XACML request in order to get the current time.
>
> Is this intentional? Shouldn't we move the code at [1] to L146?
>

Yes.. it seems to be.  Please check line 5277 in XACML spec [2]

[2] http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.pdf


>
> [1] https://github.com/wso2/balana/blob/master/modules/balana-core/src/main/java/org/wso2/balana/ctx/xacml3/XACML3EvaluationCtx.java#L142-L144
> --
> *Pulasthi Mahawithana*
> Senior Software Engineer
> WSO2 Inc., http://wso2.com/
> Mobile: +94-71-5179022
> Blog: http://blog.pulasthi.org
>



-- 
Thanks & Regards,
Asela

ATL
Mobile : +94 777 625 933
             +358 449 228 979

http://soasecurity.org/
http://xacmlinfo.org/
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
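
The lookup behaviour discussed in this thread, as an added example that is not part of either message and is not Balana's code: a simplified Python model in which the attribute finder is consulted only when the request already carries the attribute's category, next to a variant that consults it whenever the request has no value. The function names, the require_category switch and the sample requests are assumptions made for illustration.

```python
from datetime import datetime, timezone

ENV = "urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
CURRENT_TIME = "urn:oasis:names:tc:xacml:1.0:environment:current-time"
MISSING = "urn:oasis:names:tc:xacml:1.0:status:missing-attribute"
OK = "urn:oasis:names:tc:xacml:1.0:status:ok"

# Constructed requests (not from the thread): category -> {attribute id: [values]}.
SUBJECT_ONLY = {SUBJECT: {"urn:oasis:names:tc:xacml:1.0:subject:subject-id": ["alice"]}}
WITH_ENV = {**SUBJECT_ONLY, ENV: {"example:placeholder": ["x"]}}


def current_env_finder(category, attribute_id):
    """Hypothetical stand-in for a finder that can supply the current time."""
    if category == ENV and attribute_id == CURRENT_TIME:
        return [datetime.now(timezone.utc).time().isoformat()]
    return []


def resolve(request, category, attribute_id, finder, require_category):
    """Return (values, status code) for one attribute designator.

    require_category=True models the behaviour described in the post: the
    finder is consulted only if the request already contains the category.
    require_category=False consults the finder whenever the request itself
    has no value for the attribute.
    """
    in_request = request.get(category)
    if in_request is None and require_category:
        return [], MISSING  # the finder is never consulted
    values = (in_request or {}).get(attribute_id, [])
    if not values:
        values = finder(category, attribute_id)
    return (values, OK) if values else ([], MISSING)


if __name__ == "__main__":
    for name, req in (("subject only", SUBJECT_ONLY), ("with environment", WITH_ENV)):
        for gated in (True, False):
            _, status = resolve(req, ENV, CURRENT_TIME, current_env_finder, gated)
            print(f"{name:17} gated={gated!s:5} -> {status.rsplit(':', 1)[1]}")
```

Only the "subject only" request with the category gate enabled ends in missing-attribute, which is the Indeterminate case quoted in the original message.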