I was able to fix this by writing the condition as follows:

<Rule Effect="Permit" RuleId="permit_by_roles">
    <Condition>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
            <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"/>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">^manager_.*$</AttributeValue>
            <AttributeDesignator AttributeId="http://wso2.org/claims/role"
                Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                DataType="http://www.w3.org/2001/XMLSchema#string"
                MustBePresent="true"/>
        </Apply>
    </Condition>
</Rule>
Thanks @Godwin Shrimal <[email protected]>
[1] http://xacmlinfo.org/2013/09/02/how-write-xacml-policies-1/
On Fri, Sep 28, 2018 at 10:05 AM Rajith Siriwardena <[email protected]> wrote:
> + Dev
>
> On Fri, Sep 28, 2018 at 9:41 AM Rajith Siriwardena <[email protected]>
> wrote:
>
>> Hi
>>
>> I'm getting the following error when I try to apply a regex function to
>> an XACML policy.
>>
>> Policy
>>
>> ---------
>> <Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
>>         PolicyId="authn_bank_admin_role_based_policy_template"
>>         RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
>>         Version="1.0">
>>     <Description>This policy is for role based authentication for managers</Description>
>>     <Target>
>>         <AnyOf>
>>             <AllOf>
>>                 <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>                     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">saml2-web-app-dispatch.com</AttributeValue>
>>                     <AttributeDesignator AttributeId="http://wso2.org/identity/sp/sp-name"
>>                         Category="http://wso2.org/identity/sp"
>>                         DataType="http://www.w3.org/2001/XMLSchema#string"
>>                         MustBePresent="false"/>
>>                 </Match>
>>                 <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>                     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">authenticate</AttributeValue>
>>                     <AttributeDesignator AttributeId="http://wso2.org/identity/identity-action/action-name"
>>                         Category="http://wso2.org/identity/identity-action"
>>                         DataType="http://www.w3.org/2001/XMLSchema#string"
>>                         MustBePresent="false"/>
>>                 </Match>
>>             </AllOf>
>>         </AnyOf>
>>     </Target>
>>     <Rule Effect="Permit" RuleId="permit_by_roles">
>>         <Condition>
>>             <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
>>                 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">{ ^manager_.*$ }</AttributeValue>
>>                 <AttributeDesignator AttributeId="http://wso2.org/claims/role"
>>                     Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
>>                     DataType="http://www.w3.org/2001/XMLSchema#string"
>>                     MustBePresent="true"/>
>>             </Apply>
>>         </Condition>
>>     </Rule>
>>     <Rule Effect="Deny" RuleId="deny_others"/>
>> </Policy>
>>
>> ----------
>>
>> Error log
>>
>> [2018-09-28 09:32:20,260] ERROR
>> {org.wso2.carbon.identity.entitlement.pap.PAPPolicyReader} - Error while
>> parsing the policy
>> java.lang.IllegalArgumentException: illegal parameter
>> at org.wso2.balana.cond.FunctionBase.checkInputs(FunctionBase.java:380)
>> at org.wso2.balana.cond.Apply.<init>(Apply.java:89)
>> at org.wso2.balana.cond.Apply.getInstance(Apply.java:227)
>> at org.wso2.balana.cond.Apply.getInstance(Apply.java:188)
>> at
>> org.wso2.balana.cond.ExpressionHandler.parseExpression(ExpressionHandler.java:53)
>> at org.wso2.balana.cond.Condition.getInstance(Condition.java:177)
>> at org.wso2.balana.Rule.getInstance(Rule.java:237)
>> at org.wso2.balana.Policy.<init>(Policy.java:303)
>> at org.wso2.balana.Policy.getInstance(Policy.java:382)
>> at
>> org.wso2.carbon.identity.entitlement.pap.PAPPolicyReader.handleDocument(PAPPolicyReader.java:158)
>> at
>> org.wso2.carbon.identity.entitlement.pap.PAPPolicyReader.getPolicy(PAPPolicyReader.java:119)
>> at
>> org.wso2.carbon.identity.entitlement.EntitlementPolicyAdminService.addOrUpdatePolicy(EntitlementPolicyAdminService.java:741)
>> at
>> org.wso2.carbon.identity.entitlement.EntitlementPolicyAdminService.updatePolicy(EntitlementPolicyAdminService.java:170)
>> at sun.reflect.GeneratedMethodAccessor254.invoke(Unknown Source)
>> at
>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> at java.lang.reflect.Method.invoke(Method.java:498)
>> at
>> org.apache.axis2.rpc.receivers.RPCUtil.invokeServiceClass(RPCUtil.java:212)
>> at
>> org.apache.axis2.rpc.receivers.RPCMessageReceiver.invokeBusinessLogic(RPCMessageReceiver.java:117)
>> at
>> org.apache.axis2.receivers.AbstractInOutMessageReceiver.invokeBusinessLogic(AbstractInOutMessageReceiver.java:40)
>> at
>> org.apache.axis2.receivers.AbstractMessageReceiver.receive(AbstractMessageReceiver.java:110)
>> at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
>> at
>> org.apache.axis2.transport.local.LocalTransportReceiver.processMessage(LocalTransportReceiver.java:170)
>> at
>> org.apache.axis2.transport.local.LocalTransportReceiver.processMessage(LocalTransportReceiver.java:82)
>> at
>> org.wso2.carbon.core.transports.local.CarbonLocalTransportSender.finalizeSendWithToAddress(CarbonLocalTransportSender.java:45)
>> at
>> org.apache.axis2.transport.local.LocalTransportSender.invoke(LocalTransportSender.java:77)
>> at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:442)
>> at
>> org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:441)
>> at
>> org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:227)
>> at
>> org.apache.axis2.client.OperationClient.execute(OperationClient.java:149)
>> at
>> org.wso2.carbon.identity.entitlement.stub.EntitlementPolicyAdminServiceStub.updatePolicy(EntitlementPolicyAdminServiceStub.java:1973)
>> at
>> org.wso2.carbon.identity.entitlement.ui.client.EntitlementPolicyAdminServiceClient.updatePolicy(EntitlementPolicyAdminServiceClient.java:210)
>> at
>> org.apache.jsp.entitlement.update_002dpolicy_002dsubmit_jsp._jspService(update_002dpolicy_002dsubmit_jsp.java:147)
>> at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
>> at
>> org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:439)
>> at
>> org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:395)
>> at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:339)
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
>> at org.wso2.carbon.ui.JspServlet.service(JspServlet.java:155)
>> at org.wso2.carbon.ui.TilesJspServlet.service(TilesJspServlet.java:80)
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
>> at
>> org.eclipse.equinox.http.helper.ContextPathServletAdaptor.service(ContextPathServletAdaptor.java:37)
>> at
>> org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
>> at
>> org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
>> at
>> org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:68)
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
>> at
>> org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
>> at
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
>> at
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>> at
>> org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:743)
>> at
>> org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:603)
>> at
>> org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:542)
>> at
>> org.eclipse.equinox.http.servlet.internal.RequestDispatcherAdaptor.include(RequestDispatcherAdaptor.java:37)
>> at
>> org.eclipse.equinox.http.helper.ContextPathServletAdaptor$RequestDispatcherAdaptor.include(ContextPathServletAdaptor.java:369)
>> at
>> org.apache.jasper.runtime.JspRuntimeLibrary.include(JspRuntimeLibrary.java:905)
>> at
>> org.apache.jasper.runtime.PageContextImpl.doInclude(PageContextImpl.java:688)
>> at
>> org.apache.jasper.runtime.PageContextImpl.include(PageContextImpl.java:682)
>> at sun.reflect.GeneratedMethodAccessor121.invoke(Unknown Source)
>> at
>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> at java.lang.reflect.Method.invoke(Method.java:498)
>> at org.apache.tiles.jsp.context.JspUtil.doInclude(JspUtil.java:87)
>> at
>> org.apache.tiles.jsp.context.JspTilesRequestContext.include(JspTilesRequestContext.java:88)
>> at
>> org.apache.tiles.jsp.context.JspTilesRequestContext.dispatch(JspTilesRequestContext.java:82)
>> at
>> org.apache.tiles.impl.BasicTilesContainer.render(BasicTilesContainer.java:465)
>> at
>> org.apache.tiles.jsp.taglib.InsertAttributeTag.render(InsertAttributeTag.java:140)
>> at
>> org.apache.tiles.jsp.taglib.InsertAttributeTag.render(InsertAttributeTag.java:117)
>> at
>> org.apache.tiles.jsp.taglib.RenderTagSupport.execute(RenderTagSupport.java:171)
>> at
>> org.apache.tiles.jsp.taglib.RoleSecurityTagSupport.doEndTag(RoleSecurityTagSupport.java:75)
>> at
>> org.apache.tiles.jsp.taglib.ContainerTagSupport.doEndTag(ContainerTagSupport.java:80)
>> at
>> org.apache.jsp.admin.layout.template_jsp._jspx_meth_tiles_005finsertAttribute_005f7(template_jsp.java:733)
>> at
>> org.apache.jsp.admin.layout.template_jsp._jspService(template_jsp.java:396)
>> at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
>> at
>> org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:439)
>> at
>> org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:395)
>> at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:339)
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
>> at org.wso2.carbon.ui.JspServlet.service(JspServlet.java:155)
>> at org.wso2.carbon.ui.TilesJspServlet.service(TilesJspServlet.java:80)
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
>> at
>> org.eclipse.equinox.http.helper.ContextPathServletAdaptor.service(ContextPathServletAdaptor.java:37)
>> at
>> org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
>> at
>> org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
>> at
>> org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:68)
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
>> at
>> org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
>> at
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
>> at
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>> at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>> at
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>> at
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>> at
>> org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:743)
>> at
>> org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:485)
>> at
>> org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:410)
>> at
>> org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:337)
>> at
>> org.eclipse.equinox.http.servlet.internal.RequestDispatcherAdaptor.forward(RequestDispatcherAdaptor.java:30)
>> at
>> org.eclipse.equinox.http.helper.ContextPathServletAdaptor$RequestDispatcherAdaptor.forward(ContextPathServletAdaptor.java:362)
>> at
>> org.apache.tiles.servlet.context.ServletTilesRequestContext.forward(ServletTilesRequestContext.java:198)
>> at
>> org.apache.tiles.servlet.context.ServletTilesRequestContext.dispatch(ServletTilesRequestContext.java:185)
>> at
>> org.apache.tiles.impl.BasicTilesContainer.render(BasicTilesContainer.java:419)
>> at
>> org.apache.tiles.impl.BasicTilesContainer.render(BasicTilesContainer.java:370)
>> at org.wso2.carbon.ui.action.ActionHelper.render(ActionHelper.java:52)
>> at org.wso2.carbon.ui.TilesJspServlet.service(TilesJspServlet.java:101)
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
>> at
>> org.eclipse.equinox.http.helper.ContextPathServletAdaptor.service(ContextPathServletAdaptor.java:37)
>> at
>> org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
>> at
>> org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
>> at
>> org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:68)
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
>> at
>> org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
>> at
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
>> at
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>> at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>> at
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>> at
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>> at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:88)
>> at
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>> at
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>> at
>> org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:124)
>> at
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>> at
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>> at
>> org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:65)
>> at
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>> at
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>> at
>> org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:124)
>> at
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>> at
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>> at
>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
>> at
>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
>> at
>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
>> at
>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>> at
>> org.wso2.carbon.identity.context.rewrite.valve.TenantContextRewriteValve.invoke(TenantContextRewriteValve.java:80)
>> at
>> org.wso2.carbon.identity.authz.valve.AuthorizationValve.invoke(AuthorizationValve.java:91)
>> at
>> org.wso2.carbon.identity.auth.valve.AuthenticationValve.invoke(AuthenticationValve.java:60)
>> at
>> org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
>> at
>> org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
>> at
>> org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
>> at
>> org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
>> at
>> org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
>> at
>> org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
>> at
>> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
>> at
>> org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
>> at
>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>> at
>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
>> at
>> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1115)
>> at
>> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
>> at
>> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1775)
>> at
>> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1734)
>> at
>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>> at
>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>> at
>> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>> at java.lang.Thread.run(Thread.java:748)
>>
>>
>> please let me know if I'm doing anything wrong here.
>>
>> --
>> *Rajith Siriwardana*
>> WSO2 Inc. | http://wso2.com
>> *lean. enterprise. middleware*
>>
>> ---------------------------------------------------
>> *https://home.apache.org/~siriwardana
>> <https://home.apache.org/~siriwardana>*
>>
>>
>>
>> Disclaimer: This communication may contain privileged or other
>> confidential information and is intended exclusively for the addressee/s.
>> If you are not the intended recipient/s, or believe that you may have
>> received this communication in error, please reply to the sender indicating
>> that fact and delete the copy you received and in addition, you should not
>> print, copy, re-transmit, disseminate, or otherwise use the information
>> contained in this communication. Internet communications cannot be
>> guaranteed to be timely, secure, error or virus-free. The sender does not
>> accept liability for any errors or omissions.
>>
>
>
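Why the first policy is rejected and the any-of form works, shown as an added example (this is editor-supplied code, not WSO2 or Balana code): string-regexp-match is defined to take two atomic strings, but an AttributeDesignator always evaluates to a bag, so handing it straight to the function is a type error that the PDP catches while parsing the policy (the PAPPolicyReader -> Apply -> FunctionBase.checkInputs path in the stack trace above), before any request is evaluated. any-of is a higher-order function that takes a Function, one atomic value and one bag, applies the function to the value and each bag member, and is true if any application is true, which is exactly what a multi-valued role claim needs. The small evaluator below models both rules on constructed policy fragments that reuse the thread's attribute identifiers. Its regex matching uses Python's re.search (substring "find" semantics) as an assumption of the example, not a statement about Balana; it is also why the anchors in ^manager_.*$ matter, which the unanchored case demonstrates. The Indeterminate outcome for a missing role follows from MustBePresent="true" under first-applicable.

```python
"""Minimal evaluator for the two XACML <Condition> shapes in this thread.

Added example, not WSO2 or Balana code. check() mirrors the load-time type
check (a bag where an atomic string is expected is rejected); evaluate()
mirrors request-time evaluation. re.search ("find" semantics) is an assumption.
"""
import re
import xml.etree.ElementTree as ET

F = "urn:oasis:names:tc:xacml:1.0:function:"
ROLE_ATTR = "http://wso2.org/claims/role"  # the role claim used in the thread


class PolicyLoadError(Exception):
    """The policy would be rejected when loaded."""


def _tag(el):
    return el.tag.rsplit("}", 1)[-1]


def check(el):
    """Static load-time check. Returns True if `el` yields a bag, False if it
    yields an atomic value; raises PolicyLoadError on a type error."""
    tag, kids = _tag(el), list(el)
    if tag == "Condition":
        if len(kids) != 1 or check(kids[0]):
            raise PolicyLoadError("Condition must be a single atomic expression")
        return False
    if tag == "AttributeValue":
        return False
    if tag == "AttributeDesignator":
        return True  # a designator always evaluates to a bag
    if tag == "Apply":
        fid = el.get("FunctionId")
        if fid == F + "string-regexp-match":
            if len(kids) != 2 or any(check(k) for k in kids):
                raise PolicyLoadError("illegal parameter")  # bag given, string expected
            return False
        if fid == F + "any-of":  # Function, atomic value, bag
            if len(kids) != 3 or _tag(kids[0]) != "Function" \
                    or check(kids[1]) or not check(kids[2]):
                raise PolicyLoadError("illegal parameter")
            return False
        raise PolicyLoadError("unsupported function " + str(fid))
    raise PolicyLoadError("unsupported element " + tag)


def evaluate(el, attrs):
    """Request-time evaluation of a checked expression. `attrs` maps an
    AttributeId to the list of values in the request (every lookup is a bag)."""
    tag, kids = _tag(el), list(el)
    if tag == "Condition":
        return evaluate(kids[0], attrs)
    if tag == "AttributeValue":
        return el.text or ""
    if tag == "AttributeDesignator":
        bag = attrs.get(el.get("AttributeId"), [])
        if not bag and el.get("MustBePresent") == "true":
            raise LookupError("Indeterminate")  # required attribute missing
        return list(bag)
    if el.get("FunctionId") == F + "string-regexp-match":
        regexp, value = (evaluate(k, attrs) for k in kids)
        return re.search(regexp, value) is not None
    # any-of over string-regexp-match: regexp is kids[1], the role bag is kids[2]
    regexp = evaluate(kids[1], attrs)
    return any(re.search(regexp, m) is not None for m in evaluate(kids[2], attrs))


# Constructed policy fragments, namespaced like the policy in the thread.
ROLE_DESIGNATOR = (f'<AttributeDesignator AttributeId="{ROLE_ATTR}" '
                   'Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" '
                   'DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>')
VALUE = '<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">{}</AttributeValue>'


def _condition(apply_body):
    return ('<Condition xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">'
            + apply_body + '</Condition>')


def broken_condition(regexp="^manager_.*$"):
    """The first form posted in the thread: the designator (a bag) fed straight in."""
    return _condition(f'<Apply FunctionId="{F}string-regexp-match">'
                      + VALUE.format(regexp) + ROLE_DESIGNATOR + '</Apply>')


def fixed_condition(regexp="^manager_.*$"):
    """The any-of form from the fix."""
    return _condition(f'<Apply FunctionId="{F}any-of"><Function FunctionId="{F}string-regexp-match"/>'
                      + VALUE.format(regexp) + ROLE_DESIGNATOR + '</Apply>')


def loads(condition_xml):
    """True if the PDP would accept the fragment at load time."""
    try:
        check(ET.fromstring(condition_xml))
        return True
    except PolicyLoadError:
        return False


def decide(condition_xml, roles):
    """Outcome of the thread's rule pair under first-applicable: Permit if the
    condition holds, Deny from deny_others otherwise, Indeterminate if the
    required role attribute is absent from the request."""
    root = ET.fromstring(condition_xml)
    check(root)
    try:
        return "Permit" if evaluate(root, {ROLE_ATTR: roles}) else "Deny"
    except LookupError:
        return "Indeterminate"


if __name__ == "__main__":
    print(loads(broken_condition()), loads(fixed_condition()))       # False True
    print(decide(fixed_condition(), ["manager_sales", "employee"]))   # Permit
    print(decide(fixed_condition(), ["employee"]))                    # Deny
    print(decide(fixed_condition("manager_"), ["not_manager_x"]))     # Permit (unanchored)
    print(decide(fixed_condition(), []))                              # Indeterminate
```

The unanchored case is the practical caveat: with find-style matching, a pattern such as manager_ would also permit a role like not_manager_x, so keep the ^ and $ from the thread's regex (or use string-equal per role) when the role names are attacker-influenced, for example roles provisioned through a self-service or federated claim mapping.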
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev