Carlos:
I think your action id value (readds) looks suspicious: The action
id is going to be something like
"urn:fedora:names:fedora:2.1:action:id-getDatastreamDissemination" if
you're fetching the datastream content.
Also, and this is just a matter of aesthetics: You don't need to
reproduce the attribute matches from the policy target in each rule,
so you could remove the later references to the object's pid. You
might also consider using a string bag for all those datastream ids
rather than separate matches: There's an example of this in the
default policies ('deny-apim-if-not-localhost.xml').
regards,
Ben
On Mon, Jul 2, 2012 at 11:53 AM, Carlos Santos
<[email protected]> wrote:
> Greetings,
>
> I am trying to define multiple rules in a FESLPOLICY datastream but it isn't
> working (the policies aren't applied). The following is the content of the
> policy ds:
>
>> <Policy PolicyId="pid"
>> RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
>> xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
>> xmlns:schemaLocation="http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-context-schema-os.xsd"
>> xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>> <Description>FESLPOLICY for empid:1001</Description>
>> <!-- This policy applies to the resource empid:1001 -->
>> <Target>
>> <Resources>
>> <Resource>
>> <ResourceMatch
>> MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>> <AttributeValue
>> DataType="http://www.w3.org/2001/XMLSchema#string">empid:1001</AttributeValue>
>> <ResourceAttributeDesignator
>> AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
>> DataType="http://www.w3.org/2001/XMLSchema#string"/>
>> </ResourceMatch>
>> </Resource>
>> </Resources>
>> </Target>
>>
>> <!-- The object is visible to any subject -->
>> <Rule Effect="Permit" RuleId="public-object">
>> <Target>
>> <Resources>
>> <Resource>
>> <ResourceMatch
>> MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>> <AttributeValue
>> DataType="http://www.w3.org/2001/XMLSchema#string">empid:1001</AttributeValue>
>> <ResourceAttributeDesignator
>> AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
>> DataType="http://www.w3.org/2001/XMLSchema#string"/>
>> </ResourceMatch>
>> </Resource>
>> </Resources>
>> <Actions>
>> <Action>
>> <ActionMatch
>> MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>> <AttributeValue
>> DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
>> <ActionAttributeDesignator
>> AttributeId="urn:fedora:names:fedora:2.1:action:id"
>> DataType="http://www.w3.org/2001/XMLSchema#string"/>
>> </ActionMatch>
>> </Action>
>> </Actions>
>> </Target>
>> </Rule>
>>
>> <!-- The meta datastreams are public -->
>> <Rule Effect="Permit" RuleId="public-meta">
>> <Target>
>> <Resources>
>> <Resource>
>> <ResourceMatch
>> MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>> <AttributeValue
>> DataType="http://www.w3.org/2001/XMLSchema#string">empid:1001</AttributeValue>
>> <ResourceAttributeDesignator
>> AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
>> DataType="http://www.w3.org/2001/XMLSchema#string"/>
>> </ResourceMatch>
>> <ResourceMatch
>> MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>> <AttributeValue
>> DataType="http://www.w3.org/2001/XMLSchema#string">EM</AttributeValue>
>> <ResourceAttributeDesignator
>> AttributeId="urn:fedora:names:fedora:2.1:resource:datastream:id"
>> DataType="http://www.w3.org/2001/XMLSchema#string"/>
>> </ResourceMatch>
>> </Resource>
>> <Resource>
>> <ResourceMatch
>> MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>> <AttributeValue
>> DataType="http://www.w3.org/2001/XMLSchema#string">empid:1001</AttributeValue>
>> <ResourceAttributeDesignator
>> AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
>> DataType="http://www.w3.org/2001/XMLSchema#string"/>
>> </ResourceMatch>
>> <ResourceMatch
>> MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>> <AttributeValue
>> DataType="http://www.w3.org/2001/XMLSchema#string">DC</AttributeValue>
>> <ResourceAttributeDesignator
>> AttributeId="urn:fedora:names:fedora:2.1:resource:datastream:id"
>> DataType="http://www.w3.org/2001/XMLSchema#string"/>
>> </ResourceMatch>
>> </Resource>
>> <Resource>
>> <ResourceMatch
>> MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>> <AttributeValue
>> DataType="http://www.w3.org/2001/XMLSchema#string">empid:1001</AttributeValue>
>> <ResourceAttributeDesignator
>> AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
>> DataType="http://www.w3.org/2001/XMLSchema#string"/>
>> </ResourceMatch>
>> <ResourceMatch
>> MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>> <AttributeValue
>> DataType="http://www.w3.org/2001/XMLSchema#string">Request</AttributeValue>
>> <ResourceAttributeDesignator
>> AttributeId="urn:fedora:names:fedora:2.1:resource:datastream:id"
>> DataType="http://www.w3.org/2001/XMLSchema#string"/>
>> </ResourceMatch>
>> </Resource>
>> <Resource>
>> <ResourceMatch
>> MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>> <AttributeValue
>> DataType="http://www.w3.org/2001/XMLSchema#string">empid:1001</AttributeValue>
>> <ResourceAttributeDesignator
>> AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
>> DataType="http://www.w3.org/2001/XMLSchema#string"/>
>> </ResourceMatch>
>> <ResourceMatch
>> MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>> <AttributeValue
>> DataType="http://www.w3.org/2001/XMLSchema#string">RELS-EXT</AttributeValue>
>> <ResourceAttributeDesignator
>> AttributeId="urn:fedora:names:fedora:2.1:resource:datastream:id"
>> DataType="http://www.w3.org/2001/XMLSchema#string"/>
>> </ResourceMatch>
>> </Resource>
>> </Resources>
>> <Actions>
>> <Action>
>> <ActionMatch
>> MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>> <AttributeValue
>> DataType="http://www.w3.org/2001/XMLSchema#string">readds</AttributeValue>
>> <ActionAttributeDesignator
>> AttributeId="urn:fedora:names:fedora:2.1:action:id"
>> DataType="http://www.w3.org/2001/XMLSchema#string"/>
>> </ActionMatch>
>> </Action>
>> </Actions>
>> </Target>
>> </Rule>
>> <!-- Deny everything else -->
>> <Rule Effect="Deny" RuleId="3"/>
>> </Policy>
>
>
> If anyone finds the problem I would be very grateful.
>
>
> --
> cumprimentos,
> Carlos Santos @ LaSIGE
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Fedora-commons-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
>
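The policy below is an added example that applies Ben's three points to Carlos's FESLPOLICY; it is not code from the thread or from the Fedora project. It keeps the pid match in the policy target only, uses the action id Ben gives for fetching datastream content, and replaces the four per-datastream <Resource> blocks with a single string bag in a <Condition>, which is the XACML 2.0 shape (a Condition wrapping an Apply) that Ben's pointer to 'deny-apim-if-not-localhost.xml' refers to. The PolicyId and RuleIds are my own choices, and the 'public-object' rule from the original is left out because the thread gives no action id for it: it needs the real urn:fedora:names:fedora:2.1:action:id-... value for whichever API method it is meant to permit, following the same pattern as the datastream rule.

```xml
<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
        PolicyId="empid-1001-feslpolicy"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Description>FESLPOLICY for empid:1001 (example rewrite, not the original)</Description>

  <!-- The pid match is stated once, here; every rule below inherits it,
       so the rules do not repeat the object:pid ResourceMatch. -->
  <Target>
    <Resources>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">empid:1001</AttributeValue>
          <ResourceAttributeDesignator
              AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
              DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </ResourceMatch>
      </Resource>
    </Resources>
  </Target>

  <!-- Any subject may fetch the content of the listed metadata datastreams.
       The action id is the full Fedora URN, not a short word like "readds". -->
  <Rule Effect="Permit" RuleId="public-meta">
    <Target>
      <Actions>
        <Action>
          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:id-getDatastreamDissemination</AttributeValue>
            <ActionAttributeDesignator
                AttributeId="urn:fedora:names:fedora:2.1:action:id"
                DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ActionMatch>
        </Action>
      </Actions>
    </Target>
    <!-- One bag of datastream ids instead of one <Resource> block per id.
         The designator yields a bag, so the two-bag function
         string-at-least-one-member-of compares it against the literal bag. -->
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
        <ResourceAttributeDesignator
            AttributeId="urn:fedora:names:fedora:2.1:resource:datastream:id"
            DataType="http://www.w3.org/2001/XMLSchema#string"/>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">EM</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">DC</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Request</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">RELS-EXT</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>

  <!-- first-applicable: any request on empid:1001 that no earlier rule
       permitted ends here. -->
  <Rule Effect="Deny" RuleId="deny-rest"/>
</Policy>
```

Two things to check before loading this: with first-applicable and a trailing Deny, a request for a datastream id outside the bag makes the Permit rule NotApplicable and falls through to the Deny, which is the intended behaviour, but the same Deny also covers every other action on empid:1001 that this policy does not explicitly permit, so confirm that is what you want for this object. And because the Target now matches only on pid and action, the datastream check is entirely in the Condition; a typo in the bag silently denies that datastream rather than failing at load time, so test each listed id against a running instance.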