Hi Arleis,
Your XACML policy is not valid according to the XACML policy schema. The
<Condition> element must be inside the <Rule> element. But if you look
carefully, you can see that <Condition> is under the <Policy> element. That
may be the reason Identity Server does not process the <Condition> element.
Also, most of the function IDs and data types defined under the <Condition>
element are not fully qualified. This also generates some errors when
uploading your policy to the Identity Server. Also, when you are defining
the time, please make sure to configure the time offset according to the
timezone. As an example, you can try the following XACML policy that I
modified. Hope this would be helpful for you.
<Policy PolicyId="POP_TIME_IN_RANGE"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
        xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
  <!-- The XACML 2.0 schema requires the policy-level Target before the Rules;
       an empty Target matches every request and leaves matching to the Rules. -->
  <Target/>
  <Rule Effect="Permit" RuleId="Details_POPrule1">
    <Target>
      <Resources>
        <Resource>
          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">https://localhost:9443/services/recurso</AttributeValue>
            <ResourceAttributeDesignator
                AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ResourceMatch>
        </Resource>
      </Resources>
      <Actions>
        <Action>
          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
            <ActionAttributeDesignator
                AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ActionMatch>
        </Action>
      </Actions>
      <Subjects>
        <Subject>
          <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">aprieto</AttributeValue>
            <SubjectAttributeDesignator
                AttributeId="http://wso2.org/claims/givenname"
                DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </SubjectMatch>
        </Subject>
      </Subjects>
    </Target>
    <!-- Condition lives inside the Rule; every FunctionId, AttributeId and
         DataType is a fully qualified URI, and the time literals carry an
         explicit offset so they are not interpreted in the PDP's local zone. -->
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:2.0:function:time-in-range">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
          <EnvironmentAttributeDesignator
              AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"
              DataType="http://www.w3.org/2001/XMLSchema#time"/>
        </Apply>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">14:00:00+05:00</AttributeValue>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">18:00:00+05:00</AttributeValue>
      </Apply>
    </Condition>
  </Rule>
  <!-- No Target on this Rule, so with first-applicable it denies every request
       the Permit rule did not match. -->
  <Rule Effect="Deny" RuleId="nombreRegla1"/>
</Policy>
Thanks,
Asela.
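The three problems named in the reply (a <Condition> that is not inside a <Rule>, identifiers that are not fully qualified URIs, and xs:time literals without a timezone offset) can be caught before a policy is uploaded. The following lint script is an added example written for this thread; it is not WSO2 or Balana code and makes no claim about how Identity Server reports these errors. Both embedded policies are constructed samples modelled on the two policies in the thread (the rule IDs and the simplified targets are assumptions), and the checks rely only on the Python standard library.

```python
"""Static lint for the XACML 2.0 policy mistakes discussed in the thread.

Added example, not part of WSO2 Identity Server or Balana. It parses a
<Policy> document and reports: element-order violations (Condition outside
Rule, policy Target after a Rule), identifiers that are not absolute URIs,
and xs:time values without an explicit timezone offset.
"""
import re
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
XS_TIME = "http://www.w3.org/2001/XMLSchema#time"
# An absolute URI: a scheme, a colon, then at least one non-space character.
# A leading space (what an e-mail line wrap turns into) fails this on purpose.
ABS_URI = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:\S+$")
TIME_WITH_TZ = re.compile(r"^\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$")
ID_ATTRS = ("FunctionId", "MatchId", "AttributeId", "DataType", "RuleCombiningAlgId")


def _tag(name):
    return f"{{{XACML_NS}}}{name}"


def lint_policy(xml_text):
    """Return a list of findings for an XACML 2.0 <Policy>; an empty list means clean."""
    findings = []
    root = ET.fromstring(xml_text.strip())
    if root.tag != _tag("Policy"):
        return [f"root element is {root.tag}, expected XACML 2.0 <Policy>"]

    # Check 1: element order. The schema wants the policy-level <Target> before
    # any <Rule>, and <Condition> is only legal inside a <Rule>.
    seen_rule = seen_target = False
    for child in root:
        if child.tag == _tag("Target"):
            seen_target = True
            if seen_rule:
                findings.append("policy-level <Target> appears after a <Rule>; it must precede the rules")
        elif child.tag == _tag("Rule"):
            seen_rule = True
        elif child.tag == _tag("Condition"):
            findings.append("<Condition> is a direct child of <Policy>; move it inside a <Rule>")
    if not seen_target:
        findings.append("<Policy> has no <Target>; the schema requires one (<Target/> matches everything)")

    # Check 2: every identifier attribute must be a fully qualified URI.
    for el in root.iter():
        local = el.tag.split("}")[-1]
        for attr in ID_ATTRS:
            value = el.get(attr)
            if value is not None and not ABS_URI.match(value):
                findings.append(f'{attr}="{value}" on <{local}> is not a fully qualified URI')

    # Check 3: xs:time literals without an offset are compared in whatever zone
    # the PDP host runs in, which is rarely what the policy author intended.
    for el in root.iter(_tag("AttributeValue")):
        if el.get("DataType") == XS_TIME:
            text = (el.text or "").strip()
            if not TIME_WITH_TZ.match(text):
                findings.append(f'time value "{text}" has no timezone offset (e.g. 14:00:00+05:00)')
    return findings


# Constructed sample: the shape of the policy in the question (Condition under
# Policy, Target after the self-closed Rule, short unqualified identifiers).
BROKEN_POLICY = """
<Policy PolicyId="example-broken"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
        xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
  <Rule Effect="Permit" RuleId="permit-in-hours"/>
  <Target/>
  <Condition>
    <Apply FunctionId="time-in-range">
      <Apply FunctionId="time-one-and-only">
        <EnvironmentAttributeDesignator AttributeId="current-time" DataType="time"/>
      </Apply>
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">08:00:00</AttributeValue>
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">18:00:00</AttributeValue>
    </Apply>
  </Condition>
  <Rule Effect="Deny" RuleId="deny-otherwise"/>
</Policy>
"""

# Constructed sample: the shape of the corrected policy from the reply.
FIXED_POLICY = """
<Policy PolicyId="example-fixed"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
        xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
  <Target/>
  <Rule Effect="Permit" RuleId="permit-in-hours">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:2.0:function:time-in-range">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
          <EnvironmentAttributeDesignator
              AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"
              DataType="http://www.w3.org/2001/XMLSchema#time"/>
        </Apply>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">14:00:00+05:00</AttributeValue>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">18:00:00+05:00</AttributeValue>
      </Apply>
    </Condition>
  </Rule>
  <Rule Effect="Deny" RuleId="deny-otherwise"/>
</Policy>
"""

if __name__ == "__main__":
    for name, doc in (("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY)):
        print(f"{name}: {len(lint_policy(doc))} finding(s)")
        for f in lint_policy(doc):
            print("  -", f)
```

Run it on a policy file before uploading; the broken sample yields eight findings (two ordering errors, four unqualified identifiers, two offset-less times) and the fixed sample yields none. The URI regex deliberately rejects a leading space, which is what an XML parser produces from an attribute value that was wrapped onto a new line in e-mail, so the lint also catches copy-paste damage of the kind visible in the thread.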
On Fri, May 4, 2012 at 10:37 PM, Arleis Prieto Riverón <[email protected]> wrote:
> Hi all
> I am interested in knowing why Identity Server does not process the
> <Condition> in the following policy...
> Thanks in advance
>
> <Policy PolicyId="POP_TIME_IN_RANGE"
>         RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
>         xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
>   <Rule Effect="Permit" RuleId="Details_POPrule1"/>
>   <Target>
>     <Resources>
>       <Resource>
>         <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">https://localhost:9443/services/recurso</AttributeValue>
>           <ResourceAttributeDesignator
>               AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
>               DataType="http://www.w3.org/2001/XMLSchema#string"/>
>         </ResourceMatch>
>       </Resource>
>     </Resources>
>     <Actions>
>       <Action>
>         <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
>           <ActionAttributeDesignator
>               AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
>               DataType="http://www.w3.org/2001/XMLSchema#string"/>
>         </ActionMatch>
>       </Action>
>     </Actions>
>     <Subjects>
>       <Subject>
>         <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">aprieto</AttributeValue>
>           <SubjectAttributeDesignator
>               AttributeId="http://wso2.org/claims/givenname"
>               DataType="http://www.w3.org/2001/XMLSchema#string"/>
>         </SubjectMatch>
>       </Subject>
>     </Subjects>
>   </Target>
>   <Condition>
>     <Apply FunctionId="time-in-range">
>       <Apply FunctionId="time-one-and-only">
>         <EnvironmentAttributeDesignator AttributeId="current-time"
>                                         DataType="time" MustBePresent="true"/>
>       </Apply>
>       <AttributeValue DataType="time">08:00:00</AttributeValue>
>       <AttributeValue DataType="time">18:00:00</AttributeValue>
>     </Apply>
>   </Condition>
>   <Rule Effect="Deny" RuleId="nombreRegla1"/>
>   <Target/>
> </Policy>
>
> 10th ANNIVERSARY OF THE FOUNDING OF THE UNIVERSITY OF INFORMATICS
> SCIENCES...
> CONNECTED TO THE FUTURE, CONNECTED TO THE REVOLUTION
>
> http://www.uci.cu
> http://www.facebook.com/universidad.uci
> http://www.flickr.com/photos/universidad_uci
> _______________________________________________
> User mailing list
> [email protected]
> http://wso2.org/cgi-bin/mailman/listinfo/user
>