OASIS eXtensible Access Control Markup Language (XACML) TC

Re: [xacml] string-equal and bags

    Posted 05-11-2005 17:24

    Subject: Re: [xacml] string-equal and bags


    
    On May 11, 2005, at 11:57 AM, Rich Salz wrote:
    > Test IIC003Policy.xml has this fragment:
    >        <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
    >            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">convicted-felon</AttributeValue>
    >            <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:conformance-test:group"
    >                  DataType="http://www.w3.org/2001/XMLSchema#string"/>
    >        </Condition>
    >
    > But SubjectAttributeDesignator returns a bag of strings and  
    > string-equal doesn't work on bags.
    >
    > Is the test wrong, or are we missing something?
    
    You and Polar are both right that this is invalid. From the "special  
    instructions" for test case IIC003:
    
       "Special Instructions for Test Case II.C.3
    
        The policy for this test contains a static type error.
    
        If an initial policy with static type errors MAY EVER be evaluated
        by the implementation's XACML PDP at the time a Request is
        received, then this test MUST be passed.  In this case, the
        result MUST be consistent with the supplied IIC003Response.xml
        file: it returns a Decision of Indeterminate with a StatusCode
        value of "urn:oasis:names:tc:xacml:1.0:status:processing-error".
    
        If the implementation's XACML PDP CAN NEVER attempt to evaluate
        an initial policy with static type errors at the time a Request
        is received, then the implementation MUST demonstrate that the
        policy in IIA003Policy.xml will be rejected by whatever entity is
        responsible for validating policy syntax in the system in which
        the XACML PDP will be used.  In this case, the supplied Request
        and Response files are not relevant and may be ignored."
    
    This test is supposed to fail. You need to read the documentation on  
    the tests, cause there are others designed this way too. In this case,  
    the test is specifically catching the fact that you can't implicitly  
    take the bag and turn it into a single string value.
    
    
    seth
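
The static type error discussed in this thread, as an added example that is not part of the original message, the conformance suite, or any XACML implementation: a minimal checker that types the quoted Condition without evaluating a request. The names type_of, static_type_errors and SIGNATURES are hypothetical, the signature table covers only the two functions used, and the second fragment (wrapping the designator in string-one-and-only) is a constructed variant, not a file from the test suite.

```python
import xml.etree.ElementTree as ET

FN = "urn:oasis:names:tc:xacml:1.0:function:"
XS = "http://www.w3.org/2001/XMLSchema#"
# (parameter types, return type); each type is (DataType, is_bag).
# Only the two functions this example needs are listed.
SIGNATURES = {
    FN + "string-equal": ([(XS + "string", False)] * 2, (XS + "boolean", False)),
    FN + "string-one-and-only": ([(XS + "string", True)], (XS + "string", False)),
}

def type_of(node, errors):
    """Return (DataType, is_bag) of an expression node; append mismatches to errors."""
    if node.tag == "AttributeValue":
        return (node.get("DataType"), False)
    if node.tag.endswith("AttributeDesignator"):
        return (node.get("DataType"), True)  # a designator always yields a bag
    if node.tag not in ("Condition", "Apply"):
        raise ValueError(f"unsupported element: {node.tag}")
    fid = node.get("FunctionId")
    if fid not in SIGNATURES:
        raise ValueError(f"no signature for {fid}")
    params, result = SIGNATURES[fid]
    args = [type_of(child, errors) for child in node]
    if args != params:
        errors.append(f"{fid[len(FN):]}: expected {params}, got {args}")
    return result

def static_type_errors(condition_xml):
    """Type-check one <Condition> without evaluating it against a request."""
    errors = []
    type_of(ET.fromstring(condition_xml), errors)
    return errors

DESIGNATOR = ('<SubjectAttributeDesignator '
              'AttributeId="urn:oasis:names:tc:xacml:1.0:conformance-test:group" '
              f'DataType="{XS}string"/>')
TEMPLATE = (f'<Condition FunctionId="{FN}string-equal">'
            f'<AttributeValue DataType="{XS}string">convicted-felon</AttributeValue>'
            '{arg}</Condition>')
# The fragment quoted from IIC003Policy.xml: string-equal applied to a bag.
IIC003_FRAGMENT = TEMPLATE.format(arg=DESIGNATOR)
# Constructed variant: the bag is reduced explicitly before the comparison.
EXPLICIT = TEMPLATE.format(
    arg=f'<Apply FunctionId="{FN}string-one-and-only">{DESIGNATOR}</Apply>')

if __name__ == "__main__":
    for name, doc in (("IIC003", IIC003_FRAGMENT), ("explicit", EXPLICIT)):
        print(name, static_type_errors(doc) or "ok")
```

A policy loader that runs a check like this and rejects the policy takes the second branch of the special instructions; a PDP that only finds the mismatch at request time takes the first and returns Indeterminate.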
    
    

