WSO2 Identity XACML - Support for Condition Statement?

Question

Having issues with the XACML Version 3 syntax validator inside the WSO2 XML editor, which rejects insertion of a statement. I plan to add an attribute list in place of a single attribute check. Below a printout of the statements that gets rejected by the XACML syntax validator:

This simple condition with a "string-bag" is throwing a schema error:

<xacml3:Condition>
<xacml3:Apply functionid="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">  
  <xacml3:Apply functionid="urn:oasis:names:tc:xacml:1.0:function:string-bag">
     <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Curitiba</xacml3:AttributeValue>
     <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Bahia</xacml3:AttributeValue>
     <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Belem</xacml3:AttributeValue>
  </xacml3:Apply>
<xacml3:AttributeDesignator Category=" urn:oasis:names:tc:xacml:3.0:attribute-category:environment" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:environment-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></xacml3:AttributeDesignator>
</xacml3:Apply>
</xacml3:Condition>

The error message displayed is:

Entitlement policy is not updated. Error is :Invalid Entitlement Policy. Policy is not valid according to XACML schema

This condition using an "or" logical operator is working fine:

 <xacml3:Condition>
 <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
    <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
 <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Curitiba</xacml3:AttributeValue>
       <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:environment-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></xacml3:AttributeDesignator>
    </xacml3:Apply>
    <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
       <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Brasilia</xacml3:AttributeValue>
       <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:environment-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></xacml3:AttributeDesignator>
    </xacml3:Apply>
 </xacml3:Apply>
 </xacml3:Condition>

The statements that describe the condition, as shown above, are inserted right before the as a final section of that rule.

Does the WSO2 PAP support use of Attribute lists, and case yes, could this error be explained by an error in the syntax construction?

Looking for a public syntax and schema validator at the Web, a utility tool that could be helpful to debug similar issues with XACML V3 syntax compliance.

Found today an on-line XML (XACML) validation utility that works well . Its reachable at the URL: http://www.freeformatter.com/xml-validator-xsd.html and it accept download of the XSD (schema) file directly from the OASIS source: http://docs.oasis-open.org/xacml/3.0/xacml-core-v3-schema-wd-17.xsd. This is helpful to debug the correctness of the source, mainly for test cases. — Claude Falbriard, Nov 25 '15 at 17:33

score 1 · Accepted Answer · answered Nov 25 '15 at 03:47

The Axiomatics Policy Administration Point tells you exactly where the error in your condition is:

org.xml.sax.SAXParseException; lineNumber: 13; columnNumber: 99; cvc-complex-type.3.2.2: Attribute 'functionid' is not allowed to appear in element 'xacml3:Apply'.
    at org.apache.xerces.util.ErrorHandlerWrapper.createSAXParseException(Unknown Source)
    at org.apache.xerces.util.ErrorHandlerWrapper.error(Unknown Source)
    at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source)
    at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source)
    at org.apache.xerces.impl.xs.XMLSchemaValidator$XSIErrorReporter.reportError(Unknown Source)
    at org.apache.xerces.impl.xs.XMLSchemaValidator.reportSchemaError(Unknown Source)
    at org.apache.xerces.impl.xs.XMLSchemaValidator.processAttributes(Unknown Source)
    at org.apache.xerces.impl.xs.XMLSchemaValidator.handleStartElement(Unknown Source)
    at org.apache.xerces.impl.xs.XMLSchemaValidator.startElement(Unknown Source)
    at org.apache.xerces.impl.XMLNSDocumentScannerImpl.scanStartElement(Unknown Source)
    at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown Source)
    at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
    at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
    at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
    at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
    at org.apache.xerces.parsers.DOMParser.parse(Unknown Source)
    at org.apache.xerces.jaxp.DocumentBuilderImpl.parse(Unknown Source)
    at javax.xml.parsers.DocumentBuilder.parse(Unknown Source)
    at com.axiomatics.delegent.client.commons.importer.PolicyImporter.importInputStream(PolicyImporter.java:285)
    at com.axiomatics.delegent.client.commons.importer.PolicyImporter.importFile(PolicyImporter.java:264)

More specifically it says:

Attribute 'functionid' is not allowed to appear in element 'xacml3:Apply'.

This is an XML validation error. The XACML schema does not expect an XML attribute called functionid inside the XML element Apply.

Rather it expects FunctionId. All you have to do is apply the right capitalization and then the policy imports like a charm.

BTW any reason why you are using urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of?

a good question. In terms of XACML indeed a better decision could be obtained when asking if a "city name is not a member of a list" which could trigger a "Deny" decision. The current logic checks if a city name is a member of a list, a rather frequent logical condition, doing a Permit through a statement. Is there a way to revert it? — Claude Falbriard, Nov 25 '15 at 14:02

score 0 · Answer 2 · answered Nov 23 '15 at 20:27

I've isolated the XACML syntax error in the sequence of the statements that defines the "string-bag" elements (see the sample code below). With the syntax fixed, the condition is acting now validating a name of a city among a list of choices:

<xacml3:Condition>
 <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
    <xacml3:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:environment-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></xacml3:AttributeDesignator>
    <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
       <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Brasilia</xacml3:AttributeValue>
       <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Curitiba</xacml3:AttributeValue>
       <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Bahia</xacml3:AttributeValue>
       <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Porto Alegre</xacml3:AttributeValue>
       <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Rio de Janeiro</xacml3:AttributeValue>
       <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">São Paulo</xacml3:AttributeValue>
    </xacml3:Apply>
 </xacml3:Apply>

WSO2 Identity XACML - Support for Condition Statement?

2 Answers2