
I'm trying to do a check in a XACML policy. I have a long in my subject context (urn:ch:xxxx:attribute:subject:1.0:participantid) which I wish to find in a list of longs (urn:ch:xxxx:attribute:resource:1.0:participantids) in my resource context. I'm trying to do that with the function integer-is-in.

I've tried so far:

<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-is-in">
  <SubjectAttributeDesignator AttributeId="urn:ch:xxxx:attribute:subject:1.0:participantid" DataType="http://www.w3.org/2001/XMLSchema#long" />
  <ResourceAttributeDesignator AttributeId="urn:ch:xxxx:attribute:resource:1.0:participantids" DataType="http://www.w3.org/2001/XMLSchema#long" />
</Apply>

I've tested this and it worked well.

<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-is-in">
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#long">9000501</AttributeValue>
  <ResourceAttributeDesignator AttributeId="urn:ch:xxxx:attribute:resource:1.0:participantids" DataType="http://www.w3.org/2001/XMLSchema#long" />
</Apply>

So how should I pass the subject attribute so that it works? Or is the function integer-is-in the wrong way?

Regards

Cristiano

David Brossard
cristiano007

1 Answer


An AttributeDesignator is considered a bag in XACML, in other words it is multi-valued. So you have to apply the integer-one-and-only function on it before you apply integer-is-in, because integer-is-in expects a single value (like an AttributeValue) as first argument.

Besides, integer-is-in and integer-one-and-only functions work only with the integer datatype (from XML schema) in the XACML standard, not long. So the fact that your second example works well tells me your XACML implementation is not 100% XACML-compliant.

Last, you are using XACML 2.0 syntax here, and I strongly recommend upgrading to XACML 3.0, which fixes and enhances XACML in general. In XACML 3.0, the fix would look like this:

<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-is-in">
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
        <AttributeDesignator AttributeId="urn:ch:xxxx:attribute:subject:1.0:participantid" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="false" />
    </Apply>
    <AttributeDesignator AttributeId="urn:ch:xxxx:attribute:resource:1.0:participantids" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="false" />
</Apply>
cdan
  • Hi Cyril. Thanks so much for this explanation. It helps me to solve my problem. I'll consider migrating to XACML 3.0. We have a lot of these policies working on our system and the migration will have a big impact on a lot of services. Do you know if there's a way to migrate the policies automatically? Do you know any application that could do the job for me? – cristiano007 Mar 23 '20 at 17:59
  • Yes, you can easily migrate from XACML 2.0 to XACML 3.0 either using XSLT or JAXB (in Java) or other means – David Brossard Mar 23 '20 at 18:58
  • https://www.webfarmr.eu/2015/02/use-jaxb-and-ant-to-generate-java-pojos-for-xacml-1-1-xacml-2-0-and-xacml-3-0-policies/ – David Brossard Mar 23 '20 at 18:59
  • Yep, you can find an [XSLT stylesheet for XACML-2.0-to-3.0 policy conversion on the xacml-comment mailing list](https://lists.oasis-open.org/archives/xacml-comment/201506/msg00000.html). It works fine with Saxon XSLT processor at least, but you are free to try with other processors... at your own risk ;-) – cdan Mar 24 '20 at 01:33
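As an added example, not part of the question, the answer, or any XACML engine's code, the following Python script models the bag semantics the answer relies on: an AttributeDesignator always yields a bag, integer-one-and-only reduces a bag of exactly one value to that value (and is Indeterminate otherwise), and integer-is-in needs a single value on the left and a bag on the right. It parses the corrected XACML 3.0 condition from the answer, plus the question's first attempt, with xml.etree and evaluates both against a constructed request context. The context representation (a dict keyed by (Category, AttributeId)), the evaluate/evaluate_condition helpers and the sample participant ids are assumptions for the example; the attribute ids, categories and function ids are the ones on the page.

```python
"""Toy evaluator for the two XACML functions discussed above (added example,
not the original post's code and not a real PDP)."""
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
FN = "urn:oasis:names:tc:xacml:1.0:function:"
XS_INTEGER = "http://www.w3.org/2001/XMLSchema#integer"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
PID = "urn:ch:xxxx:attribute:subject:1.0:participantid"
PIDS = "urn:ch:xxxx:attribute:resource:1.0:participantids"


class Indeterminate(Exception):
    """Raised where a real PDP would report Indeterminate for the expression."""


def _local(tag):
    # strip the namespace part of an ElementTree tag: "{ns}Apply" -> "Apply"
    return tag.split("}", 1)[1] if "}" in tag else tag


def evaluate(node, context):
    """Evaluate one XACML expression element.

    context (assumed shape) maps (Category, AttributeId) to the list of integer
    values the request carries. A designator always returns a bag (a list),
    AttributeValue returns a single int, and Apply dispatches on FunctionId.
    """
    kind = _local(node.tag)
    if kind == "AttributeValue":
        if node.get("DataType") != XS_INTEGER:
            raise Indeterminate("only xs:integer is modelled here")
        return int(node.text.strip())
    if kind == "AttributeDesignator":
        if node.get("DataType") != XS_INTEGER:
            raise Indeterminate("only xs:integer is modelled here")
        bag = list(context.get((node.get("Category"), node.get("AttributeId")), []))
        if not bag and node.get("MustBePresent", "false").lower() == "true":
            raise Indeterminate("missing attribute " + node.get("AttributeId"))
        return bag  # possibly empty: MustBePresent="false" does not fail here
    if kind == "Apply":
        fn = node.get("FunctionId")
        args = [evaluate(child, context) for child in node]
        if fn == FN + "integer-one-and-only":
            if len(args) != 1 or not isinstance(args[0], list):
                raise Indeterminate("integer-one-and-only takes exactly one bag")
            if len(args[0]) != 1:
                # empty or multi-valued bag: Indeterminate, not "false"
                raise Indeterminate("bag of size %d" % len(args[0]))
            return args[0][0]
        if fn == FN + "integer-is-in":
            if len(args) != 2:
                raise Indeterminate("integer-is-in takes two arguments")
            value, bag = args
            if isinstance(value, list):
                # the question's first attempt: a bag where a single value is required
                raise Indeterminate("first argument of integer-is-in must be a single value")
            if not isinstance(bag, list):
                raise Indeterminate("second argument of integer-is-in must be a bag")
            return value in bag
        raise Indeterminate("unsupported function " + str(fn))
    raise Indeterminate("unsupported element " + kind)


# The corrected condition from the answer (XACML 3.0 syntax).
FIXED_CONDITION = f"""
<Apply xmlns="{XACML_NS}" FunctionId="{FN}integer-is-in">
  <Apply FunctionId="{FN}integer-one-and-only">
    <AttributeDesignator AttributeId="{PID}" Category="{SUBJECT}" DataType="{XS_INTEGER}" MustBePresent="false"/>
  </Apply>
  <AttributeDesignator AttributeId="{PIDS}" Category="{RESOURCE}" DataType="{XS_INTEGER}" MustBePresent="false"/>
</Apply>
"""

# The question's first attempt, transcribed into 3.0 syntax: two bags passed to integer-is-in.
BROKEN_CONDITION = f"""
<Apply xmlns="{XACML_NS}" FunctionId="{FN}integer-is-in">
  <AttributeDesignator AttributeId="{PID}" Category="{SUBJECT}" DataType="{XS_INTEGER}" MustBePresent="false"/>
  <AttributeDesignator AttributeId="{PIDS}" Category="{RESOURCE}" DataType="{XS_INTEGER}" MustBePresent="false"/>
</Apply>
"""


def evaluate_condition(xml_text, subject_ids, resource_ids):
    """Return True/False, or the string "Indeterminate" when the condition cannot be evaluated."""
    context = {(SUBJECT, PID): list(subject_ids), (RESOURCE, PIDS): list(resource_ids)}
    try:
        return evaluate(ET.fromstring(xml_text), context)
    except Indeterminate:
        return "Indeterminate"


if __name__ == "__main__":
    # Constructed sample values (the 9000501 id is the one from the question).
    print(evaluate_condition(FIXED_CONDITION, [9000501], [9000501, 9000502]))  # True
    print(evaluate_condition(FIXED_CONDITION, [1], [9000501]))                 # False
    print(evaluate_condition(FIXED_CONDITION, [], [9000501]))                  # Indeterminate
    print(evaluate_condition(FIXED_CONDITION, [1, 2], [1]))                    # Indeterminate
    print(evaluate_condition(BROKEN_CONDITION, [9000501], [9000501]))          # Indeterminate
```

The last three cases are the ones worth keeping in mind when writing the real policy: with MustBePresent="false" an absent subject attribute does not fail at the designator, but the empty bag still makes integer-one-and-only Indeterminate, so the rule neither matches nor cleanly denies; the combining algorithm of the enclosing policy decides what that turns into. The same happens if the PEP sends two participantid values, and a PDP that accepted the question's first attempt without complaint is, as the answer says, not following the standard's typing of the function arguments.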