I am using Authzforce 10.1.1
and i have already created some basic policies, now im trying to use the element <AttributeSelector>
to compare some values of a resource that I plan to send on the request.
I have been following the documentation of xacml present in http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.pdf and even tried some of the examples that they have for <AttributeSelector>
with no success.
Policy I want to create
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicySetId="root" Version="1.0.5" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit">
<Target />
<Policy PolicyId="polo" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
<Target>
</Target>
<Rule RuleId="Ruleo" Effect="Permit">
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:parent-guardian-id" DataType="http://www.w3.org/2001/XMLSchema#string" />
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<AttributeSelector MustBePresent="false"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
Path="md:record/md:parentGuardian/md:parentGuardianId/text()" DataType="http://www.w3.org/2001/XMLSchema#string" />
</Apply>
</Apply>
</Condition>
</Rule>
</Policy>
</PolicySet>
Error i get
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<error xmlns:ns2="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:ns3="http://authzforce.github.io/core/xmlns/pdp/7">
<message>Invalid PolicySet with PolicySetId='root', Version=1.0.5</message>
</error>
If I replace <AttributeSelector>
for <AttributeDesignator>
the policy is created with success, so I assume the error is in the <AttributeSelector>
, but from the documentation i have read i can't find the error.
Make sure you have enabled the PDP feature urn:ow2:authzforce:feature:pdp:core:xpath-eval
as mentioned in the documentation on PDP properties.
Then you need to fix a few things in the PolicySet:
<PolicySetDefaults><XPathVersion>http://www.w3.org/TR/2007/REC-xpath20-20070123</XPathVersion></PolicySetDefaults>
md
in the XPath with xmlns:md="..."
"/md:record/md:parentGuardian/md:parentGuardianId/text()"
(add a slash at the very start) or more simply "//md:parentGuardianId/text()"
.Here is what the fixed PolicySet looks like:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:md="urn:example:med:schemas:record" PolicySetId="root" Version="1.0.5" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit">
<PolicySetDefaults>
<XPathVersion>http://www.w3.org/TR/2007/REC-xpath20-20070123</XPathVersion>
</PolicySetDefaults>
<Target />
<Policy PolicyId="polo" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
<Target>
</Target>
<Rule RuleId="Ruleo" Effect="Permit">
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:parent-guardian-id" DataType="http://www.w3.org/2001/XMLSchema#string" />
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<AttributeSelector MustBePresent="false"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
Path="/md:record/md:parentGuardian/md:parentGuardianId/text()" DataType="http://www.w3.org/2001/XMLSchema#string" />
</Apply>
</Apply>
</Condition>
</Rule>
</Policy>
</PolicySet>
xPathEnabled="true"
in the PDP configuration - pdp.xml
- to enable XPath support in this case.)/var/log/tomcat9
and /var/log/tomcat9/authzforce-ce
/opt/authzforce-ce-server/conf/logback.xml
, especially for the logger named org.ow2.authzforce
.