I would like to know whether WSO2 Identity Server supports multipleRequests?
When I try to formulate the following request
:
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" id="action1">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GET</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" id="action2">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GETT</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" id="subject1">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">cijoy</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" id="subject2">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">cijoyy</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" id="resource1">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/Entitlement_Sample_WebApp/protected.jsp</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" id="resource2">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/Entitlement_Sample_WebApp/protected.jspp</AttributeValue>
</Attribute>
</Attributes>
<MultiRequests>
<RequestReference>
<AttributesReference ReferenceId="subject1"/>
<!-- Is Subject necesary? -->
<AttributesReference ReferenceId="action1"/>
<!-- Is Action necessary -->
<AttributesReference ReferenceId="resource1"/>
<!-- This generates a normal single Resource request -->
</RequestReference>
</MultiRequests>
</Request>
It throws In determinant Error saying
Invalid request : Error parsing required ReferenceId in MultiRequestType
Any working sample? Any idea?
Yes you can do it with Balana XACML 3.0 . This link would be of help.
Related
I'm looking for a way to define a condition in a policy rule, so that when we pass a multiple string value in our certificate and try to authenticate authzforce against that rule, assuming the string value in the condition is equal to one of the string values we passed in the certificate, I want the rule to evaluate to 'true'.
For example if the attribute value of the condition is "DNS:google.com" and the multiple value string we receive from the certificate are: ["DNS:google.nl" ,"DNS:google.com"], I would expect to get the rule evaluated to 'true' as one of those values are equal to the value of the condition ("DNS:google.com").
I tried to achieve this defining a rule with this condition:
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">DNS:google.com</AttributeValue>
<AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:certificate" AttributeId="urn:oasis:names:tc:xacml:1.0:certificate-category:subject-alternative-name" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Apply>
I used the 'string-is-in' XACML operator in the condition, however the rule evaluates to false.
The attributes I send via the certificate using the crypto library look like this when they reach the PDP:
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:certificate">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:certificate-category:subject-alternative-name" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">DNS:google.com</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:certificate">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:certificate-category:subject-alternative-name" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string"> DNS:google.nl</AttributeValue>
</Attribute>
</Attributes>
Right now, the way I defined the condition rule and the the way I sent the multi-string in the certificate, I manage to get the rulet to evaluate to 'true' only if ALL values of the certificate are equal or contain the string value of the condition as a substring. So its more of a "matchAll". That is not what I want - I would like the rule to be evaluated to 'true' if we even have one string on the multi-string in the certificate equal to the string in the condition - meaning a an i'm looking to implement a "matchAny" approach rather than the "matchAll" approach I have here.
Could you please advise me why the rule evaluates to 'false' with my current implementation and how to correct it, using perhaps a different XACML operator?
Pasting the policy below as well as in the comments.
<PolicySet PolicySetId="root" Version="0.1.2" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit"
xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
<Target/>
<Policy PolicyId="dbfcb643-cb39-4560-9c11-95112df970d0" Version="0.1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit" MaxDelegationDepth="10">
<Description>Policy for EAP authentications by SAN dns domains</Description>
<Target/>
<Rule RuleId="86ef9adb-2acb-43a1-aac6-b01fdeab9a44" Effect="Permit">
<Description>Permit by certificate's SAN dns domain</Description>
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<Description>new condition</Description>
<Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:any-of">
<Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">EAP</AttributeValue>
<AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:radius-auth-type" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">DNS:google.com</AttributeValue>
<AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:certificate" AttributeId="urn:oasis:names:tc:xacml:1.0:certificate-category:subject-alternative-name" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Apply>
</Apply>
</Condition>
<AdviceExpressions>
<AdviceExpression AdviceId="authorization-result" AppliesTo="Permit">
<AttributeAssignmentExpression AttributeId="profile-id">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">bbfc5e21-0e9f-40a6-a5c6-fedd921bff2c</AttributeValue>
</AttributeAssignmentExpression>
</AdviceExpression>
</AdviceExpressions>
</Rule>
</Policy>
I found the bug, it was in the way build our request, originally our request was structured it like:
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:certificate">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:certificate-category:subject-alternative-name" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">DNS:google.com</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:certificate">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:certificate-category:subject-alternative-name" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string"> DNS:google.nl</AttributeValue>
</Attribute>
</Attributes>`
The way it should be is like:
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:certificate">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:certificate-category:subject-alternative-name" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">DNS:google.com</AttributeValue>
</Attribute>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:certificate-category:subject-alternative-name" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string"> DNS:google.nl</AttributeValue>
</Attribute>
</Attributes>
Meaning the are nesting all the attributes within them rather than wrapping each attribute separately. When I structure the request as the latter the policy evaluation returns 'Permit'.
I followed applying security to a proxy service article.
My problem is that in the XACML request the subject-id property value is an LDAP query "CN=localhost, OU=WSO2, O=WSO2, L=Mountain View, ST=CA, C=US". what should I do to just commonName (CN) value become subject-id?
My entitlement mediator:
<entitlementService
callbackClass="org.wso2.micro.integrator.identity.entitlement.mediator.callback.X509EntitlementCallbackHandler"
remoteServiceUrl=" https://testdomain.org:9444/services/"
client="basicAuth"
remoteServicePassword="admin"
remoteServiceUserName="admin">
XACML request that entitlement mediator made:
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
CN=localhost, OU=WSO2, O=WSO2, L=Mountain View, ST=CA, C=US
</AttributeValue></Attribute></Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
read
</AttributeValue></Attribute></Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
/services/SecureProxy/createUser
</AttributeValue></Attribute></Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment">
<Attribute AttributeId="IssuerDN" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
CN=localhost, OU=WSO2, O=WSO2, L=Mountain View, ST=CA, C=US
</AttributeValue></Attribute>
<Attribute AttributeId="SignatureAlgorithm" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
SHA256withRSA
</AttributeValue></Attribute></Attributes></Request>
WSO2 Micro Integrator 4.1, Identity Server 5.11, and SoapUI 5.7.0.
I wrote a basic test case with XACML using the Simple Editor tool.
My rule: "Only doctor can access medical records"
When using the role name "admin", all works OK and the answer from the request is "permit".
Case I update the role, both in the policy and request and set it to the value: "doctor", then the rules engine returns a erroneous "deny". For testing, I've also recorded a user role name with the value "doctor", which is the desired value and added one ID under the WSO2 console.
Why XACML under WSO2 constantly denies any evaluation request when using other role then "doctor"? (see the resulting policy and request statements below)
Policy
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="MedicalRecords" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
<Description>doctors</Description>
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">MedicalRecords</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Match>
</AllOf>
</AnyOf>
</Target>
<Rule Effect="Permit" RuleId="Rule-1">
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">update</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Match>
</AllOf>
</AnyOf>
</Target>
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
<Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">doctor</AttributeValue>
<AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Apply>
</Condition>
</Rule>
<Rule Effect="Deny" RuleId="Deny-Rule"/>
</Policy>
Request
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">update</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">doctor</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">MedicalRecords</AttributeValue>
</Attribute>
</Attributes>
</Request>
Thanks for feedback and support.
Regards,
Claude
Since you have added http://wso2.org/claims/role as the AttributeId for the subject, following should be your XACML request
<?xml version="1.0" encoding="UTF-8"?>
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">update</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="http://wso2.org/claims/role" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">doctor</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">MedicalRecords</AttributeValue>
</Attribute>
</Attributes>
</Request>
in XAML values are matches against AttributeId, you must use the same AttributeId. Butm you have used urn:oasis:names:tc:xacml:1.0:subject:subject-id as the AttributeId in the request.
I have requirement to write a policy for the particular user it will return the xacml response like this :
This policy is based on single user : bob
FirstName: Create= true , Read = true, Update = true, Delete = false
MiddleName: Create= true , Read = true, Update = true, Delete = false
LastName: Create= true , Read = true, Update = true, Delete = false
How to write a xacml policy for such requirement and how the request will look like for the same policy.
How to achieve this policy using Axiomatics Alfa plugin and WSO2 identity server.
Let get as following... This policy is based on single user : bob
FirstName: Create= true , Read = true, Update = true, Delete = false
MiddleName: Create= true , Read = true, Update = false, Delete = false
LastName: Create= false , Read = true, Update = false, Delete = false
Following is the policy, policy is based on user ("bob"). Therefore we can take the user name as the policy target and can create three rules. In rules, "FirstName", "MiddleName" and "LastName" have been taken as resources and for each resource, rule has been created.
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="NamePolicy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">bob</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Match>
</AllOf>
</AnyOf>
</Target>
<Rule Effect="Permit" RuleId="Rule-1">
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">FirstName</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Match>
</AllOf>
</AnyOf>
</Target>
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create</AttributeValue>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">update</AttributeValue>
</Apply>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Apply>
</Condition>
</Rule>
<Rule Effect="Permit" RuleId="Rule-2">
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">MiddleName</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Match>
</AllOf>
</AnyOf>
</Target>
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create</AttributeValue>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
</Apply>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Apply>
</Condition>
</Rule>
<Rule Effect="Permit" RuleId="Rule-3">
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">LastName</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Match>
</AllOf>
</AnyOf>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Match>
</AllOf>
</AnyOf>
</Target>
</Rule>
<Rule Effect="Deny" RuleId="Rule-4"></Rule>
</Policy>
Following is the XACML multiple decision profile request that you can try out. Here, you can change the resource value and see the authorization for each resource. It would return permit result for the actions that are permit for "bob"
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">LastName</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">bob</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">update</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">delete</AttributeValue>
</Attribute>
</Attributes>
</Request>
<?xml version="1.0" encoding="UTF-8"?>
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">LastName</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">bob</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">update</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">delete</AttributeValue>
</Attribute>
</Attributes>
</Request>
I have a policy and when i run a request in WSO2 Identity Server i get permit decision as expected. But when i create another sample policy from:
http://svn.wso2.org/repos/wso2/carbon/platform/tags/4.0.7/products/is/4.1.0/modules/distribution/conf/policies/sample-kmarket-sliver-policy.xml
And send my same request again, i get following error:
<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
<Result>
<Decision>Indeterminate</Decision>
<Status>
<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:missing-attribute"/>
<StatusMessage>Couldn't find AttributeDesignator attribute</StatusMessage>
<StatusDetail>
<MissingAttributeDetail AttributeId="http://kmarket.com/id/role" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" ></MissingAttributeDetail>
</StatusDetail>
</Status>
</Result>
</Response>
For some reason request is being run against this sample policy instead of my original policy. Now interesting thing is I downloaded Balana (XACML Engine used by WSO2 Identity Server) source code and ran tests with both policies and my request and i am getting Permit as expected. But when i do the same in WSO2 its not working and i am getting Indeterminate error. I tried both 'Try It' feature and 'Evaluate with PDP' with same results.
Here is the request i used, why is this being applied to the sample policy and not my original policy via WSO2 but not Balana?
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:samhsa:names:tc:company:1.0:subject:provider-npi" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">1548797430</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject">
<Attribute AttributeId="urn:samhsa:names:tc:company:1.0:subject:provider-npi" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">1347570297</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:purpose-of-use">
<Attribute AttributeId="urn:samhsa:names:tc:company:1.0:purpose-of-use-code" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">TREAT</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">#outlook.com</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-dateTime" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#dateTime">2013-07-12T00:00:00-04:00</AttributeValue>
</Attribute>
</Attributes>
</Request>
According to the error, it seems that attribute finder is not configure. I guess policy has a attribute id called "http://kmarket.com/id/role" But it is not in the request, so attribute finder is called. you need to register an attribute finder to support it... Please find sample attribute finder from here [1]. In balana sample, this attribute finder has been already there with the sample itself
[1] http://svn.wso2.org/repos/wso2/carbon/platform/tags/4.0.7/components/identity/org.wso2.carbon.identity.samples.entitlement.pip/