Search code examples
logicxacml2

XACML Resources

I am trying to write a code that will enable user access of content from a website based on security roles. Thus some users can see all the content, and some can only see urls with certain extensions.

Most of my code works, but I have trouble with the access for the 3 subcategories.

<Rule Effect="Permit" RuleId="accesses">
    <Description>Permission for lower clearance</Description>
    <Target>
        <Resources>
            <Resource>
                <ResourceMatch
                    MatchId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">home.html
                    </AttributeValue>
                    <ResourceAttributeDesignator
                        AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                        DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="[email protected]"
                        MustBePresent="true" />
                </ResourceMatch>
            </Resource>
            <Resource>
                <ResourceMatch
                    MatchId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">localweather.html
                    </AttributeValue>
                    <ResourceAttributeDesignator
                        AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                        DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="[email protected]"
                        MustBePresent="true" />
                </ResourceMatch>
            </Resource>
            <Resource>
                <ResourceMatch
                    MatchId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">about.html
                    </AttributeValue>
                    <ResourceAttributeDesignator
                        AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                        DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="[email protected]"
                        MustBePresent="true" />
                </ResourceMatch>
            </Resource>
        </Resources>
    </Target>
    <Condition>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                <SubjectAttributeDesignator AttributeId="AccessLevel"
                    DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="[email protected]"
                    MustBePresent="true" />
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Clear</AttributeValue>
            </Apply>
        </Apply>
    </ Condition >
</Rule>

I have these 3 resources, and when I run the program, I get an "indeterminate" response. Can I only have 1 resource per rule? Is something else throwing an exception?

Solution

  • You can have tree resources for in target. According to the your rule, they would act as "OR". Please check with your XACML request, may be you are sending request that is not matching with policy (policy has MustBePresent="true it means, if attribute is not there, PDP would create a indeterminate error). Please change them to "false" and see.