Tags: authorization, xacml, abac, xacml3, alfa

XACML: how to find a long in a list of longs (list contains)


I'm trying to do a check in a XACML policy. I have a long in my subject context (urn:ch:xxxx:attribute:subject:1.0:participantid) which I wish to find in a list of longs (urn:ch:xxxx:attribute:resource:1.0:participantids) in my resource context. I'm trying to do that with the function integer-is-in.

I've tried so far:

<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-is-in">
  <SubjectAttributeDesignator AttributeId="urn:ch:xxxx:attribute:subject:1.0:participantid" DataType="http://www.w3.org/2001/XMLSchema#long" />
  <ResourceAttributeDesignator AttributeId="urn:ch:xxxx:attribute:resource:1.0:participantids" DataType="http://www.w3.org/2001/XMLSchema#long" />
</Apply>

I've tested this and it worked well.

<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-is-in">
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#long">9000501</AttributeValue>
  <ResourceAttributeDesignator AttributeId="urn:ch:xxxx:attribute:resource:1.0:participantids" DataType="http://www.w3.org/2001/XMLSchema#long" />
</Apply>

So how should I pass the subject attribute so that it works? Or is the function integer-is-in the wrong way?

Regards

Cristiano


Solution

  • An AttributeDesignator is considered a bag in XACML, in other words it is multi-valued. So you have to apply the integer-one-and-only function on it before you apply integer-is-in, because integer-is-in expects a single value (like an AttributeValue) as first argument.

    Besides, integer-is-in and integer-one-and-only functions work only with the integer datatype (from XML schema) in the XACML standard, not long. So the fact that your second example works well tells me your XACML implementation is not 100% XACML-compliant.

    Last, you are using XACML 2.0 syntax here, and I strongly recommend upgrading to XACML 3.0, which fixes and enhances XACML in general. In XACML 3.0, the fix would look like this:

    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-is-in">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
            <AttributeDesignator AttributeId="urn:ch:xxxx:attribute:subject:1.0:participantid" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="false" />
        </Apply>
        <AttributeDesignator AttributeId="urn:ch:xxxx:attribute:resource:1.0:participantids" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="false" />
    </Apply>
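
To show where the answer's Apply fragment sits in a deployable policy, here is a complete XACML 3.0 Policy plus a matching Request. This is an added example, not code from the original question or answer. The PolicyId, RuleId, Description, the deny-unless-permit combining algorithm and the resource values 9000500 and 9000502 are assumptions made for the example; the attribute identifiers, the subject value 9000501 and the integer-is-in / integer-one-and-only construction are taken from the thread. The two documents are separated by XML comments naming the file each would normally live in.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- policy.xml (added example; identifiers marked below are hypothetical) -->
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="urn:example:policy:participant-membership"
        Version="1.0"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
  <Description>Permit when the subject's participantid is one of the resource's participantids.</Description>
  <!-- Empty Target: the policy applies to every request; scope it in production. -->
  <Target/>
  <Rule RuleId="urn:example:rule:participant-is-member" Effect="Permit">
    <Target/>
    <Condition>
      <!-- integer-is-in(integer, bag-of-integer): first argument must be a single value. -->
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-is-in">
        <!-- Reduce the subject's bag to exactly one integer. An empty bag or a bag
             with several values makes this Indeterminate, which deny-unless-permit
             turns into Deny rather than Permit. -->
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
          <AttributeDesignator
              Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
              AttributeId="urn:ch:xxxx:attribute:subject:1.0:participantid"
              DataType="http://www.w3.org/2001/XMLSchema#integer"
              MustBePresent="false"/>
        </Apply>
        <!-- The resource designator stays a bag; that is the second argument's type. -->
        <AttributeDesignator
            Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
            AttributeId="urn:ch:xxxx:attribute:resource:1.0:participantids"
            DataType="http://www.w3.org/2001/XMLSchema#integer"
            MustBePresent="false"/>
      </Apply>
    </Condition>
  </Rule>
</Policy>

<!-- request.xml (added example; 9000500 and 9000502 are constructed sample values) -->
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
         CombinedDecision="false"
         ReturnPolicyIdList="false">
  <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <!-- Exactly one value, so integer-one-and-only succeeds. -->
    <Attribute AttributeId="urn:ch:xxxx:attribute:subject:1.0:participantid" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">9000501</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <!-- Several AttributeValue elements under one Attribute form the bag that
         integer-is-in searches; 9000501 is present, so the rule yields Permit. -->
    <Attribute AttributeId="urn:ch:xxxx:attribute:resource:1.0:participantids" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">9000500</AttributeValue>
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">9000501</AttributeValue>
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">9000502</AttributeValue>
    </Attribute>
  </Attributes>
</Request>
```

Two points worth checking against your PDP before relying on this. First, the DataType must be the XML Schema integer on both the policy designators and the request values; a PEP that still emits xsd:long will not match the designators of a compliant PDP. Second, the failure modes: if the subject attribute is missing, MustBePresent="false" returns an empty bag and integer-one-and-only then raises Indeterminate (with MustBePresent="true" the designator itself raises Indeterminate with a missing-attribute status); if the PEP sends two participantid values, one-and-only also raises Indeterminate. With deny-unless-permit as the combining algorithm every Indeterminate collapses to Deny, which is the fail-closed behaviour you want for a membership check; with first-applicable or permit-overrides the Indeterminate propagates to the caller and needs handling there.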