Same XACML request different response when I use wso2is and Java application

askspantac

Hi, I’m having a problem understanding why I get a different response when I use the (org.xacmlinfo.xacml.pep.agent.PEPAgent.java) and the tryit function in WSO2IS 5.0.0. They are querying the same policy.

<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="OfficeHours" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides" Version="1.0">
  <Description>denyOutsideOfficeHours</Description>
  <Target>
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">foo.com</AttributeValue>
          <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:environment-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
  <Rule Effect="Permit" RuleId="PermitInOfficeHours">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:2.0:function:time-in-range">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">12:00:00</AttributeValue>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">17:00:00</AttributeValue>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
          <AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time" DataType="http://www.w3.org/2001/XMLSchema#time"></AttributeDesignator>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
</Policy>

PEPAgent

<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:environment:environment-id" IncludeInResult="false"><AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">foo.com</AttributeValue>
</Attribute>
</Attributes>
</Request>
<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
<Result>
<Decision>Indeterminate</Decision><Status>
<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:processing-error"/>
<StatusMessage>urn:oasis:names:tc:xacml:1.0:function:time-one-and-only expects a bag that contains a single element, got a bag with 0 elements</StatusMessage>
</Status>
</Result>
</Response>

Tryit

<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:environment:environment-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">foo.com</AttributeValue>
</Attribute></Attributes></Request> 
<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
<Result><Decision>Permit</Decision><Status>
<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
</Status><PolicyIdentifierList>
<PolicyIdReference>OfficeHours</PolicyIdReference>
</PolicyIdentifierList>
</Result>
</Response> 
David Brossard

First of all, here are a few comments regarding your policy and rule:

  • the policy description doesn't match the rule description. In one case you say deny, in the other you say Permit.
  • you use a Condition where in fact a Target would be enough.

Graphical view of the policy in the Axiomatics Policy Server

Now, as for the different responses: in one case your code (PEPAgent) doesn't send the current time value and the server (is that the PDP?) doesn't add the time either. In the second case, the Tryit client still doesn't send time but obviously the receiving end (another PDP?) fills in the missing time value.

If you look more closely at your first response, you will notice the following error message:

<StatusMessage>urn:oasis:names:tc:xacml:1.0:function:time-one-and-only expects a bag that contains a single element, got a bag with 0 elements</StatusMessage>

This means that you didn't pass in any value for current-time.

I tested this using the Axiomatics Policy Server and I received the expected behavior.
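
An added example, not part of the original answer or of WSO2's code: a Python pre-flight check that lists the AttributeDesignators a request leaves empty (the cause of the empty bag above), then has the PEP supply `current-time` itself. The reduced policy sample, the function names and the `13:30:00` value are constructed for illustration.

```python
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
ENV = "urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
ENV_ID = "urn:oasis:names:tc:xacml:1.0:environment:environment-id"
NOW_ID = "urn:oasis:names:tc:xacml:1.0:environment:current-time"
XS = "http://www.w3.org/2001/XMLSchema#"

# Constructed sample: only the two AttributeDesignators of the OfficeHours policy.
POLICY = f"""<Policy xmlns="{XACML}" PolicyId="OfficeHours">
  <AttributeDesignator AttributeId="{ENV_ID}" Category="{ENV}" DataType="{XS}string" MustBePresent="true"/>
  <AttributeDesignator AttributeId="{NOW_ID}" Category="{ENV}" DataType="{XS}time" MustBePresent="false"/>
</Policy>"""
# The request sent by PEPAgent in the question (same content, re-indented).
REQUEST = f"""<Request xmlns="{XACML}" CombinedDecision="false" ReturnPolicyIdList="false">
  <Attributes Category="{ENV}">
    <Attribute AttributeId="{ENV_ID}" IncludeInResult="false">
      <AttributeValue DataType="{XS}string">foo.com</AttributeValue>
    </Attribute>
  </Attributes>
</Request>"""

def designated(policy_xml):
    """(category, attribute id, data type) of every AttributeDesignator, at any depth."""
    root = ET.fromstring(policy_xml)
    return {(d.get("Category"), d.get("AttributeId"), d.get("DataType"))
            for d in root.iter(f"{{{XACML}}}AttributeDesignator")}

def supplied(request_xml):
    """(category, attribute id) pairs the PEP actually sends."""
    root = ET.fromstring(request_xml)
    return {(grp.get("Category"), a.get("AttributeId"))
            for grp in root.iter(f"{{{XACML}}}Attributes")
            for a in grp.iter(f"{{{XACML}}}Attribute")}

def missing(policy_xml, request_xml):
    """Designators the request leaves empty; unless the PDP fills them, the bag has 0 elements."""
    sent = supplied(request_xml)
    return sorted(d for d in designated(policy_xml) if d[:2] not in sent)

def fill(request_xml, category, attribute_id, data_type, value):
    """Return the request with one more attribute supplied by the PEP."""
    ET.register_namespace("", XACML)
    root = ET.fromstring(request_xml)
    grp = next((g for g in root.iter(f"{{{XACML}}}Attributes") if g.get("Category") == category), None)
    if grp is None:
        grp = ET.SubElement(root, f"{{{XACML}}}Attributes", Category=category)
    attr = ET.SubElement(grp, f"{{{XACML}}}Attribute", AttributeId=attribute_id, IncludeInResult="false")
    ET.SubElement(attr, f"{{{XACML}}}AttributeValue", DataType=data_type).text = value
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print(missing(POLICY, REQUEST))
    print(fill(REQUEST, ENV, NOW_ID, XS + "time", "13:30:00"))
```

Because `designated` walks the whole tree, it can be pointed at the full policy from the question as well as at the reduced sample.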
