mace-opensaml-users - [OpenSAML] Problem with XACMLPolicyStatement

Subject: OpenSAML user discussion


[OpenSAML] Problem with XACMLPolicyStatement


  • Subject: [OpenSAML] Problem with XACMLPolicyStatement
  • Date: Sat, 31 Jul 2010 11:24:26 +0200

Hi All,

I'm using opensaml 2.3.1. I have the following problem. I have created this [1] assertion for storing a policy in a policy repository.


But this assertion is wrong, according to the schema defined in [2] (the schema on the OASIS home page is buggy).

org.xml.sax.SAXParseException: cvc-complex-type.2.4.a: Invalid content
was found starting with element 'xacml-saml:XACMLPolicyStatement'. One
of '{"urn:oasis:names:tc:SAML:2.0:assertion":Advice,
"urn:oasis:names:tc:SAML:2.0:assertion":Statement,
"urn:oasis:names:tc:SAML:2.0:assertion":AuthnStatement,
"urn:oasis:names:tc:SAML:2.0:assertion":AuthzDecisionStatement,
"urn:oasis:names:tc:SAML:2.0:assertion":AttributeStatement}' is
expected.

This means that instead of an XACMLPolicyStatement I should create a Statement, with xsi:type set to the XACML type:

<saml:Statement xsi:type="xacml-saml:XACMLAuthzDecisionStatementType">

<saml:Statement xsi:type="xacml-saml:XACMLPolicyStatementType">


But how to do it with OpenSAML? There's no Statement builder!


[1]
<saml2:Assertion ID="_091286d9-9f94-41c7-bdd5-5dbac110a52f"
    IssueInstant="2010-07-31T09:19:49.628Z" Version="2.0"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Issuer>com.spirit.ws.XACML.client.SAMLXACMLv2</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_091286d9-9f94-41c7-bdd5-5dbac110a52f">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces PrefixList="ds saml2 xacml-saml #default xsi"
                xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>vrybvmR1LByJKJgTAD2LaDyVrac=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
sd2onP2tKcGvcw9FnT6LgludZyxSrcXr1vnqA5ZVXkw86LfKrUXojTJs2AnAEkFu052N+rdDz84f
Pr2iOYyk+aarSCvbvSYnpVG77jXmvRISUdj+iQH/S/XWRF8I6NgPmalZoiMM8UAX02yRZhjANTX8
ks8EOZdfEdOd+hmsTUE=
    </ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>MIIDwzCCAqugAwIBAgIBATANBgkqhkiG9w0BAQUFADCBuDELMAkGA1UEBhMCQVQxEDAOBgNVBAgT...==</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <saml2:Conditions NotBefore="2010-07-31T09:19:49.628Z"
      NotOnOrAfter="2010-07-31T22:39:49.628Z">
    <saml2:AudienceRestriction>
      <saml2:Audience>testaudience</saml2:Audience>
      <saml2:Audience>test2</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
  <xacml-saml:XACMLPolicyStatement
      xmlns:xacml-saml="urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:assertion">
    <PolicySet
        PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides"
        PolicySetId="MAU.12675296158691-GLOB.OID.TESTMAURO_ENV.LOCAL.OS.2.PI-DOM"
        xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd">
      <Description>Test policy that permits everything</Description>
      <Target/>
      <Policy PolicyId="policy_id"
          RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides"
          xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
        <Description>Test policy</Description>
        <Target/>
        <Rule Effect="Permit" RuleId="urn:oasis:names:tc:xacml:2.0:example:SimpleRule1"/>
      </Policy>
    </PolicySet>
  </xacml-saml:XACMLPolicyStatement>
</saml2:Assertion>

[2]
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml#XACML20errata
--
Massimiliano Masi

http://www.mascanc.net/~max
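Added example, not part of the original post and not code from the OpenSAML project: one way to get the schema-valid form the poster asks for (a saml2:Statement carrying xsi:type="xacml-saml:XACMLPolicyStatementType") with the OpenSAML 2.x API. It relies on the xmltooling builder overload buildObject(QName elementName, QName schemaType), which lets the builder registered for xacml-saml:XACMLPolicyStatement emit a differently named element with an xsi:type. The class name, the helper method names and the PolicySetType setter names (setPolicySetId, setPolicyCombiningAlgoId, setTarget) are my assumptions about the OpenSAML 2.x xacml module; the IDs and issuer string are the post's own sample values.

```java
import org.joda.time.DateTime;
import org.opensaml.DefaultBootstrap;
import org.opensaml.common.SAMLVersion;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Issuer;
import org.opensaml.saml2.core.Statement;
import org.opensaml.xacml.policy.PolicySetType;
import org.opensaml.xacml.policy.TargetType;
import org.opensaml.xacml.profile.saml.XACMLPolicyStatementType;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.XMLObjectBuilder;
import org.opensaml.xml.XMLObjectBuilderFactory;
import org.opensaml.xml.io.Marshaller;
import org.opensaml.xml.util.XMLHelper;
import org.w3c.dom.Element;

/** Hypothetical example class (not from the post or from OpenSAML). */
public class XacmlPolicyStatementExample {

    /**
     * Builds the policy statement as
     * <saml2:Statement xsi:type="xacml-saml:XACMLPolicyStatementType">
     * instead of <xacml-saml:XACMLPolicyStatement>, which is what the
     * SAML 2.0 assertion schema's choice group accepts.
     */
    @SuppressWarnings("unchecked")
    static XACMLPolicyStatementType buildPolicyStatement(XMLObjectBuilderFactory bf) {
        // The builder is registered under the profile's own element name...
        XMLObjectBuilder<XACMLPolicyStatementType> stmtBuilder =
            (XMLObjectBuilder<XACMLPolicyStatementType>)
                bf.getBuilder(XACMLPolicyStatementType.DEFAULT_ELEMENT_NAME);

        // ...but any builder can be told which element name to emit and which
        // schema type to declare. Element name saml2:Statement plus schema type
        // xacml-saml:XACMLPolicyStatementType gives the xsi:type form.
        XACMLPolicyStatementType stmt = stmtBuilder.buildObject(
            Statement.DEFAULT_ELEMENT_NAME, XACMLPolicyStatementType.TYPE_NAME);

        // Minimal PolicySet mirroring the one in the post (sample IDs from the post).
        PolicySetType policySet = (PolicySetType) bf
            .getBuilder(PolicySetType.DEFAULT_ELEMENT_NAME)
            .buildObject(PolicySetType.DEFAULT_ELEMENT_NAME);
        policySet.setPolicySetId("MAU.12675296158691-GLOB.OID.TESTMAURO_ENV.LOCAL.OS.2.PI-DOM");
        policySet.setPolicyCombiningAlgoId(
            "urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides");
        policySet.setTarget((TargetType) bf
            .getBuilder(TargetType.DEFAULT_ELEMENT_NAME)
            .buildObject(TargetType.DEFAULT_ELEMENT_NAME));
        stmt.getPolicySets().add(policySet);
        return stmt;
    }

    /** Wraps the statement in an unsigned SAML 2.0 assertion. */
    static Assertion buildAssertion(XMLObjectBuilderFactory bf, String assertionId) {
        Assertion assertion = (Assertion) bf
            .getBuilder(Assertion.DEFAULT_ELEMENT_NAME)
            .buildObject(Assertion.DEFAULT_ELEMENT_NAME);
        assertion.setID(assertionId);
        assertion.setVersion(SAMLVersion.VERSION_20);
        assertion.setIssueInstant(new DateTime());

        Issuer issuer = (Issuer) bf
            .getBuilder(Issuer.DEFAULT_ELEMENT_NAME)
            .buildObject(Issuer.DEFAULT_ELEMENT_NAME);
        issuer.setValue("com.spirit.ws.XACML.client.SAMLXACMLv2");
        assertion.setIssuer(issuer);

        // The typed statement is a plain Statement as far as the assertion is concerned.
        assertion.getStatements().add(buildPolicyStatement(bf));
        return assertion;
    }

    /** Marshals to DOM and serialises, so the emitted element name can be inspected. */
    static String toXml(Assertion assertion) throws Exception {
        Marshaller marshaller = Configuration.getMarshallerFactory().getMarshaller(assertion);
        Element element = marshaller.marshall(assertion);
        return XMLHelper.nodeToString(element);
    }

    public static void main(String[] args) throws Exception {
        DefaultBootstrap.bootstrap(); // registers builders, marshallers and unmarshallers
        XMLObjectBuilderFactory bf = Configuration.getBuilderFactory();
        // Constructed ID for this example; the post's assertion used a different one.
        Assertion assertion = buildAssertion(bf, "_example-assertion-id");
        System.out.println(toXml(assertion));
    }
}
```

The printed assertion contains `<saml2:Statement xsi:type="xacml-saml:XACMLPolicyStatementType">` wrapping the `PolicySet`, which is the content the validator in the post expected. Two practical points follow from the post's own sample: the assertion in [1] carries an enveloped signature whose Reference covers the whole assertion, so the statement element has to be changed before signing, not after (the existing DigestValue and SignatureValue would no longer verify); and since a consumer's schema validation is what rejected the original form, it is worth running the same validation against the re-built assertion before storing it in the policy repository.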



Archive powered by MHonArc 2.6.16.
