On 06/06/11 16:48, Eliana Lazzeri wrote:
> Hello again,
> I found an answer to my question:
>> 2011-06-01 13:18:50,488 [main] DEBUG issrg.utils.handler.Handler - to
>> create a PERMIS Subject with DN: null
>> --> this would imply that you haven't given your subject a name ?
>> Yes, in the XACML request I have to give only the role of the subject. How can I add also the subject's name? Have I to use the user
> I have to add an attribute to XACML request.
> In particular, I have to add:
> <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string">
> <AttributeValue> <!-- LDAPDN --> </AttributeValue>
> </Attribute>
> Is it correct?
Yes, that is correct. The subject-id attribute gives the (distinguished)
name of the subject.
> How can I verify that that LDAPDN refers to a subject with the Role necessary to perform the Action?
In the example you had earlier, you included a validated attribute in
your request context, i.e. you would have had something like:
In this case no credential validation checking is done as it is assumed
that the credential has already been validated.
Now, if you wanted to do credential validation, you could push the
base64 encoding of an X.509 AC for your subject in the request. That is,
you would use something like
<AttributeValue>base64 encoding of certificate here</AttributeValue>
Then only if the student role (say) was (indirectly) assigned by an SOA
(Source of Authority) would it validate and would the subject get
assigned the subject role.
> Thank you very much for your help
> Kind regards
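As an added illustration of the exchange above (not code from the thread or from PERMIS): a minimal XACML 2.0 request built with and without the subject-id attribute, plus a PEP-side check that mirrors the "DN: null" symptom. The role attribute id is assumed from the XACML RBAC profile, and the decision function is a toy stand-in for the real PDP, not PERMIS's logic.

```python
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:2.0:context:schema:os"    # XACML 2.0 request-context namespace
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"   # attribute id from the thread
ROLE_ID = "urn:oasis:names:tc:xacml:2.0:subject:role"    # assumed: RBAC-profile role attribute
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"


def _attr(parent, attr_id, value):
    """Append one <Attribute AttributeId=... DataType=string><AttributeValue>value</AttributeValue>."""
    a = ET.SubElement(parent, f"{{{NS}}}Attribute", AttributeId=attr_id, DataType=XS_STRING)
    ET.SubElement(a, f"{{{NS}}}AttributeValue").text = value


def build_request(subject_dn, roles, action):
    """Build a minimal XACML 2.0 Request; subject_dn=None reproduces the unnamed-subject case."""
    ET.register_namespace("", NS)
    req = ET.Element(f"{{{NS}}}Request")
    subj = ET.SubElement(req, f"{{{NS}}}Subject")
    if subject_dn is not None:
        _attr(subj, SUBJECT_ID, subject_dn)        # the LDAP DN of the subject
    for role in roles:
        _attr(subj, ROLE_ID, role)                 # pre-validated role, as in the thread's first example
    ET.SubElement(req, f"{{{NS}}}Resource")
    _attr(ET.SubElement(req, f"{{{NS}}}Action"), ACTION_ID, action)
    return ET.tostring(req, encoding="unicode")


def subject_from_request(xml_text):
    """Return (subject DN or None, set of roles) read back from the request's Subject element."""
    root = ET.fromstring(xml_text)
    dn, roles = None, set()
    for a in root.iterfind(f"{{{NS}}}Subject/{{{NS}}}Attribute"):
        value = a.findtext(f"{{{NS}}}AttributeValue")
        if a.get("AttributeId") == SUBJECT_ID:
            dn = value
        elif a.get("AttributeId") == ROLE_ID:
            roles.add(value)
    return dn, roles


def decide(xml_text, required_roles):
    """Toy RBAC decision: a nameless subject is Indeterminate; otherwise Permit iff it holds all roles."""
    dn, roles = subject_from_request(xml_text)
    if dn is None:
        return "Indeterminate"   # corresponds to "create a PERMIS Subject with DN: null"
    return "Permit" if set(required_roles) <= roles else "Deny"
```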