[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: Issue: Request query language
As described in the SAML spec "Request Message" section, starting on roughly line 632, there are 2 types of queries listed: 1) A new request language specified by name/value pairs 2) A new request language specified by a "template", that is filled in in some pre-determined language. I offer two additional alternatives 3) XPath/XPointer[1] 4) XML Query [2] It is my belief that we do not want to create a query language. The creation of operations that intersect with the constraints expressible can be very difficult. I'd rather re-use portions of an existing language so we don't have to explain our grammer, rules, operations, and parser. I assert (albeit weakly at this time) that XML Query should be examined for this. I believe we will define a model - perhaps as a virtual document - that can be queried against - assertions of different types in a collection - where we will want powerful expression capabilities. I don't think we would need all of XML Queries abilities - such as defining functions or manipulation of the output. Using a W3C query syntax would also assist in deploying SAML in the W3C when the W3C decides to define or specify best practices for security in web services. To illustrate, let's try a sample query: "Is carol allowed to access resource Y when using an x509 cert?", with a response of yes. In all examples, I'll exclude the end-tags for brevity. Now Phil's vmodel core document expresses these as: Request: <AssertionQuery> <Resources> <string>http://store.carol.test/finance <Subject> <ds:KeyInfo> <ds:X509Data>... Response: <SAML> <AssertionID>http://www.bizexchange.test/assertion/AE0221 <Issuer>URN:dns-date:www.bizexchange.test:2001-01-03:19283 <ValidityInterval><NotBefore><NotOnOrAfter> <Conditions><Audience>http://www.bizexchange.test/rule_book.html <Subject><ds:KeyInfo><ds:X509Data>... <Resources> <string>http://store.carol.test/finance So here's how I think the queries would look given the 4 alternatives: 1) <requestidentifier> <PrototypeAssertionsList> <PrototypeAssertion> <FieldType>AssertionResource <FieldValue>http://store.carol.test/finance <PrototypeAssertion> <Fieldtype>AssertionSubject <FieldValue><ds:KeyInfo><ds:X509Data>... 2) <requestidentifier> <PrototypeAssertionsList> <PrototypeAssertion> <AssertionID> <Issuer> <Subject><ds:KeyInfo><ds:X509Data>... <Resources><string>http://store.carol.test/finance 3) <requestidentifier> <Resource expr="VirtualAssertionList.xml#SAML/Resource[@string=http://store.carol.test /finance]/../Subject/KeyInfo/X509Data[@someinternalelement=carol]"> <!-- See how the request is constructed as a string rather than a set of nodes. Therefore booleans can content values can be done --> <!-- Note that I'm not completely sure if this is valid XPath syntax, Eve would know for sure --> 4) <requestidentifier> FOR $S IN document("VirtualAssertionList.xml")//SAML WHERE $S/Resource/string = "http://store.carol.test/finance" AND $S/Subject/KeyInfo/X509Data/someinternalelement = "carol" RETURN $S <!-- now we're cooking with gas as we can do just about any type of expression possible, and we haven't created a new syntax --> It all depends upon how complex the queries and results will be. I have a feeling people are wanting complex queries - which leans to more of an XQuery language. If it turns out that all of our queries are fairly simple, then I'm more comfortable with inventing a simple syntax. [1]http://www.w3.org/TR/xpath.html [2]http://www.w3.org/TR/xquery/ Dave Orchard XML Architect Jamcracker Inc., 19000 Homestead Dr., Cupertino, CA 95014 p: 408.864.5118 m: 604.908.8425 f: 408.725.4310 www.jamcracker.com - Sounds like a job for Jamcracker.
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC