Re: [security-services] Groups - XPath Attribute Profile(draft-saml2-xpath-attribute-profile.sxw) uploaded

["Cameron Morris" <cmorris@novell.com>]

>I would be very interested in ideas people have for defining a subset of
>XPath that can be used for uniquely identifying Attributes within an XML
>document, even if that subset restricts the ability to identify
>Attributes based on query functions.

Good point.  The Liberty data template specification lets each service define whether or not to support full xpath or not.  If full xpath is not supported, the supported xpath identifiers for each attribute are enumerated by the service definition.

 

A restricted XPath used only for identifying nodes I think is certainly possible.  It would only include the xml document structure with probably the positional expressions: no wild-cards, descendant-of, ancestor-of, or other functions.

 

Also I think full XPath could be used in an attribute query, where the restricted xpath would apply to attribute statements and metadata.  Would it seem weird that one attribute name in a query could result in multiple attributes returned?

 

 

Here are some exploratory examples:

Suppose some document looks like this:

<root>

   <body>

      <thing>thing1</thing>

      <thing>thing2</thing>

   </body>

</root>

 

An attribute query with an xpath attribute name of "/root/body/thing[2]" could result in the following:

<saml:Attribute name="uri:xpath:/root/body/thing[2]">

   <value>thing2</value>

</saml:Attribute>

 

"uri:xpath:/root/body" results:

<saml:Attribute name="uri:xpath:/root/body">

   <value>

      <thing>thing1</thing>

      <thing>thing2</thing>

   </value>

</saml:Attribute>

 

"uri:xpath:/root/body/thing" results:

<saml:Attribute name="uri:xpath:/root/body/thing[1]">

   <value>thing1</value>

</saml:attribute>

<saml:Attribute name="uri:xpath:/root/body/thing[2]">

   <value>thing2</value>

</saml:attribute>

 

- Cameron