security-services message
Subject: XPath Attribute Profile: XPath as an Identifier
- From: "Cameron Morris" <cmorris@novell.com>
- To: <security-services@lists.oasis-open.org>
- Date: Tue, 05 Apr 2005 15:05:28 -0600
Liberty's EP profile didn't restrict the XPath but stated that at a minimum it must have a "slash separated path to any depth. The path is always anchored at the document root and may not contain any wild cards or empty nodes."
I think we can use this restriction of xpath as an Identifier, with the addition of positional predicates. I'll take a look at the xCap spec from IETF, thanks Arnaud Sahuguet for the reference. It looks like XSquirrel is slightly different than what I was thinking because I really do want the specific nodes in the document (but it's good to know about it).
Other thoughts:
- "urn:xpath" as a prefix: Is it safe to just use xpath directly (name="/pp/LegalName/CommonName") or does it need to have some clarifying prefix (name="urn:some_name_clarifying_that_this_is_an_xpath_name:/pp/LegalName/CommonName")? I suppose the problem is that XPath is a URI and I'm trying to put it into a URN.
- If an xpath query results in multiple nodes in the same path, the path can be specified by an xpath identifier (restricted xpath) and the values can be placed in the multivalued <value> elements in SAML attributes.
- One thing I had wrong: Liberty queries will return the element tag specified in the XPath, rather than just the values inside that element tag (I suggested the latter in some examples).
- If we are uncomfortable having a query for one attribute return multiple attributes, we could also restrict the query attributes to be xpath identifiers.
More exploratory examples:
Suppose some document looks like this:
</body>
<body>
<thing name="thing3"/>
</body>
This shows how positional predicates may be needed, as well as multiple attributes and multi-valued attributes.
Query: <AttributeQuery>...<Attribute name="/root/body/thing"/></AttributeQuery>
Result:
<saml:Attribute name="/root/body[1]/thing">
  <value><thing>thing1</thing></value>
  <value><thing>thing2</thing></value>
</saml:Attribute>
<saml:Attribute name="/root/body[2]/thing">
  <value><thing name="thing3"/></value>
</saml:Attribute>
Maybe we need text and attribute functions...
Query: <AttributeQuery>...<Attribute name="/root/body[1]/thing[2]/text()" /></AttributeQuery>
Result:
<saml:Attribute name="/root/body[1]/thing[2]/text()">
Query: <AttributeQuery>...<Attribute name="/root/body/thing/@name" /></AttributeQuery>
Result:
<saml:Attribute name="/root/body[2]/thing/@name">
Thanks for the feedback everyone,
- Cameron
Cameron Morris
Novell, Inc., the leading provider of Linux and identity solutions
http://www.novell.com
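
The following is an added example, not part of the original message or of any SAML or Liberty text: a validator for the restricted "XPath as identifier" form discussed above (root-anchored, slash-separated, no wildcards or empty nodes, positional predicates and a trailing text() or @attribute allowed), plus a resolver that groups query results under fully positioned identifiers the way the message's examples do. The names `is_xpath_identifier` and `resolve` are hypothetical, the sample document is reconstructed from the results quoted in the message, the grouping rule is one reading of those examples, and namespace prefixes are not handled.

```python
import re
import xml.etree.ElementTree as ET

# Restricted form: root-anchored, slash-separated element names, optional
# positional predicate [n] with n >= 1, optional trailing text() or @attr.
# Wildcards, empty steps (//), axes, functions and boolean predicates fail.
NAME = r"[A-Za-z_][\w.-]*"
IDENTIFIER = re.compile(rf"(?:/{NAME}(?:\[[1-9]\d*\])?)+(?:/text\(\)|/@{NAME})?")

# Constructed sample, reconstructed from the results quoted in the message.
DOC = ('<root><body><thing>thing1</thing><thing>thing2</thing></body>'
       '<body><thing name="thing3"/></body></root>')

def is_xpath_identifier(path):
    return IDENTIFIER.fullmatch(path) is not None

def _children(elem, step):
    """Children selected by one step, as (child, position, sibling count)."""
    name, _, pos = step.rstrip("]").partition("[")
    same = [c for c in elem if c.tag == name]
    picked = same[int(pos) - 1:int(pos)] if pos else same
    return [(c, same.index(c) + 1, len(same)) for c in picked]

def resolve(xml_text, query):
    """Return {fully positioned identifier: [values]} for a restricted query."""
    if not is_xpath_identifier(query):
        raise ValueError(f"not a restricted XPath identifier: {query!r}")
    steps = query.strip("/").split("/")
    leaf = steps.pop() if steps[-1][0] == "@" or steps[-1] == "text()" else None
    top = ET.Element("document")          # synthetic parent so the root is a step
    top.append(ET.fromstring(xml_text))
    current = [(top, "")]
    for step in steps[:-1]:               # pin every ancestor to one node
        current = [(c, f"{path}/{c.tag}" + (f"[{i}]" if n > 1 else ""))
                   for elem, path in current for c, i, n in _children(elem, step)]
    result = {}
    for elem, path in current:            # group the last step under its parent
        for child, _, _ in _children(elem, steps[-1]):
            if leaf is None:
                value = ET.tostring(child, encoding="unicode")
            elif leaf == "text()":
                value = child.text
            else:
                value = child.get(leaf[1:])
            if value is not None:
                key = f"{path}/{steps[-1]}" + (f"/{leaf}" if leaf else "")
                result.setdefault(key, []).append(value)
    return result
```

Because the query name is matched against a closed grammar before anything touches the document, the attribute name never has to be handed to a general XPath evaluator.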