[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: [xacml-comment] Inconsistent specification of <*Match> elements and-match functions
Problem: MatchId functions used in a target take one AttributeDesignator or AttributeSelector argument, and one literal AttributeValue argument. The order of the two arguments is specified differently in different parts of the specification. Also, the *-match functions can only be used in a Target if the order of their arguments (template, specific value) agree with the order of arguments in a MatchId function (the AttributeDesignator or AttributeSelector, and the literal value). Recommendation: Option 1: Specify that the first argument to each *-match function is the specific value to be compared to the template, and the second argument is the template. To be consistent, rename "regexp-string-match" to "string-regexp-match". This requires the least change to the specification. Option 2: Specify that the first argument to a MatchId function is a literal AttributeValue and the second argument is the AttributeDesignator or AttributeSelector. Text locations where references occur: 1 must change if Option 1 selected 2 must change if Option 2 selected 2 - Every occurrence of <SubjectMatch, <ResourceMatch, or <ActionMatch except as called out below: Change order of AttributeSelector or AttributeDesignator argument and AttributeValue argument 2 - Section A.12 lines 3491-3493: reword as follows: "Each argument to the named function MUST match the appropriate primitive types for the explict attribute value and the following <AttributeDesignator> or <AttributeSelector> element, ... 1 - Section A.12, lines 3493-3496: reword as follows: "... such that an element of the bag returned by the <AttributeDesignator> or <AttributeSelector> element is placed as the first argument to the function, and the explicit attribute value is placed as the second argument to the function." 1 - Section A.14.12, lines 4250-4281: reverse order of arguments in the specifications for the -match functions, such that the first argument is the full value to be compared to the template or dominating value, and the second argument is the template or dominating (higher in the tree of values) value. 2 - Section A.14.13, lines 4306-4313: the specification of the xpath-node-match function probably needs to change to be consistent with the above if xpath-node-match is to be allowed in a Target expression. Note that several examples use xpath-node-match as MatchId functions, and line 3503 implies that this is permissable, but lines 3535-3540 indicate that xpath-node-match is NOT permissable in a MatchId function. Anne Anderson -- Anne H. Anderson Email: Anne.Anderson@Sun.COM Sun Microsystems Laboratories 1 Network Drive,UBUR02-311 Tel: 781/442-0928 Burlington, MA 01803-0902 USA Fax: 781/442-1692
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC