xacml-comment message



Subject: [xacml-comment] Making MatchId and FunctionId argument order the same


I have identified the exact changes required in order for us to
make the arguments to a MatchId function appear in the same order
as the arguments to a FunctionId function.  I believe they are
not nearly so extensive as we thought, and that we should make
this change.  Otherwise, we will have to live with this major,
confusing inconsistency forever.

In general:

a. Redefine the -match functions such that the template is the
   second argument and the explicit value is the first argument.
   a. rfc822Name-match
   b. x500Name-match
   c. regexp-string-match  [rename to string-regexp-match]
   d. xpath-node-match

b. Specify that Match element arguments are passed to the MatchId
   function in the same order in which they appear in the Match
   element.

c. NO changes are required in the schema.

d. NO changes are required in the examples, as -match functions
   appear only in example <Target> elements, where they are
   already in the new, correct order.

Specific changes required:

A.12.Matching elements

1. Change pdf:3538-3543 (but from new A.12 Matching elements
   version) from:

   The attribute value specified in the matching element SHALL be
   supplied to the MatchId function as its first argument.  An
   element of the bag returned by the <AttributeDesignator> or
   <AttributeSelector> element SHALL be supplied to the MatchId
   function as its second argument1.  The datatype of the
   <AttributeDesignator> or <AttributeSelector> element SHALL
   match the datatype of the second argument expected by the
   MatchId function.  The datatype of the attribute value SHALL
   match the datatype of the first argument expected by the
   MatchId function.

   to:

   An element of the bag returned by the <AttributeDesignator> or
   <AttributeSelector> element SHALL be supplied to the MatchId
   function as its first argument1.  The attribute value
   specified in the matching element SHALL be supplied to the
   MatchId function as its second argument.  The datatype of the
   <AttributeDesignator> or <AttributeSelector> element SHALL
   match the datatype of the first argument expected by the
   MatchId function.  The datatype of the attribute value SHALL
   match the datatype of the second argument expected by the
   MatchId function.

2. Change pdf:3508-3510 (but in new Appendix A.12 version) from:

   Otherwise, the MatchId function SHALL be applied between the
   explicit attribute value and each element of the bag returned
   from the <AttributeDesignator> or <AttributeSelector> element.

   to:

   Otherwise, the MatchId function SHALL be applied between each
   element of the bag returned from the <AttributeDesignator> or
   <AttributeSelector> element and the explicit attribute value.

3. Remove footnote from new version of Appendix A.12

4. Replace pdf:3526-3529 (but in new Appendix A.12 version) from:

    <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match"/>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">John.*</AttributeValue>
    <SubjectAttributeDesignator
         AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
         DataType="http://www.w3.org/2001/XMLSchema#string"/>

   to:

    <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match"/>
    <SubjectAttributeDesignator
         AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
         DataType="http://www.w3.org/2001/XMLSchema#string"/>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">John.*</AttributeValue>


A.14.12 Special match functions

5. Redefine regexp-string-match: Change pdf:4250-4253 from

   The first argument SHALL be a regular expression and the
   second argument SHALL be a general string.  The function
   specification SHALL be that of the "xf:match" function with
   the arguments reversed [XF Section 6.3.15.1].

   to:

   The first argument SHALL be a general string and the
   second argument SHALL be a regular expression.  The function
   specification SHALL be that of the "xf:match" function [XF
   Section 6.3.15.1].

6. Redefine x500Name-match: Change pdf:4256-4258 from:

   It shall return "True" if and only if some terminal sequence
   of RDNs from the first argument matches the second argument
   when compared using x500Name-equal.

7. Redefine rfc822Name-match: Change pdf:4260-4282 to:

   This function SHALL evaluate to "True" if the first argument
   matches the second argument according to the following
   specification.

   An RFC822 name consists of a local-part followed by "@"
   followed by domain-part.  The local-part is case-sensitive,
   while the domain-part (which is usually a DNS name) is not
   case-sensitive.1

   This function SHALL take two arguments, the first is of type
   "urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name" and the
   second is of type "http://www.w3.org/2001/XMLSchema#string"
   and SHALL return an
   "http://www.w3.org/2001/XMLSchema#boolean".  The first
   argument contains a complete rfc822Name.  The second argument
   is a complete or partial rfc822Name used to select appropriate
   values in the first argument as follows.

   In order to match a particular mailbox in the first argument,
   the second argument must specify the complete mail address to
   be matched.  For example, if the second argument is
   "Anderson@sun.com", this matches a value in the first argument
   of "Anderson@sun.com" and "Anderson@SUN.COM", but not
   "Anne.Anderson@sun.com", "anderson@sun.com" or
   "Anderson@east.sun.com".

   In order to match any mail address at a particular domain in
   the first argument, the second argument must specify only a
   domain name (usually a DNS name).  For example, if the second
   argument is "sun.com", this matches a value in the first
   argument of "Anderson@sun.com" or "Baxter@SUN.COM", but not
   "Anderson@east.sun.com".

   In order to match any mail address in a particular domain in
   the first argument, the second argument must specify the
   desired domain-part with a leading ".".  For example, if the
   second argument is ".east.sun.com", this matches a value in
   the first argument of "Anderson@east.sun.com" and
   "anne.anderson@ISRG.EAST.SUN.COM" but not "Anderson@sun.com".

8. Change A.14.13 pdf:4303-4313 from:

   xpath-node-match

   This function SHALL take two
   "http://www.w3.org/2001/XMLSchema#string" arguments, which
   SHALL be interpreted as XPath expressions and SHALL return an
   "http://www.w3.org/2001/XMLSchema#boolean".  This function
   SHALL first extend the first argument to match an XML document
   in a hierarchical fashion.  If a is an XPath expression and it
   is specified as the first argument, it SHALL be interpreted to
   mean match the set of nodes specified by the enhanced XPath
   expression "a | a//* | a//@*".  In other words, the expression
   a SHALL match all elements and attributes below the element
   specified by a.  This function SHALL evaluate to "True" if any
   XML node that matches the enhanced XPath expression is equal
   according to "op:node-equal" [XQO] to any XML node from the
   node-set matched by the second argument.

   to:

   xpath-node-match

   This function SHALL take two
   "http://www.w3.org/2001/XMLSchema#string" arguments, which
   SHALL be interpreted as XPath expressions and SHALL return an
   "http://www.w3.org/2001/XMLSchema#boolean".  This function
   SHALL first extend the second argument to match an XML document
   in a hierarchical fashion.  If 'a' is an XPath expression and it
   is specified as the second argument, it SHALL be interpreted to
   mean match the set of nodes specified by the enhanced XPath
   expression "a | a//* | a//@*".  In other words, the expression
   a SHALL match all elements and attributes below the element
   specified by 'a'.  This function SHALL evaluate to "True" if any
   XML node that matches the enhanced XPath expression is equal
   according to "op:node-equal" [XQO] to any XML node from the
   node-set matched by the first argument.

9. Throughout the specification, change "regexp-string-match" to
   "string-regexp-match"

10. Many conformance tests will need to be changed, as they often
    use -match functions in Apply elements.  I can make these in
    one day, however, and I believe the effort is justified.

Anne Anderson
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
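
[Added example, not part of the original message and not OASIS or Sun code.] A Python sketch of the rfc822Name-match semantics proposed in item 7, with the bag application order from item b. The names rfc822name_match, match_bag and CASES are hypothetical, and the "any element matches" rule in match_bag is an assumption, not something this message states.

```python
"""Added illustration of the proposed rfc822Name-match (item 7)."""


def _split(address):
    # Split at the last "@": the local-part stays case-sensitive,
    # the domain-part is folded to lower case (not case-sensitive).
    local, sep, domain = address.rpartition("@")
    if not (sep and local and domain):
        raise ValueError(f"not a complete rfc822Name: {address!r}")
    return local, domain.lower()


def rfc822name_match(name, pattern):
    """Proposed order: complete rfc822Name first, complete or partial second."""
    local, domain = _split(name)
    if "@" in pattern:                    # one particular mailbox
        return (local, domain) == _split(pattern)
    if pattern.startswith("."):           # any address in the domain
        # Assumption: compare on a "." boundary so ".east.sun.com" also
        # covers east.sun.com itself, as the example in the message does.
        return ("." + domain).endswith(pattern.lower())
    return domain == pattern.lower()      # any address at exactly this domain


def match_bag(match_fn, bag, explicit_value):
    """Item b: each bag element is argument 1, the explicit value argument 2.

    Assumption: the Match succeeds if any single application is True.
    """
    return any(match_fn(element, explicit_value) for element in bag)


# Constructed sample input: the addresses quoted in the message's examples.
CASES = {
    "Anderson@sun.com": ["Anderson@sun.com", "Anderson@SUN.COM",
                         "Anne.Anderson@sun.com", "anderson@sun.com",
                         "Anderson@east.sun.com"],
    "sun.com": ["Anderson@sun.com", "Baxter@SUN.COM", "Anderson@east.sun.com"],
    ".east.sun.com": ["Anderson@east.sun.com",
                      "anne.anderson@ISRG.EAST.SUN.COM", "Anderson@sun.com"],
}

if __name__ == "__main__":
    for pattern, names in CASES.items():
        for name in names:
            print(f"{name!r} vs {pattern!r}: {rfc822name_match(name, pattern)}")
```

In this sketch, passing a partial name such as "sun.com" in the first position raises ValueError, so a caller still using the old argument order fails visibly instead of evaluating to a quiet "False".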


