Subject: Re: [xacml-comment] 5.31 Element <AttributeSelector>
Michiharu Kudoh wrote:

>2.
>"... it must also match the attribute's data-type ..." I think 'it' means
>the value(s) selected by XPath. For example,
>
><Request>
>  <Subject>
>    <Attribute AttributeId="...subject-id" DataType="...XMLSchema#integer">
>      <AttributeValue>123</AttributeValue>
>    </Attribute>
>  </Subject>
>  ...
></Request>
>
><AttributeSelector RequestContextPath="Subject/Attribute[AttributeId
>= '...subject-id']/AttributeValue"/>
>should return "123" that must be an integer from the DataType attribute.
>When "subject-id" matches two attributes, then both values must be
>integers.
>

In your example the AttributeSelector must include a DataType. I'll assume that it is the same type as the attribute that's being selected. So, DataType="...XMLSchema#integer"

The result of executing the given XPath expression within a context where the Request node is the context node will be a nodeset containing a single element node. The node will have a type of AttributeValue and a value of '123'.

If the example request contained multiple subject attributes with the given AttributeId then the result of the expression evaluation would be a nodeset containing multiple element nodes, regardless of whatever type is specified by the AttributeSelector and Attributes.

If you want to enforce type correctness between the selector and the values then you have these choices...

1) The author of the XPath expression must write the expression so that it matches both the AttributeId and the DataType.

    Subject/Attribute[AttributeId= '...subject-id' and DataType="..."]/AttributeValue

or,

2) the processor must enforce the type correctness.

Option 1 is clearly error prone as people just won't bother, option 2 could be quite hard. [Although using the AttributeValue as the context node you could say "../@DataType"]

How is the selected node converted into a value?

You can convert a node into a string-value, as defined in the XPath spec. You then have a choice of using the string to value conversions that are defined in XPath, or use the conversions as defined in XACML. I would specify as the latter, as XPath has some oddities in this area. (i.e. The string 'false' has the boolean value true.)

The next problem is working out which type to convert the string-value into. If we assume that the author or processor has checked that the selector and value types match then we can use the DataType specified in the selector.

Another example that should be explored is an XPath expression executed over the ResourceContent. In this case there are no DataTypes provided with the values, so there's no type checking that can be performed. We can only assume that the value provided is a valid representation for an instance of the value of DataType specified in the selector. If the value can not be coerced into that DataType then what should the processor return?

>3.
>I think that the following XPath returns a boolean type: boolean
>("Subject/Attribute[AttributeId='...subject-id']/AttributeValue").
>

Nope. I think this is the basis of the problem in the specification.

John
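
An added illustration of option 2 from the message above, not part of the original post and not taken from any XACML implementation: a processor-side check that compares the selector's DataType with the parent attribute's DataType (the "../@DataType" idea) and converts with XML Schema lexical rules instead of XPath's. The request, the AttributeId values, the `select` helper and the choice to raise `SelectorError` on a mismatch or failed coercion are assumptions made for the example; Python's ElementTree path subset stands in for a full XPath engine, with `@AttributeId` selecting the XML attribute.

```python
import re
import xml.etree.ElementTree as ET

XSD = "http://www.w3.org/2001/XMLSchema#"
# Constructed request context; the AttributeId values are made up.
REQUEST = f"""<Request>
  <Subject>
    <Attribute AttributeId="subject-id" DataType="{XSD}integer">
      <AttributeValue>123</AttributeValue>
    </Attribute>
    <Attribute AttributeId="is-admin" DataType="{XSD}boolean">
      <AttributeValue>false</AttributeValue>
    </Attribute>
  </Subject>
  <Resource><ResourceContent><age>forty</age></ResourceContent></Resource>
</Request>"""

class SelectorError(Exception):
    """Assumed outcome for a type mismatch or a failed coercion."""

def to_integer(text):
    if not re.fullmatch(r"[+-]?[0-9]+", text.strip()):
        raise ValueError(text)
    return int(text)

def to_boolean(text):
    # XML Schema lexical forms; XPath's boolean('false') would be true.
    forms = {"true": True, "1": True, "false": False, "0": False}
    if text.strip() not in forms:
        raise ValueError(text)
    return forms[text.strip()]

CONVERT = {XSD + "integer": to_integer, XSD + "boolean": to_boolean, XSD + "string": str}

def select(request, path, data_type):
    """Evaluate the selector path and return values typed as data_type."""
    parent = {child: node for node in request.iter() for child in node}
    values = []
    for node in request.findall(path):
        owner = parent.get(node)
        declared = owner.get("DataType") if owner is not None else None  # ../@DataType
        if declared is not None and declared != data_type:
            raise SelectorError(f"selector is {data_type}, attribute is {declared}")
        try:
            values.append(CONVERT[data_type]("".join(node.itertext())))
        except ValueError as exc:
            raise SelectorError(f"cannot coerce {exc} to {data_type}") from exc
    return values

def load_request():
    return ET.fromstring(REQUEST)
```

Nodes under ResourceContent carry no DataType, so only the coercion step can reject them, which is the open case the message ends on.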