
xacml-comment message



Subject: Re: [xacml-comment] 5.31 Element <AttributeSelector>



Michiharu Kudoh wrote:

>2.
>"... it must also match the attribute's data-type ..." I think 'it' means
>the value(s) selected by XPath. For example,
>
><Request>
>  <Subject>
>    <Attribute AttributeId="...subject-id" DataType="...XMLSchema#integer">
>      <AttributeValue>123</AttributeValue>
>    </Attribute>
>  </Subject>
>  ...
></Request>
>
><AttributeSelector RequestContextPath="Subject/Attribute[AttributeId
>= '...subject-id']/AttributeValue"/>
>should return "123" that must be an integer from the DataType attribute.
>When "subject-id" matches two attributes, then both values must be
>integers.
>

In your example the AttributeSelector must include a DataType. I'll
assume that it is the same type as the attribute that's being selected.
So, DataType="...XMLSchema#integer"

The result of executing the given XPath expression within a context
where the Request node is the context node will be a nodeset containing
a single element node. The node will have a type of AttributeValue and
a value of '123'.

If the example request contained multiple subject attributes with the
given AttributeId then the result of the expression evaluation would be
a nodeset containing multiple element nodes, regardless of whatever type
is specified by the AttributeSelector and Attributes.

If you want to enforce type correctness between the selector and the
values then you have these choices... 1) The author of the XPath
expression must write the expression so that it matches both the
AttributeId and the DataType.

Subject/Attribute[AttributeId= '...subject-id' and DataType="..."]/AttributeValue

or, 2) the processor must enforce the type correctness. Option 1 is clearly
error prone as people just won't bother, option 2 could be quite hard.
[Although using the AttributeValue as the context node you could say
"../@DataType"]

How is the selected node converted into a value? You can convert a node
into a string-value, as defined in the XPath spec. You then have a choice
of using the string to value conversions that are defined in XPath, or use
the conversions as defined in XACML. I would specify the latter, as
XPath has some oddities in this area. (i.e. The string 'false' has the
boolean value true.)

The next problem is working out which type to convert the string-value
into. If we assume that the author or processor has checked that the
selector and value types match then we can use the DataType specified
in the selector.

Another example that should be explored is an XPath expression executed
over the ResourceContent. In this case there are no DataTypes provided
with the values, so there's no type checking that can be performed. We
can only assume that the value provided is a valid representation for
an instance of the value of DataType specified in the selector. If the value
can not be coerced into that DataType then what should the processor
return?

>3.
>I think that the following XPath returns a boolean type: boolean
>("Subject/Attribute[AttributeId='...subject-id']/AttributeValue").
>
Nope. I think this is the basis of the problem in the specification.

John
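
Added example, not part of the message above or of the XACML specification: a Python sketch of the two choices discussed (type predicate in the path versus processor-enforced type agreement) and of converting the string-value by XML Schema lexical rules instead of XPath's boolean(). The `urn:example:` ids, the function names and the choice to raise on a failed coercion are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

XS = "http://www.w3.org/2001/XMLSchema#"

# Constructed sample request: two attributes share an AttributeId but differ in DataType.
REQUEST = ET.fromstring(f"""
<Request>
  <Subject>
    <Attribute AttributeId="urn:example:subject-id" DataType="{XS}integer">
      <AttributeValue>123</AttributeValue>
    </Attribute>
    <Attribute AttributeId="urn:example:subject-id" DataType="{XS}string">
      <AttributeValue>alice</AttributeValue>
    </Attribute>
    <Attribute AttributeId="urn:example:flag" DataType="{XS}boolean">
      <AttributeValue>false</AttributeValue>
    </Attribute>
  </Subject>
</Request>""")

def xpath_boolean(s):
    """XPath 1.0 boolean(string): true for every non-empty string."""
    return len(s) > 0

def coerce(text, datatype):
    """Convert a node's string-value using XML Schema lexical forms."""
    t = text.strip()
    if datatype == XS + "boolean" and t in ("true", "false", "1", "0"):
        return t in ("true", "1")
    if datatype == XS + "integer" and re.fullmatch(r"[+-]?\d+", t):
        return int(t)
    if datatype == XS + "string":
        return text
    raise ValueError(f"{text!r} is not a valid {datatype}")  # assumed failure behaviour

def select(request, attribute_id, selector_type, filter_by_type=False):
    """Choice 1 (filter_by_type): predicate on DataType. Choice 2: processor check."""
    path = f"Subject/Attribute[@AttributeId='{attribute_id}']"
    if filter_by_type:
        path += f"[@DataType='{selector_type}']"
    values = []
    for attr in request.findall(path):
        if attr.get("DataType") != selector_type:
            raise TypeError(f"selector is {selector_type}, attribute is {attr.get('DataType')}")
        values.extend(coerce(n.text or "", selector_type) for n in attr.findall("AttributeValue"))
    return values
```

With the sample request, the boolean selector yields `[False]` where XPath's own conversion of the string 'false' would give true, and the integer selector over `subject-id` is rejected unless the path also filters on DataType.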


