xacml-comment message



Subject: Work continues ...


Hi,

the simple type EffectType is only specified in the XML Schema, not in 
the normative text.

Is there any defined behaviour for circular <VariableDefinition>s? See 
the appended file circvar.pol for an example. sunxacml currently 
produces a stack overflow. Maybe it would be sane to require an 
"Indeterminate" result. See section 7.7, which is currently silent about 
this issue.

Please check the whole standard for instances where the XML Schema 
deviates from the normative text, but is more correct than the normative 
text. Especially the [Optional] text where [Any Number] is meant.

5.28 has a bug. If a <Function> element has an <Apply> with a bag 
function as parent, this doesn't necessarily mean that the function is 
applied to all elements of the bags. (hint: any-of-any) Please remove 
this redundant and harmful statement.

In section 5.29, you mention some explicit cases where an 
<AttributeDesignator> MAY appear. This doesn't imply anything, but it 
sounds like you wanted to say that an <AttributeDesignator> SHALL NOT 
appear directly in a <VariableDefinition>, for example.

By the way, the normative text often fails to state the data type of 
the element's attributes, for example in 5.29.

5.31 fails to state that an <AttributeValue> is an <Expression>. The 
normative text should be aligned to the XML Schema fragment.

What is the difference between "... element has the following ..." and 
"... element contains the following ..."? Why are two different forms 
used here?

Since you decided to drop the two distinct namespaces (xacml and 
xacml-context), why are all XACML elements still prefixed with "xacml:"? 
Isn't that redundant?

5.37: The XML Schema fragment allows arbitrary XML content, while the 
normative text ("notational placeholder for additional /attributes/") 
sounds a bit more restrictive. Is that restriction really intended?

Does 5.40 imply that a Deny-biased PEP (7.1.2) may silently discard any 
obligations that have Effect="Deny"?

In 5.45, you should double-check whether the word "rule" really means 
the one defined in the glossary or not.

5.46: <AttributeValue> is an element, not an attribute.

To be continued ...

Roland

Attachment: circvar.pol

<?xml version="1.0" encoding="UTF-8"?>
<Policy PolicyId="urn:uuid:id0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides" xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
 <Target/>
 <VariableDefinition VariableId="var1">
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-add">
   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">1</AttributeValue>
   <VariableReference VariableId="var2"/>
  </Apply>
 </VariableDefinition>
 <VariableDefinition VariableId="var2">
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-add">
   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">1</AttributeValue>
   <VariableReference VariableId="var1"/>
  </Apply>
 </VariableDefinition>
 <Rule RuleId="urn:uuid:id1" Effect="Permit">
  <Target/>
  <Condition>
   <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">1</AttributeValue>
    <VariableReference VariableId="var2"/>
   </Apply>
  </Condition>
 </Rule>
</Policy>
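The circular-reference case raised in the message above, as an added example that is not part of Roland's message, of sunxacml, or of the XACML specification: a small Python resolver that detects <VariableReference> cycles among a policy's <VariableDefinition>s when the policy is loaded and, at evaluation time, returns Indeterminate for a <Condition> it cannot expand instead of recursing until the stack overflows. The supported expression subset (xs:integer <AttributeValue>, integer-add, integer-equal), the decision vocabulary and the second, acyclic policy are constructed for the example; the first policy is the appended circvar.pol.

```python
import xml.etree.ElementTree as ET

XACML = "{urn:oasis:names:tc:xacml:2.0:policy:schema:os}"
INTEGER_ADD = "urn:oasis:names:tc:xacml:1.0:function:integer-add"
INTEGER_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:integer-equal"

# Constructed sample 1: the circular policy from circvar.pol (var1 -> var2 -> var1).
CIRCULAR_POLICY = """<Policy PolicyId="urn:uuid:id0"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides"
  xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
 <Target/>
 <VariableDefinition VariableId="var1">
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-add">
   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">1</AttributeValue>
   <VariableReference VariableId="var2"/>
  </Apply>
 </VariableDefinition>
 <VariableDefinition VariableId="var2">
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-add">
   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">1</AttributeValue>
   <VariableReference VariableId="var1"/>
  </Apply>
 </VariableDefinition>
 <Rule RuleId="urn:uuid:id1" Effect="Permit">
  <Target/>
  <Condition>
   <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">1</AttributeValue>
    <VariableReference VariableId="var2"/>
   </Apply>
  </Condition>
 </Rule>
</Policy>"""

# Constructed sample 2 (assumed, not from the message): same policy, but var2 becomes
# integer-add(1, 41) = 42 and the Condition compares 42 against var2, so it holds.
# The 4-space indent selects the Condition's AttributeValue; the definitions use 3.
ACYCLIC_POLICY = CIRCULAR_POLICY.replace(
    '<VariableReference VariableId="var1"/>',
    '<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">41</AttributeValue>',
).replace(
    '    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">1</AttributeValue>',
    '    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">42</AttributeValue>',
)


class CircularVariableReference(Exception):
    """A <VariableReference> whose expansion leads back to itself."""


def _local(tag):
    return tag.rsplit("}", 1)[-1]


def variable_definitions(root):
    """Map VariableId -> the single Expression child of each <VariableDefinition>."""
    return {vd.get("VariableId"): vd[0] for vd in root.findall(f"{XACML}VariableDefinition")}


def reference_cycles(defs):
    """Static load-time check: VariableIds that sit on a reference cycle (DFS, three colours)."""
    graph = {vid: {ref.get("VariableId") for ref in expr.iter(f"{XACML}VariableReference")}
             for vid, expr in defs.items()}
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {}
    cyclic = set()

    def visit(vid, path):
        colour[vid] = GREY
        for ref in graph.get(vid, ()):
            state = colour.get(ref, WHITE)
            if state == GREY:               # back edge: ref is still on the current path
                cyclic.update(path[path.index(ref):])
            elif state == WHITE:
                visit(ref, path + [ref])
        colour[vid] = BLACK

    for vid in graph:
        if colour.get(vid, WHITE) == WHITE:
            visit(vid, [vid])
    return cyclic


def cycles_in(policy_xml):
    return reference_cycles(variable_definitions(ET.fromstring(policy_xml)))


def evaluate(expr, defs, in_progress=frozenset()):
    """Evaluate the small subset used here. `in_progress` holds the VariableIds whose
    definitions are currently being expanded; meeting one again is a cycle."""
    kind = _local(expr.tag)
    if kind == "AttributeValue":
        return int(expr.text)               # only xs:integer is needed for these policies
    if kind == "VariableReference":
        vid = expr.get("VariableId")
        if vid in in_progress:
            raise CircularVariableReference(vid)
        if vid not in defs:
            raise LookupError(f"undefined variable {vid}")
        return evaluate(defs[vid], defs, in_progress | {vid})
    if kind == "Apply":
        args = [evaluate(child, defs, in_progress) for child in expr]
        fn = expr.get("FunctionId")
        if fn == INTEGER_ADD:
            return sum(args)
        if fn == INTEGER_EQUAL:
            return args[0] == args[1]
    raise ValueError(f"unsupported expression {kind}")


def evaluate_rules(policy_xml):
    """One decision per <Rule>: a Condition that cannot be evaluated (cycle, undefined
    variable, unsupported function, exhausted stack) yields Indeterminate."""
    root = ET.fromstring(policy_xml)
    defs = variable_definitions(root)
    decisions = []
    for rule in root.findall(f"{XACML}Rule"):
        condition = rule.find(f"{XACML}Condition")
        try:
            holds = condition is None or evaluate(condition[0], defs)
        except (CircularVariableReference, LookupError, ValueError, RecursionError):
            decisions.append("Indeterminate")
            continue
        decisions.append(rule.get("Effect") if holds else "NotApplicable")
    return decisions


if __name__ == "__main__":
    print("cycles in circvar.pol:", sorted(cycles_in(CIRCULAR_POLICY)))
    print("circular:", evaluate_rules(CIRCULAR_POLICY), " acyclic:", evaluate_rules(ACYCLIC_POLICY))
```

Both checks are useful: the load-time pass rejects the policy before any request reaches it (the cheap place to catch a misconfigured or hostile policy), while the in-progress set in the evaluator is the defence that still holds for definitions pulled in lazily or across policy sets.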
