OASIS Mailing List Archives

xacml-comment message

Subject: Re: [xacml-comment] Multiple decision result of type xpathExpression



Hi Clement,

On 26/08/2013 11:47 PM, Pellerin, Clement wrote:
I'm really struggling to write a non-trivial Policy to authorize my Multiple Decision Request.
Let's assume I want to authorize every element for XML filtering.
The XPath expression I will use to select the nodes will be //*
This will expand into multiple individual requests of the form

      <AttributeValue DataType="urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression" XPathCategory="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">(//*)[N]</AttributeValue>

The goal is to retrieve that node and test some condition about it.
I don't have specific needs, I'm just trying to test my implementation.

I believe the functions are strongly typed in XACML.
The only standard functions that take an xpathExpression as argument are
xpath-node-count, xpath-node-equal and xpath-node-match.
It appears I have to exit the XACML language and write my whole condition
in the XPath expression of xpath-node-equal or xpath-node-match.
Is that the intention of XACML?

Suppose I want to permit elements called Amount if the text value is less than 200.
I can call xpath-node-equal with the XPath expression //Amount[text() < 200]
but it is expensive to discover all the elements that pass the test to check if the current element is one of them.
It would make more sense to retrieve the current element by evaluating (//*)[N]
and testing the node name and text value in XACML.
Unfortunately, I don't think XACML has the Node DataType.
If I could make the XPath context node be (//*)[N] itself, then I could write self::Amount[text()<200]
which is already a lot more efficient.

Any guidance or pointers to real-world examples would be appreciated.


The piece you are missing is the AttributeSelector, which turns nodes into
typed XACML attribute values.

In the context of a request for multiple decisions, your original request would
contain this resource attribute:

    <Attribute AttributeId="urn:oasis:names:tc:xacml:3.0:profile:multiple:content-selector">
      <AttributeValue
        DataType="urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression"
        XPathCategory="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
        >//*</AttributeValue>
    </Attribute>

In each individual decision request I, the attribute above would be replaced by
this attribute:

    <Attribute AttributeId="urn:oasis:names:tc:xacml:3.0:content-selector">
      <AttributeValue
        DataType="urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression"
        XPathCategory="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
        >(//*)[I]</AttributeValue>
    </Attribute>

You can test whether a node is an Amount < 200 in a policy with an expression
like the following:

    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
      <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-less-than"/>
      <AttributeSelector
        Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
        ContextSelectorId="urn:oasis:names:tc:xacml:3.0:content-selector"
        Path="self::Amount/child::text()"
        DataType="http://www.w3.org/2001/XMLSchema#integer"
        MustBePresent="false"/>
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">200</AttributeValue>
    </Apply>

The AttributeSelector applies the Path to the node identified by the "content-selector"
attribute value resulting in a text() node that it turns into an XACML integer value.

Regards,
Steven
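The following is an added example, not code from either message in this thread and not the code of any XACML PDP. It simulates, with the Python standard library only, what the reply describes: the Multiple Decision Profile request with content-selector //* is expanded into one individual request per element, numbered I so that request I carries (//*)[I]; for each one the AttributeSelector with Path self::Amount/child::text() is applied to that node and the resulting bag is fed to any-of(integer-less-than, bag, 200). The <Order> document, the Indeterminate class and the restriction of the selector to the single path shape used in the thread are constructed assumptions for the example; the decision values show why MustBePresent="false" matters (a non-Amount element yields an empty bag and NotApplicable rather than Indeterminate) and what happens when the text node is not an integer.

```python
import re
import xml.etree.ElementTree as ET

XS_INTEGER = "http://www.w3.org/2001/XMLSchema#integer"

# Constructed sample <Content> document for the resource category (not from the thread).
SAMPLE_CONTENT = """<Order>
  <Amount>150</Amount>
  <Amount>250</Amount>
  <Note><Amount>abc</Amount></Note>
</Order>"""


class Indeterminate(Exception):
    """Raised where a real PDP would report an Indeterminate result."""


def expand_multiple_request(content_xml):
    """Expand the multiple:content-selector XPath //* into individual requests.

    //* selects every element in document order, so request I (1-based)
    corresponds to the content-selector (//*)[I]. Returns [(I, element)].
    """
    root = ET.fromstring(content_xml)
    return [(i, node) for i, node in enumerate(root.iter(), start=1)]


# Only the path shape used in the thread is supported (hypothetical subset).
_PATH_RE = re.compile(r"^self::([A-Za-z_][\w.-]*)/child::text\(\)$")


def attribute_selector(context_node, path, data_type, must_be_present):
    """Evaluate an AttributeSelector relative to the node named by the
    content-selector attribute and return a bag (list) of typed values."""
    m = _PATH_RE.match(path)
    if not m:
        raise ValueError("unsupported path for this example: " + path)
    bag = []
    if context_node.tag == m.group(1):            # self::NAME
        # child::text(): ElementTree keeps leading text in .text and the text
        # after each child in that child's .tail. Whitespace-only text nodes
        # (indentation) are ignored here, a simplification.
        texts = [context_node.text] + [c.tail for c in context_node]
        bag = [t.strip() for t in texts if t is not None and t.strip()]
    if not bag:
        if must_be_present:
            raise Indeterminate("MustBePresent=true but the selector matched nothing")
        return []
    if data_type != XS_INTEGER:
        return bag
    try:
        return [int(v) for v in bag]
    except ValueError:
        # A text node that is not a valid xs:integer cannot be converted.
        raise Indeterminate("cannot convert %r to %s" % (bag, data_type))


def integer_less_than(a, b):
    """urn:oasis:names:tc:xacml:1.0:function:integer-less-than"""
    return a < b


def any_of(func, bag, value):
    """urn:oasis:names:tc:xacml:1.0:function:any-of: true if func holds for
    any member of the bag paired with the single value."""
    return any(func(x, value) for x in bag)


def evaluate_rule(context_node):
    """A Rule with Effect=Permit whose Condition is the <Apply> from the reply."""
    try:
        bag = attribute_selector(context_node, "self::Amount/child::text()",
                                 XS_INTEGER, must_be_present=False)
    except Indeterminate:
        return "Indeterminate"
    return "Permit" if any_of(integer_less_than, bag, 200) else "NotApplicable"


def multiple_decision(content_xml):
    """Return [(I, element name, decision)] for every individual request (//*)[I]."""
    return [(i, node.tag, evaluate_rule(node))
            for i, node in expand_multiple_request(content_xml)]


if __name__ == "__main__":
    for i, tag, decision in multiple_decision(SAMPLE_CONTENT):
        print("(//*)[%d] %-6s -> %s" % (i, tag, decision))
```

Running the block prints one line per individual request: only the <Amount>150</Amount> element is permitted, the other elements are NotApplicable, and the <Amount>abc</Amount> element is Indeterminate because the selected text node cannot be converted to an XACML integer.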

