OASIS Mailing List Archives

xacml-dev message
Subject: use of xpath in XACML policy file



Dear all,

I have a question regarding the use of XPath.

Consider the XML data file (a hospital package with 2 patient records):

<!-- XML document -->
<Hospital>
  <Patient>
    <patID>123ABC</patID>
    <dob>09-dec-1978</dob>
    <gender>Male</gender>
    <age>26</age>
    <patientName>
      <first>Muhammad</first>
      <last>Ali</last>
    </patientName>
    <patientContact>
      <street>13</street>
      <city>Innsbruck</city>
      <state>Austria</state>
    </patientContact>
    <primaryCarePhysician>
      <phyID>13</phyID>
    </primaryCarePhysician>
  </Patient>
  <Patient>
    <patID>122ABC</patID>
    <dob>09-dec-1977</dob>
    <gender>Female</gender>
    <age>22</age>
    <patientName>
      <first>Andrea</first>
      <last>Juman</last>
    </patientName>
    <patientContact>
      <street>13</street>
      <city>Innsbruck</city>
      <state>Austria</state>
    </patientContact>
    <primaryCarePhysician>
      <phyID>13</phyID>
    </primaryCarePhysician>
  </Patient>
</Hospital>
<!-- XML document ends -->


Now I want to implement an access control condition on this XML file using the
rule that "a patient can check his/her own medical record if he/she is the
designated patient and his/her contact city is Innsbruck":

//hospital/Patient/PatID = PatientId (we get PatientId from the request through
the AttributeDesignator function)
And
//hospital/Patient/patientContact/city = "Innsbruck" (explicitly given in
the policy)

Suppose PatientId = 122ABC.


Don't you all think that both of them will be selected, because one condition
will be true for the 2nd record and the 2nd condition will be true for either
record? So is there any other means to specify an XPath condition for the
same XML record?


The problem is that with XPath every time I have to navigate from the start of
the document (and that creates a problem). Is there any way to specify a
condition in XPath so that after checking the first condition I can move
forward down the same element (just like databases, e.g. along the same row)
and not from the start of the document again?


I had one solution using an XPath expression, i.e.:

//hospital/Patient[PatID = PatientId]/patientContact/city = "Innsbruck"

But how can this solution be implemented in XACML, because anyway I need the
value of the parameter PatientId from the request using the AttributeDesignator
functions?

I am attaching a part of the XACML policy file. If anybody of you knows the
solution, let me know; otherwise I have to implement my own function.

<!-- policy starts here -->

<Condition FunctionId="function:and">
  <Apply FunctionId="function:string-equal">
    <Apply FunctionId="function:string-one-and-only">
      <SubjectAttributeDesignator AttributeId="PatientId" DataType="String"/>
    </Apply>
    <Apply FunctionId="function:string-one-and-only">
      <AttributeSelector RequestContextPath="//Hospital/Physician/patients/patID/text()"
                         DataType="String"/>
    </Apply>
  </Apply>

  <!-- actual point that I am stuck at -->
  <Apply FunctionId="function:and">
    <!-- the PatientId from the request must equal the patID selected from the document -->
    <Apply FunctionId="function:string-equal">
      <Apply FunctionId="function:string-one-and-only">
        <SubjectAttributeDesignator AttributeId="PatientId" DataType="String"/>
      </Apply>
      <Apply FunctionId="function:string-one-and-only">
        <AttributeSelector RequestContextPath="//Hospital/Patient//patID/text()"
                           DataType="String"/>
      </Apply>
    </Apply>
    <!-- the city selected from the document must equal the literal "Innsbruck" -->
    <Apply FunctionId="function:string-equal">
      <AttributeValue DataType="String">Innsbruck</AttributeValue>
      <Apply FunctionId="function:string-one-and-only">
        <AttributeSelector RequestContextPath="//Hospital/Patient//patientContact/city/text()"
                           DataType="String"/>
      </Apply>
    </Apply>
  </Apply>
</Condition>

With best regards,


Muhammad Masoom Alam
University of Innsbruck Austria
+43 512 507 6462
+43 512 22455 410
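As an added illustration (not part of the original post, nor XACML or any PDP's code), the following Python models the two evaluation strategies the post contrasts on a constructed document: two independent selectors ANDed together versus the predicate form `//Patient[patID = $id]/patientContact/city`. The sample data, the function names and the alphanumeric check on the request-supplied id are assumptions; the data is arranged so that the requesting patient does not live in Innsbruck.

```python
import xml.etree.ElementTree as ET

# Constructed sample document (not the poster's file). Patient 122ABC lives in
# Vienna; only patient 123ABC lives in Innsbruck.
HOSPITAL_XML = """\
<Hospital>
  <Patient>
    <patID>123ABC</patID>
    <patientContact><city>Innsbruck</city></patientContact>
  </Patient>
  <Patient>
    <patID>122ABC</patID>
    <patientContact><city>Vienna</city></patientContact>
  </Patient>
</Hospital>
"""
DOC = ET.fromstring(HOSPITAL_XML)


def uncorrelated_decision(doc, patient_id, city):
    """Evaluate the rule the way two independent AttributeSelectors ANDed
    together do: each XPath runs over the whole document, so the id match and
    the city match are never tied to the same <Patient> element."""
    ids = {e.text for e in doc.findall(".//Patient/patID")}
    cities = {e.text for e in doc.findall(".//Patient/patientContact/city")}
    return patient_id in ids and city in cities


def correlated_decision(doc, patient_id, city):
    """Evaluate the predicate form //Patient[patID = $id]/patientContact/city:
    the id test selects one record and the city is read from that record."""
    # The id comes from the request context; never splice it into an XPath
    # unchecked. Restricting it to alphanumerics keeps the predicate literal intact.
    if not patient_id.isalnum():
        raise ValueError("patient id must be alphanumeric")
    path = f".//Patient[patID='{patient_id}']/patientContact/city"
    cities = {e.text for e in doc.findall(path)}
    return city in cities


if __name__ == "__main__":
    # Uncorrelated: True, although 122ABC lives in Vienna (over-permissive).
    print(uncorrelated_decision(DOC, "122ABC", "Innsbruck"))
    # Correlated: False, the decision is taken on the requesting patient's own record.
    print(correlated_decision(DOC, "122ABC", "Innsbruck"))
```

The uncorrelated form permits whenever some record carries the id and some (possibly different) record carries the city, which is exactly the over-selection the post worries about.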