
xacml-dev message



Subject: RE: Use of Xquery with XACML


>If you can kindly tell me the flow that will take place for the
>population of ResourceContent between PDP and Context handler, I will
>be in a better position to understand your point

Transformations (using XQuery, XSLT, or any other similar mechanisms)
are happening between the context handler and the outside world - out of
the scope for XACML.  A typical application may employ XQuery data
aggregation and transformation to construct evidence that is later
presented to the authorization system.  The advantage of this approach
is that accumulation of evidence for access decision and using this
evidence in an XACML predicate expression are separated.  How you
construct your context is out of scope for XACML on purpose.

Daniel;


-----Original Message-----
From: Muhammad Masoom Alam [mailto:Muhammad.alam@uibk.ac.at] 
Sent: Tuesday, December 07, 2004 1:25 AM
To: Daniel Engovatov; xacml-dev@lists.oasis-open.org
Cc: Seth Proctor; sunxacml-discuss@lists.sourceforge.net
Subject: Re: Use of Xquery with XACML

>>As I am a member of the W3C XQuery working group, I may try to answer.

>>XPath 2.0 and XQuery 1.0 (which are both still not in the last call
>>stage yet) are using the same underlying data model.  For most intents
>>and purposes XPath 2.0 is a subset of XQuery, lacking such facilities
>>as full FLWOR expression and element constructors.

You are right, but suppose I have a rule:
"A Physician can check the medical records of a patient, if any of his
two patients have the same city"
Now these kinds of rules can't be expressed just by XPath.

>>I seriously doubt that adding those data transformation facilities
>>will add any value to the XACML representation, but will make it much
>>more cumbersome to implement and use.  We really refer to data as being
>>evidence - transient result of an XQuery expression does not fit well
>>with this notion.

>>It seems to me that you may achieve the result you want in a much more
>>straightforward way if you use some stand alone XQuery engine, such as
>>SAXON (http://saxon.sourceforge.net/) from Michael Kay, to construct
>>the resource content document.  You may then refer to the constructed
>>data using XPath expressions, or populate notional context using those
>>results.


Well, you are 110% right that it will make the XACML very cumbersome,
but I don't understand the population mechanism into the
ResourceContent element prior to PolicyEvaluation. Because in my
opinion (what I have understood), the PDP asks for the attributes and
the ContextHandler then provides the attributes. Now where is the
XQuery expression stored: with the Context Handler, or with the PDP in
the Policy? This is really confusing for me. If you can kindly tell me
the flow that will take place for the population of ResourceContent
between PDP and Context handler, I will be in a better position to
understand your point.

Regards
Muhammad.
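
The flow described in the reply at the top of this message, as an added example that is not part of the original e-mails or of any XACML implementation: the context handler aggregates the evidence first, and the policy side only runs a simple path test over the finished ResourceContent. Assumptions: plain Python stands in for the XQuery aggregation step, the element names and sample records are constructed, the ResourceContent is un-namespaced, and the rule is read as "at least two of the physician's patients live in the same city".

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample data standing in for the application's record store.
RECORDS = """<records>
  <patient id="p1" physician="dr-a"><city>Innsbruck</city></patient>
  <patient id="p2" physician="dr-a"><city>Innsbruck</city></patient>
  <patient id="p3" physician="dr-a"><city>Vienna</city></patient>
  <patient id="p4" physician="dr-b"><city>Graz</city></patient>
  <patient id="p5" physician="dr-b"><city>Linz</city></patient>
</records>"""


def build_resource_content(physician_id, patient_id, records_xml=RECORDS):
    """Context-handler step, outside XACML: aggregate evidence before evaluation.

    This is the work an XQuery FLWOR expression would do; the query lives
    with the context handler, not in the policy.
    """
    root = ET.fromstring(records_xml)
    own = [p for p in root.findall("patient")
           if p.get("physician") == physician_id]
    per_city = Counter(p.findtext("city") for p in own)

    content = ET.Element("ResourceContent")  # simplified, no namespace
    ET.SubElement(content, "record", patient=patient_id)
    evidence = ET.SubElement(content, "evidence")
    for city, count in sorted(per_city.items()):
        if count >= 2:  # two or more of this physician's patients share it
            ET.SubElement(evidence, "sharedCity").text = city
    return content


def pdp_decide(resource_content):
    """Policy-side step: the rule is now a plain path test over the evidence."""
    shared = resource_content.find("./evidence/sharedCity")
    return "Permit" if shared is not None else "Deny"


if __name__ == "__main__":
    for physician, patient in (("dr-a", "p1"), ("dr-b", "p4")):
        content = build_resource_content(physician, patient)
        print(physician, patient, pdp_decide(content))
```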







