Subject: xpath, urn:oasis:names:tc:xacml:1.0:resource:xpath
Hello,

I have some questions about the proper behavior of the various xpath functions, and the urn:oasis:names:tc:xacml:1.0:resource:xpath Resource attribute in particular. It seems to be used throughout the examples in the XACML 2.0 Core specification, but I don't find any text defining its proper values. The XACML 1.0 specification, on the other hand, includes the following: "This identifier indicates that the resource is specified by an XPath expression." However, I am not sure what that means. In fact, in XACML 1.0 the Attribute's value seems to be explicitly specified in the request context, but not in the XACML 2.0 spec, where it does not appear.

In general, I am a bit confused about how xpath matching is supposed to work. The first example rule instance from the XACML 2.0 specification, for example, tests that the node(s) matching urn:oasis:names:tc:xacml:1.0:resource:xpath are a subset of /md:record, but it's unclear to me in what context these xpath expressions are evaluated. It seems the /md:record is not intended to be evaluated in the request context, as that would yield an empty set. That means it is either evaluated with respect to the "ResourceContent", or perhaps to an external document?

On the other hand, Appendix A.3.15 says that "the XPath expressions in these functions are restricted to the XACML request context. The <xacml-context:Request> element is the context node for every XPath expression," which would seem to mean that /md:record should yield an empty set after all (as the request context's root element is a <xacml-context:Request> element).

Can anyone help clarify things for me, or point me to an explanation? Thank you very much!

For reference, here is the XACML policy fragment that invokes xpath-match:

> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:xpath-match">
>   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
>     /md:record
>   </AttributeValue>
>   <ResourceAttributeDesignator
>     AttributeId="urn:oasis:names:tc:xacml:1.0:resource:xpath"
>     DataType="http://www.w3.org/2001/XMLSchema#string"/>
> </ResourceMatch>

The example request context is in section 4.2.2.

Thanks in advance,
Niko Matsakis
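
Added example, not part of the original message or of the XACML specification: a Python illustration that evaluates the policy's /md:record under the two contexts the message considers, the whole <Request> document versus the child of <ResourceContent> taken as its own document. The md namespace URI, the sample request, the longer request-rooted path and the helper names are assumptions made for the illustration; select() handles only absolute child-axis paths.

```python
import xml.etree.ElementTree as ET

# Constructed request, loosely shaped like an XACML 2.0 request context.
# The md namespace URI and the empty record are made up for this example.
NS = {
    "ctx": "urn:oasis:names:tc:xacml:2.0:context:schema:os",
    "md": "urn:example:medical-record",
}
REQUEST = """\
<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os">
  <Resource>
    <ResourceContent>
      <md:record xmlns:md="urn:example:medical-record"/>
    </ResourceContent>
  </Resource>
</Request>"""


def clark(qname):
    """Turn prefix:local into ElementTree's {uri}local form."""
    prefix, local = qname.split(":")
    return "{%s}%s" % (NS[prefix], local)


def select(doc_element, path):
    """Evaluate an absolute child-axis path such as /a:b/c:d.

    The first step is tested against the document element itself, as in
    XPath 1.0, where '/' is the document root above that element.
    """
    steps = [clark(s.strip()) for s in path.strip().lstrip("/").split("/")]
    nodes = [doc_element] if doc_element.tag == steps[0] else []
    for tag in steps[1:]:
        nodes = [child for n in nodes for child in n if child.tag == tag]
    return nodes


def evaluate_both(path):
    """Return (hits with Request as document, hits with ResourceContent child as document)."""
    request = ET.fromstring(REQUEST)
    content = request.find("ctx:Resource/ctx:ResourceContent", NS)
    in_request = select(request, path)
    in_content = [n for child in content for n in select(child, path)]
    return len(in_request), len(in_content)


if __name__ == "__main__":
    for p in ("/md:record", "/ctx:Request/ctx:Resource/ctx:ResourceContent/md:record"):
        print(p, evaluate_both(p))
```

A policy author can use the same comparison to check which evaluation context a given PDP applies before relying on an xpath-match target, since an empty node set means the target silently fails to match.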