xacml-dev message



Subject: xpath, urn:oasis:names:tc:xacml:1.0:resource:xpath


Hello,

I have some questions about the proper behavior of the various xpath  
functions, and the urn:oasis:names:tc:xacml:1.0:resource:xpath  
Resource attribute in particular.

It seems to be used throughout the examples in the XACML 2.0 Core  
specification, but I don't find any text defining its proper values.   
The XACML 1.0 specification, on the other hand, includes the  
following: "This identifier indicates that the resource is specified  
by an XPath expression."  However, I am not sure what that means.  In  
fact, in XACML 1.0 the Attribute's value seems to be explicitly  
specified in the request context, but not in the XACML 2.0 spec,  
where it does not appear.

In general, I am a bit confused about how xpath matching is supposed  
to work.  The first example rule instance from the XACML 2.0  
specification, for example, tests that the node(s) matching  
urn:oasis:names:tc:xacml:1.0:resource:xpath are a subset of /md:record,
but it's unclear to me in what context these xpath
expressions are evaluated.

It seems the /md:record is not intended to be evaluated in the  
request context, as that would yield an empty set.  That means it is  
either evaluated with respect to the "ResourceContent", or perhaps to  
an external document?  On the other hand, Appendix A.3.15 says that  
"the XPath expressions in these functions are restricted to the XACML  
request context.  The <xacml-context:Request> element is the context  
node for every XPath expression," which would seem to mean that  
/md:record should yield an empty set after all (as the request  
context's root element is a <xacml-context:Request> element).

Can anyone help clarify things for me, or point me to an explanation?  
Thank you very much!

For reference, here is the XACML policy fragment that invokes xpath-match:

> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:xpath-match">
>     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
>         /md:record
>     </AttributeValue>
>     <ResourceAttributeDesignator
>         AttributeId="urn:oasis:names:tc:xacml:1.0:resource:xpath"
>         DataType="http://www.w3.org/2001/XMLSchema#string"/>
> </ResourceMatch>

The example request context is in section 4.2.2.


Thanks in advance,
Niko Matsakis
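An added illustration of the context-node question raised above (this is not from the post or from the XACML specification; the request document, namespace URIs and the resource xpath value are constructed, and the xpath-match containment test is the poster's reading of the function, not the spec's definition). It evaluates the same /md:record expression once with <xacml-context:Request> as the context node and once with the ResourceContent's root element, showing that the Target silently never matches under the first reading:

```python
"""Constructed example: how the XPath context node decides whether an
xpath-match Target can ever match. Not part of the original post."""
import xml.etree.ElementTree as ET

# Namespace URIs are assumptions made for this example.
NS = {
    "xacml-context": "urn:oasis:names:tc:xacml:2.0:context:schema:os",
    "md": "urn:example:med:schemas:record",
}

# Constructed request context modelled loosely on the spec's example.
REQUEST_XML = """<xacml-context:Request
    xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
    xmlns:md="urn:example:med:schemas:record">
  <xacml-context:Resource>
    <xacml-context:ResourceContent>
      <md:record><md:patient><md:patientName>Bart</md:patientName></md:patient></md:record>
    </xacml-context:ResourceContent>
  </xacml-context:Resource>
</xacml-context:Request>"""


def select(context_node, xpath):
    """Small XPath subset for ElementTree: a leading '/' anchors the first
    step at the context node (assumed to be its document's root element);
    remaining steps are child steps, e.g. /md:record/md:patient."""
    if xpath.startswith("/"):
        first, _, rest = xpath[1:].partition("/")
        prefix, _, local = first.rpartition(":")
        if context_node.tag != "{%s}%s" % (NS[prefix], local):
            return []          # root element has a different name: empty set
        return [context_node] if not rest else context_node.findall(rest, NS)
    return context_node.findall(xpath, NS)


def xpath_match(policy_xpath, resource_xpath, context_node):
    """Poster's reading of xpath-match (assumption): every node selected by the
    resource's xpath attribute must lie within (be equal to or a descendant
    of) a node selected by the policy's xpath; an empty resource set fails."""
    wanted = select(context_node, policy_xpath)
    actual = select(context_node, resource_xpath)
    return bool(actual) and all(any(n in w.iter() for w in wanted) for n in actual)


def nodes_under_request_context(xpath):
    """Count nodes selected with <xacml-context:Request> as the context node."""
    return len(select(ET.fromstring(REQUEST_XML), xpath))


def evaluate_under_both_contexts(resource_xpath="/md:record/md:patient"):
    """Same policy value (/md:record), two candidate context nodes."""
    request = ET.fromstring(REQUEST_XML)
    record = request.find("xacml-context:Resource/xacml-context:ResourceContent/md:record", NS)
    return {
        "request_is_context": xpath_match("/md:record", resource_xpath, request),
        "resource_content_is_context": xpath_match("/md:record", resource_xpath, record),
    }
```

Run evaluate_under_both_contexts() to see the Target evaluate to no match when the Request element is the context node, and to a match when the ResourceContent's root element is.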

