xacml-dev message

Subject: Re: [xacml-dev] xpath, urn:oasis:names:tc:xacml:1.0:resource:xpath


Hi Niko,

I have looked into this before and agree with your conclusions.

You are correct that resource:xpath needs to be added to XACML 2.0. This
was identified as an errata:

    http://lists.oasis-open.org/archives/xacml/200702/msg00001.html

however, I don't think it has made it to the errata spec yet:

    http://www.oasis-open.org/committees/download.php/24815/access_control-xacml-2.0-core-spec-os-errata.doc

This should be added to the errata list.

On the second part of your question, I think the answer is in section
B.6 p 129:

5036 This attribute identifies the resource to which access is requested.
     If an <xacml-context:ResourceContent> element is provided, then the
5037 resource to which access is requested SHALL be all or a portion of the
5038 resource supplied in the <xacml-context:ResourceContent> element.
5039
5040 *urn:oasis:names:tc:xacml:1.0:resource:resource-id*

I interpret this to mean that the presence of this attribute combined with
the presence of the ResourceContent element makes that element the default
root xpath from which other xpaths are derived.

Note also that the example appears to have an error in the text of
the document where line 1064 should read:

 [a185] xmlns(md=http:www.med.example.com/schemas/record.xsd)xpointer

(the "http:www" looks suspicious but matches line 1053).

Note to TC:
The 2 errata here are to add resource:xpath to section B.6 and
to fix line 1064.

    Thanks,
    Rich


Niko Matsakis wrote:
> Hello,
>
> I have some questions about the proper behavior of the various xpath 
> functions, and the urn:oasis:names:tc:xacml:1.0:resource:xpath 
> Resource attribute in particular.
>
> It seems to be used throughout the examples in the XACML 2.0 Core 
> specification, but I don't find any text defining its proper values.  
> The XACML 1.0 specification, on the other hand, includes the 
> following: "This identifier indicates that the resource is specified 
> by an XPath expression."  However, I am not sure what that means.  In 
> fact, in XACML 1.0 the Attribute's value seems to be explicitly 
> specified in the request context, but not in the XACML 2.0 spec, where 
> it does not appear.
>
> In general, I am a bit confused about how xpath matching is supposed 
> to work.  The first example rule instance from the XACML 2.0 
> specification, for example, tests that the node(s) matching 
> urn:oasis:names:tc:xacml:1.0:resource:xpath are a subset of 
> /md:record, but it's unclear to me in what context these xpath 
> expressions are evaluated.
>
> It seems the /md:record is not intended to be evaluated in the request 
> context, as that would yield an empty set.  That means it is either 
> evaluated with respect to the "ResourceContent", or perhaps to an 
> external document?  On the other hand, Appendix A.3.15 says that "the 
> XPath expressions in these functions are restricted to the XACML request 
> context.  The <xacml-context:Request> element is the context node for 
> every XPath expression," which would seem to mean that /md:record 
> should yield an empty set after all (as the request context's root 
> element is a <xacml-context:Request> element).
>
> Can anyone help clarify things for me, or point me to an explanation? 
> Thank you very much!
>
> For reference, here is the XACML policy fragment that invokes 
> xpath-match:
>
>> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:xpath-match">
>>   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
>>     /md:record
>>   </AttributeValue>
>>   <ResourceAttributeDesignator
>>     AttributeId="urn:oasis:names:tc:xacml:1.0:resource:xpath"
>>     DataType="http://www.w3.org/2001/XMLSchema#string"/>
>> </ResourceMatch>
>
> The example request context is in section 4.2.2.
>
>
> Thanks in advance,
> Niko Matsakis
>
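As an added illustration (not code from the thread, the XACML spec, or either poster), here is a small Python model of how the thread's `<ResourceMatch>` evaluates when the `<xacml-context:Request>` element is the context node, as Niko quotes from A.3.15. The request document, the `resource:xpath` value inside it, and the XACML 2.0 context namespace URI are all constructed or assumed here; the match rule itself is modelled on the spec's xpath-node-match definition (true when a node selected by the second argument equals, or lies below, a node selected by the first), which is an assumption about what `xpath-match` in the fragment means. It shows why `/md:record` selects nothing against the Request root, and what an expression anchored under `ResourceContent` (Rich's reading) selects instead.

```python
"""Model of XACML 2.0 xpath-match evaluation with <xacml-context:Request> as the
context node. Added illustration; assumptions: the 2.0 context namespace URI,
the constructed request below, and that xpath-match follows the spec's
xpath-node-match rule (second-argument node equal to or below a first-argument node)."""
import xml.etree.ElementTree as ET

NS = {
    "xacml-context": "urn:oasis:names:tc:xacml:2.0:context:schema:os",  # assumed 2.0 context NS
    "md": "http://www.med.example.com/schemas/record.xsd",              # md prefix from the thread
}
RESOURCE_XPATH = "urn:oasis:names:tc:xacml:1.0:resource:xpath"

# Constructed request context: ResourceContent carries the record and the
# resource:xpath attribute names the node to which access is requested.
REQUEST_XML = """<xacml-context:Request
    xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
    xmlns:md="http://www.med.example.com/schemas/record.xsd">
  <xacml-context:Subject/>
  <xacml-context:Resource>
    <xacml-context:ResourceContent>
      <md:record>
        <md:patient><md:patientDoB>1992-03-21</md:patientDoB></md:patient>
      </md:record>
    </xacml-context:ResourceContent>
    <xacml-context:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:xpath"
        DataType="http://www.w3.org/2001/XMLSchema#string">
      <xacml-context:AttributeValue>//xacml-context:ResourceContent/md:record/md:patient/md:patientDoB</xacml-context:AttributeValue>
    </xacml-context:Attribute>
  </xacml-context:Resource>
  <xacml-context:Action/>
</xacml-context:Request>"""
REQUEST = ET.fromstring(REQUEST_XML)


def _clark(step):
    """QName step such as 'md:record' -> ElementTree '{uri}local' form."""
    prefix, sep, local = step.partition(":")
    return "{%s}%s" % (NS[prefix], local) if sep else step


def eval_xpath(context, expr):
    """Tiny XPath subset (child steps with an optional leading / or //), evaluated
    with `context` as both the context node and the document root, as A.3.15 requires."""
    if expr.startswith("//"):
        steps = expr[2:].split("/")
        # descendant-or-self axis from the root: iter() yields the root, then descendants
        current = [n for n in context.iter() if n.tag == _clark(steps[0])]
        steps = steps[1:]
    elif expr.startswith("/"):
        steps = expr[1:].split("/")
        # absolute path: only the document element itself can satisfy the first step
        current = [context] if context.tag == _clark(steps[0]) else []
        steps = steps[1:]
    else:
        steps, current = expr.split("/"), [context]
    for step in steps:
        tag = _clark(step)
        current = [child for node in current for child in node if child.tag == tag]
    return current


def xpath_node_match(context, first, second):
    """True if any node selected by `second` equals, or lies below, a node selected by `first`."""
    firsts = eval_xpath(context, first)
    seconds = eval_xpath(context, second)
    return any(sel is desc for anc in firsts for desc in anc.iter() for sel in seconds)


def resource_xpath(request):
    """Value of the resource:xpath attribute carried in the Resource section."""
    for attr in request.findall("xacml-context:Resource/xacml-context:Attribute", NS):
        if attr.get("AttributeId") == RESOURCE_XPATH:
            return attr.find("xacml-context:AttributeValue", NS).text.strip()
    raise LookupError("resource:xpath attribute not present in request")


def evaluate_rule_target(request):
    """Evaluate the thread's <ResourceMatch> with two candidate first arguments:
    the literal /md:record from the fragment, and one rooted under ResourceContent."""
    target = resource_xpath(request)
    candidates = ["/md:record", "//xacml-context:ResourceContent/md:record"]
    return {expr: xpath_node_match(request, expr, target) for expr in candidates}


if __name__ == "__main__":
    for expr, result in evaluate_rule_target(REQUEST).items():
        print("%-45s -> %s" % (expr, result))
```

Run stand-alone it prints `False` for `/md:record` and `True` for the `ResourceContent`-rooted form; only a PDP that rebases the context node on `ResourceContent`, as Rich reads B.6, would make the literal fragment match.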

