[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xacml-users] xpath access control
Argyn,
[I haven't checked my XPath syntax below, but I hope the idea is clear.]
As an example of the problem, does /A/B[@x="5"]/C
select the same nodeset as /A/B[2]/C ?
They do in document 1, but not in document 2:
Document 1:
<A>
<B x="6">
<C/>
</B>
<B x="5">
<C/>
</B>
</A>
Document 2:
<A>
<B x="5">
<C/>
</B>
<B x="6">
<C/>
</B>
</A>
The only solution to this problem is limiting your XPath expression
syntax such that any two expressions select the same nodeset if and only
if the expressions are syntactically equivalent. I have no proof, but I
hypothesize that it is sufficient to require absolute expressions, and
disallow query operators and element order specifiers. I would be
interested in a proof of this or any other proposed limited syntax to
solve this problem!
[1] proves that the intersection of two XPath expression is equal to an
XPath expression that merges the constraints at each level: i.e. the
intersection of the above two is /A/B[@x="5"]&[2]/C (or whatever the
correct syntax for that is), but that is not the problem to be solved here.
Regards,
Anne Anderson
[1] B.C. Hammerschmidt, M. Kempa, V. Linnemann, "On the Intersection of
XPath Expressions", Proceedings of the 9th International Database
Engineering & Application Symposium (IDEAS 2005). July 2005, Montreal,
Canada.
Argyn wrote On 11/30/06 11:35,:
> On 11/30/06, Wolfgang Schreiner <wolfgang.schreiner@ec3.at> wrote:
>
>> Hi all,
>>
>> Following problem: I would like to control access to a set of XML
>> documents via XPath 2.0 queries. XML fragements, which are allowed to
>> being accessed are specified by XPath 2.0 statements as well. What I
>> need is a method to determine whether 2 XPath statements are
>> semantically equal or similar
>
>
> i'm not sure what you mean by that. wouldn't a simple regexp match
> work in this case?
>
>> , before executing the query and having to
>> post-filter the result. What is the best way to achieve this? Does the
>> XACML xpath-node-match function solve this problem?
>
>
> it only checks if the resulting nodes are the same, imho. it may not
> be what you are looking for
>
>> Is there an
>> implementation to it? I think the Sun implementation does not include
>> XPath functions?
>
>
> sun and other implementations have xpath functionality as of xacml 2.0
>
> argyn
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: xacml-users-unsubscribe@lists.oasis-open.org
> For additional commands, e-mail: xacml-users-help@lists.oasis-open.org
>
--
Anne H. Anderson Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311 Tel: 781/442-0928
Burlington, MA 01803-0902 USA Fax: 781/442-1692
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]