Re: [xacml-users] xpath access control

[Wolfgang Schreiner <wolfgang.schreiner@ec3.at>]

Thank you for your answers.

Argyn, I already thought of regular expressions and they can do a great
job, if all queries that may be used in a certain application setting
are known a priori. I believe they are insufficient if we allow ad-hoc
queries, since each nodeset may be selected using syntactically
different queries. For example some axis navigations I need to deal with
are hard to handle.

Anne's examples below illustrate my problem very well. In case of
Document 1 both queries are semantically equl, imho, since both select
the same node, but not in Document 2 (How can we know /A/B[2] looks
like?). Or referring to XPath axes you could use queries like
//Employee/Wage/@IntValue < 2000 and
//Employee/Name/sibling:node()/@IntValue < 2000, which may but need not
necessarily aim at the same node set. In my setting, I assume that if a
user has access to node A/B, then A/B/C would be legal, while A or A/D
would be rejected.

Anne, I agree with you on restricting the syntax to absolute path
queries, though I do not want to abandon operators and element orders as
shown in your example unless I absolutely have to. To a certain extent,
a query can be "reduced" or rewritten by eliminating features, e.g.
/A/B/../C -> A/C (as well as the parent axis). I just thought there is a
general solution to this problem and the xpath-node-math function gave
me some hope ;) (since I'm using XACML anyway) but it seems we have to
agree on some tradeoffs in this case.

Thanks for the paper reference btw.
Best regards


Anne Anderson - Sun Microsystems schrieb:
> Argyn,
>
> [I haven't checked my XPath syntax below, but I hope the idea is clear.]
>
> As an example of the problem, does /A/B[@x="5"]/C
> select the same nodeset as /A/B[2]/C ?
>
> They do in document 1, but not in document 2:
>
> Document 1:
>   <A>
>     <B x="6">
>        <C/>
>     </B>
>     <B x="5">
>        <C/>
>     </B>
>   </A>
>
> Document 2:
>   <A>
>     <B x="5">
>        <C/>
>     </B>
>     <B x="6">
>        <C/>
>     </B>
>   </A>
>
> The only solution to this problem is limiting your XPath expression
> syntax such that any two expressions select the same nodeset if and
> only if the expressions are syntactically equivalent.  I have no
> proof, but I hypothesize that it is sufficient to require absolute
> expressions, and disallow query operators and element order
> specifiers.  I would be interested in a proof of this or any other
> proposed limited syntax to solve this problem!
>
> [1] proves that the intersection of two XPath expression is equal to
> an XPath expression that merges the constraints at each level: i.e.
> the intersection of the above two is /A/B[@x="5"]&[2]/C (or whatever
> the correct syntax for that is), but that is not the problem to be
> solved here.
>
> Regards,
> Anne Anderson
>
> [1] B.C. Hammerschmidt, M. Kempa, V. Linnemann, "On the Intersection
> of XPath Expressions", Proceedings of the 9th International Database
> Engineering & Application Symposium (IDEAS 2005).  July 2005,
> Montreal, Canada.
>
> Argyn wrote On 11/30/06 11:35,:
>> On 11/30/06, Wolfgang Schreiner <wolfgang.schreiner@ec3.at> wrote:
>>
>>> Hi all,
>>>
>>> Following problem: I would like to control access to a set of XML
>>> documents via XPath 2.0 queries. XML fragements, which are allowed to
>>> being accessed are specified by XPath 2.0 statements as well. What I
>>> need is a method to determine whether 2 XPath statements are
>>> semantically equal or similar
>>
>>
>> i'm not sure what you mean by that. wouldn't a simple regexp match
>> work in this case?
>>
>>> , before executing the query and having to
>>> post-filter the result. What is the best way to achieve this? Does the
>>> XACML xpath-node-match function solve this problem?
>>
>>
>> it only checks if the resulting nodes are the same, imho. it may not
>> be what you are looking for
>>
>>> Is there an
>>> implementation to it? I think the Sun implementation does not include
>>> XPath functions?
>>
>>
>> sun and other implementations have xpath functionality as of xacml 2.0
>>
>> argyn
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: xacml-users-unsubscribe@lists.oasis-open.org
>> For additional commands, e-mail: xacml-users-help@lists.oasis-open.org
>>
>