[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [xacml-users] xpath access control
Hi Wolfgang

I think you are asking about equivalence of XPath expressions. The following abstract is from "Containment and equivalence for an XPath fragment" by Miklau and Suciu (Proceedings of the 21st ACM SIGMOD-SIGACT-SIGART Symposium on Principles of Database Systems, 2002):

"XPath is a simple language for navigating an XML document and selecting a set of element nodes. XPath expressions are used to query XML data, describe key constraints, express transformations, and reference elements in remote documents. This paper studies the containment and equivalence problems for a fragment of the XPath query language, with applications in all these contexts. In particular, we study a class of XPath queries that contain branching, label wildcards and can express descendant relationships between nodes. Prior work has shown that languages which combine any two of these three features have efficient containment algorithms. However, we show that for the combination of features, containment is coNP-complete. We provide a sound and complete EXPTIME algorithm for containment, and study parameterized PTIME special cases. While we identify two parameterized classes of queries for which containment can be decided efficiently, we also show that even with some bounded parameters, containment is coNP-complete. In response to these negative results, we describe a sound algorithm which is efficient for all queries, but may return false negatives in some cases."

In short, the problem is difficult if you do not restrict the type of XPath expressions you use!

There is also a certain amount of work in the research literature on the use of XPath to specify regions of XML documents to which access should be restricted according to some access control policy. Damiani et al. have used this approach (A fine-grained access control system for XML documents, ACM Transactions on Information and System Security, 5(2), 2002), as have Bertino et al. (Specifying and enforcing access control policies for XML document sources, WWW 2000), and me (http://www.isg.rhul.ac.uk/~jason/Pubs/sws04.pdf).

Hope this helps.

Regards
Jason

------------------------------------
Information Security Group
Royal Holloway, University of London
http://www.isg.rhul.ac.uk/~jason
------------------------------------

-----Original Message-----
From: Wolfgang Schreiner [mailto:wolfgang.schreiner@ec3.at]
Sent: 30 November 2006 16:01
To: xacml-users@lists.oasis-open.org
Subject: [xacml-users] xpath access control

Hi all,

Following problem: I would like to control access to a set of XML documents via XPath 2.0 queries. XML fragments, which are allowed to be accessed, are specified by XPath 2.0 statements as well. What I need is a method to determine whether 2 XPath statements are semantically equal or similar, before executing the query and having to post-filter the result.

What is the best way to achieve this? Does the XACML xpath-node-match function solve this problem? Is there an implementation to it? I think the Sun implementation does not include XPath functions?

--
best regards,
Wolfgang Schreiner, Mag. DI
E-Commerce Competence Center (EC3)
Donau-City Strasse 1, A - 1220 Vienna
Tel: +43 1 522 71 71 - 14
Fax: +43 1 522 71 71 - 71
Web: http://www.ec3.at
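
The containment question discussed in this thread, as an added example that is not part of either message or of the cited paper: a homomorphism test between tree patterns for the fragment named in the abstract (child steps, `//`, `*` and `[...]` predicates with name tests only). It is sound but incomplete, so in an access-control check a False result means "not proven" and the request should be denied or post-filtered; all function and class names are assumptions of this example, and anything outside the fragment, including the rest of XPath 2.0, is rejected with ValueError.

```python
import re
NAME = r"\*|[A-Za-z_][\w-]*"
TOKEN = re.compile(r"//|/|\[|\]|\.|" + NAME)

class Node:
    def __init__(self, label):
        self.label, self.edges, self.out = label, [], False

def steps(ctx, toks):
    """Attach the steps at the front of toks under ctx; return (last node, rest)."""
    while toks and toks[0] in ("/", "//"):
        if not re.fullmatch(NAME, "".join(toks[1:2])):
            raise ValueError("expected a name test after " + toks[0])
        axis, node, toks = toks[0], Node(toks[1]), toks[2:]
        ctx.edges.append((axis, node))
        while toks[:1] == ["["]:  # predicate: a relative path below node
            inner = toks[2:] if toks[1:2] == ["."] else ["/"] + toks[1:]
            _, toks = steps(node, inner)
            if toks[:1] != ["]"]:
                raise ValueError("unsupported or unbalanced predicate")
            toks = toks[1:]
        ctx = node
    return ctx, toks

def parse(xpath):
    """Parse an absolute path over {/, //, *, [ ]} into a tree pattern."""
    toks, root = TOKEN.findall(xpath), Node("#root")
    last, rest = steps(root, toks)
    if "".join(toks) != xpath or rest or last is root:
        raise ValueError("outside the supported fragment: " + xpath)
    last.out = True  # the final step of the main path is the selected node
    return root

def descendants(n):
    for _, child in n.edges:
        yield child
        yield from descendants(child)

def maps(q, p):
    """True if the pattern rooted at q maps homomorphically into p's subtree."""
    if q.label not in ("*", p.label) or (q.out and not p.out):
        return False
    kids = [c for axis, c in p.edges if axis == "/"]
    return all(any(maps(qc, pc) for pc in (kids if ax == "/" else descendants(p)))
               for ax, qc in q.edges)

def provably_contained(query, policy):
    """Sound but incomplete: True proves policy selects every node query selects."""
    return maps(parse(policy), parse(query))
```

`/a//*/b` and `/a/*//b` select the same nodes, yet `provably_contained("/a//*/b", "/a/*//b")` returns False, a false negative of the kind the abstract describes for an efficient sound algorithm.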