Subject: Re: [xacml-users] xpath access control
Thank you Jason for your reply. I did some research in the last hours and think it is not really possible to perform authorization checks on ad-hoc queries while supporting full XPath syntax. Seems we have to agree on some tradeoffs in this case. In the application setting I am working on, I'm fine with using some predefined query patterns anyway. Since I'm currently dealing with XACML I thought there would be some generic solution to the problem. Also thanks for the paper reference.

Best regards

Crampton Jason wrote:
> Hi Wolfgang
>
> I think you are asking about equivalence of XPath expressions. The following abstract is from "Containment and equivalence for an XPath fragment" by Miklau and Suciu (Proceedings of the 21st ACM SIGMOD-SIGACT-SIGART Symposium on Principles of Database Systems, 2002):
>
> "XPath is a simple language for navigating an XML document and selecting a set of element nodes. XPath expressions are used to query XML data, describe key constraints, express transformations, and reference elements in remote documents. This paper studies the containment and equivalence problems for a fragment of the XPath query language, with applications in all these contexts. In particular, we study a class of XPath queries that contain branching, label wildcards and can express descendant relationships between nodes. Prior work has shown that languages which combine any two of these three features have efficient containment algorithms. However, we show that for the combination of features, containment is coNP-complete. We provide a sound and complete EXPTIME algorithm for containment, and study parameterized PTIME special cases. While we identify two parameterized classes of queries for which containment can be decided efficiently, we also show that even with some bounded parameters, containment is coNP-complete. In response to these negative results, we describe a sound algorithm which is efficient for all queries, but may return false negatives in some cases."
>
> In short, the problem is difficult if you do not restrict the type of XPath expressions you use!
>
> There is also a certain amount of work in the research literature on the use of XPath to specify regions of XML documents to which access should be restricted according to some access control policy. Damiani et al have used this approach (A fine-grained access control system for XML documents, ACM Transactions on Information and System Security, 5(2), 2002), as have Bertino et al (Specifying and enforcing access control policies for XML document sources, WWW 2000), and me (http://www.isg.rhul.ac.uk/~jason/Pubs/sws04.pdf).
>
> Hope this helps.
>
> Regards
>
> Jason
>
> ------------------------------------
> Information Security Group
> Royal Holloway, University of London
> http://www.isg.rhul.ac.uk/~jason
> ------------------------------------
>
> -----Original Message-----
> From: Wolfgang Schreiner [mailto:wolfgang.schreiner@ec3.at]
> Sent: 30 November 2006 16:01
> To: xacml-users@lists.oasis-open.org
> Subject: [xacml-users] xpath access control
>
> Hi all,
>
> Following problem: I would like to control access to a set of XML documents via XPath 2.0 queries. XML fragments, which are allowed to be accessed, are specified by XPath 2.0 statements as well. What I need is a method to determine whether 2 XPath statements are semantically equal or similar, before executing the query and having to post-filter the result. What is the best way to achieve this? Does the XACML xpath-node-match function solve this problem? Is there an implementation to it? I think the Sun implementation does not include XPath functions?
>
> --
> best regards,
> Wolfgang Schreiner, Mag. DI
> E-Commerce Competence Center (EC3)
> Donau-City Strasse 1, A - 1220 Vienna
> Tel: +43 1 522 71 71 - 14
> Fax: +43 1 522 71 71 - 71
> Web: http://www.ec3.at
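The thread's conclusion is that containment for full XPath is intractable, so a practical pre-execution check has to restrict both the allowed regions and the incoming queries to a small fragment. The following Python is an added illustration of that tradeoff, written for this page; it is not code from the thread, from XACML, or from any of the cited papers. It assumes its own fragment: allowed patterns are linear paths built from child steps ("/"), descendant steps ("//") and element names or "*"; queries are linear child-axis paths only. Containment of a query in a pattern is then a simple matching problem, and a query that is not contained in any allowed pattern is rejected before it ever touches a document, so no post-filtering of results is needed. The sample patterns and queries are constructed for the example. Anything outside the fragment (predicates, attributes, other axes, functions) is refused rather than guessed at, which is the point of restricting the language.

```python
"""Pre-execution authorization of XPath queries by containment in allowed patterns.

Both the query and the allowed patterns are restricted to a small linear
XPath fragment so that containment is cheap to decide.  The fragment and
its semantics are assumptions of this example, not part of XPath 2.0 or XACML:

  pattern := ( ("/" | "//") step )+      step := NAME | "*"
  query   := ( "/" step )+

Queries use only the child axis; patterns may also use "//" (descendant).
Predicates, attributes, functions and other axes are rejected outright.
"""
import re
from functools import lru_cache

_NAME = r"(?:\*|[A-Za-z_][\w.-]*)"
_PATTERN_RE = re.compile(rf"^(?://?{_NAME})+$")
_QUERY_RE = re.compile(rf"^(?:/{_NAME})+$")
_STEP_RE = re.compile(rf"(//?)({_NAME})")


def parse_pattern(pattern: str) -> tuple:
    """Split an allowed pattern into (axis, label) steps; reject anything outside the fragment."""
    if not _PATTERN_RE.match(pattern):
        raise ValueError(f"pattern outside supported fragment: {pattern!r}")
    return tuple(_STEP_RE.findall(pattern))


def parse_query(query: str) -> tuple:
    """Split a query into its step labels; only child-axis steps are accepted."""
    if not _QUERY_RE.match(query):
        raise ValueError(f"query outside supported fragment: {query!r}")
    return tuple(label for _, label in _STEP_RE.findall(query))


def _label_matches(pattern_label: str, query_label: str) -> bool:
    # A pattern wildcard covers any query step; a query wildcard (any element)
    # is covered only by a pattern wildcard, never by a fixed name.
    return pattern_label == "*" or (query_label != "*" and pattern_label == query_label)


def contained(query: str, pattern: str) -> bool:
    """True iff, on every document, the nodes selected by `query` are a subset of those selected by `pattern`."""
    steps = parse_pattern(pattern)
    labels = parse_query(query)

    @lru_cache(maxsize=None)
    def match(i: int, j: int) -> bool:
        if i == len(steps):
            # Pattern exhausted: it covers the query only if the query is exhausted too.
            return j == len(labels)
        axis, plabel = steps[i]
        if axis == "/":
            return j < len(labels) and _label_matches(plabel, labels[j]) and match(i + 1, j + 1)
        # "//" may skip any number of query steps before the step it labels.
        return any(_label_matches(plabel, labels[k]) and match(i + 1, k + 1)
                   for k in range(j, len(labels)))

    return match(0, 0)


def authorize(query: str, allowed_patterns) -> bool:
    """Admit a query only if it is contained in at least one allowed pattern."""
    return any(contained(query, p) for p in allowed_patterns)


if __name__ == "__main__":
    # Constructed sample policy: two permitted regions of a hypothetical document set.
    allowed = ["/orders//customer/name", "/catalog/*/price"]
    for q in ["/orders/order/customer/name", "/orders/order/customer/ssn", "/catalog/book/price"]:
        print(q, "->", "allowed" if authorize(q, allowed) else "denied")
```

Because the decision is made purely on the two expressions, it can sit in front of the query engine as a policy enforcement point; the engine only ever sees queries already known to select a subset of a permitted region. Extending the query side with "//" or predicates would require the heavier algorithms from the cited paper, which is exactly the trade the thread settles on.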