
xacml-users message



Subject: RE: [xacml-users] Help on ResourceConent!


Hi Roland! 

   Please find my comments [Balaji] below and let me know if my
understanding is correct?

Thanks
Balaji Kamal Kannadassan
-----Original Message-----
From: Roland Illig [mailto:roland.illig@gmx.de] 
Sent: Thursday, October 30, 2008 1:24 PM
To: Kannadassan, Balaji (AMR:8826)
Cc: xacml-users@lists.oasis-open.org
Subject: Re: [xacml-users] Help on ResourceConent!

Balaji Kannadassan schrieb:
> Hi All!
> 
>     I am sorry if this is too basic. I am a newbie to XML/XACML. I 
> am trying to understand the implementation of the same from the XACML 
> 1.0v pdf. I came across this tag on a place where the doctor is 
> searching for a DOB of patient. I am baffled on what's the need of this
> piece while there is another piece of code where he picks up the 
> subject-id user and his DOB. What's the use of this ResourceContent? 
> Please help me in understanding the same.

There are two different ways of getting information from a <Request>:

1. The <*AttributeDesignator> can be used for getting a named attribute,
which looks like:

<Request>
 <Subject>
  <Attribute AttributeId="subject-id">
   <AttributeValue>roland</AttributeValue>
  </Attribute>
 </Subject>
</Request>

[Balaji] Here we are getting a request to pick a record with subject-id
as roland.

In the policy, you use the following code to retrieve the attribute
values:

<SubjectMatch MatchId="string-equal">
 <AttributeValue>roland</AttributeValue>
 <SubjectAttributeDesignator AttributeId="subject-id"/>
</SubjectMatch>

[Balaji] We are matching the same with "roland" so those whose name
matches roland this policy would be applicable, right? Please do correct
me if I am wrong on the same.

2. The <AttributeSelector> can be used for getting arbitrary XML data
from the request, which can be encoded like this:

<Request xmlns:h="http://example.org/html4.xsd">
 <Resource>
  <ResourceContent>
   <h:html>
    <h:head>
     <h:title>Hello, World</h:title>
    </h:head>
   </h:html>
  </ResourceContent>
  <Attribute AttributeId="resource-id">
   <AttributeValue>http://example.org/hello.html</AttributeValue>
  </Attribute>
 </Resource>
</Request>

[Balaji] We are making h to point to an XML schema definition and define
record h with the contents, right? So what does the url with hello.html have
to play here?

In the policy, you can use the following code:

<ResourceMatch MatchId="regexp-string-match">
 <AttributeValue>.*[Hh]ell.*</AttributeValue>
 <AttributeSelector
  RequestContextPath="//Request/Resource/ResourceContent/h:html/h:head/h:title/text()"/>
</ResourceMatch>

[Balaji] In here are we saying that those with the title value
containing .*[Hh]ell.* this policy will be applicable?

Thanks
Balaji Kamal Kannadassan

With the <AttributeSelector>, you can embed arbitrary XML in the request
context and run queries on it using XPath/XQuery. Embedding the XML
document directly is often easier than retrieving (for example) the DOB
and encoding it as a named attribute, especially if you don't know which
fields of the medical record the policy needs for deciding.

Did this clarify things a bit?

Roland
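
The two lookups discussed in this thread, side by side, as an added example that is not part of the original messages and is not a XACML implementation. The function names are hypothetical, the request is constructed from the two snippets above, and Python's ElementTree path subset stands in for a full XPath engine.

```python
import re
import xml.etree.ElementTree as ET

# Constructed request context combining the two requests shown in the thread.
REQUEST = """<Request xmlns:h="http://example.org/html4.xsd">
 <Subject>
  <Attribute AttributeId="subject-id">
   <AttributeValue>roland</AttributeValue>
  </Attribute>
 </Subject>
 <Resource>
  <ResourceContent>
   <h:html><h:head><h:title>Hello, World</h:title></h:head></h:html>
  </ResourceContent>
  <Attribute AttributeId="resource-id">
   <AttributeValue>http://example.org/hello.html</AttributeValue>
  </Attribute>
 </Resource>
</Request>"""
NS = {"h": "http://example.org/html4.xsd"}
TITLE_PATH = "./Resource/ResourceContent/h:html/h:head/h:title"

def designator(root, category, attribute_id):
    """Named lookup: the bag of values of one AttributeId under Subject/Resource."""
    return [(v.text or "").strip()
            for a in root.findall(f"./{category}/Attribute")
            if a.get("AttributeId") == attribute_id
            for v in a.findall("AttributeValue")]

def selector(root, path):
    """Path lookup into the request; ElementTree has no text(), so take .text."""
    return [(n.text or "").strip() for n in root.findall(path, NS)]

def match_any(predicate, bag):
    """A match holds if any value in the bag satisfies it; an empty bag never does."""
    return any(predicate(v) for v in bag)

def evaluate(request_xml):
    """Return (subject_match, resource_match) for the thread's two matches."""
    root = ET.fromstring(request_xml)
    subject_ok = match_any(lambda v: v == "roland",
                           designator(root, "Subject", "subject-id"))
    title_ok = match_any(lambda v: re.search(r".*[Hh]ell.*", v) is not None,
                         selector(root, TITLE_PATH))
    return subject_ok, title_ok

if __name__ == "__main__":
    print(evaluate(REQUEST))
```

A selector path that names an element absent from the request returns an empty bag, so the match evaluates to false and the rule does not apply; this is worth testing for when a policy is expected to fire and does not.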

