

Subject: [xacml] Request and Response Context Schemas - Take 2


I have modified Simon's proposed schemas according to my proposed
ContextPrincipals definition.  I have also made the following
further changes based on comments from my group here and from the
concalls.  This has NOT been run through a validator.

- SimplePrincipal is now just Principal.
- ContextResource has been expanded to ContextResources,
  comparable to the expansion of Principal/ContextPrincipal to
  ContextPrincipals.  I think Michiharu suggested that we may
  want to allow for multiple resources, and I think it is also a
  good idea.
- I added a saml:IDType attribute to the RequestContext and the
  ResponseContext.  This is so that a response decision can be
  matched against a specific request.
- ContextActions is now an element under a Resource.  If we ever
  expect to have multiple resources, we need to know which
  actions go with which resource, and this makes that
  association.
- AttributeFamily is eliminated, and AttributeName is
  type="xs:anyURI".
- Issuer, IssueInstant attributes are made optional.
- AbstractPrincipal is eliminated.  In its place, a PrincipalID
  element is defined to hold the ways of identifying a given
  principal, either in a Principal or in an Attribute.
- HolderType is eliminated.  It is now PrincipalID.

Polar, I don't think we are ready to define ComplexPrincipalType.
I left a place-holder for it, but I think it needs a lot more
discussion.  The sequence of role-identified Principals is an
attempt to deal with what we know now.

Anne
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692

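<?xml version="1.0" encoding="UTF-8"?>
<!-- Title: Proposed Request and Response Context Schemas -->
<!-- Version: 1.1, 02/06/04 (yy/mm/dd) -->
<!-- Author:  Anne Anderson -->
<!-- Source:  /home/aa74233/docs/XACML/SCCS/s.ReqRespContextSchema.txt -->
<!-- Note: the XML declaration has to be the first thing in the file, so the
     header comments are placed after it rather than before it. -->
<xs:schema targetNamespace="http://www.oasis-open.org/committees/xacml/docs/draft-xacml-context.xsd"
           xmlns:xs="http://www.w3.org/2001/XMLSchema"
           xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
           xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
           xmlns:xacml="http://www.oasis-open.org/committees/xacml/docs/draft-xacml-context.xsd"
           elementFormDefault="qualified"
           attributeFormDefault="unqualified">
	<!-- RequestID below is typed saml:IDType, so the saml prefix must be
	     declared on the root and its namespace imported here; otherwise the
	     schema does not load.  Confirm the URI against the SAML assertion
	     schema revision the TC is tracking. -->
	<xs:import namespace="urn:oasis:names:tc:SAML:1.0:assertion"/>
	<!-- ds: is declared for the (currently commented-out) ds:KeyInfo option in
	     PrincipalIDType.  If that element is enabled, the xmldsig namespace
	     needs an xs:import as well. -->
	<!-- -->
	<!-- RequestContext: the decision request presented to the PDP. -->
	<xs:element name="RequestContext" type="xacml:RequestContextType"/>
	<xs:complexType name="RequestContextType">
		<xs:sequence>
			<xs:element ref="xacml:ContextPrincipals"/>
			<xs:element ref="xacml:ContextResources"/>
			<!-- ContextOther is mandatory here although its own content model
			     permits zero Attributes; add minOccurs="0" if an empty element
			     is not wanted in every request. -->
			<xs:element ref="xacml:ContextOther"/>
		</xs:sequence>
		<!-- RequestID must be a unique identifier; the ResponseContext echoes
		     it so a decision can be matched to the request it answers.  Schema
		     validation does not enforce uniqueness of the value - that is the
		     requester's responsibility - and the echo is correlation only: it
		     does not by itself prove the response was produced for this
		     request (a signature over the response would be needed for that). -->
		<xs:attribute name="RequestID" type="saml:IDType" use="required"/>
	</xs:complexType>
	<!-- -->
	<!-- ResponseContext: exactly one of Permit / Deny / Indeterminate. -->
	<xs:element name="ResponseContext" type="xacml:ResponseContextType"/>
	<xs:complexType name="ResponseContextType">
		<xs:choice>
			<xs:element ref="xacml:Permit"/>
			<xs:element ref="xacml:Deny"/>
			<xs:element ref="xacml:Indeterminate"/>
		</xs:choice>
		<!-- RequestID must be copied from the request context
		     for which this is the response. -->
		<xs:attribute name="RequestID" type="saml:IDType" use="required"/>
	</xs:complexType>
	<!-- -->
	<!-- ContextPrincipals: one or more Principals.  The choice currently has a
	     single branch; it is kept so ComplexPrincipal can be added later. -->
	<xs:element name="ContextPrincipals" type="xacml:ContextPrincipalsType"/>
	<xs:complexType name="ContextPrincipalsType">
		<xs:choice>
			<!--xs:element ref="xacml:ComplexPrincipal" minOccurs="1" maxOccurs="1"/-->
			<xs:element ref="xacml:Principal" minOccurs="1" maxOccurs="unbounded"/>
		</xs:choice>
	</xs:complexType>
	<!-- -->
	<!-- Principal: an optional PrincipalID plus any number of Attributes.  A
	     Principal with no PrincipalID is identified only by its Attributes. -->
	<xs:element name="Principal" type="xacml:PrincipalType"/>
	<xs:complexType name="PrincipalType">
		<xs:sequence>
			<xs:element ref="xacml:PrincipalID" minOccurs="0" maxOccurs="1"/>
			<xs:element ref="xacml:Attribute" minOccurs="0" maxOccurs="unbounded"/>
		</xs:sequence>
		<!-- PrincipalType examples: j2se:CodeSource xacml:RequestingUser -->
		<xs:attribute name="PrincipalType" type="xs:anyURI" use="required"/>
	</xs:complexType>
	<!-- -->
	<!--xs:element name="ComplexPrincipal" type="xacml:ComplexPrincipalType"/-->
	<!--xs:complexType name="ComplexPrincipalType"-->
		<!-- Not yet defined: a relational tree structure of Principal -->
	<!--/xs:complexType-->
	<!-- -->
	<!-- PrincipalID: the ways of naming a principal.  Also the type of Holder
	     in AttributeDesignatorType. -->
	<xs:element name="PrincipalID" type="xacml:PrincipalIDType"/>
	<xs:complexType name="PrincipalIDType">
		<xs:choice>
			<xs:element ref="xacml:NameIdentifier"/>
			<!-- did we agree on the 'ds:key' here? -->
			<!--xs:element ref="ds:KeyInfo"/-->
		</xs:choice>
	</xs:complexType>
	<!-- -->
	<!-- NameIdentifier: a string name, with a required Format URI saying how
	     the string is to be interpreted and an optional NameQualifier. -->
	<xs:element name="NameIdentifier" type="xacml:NameIdentifierType"/>
	<xs:complexType name="NameIdentifierType">
		<xs:simpleContent>
			<xs:extension base="xs:string">
				<xs:attribute name="Format" type="xs:anyURI" use="required"/>
				<xs:attribute name="NameQualifier" type="xs:string" use="optional"/>
			</xs:extension>
		</xs:simpleContent>
	</xs:complexType>
	<!-- -->
	<!-- AnyURI is not referenced anywhere else in this schema. -->
	<xs:element name="AnyURI" type="xs:anyURI"/>
	<!-- -->
	<!-- AttributeDesignator: identifies an attribute without giving its value;
	     AttributeType extends it with an AttributeValue. -->
	<xs:element name="AttributeDesignator" type="xacml:AttributeDesignatorType"/>
	<xs:complexType name="AttributeDesignatorType">
		<xs:sequence>
			<!-- Holder is the PrincipalID element value when
			     Attribute is used in a Principal -->
			<xs:element ref="xacml:Holder" minOccurs="0"/>
		</xs:sequence>
		<xs:attribute name="AttributeName" type="xs:anyURI" use="required"/>
		<xs:attribute name="Issuer" type="xs:anyURI" use="optional"/>
		<xs:attribute name="IssueInstant" type="xs:dateTime" use="optional"/>
		<xs:attribute name="AttributeLocator" type="xs:string" use="optional"/>
	</xs:complexType>
	<!-- -->
	<xs:element name="Holder" type="xacml:PrincipalIDType"/>
	<!-- -->
	<xs:element name="Attribute" type="xacml:AttributeType"/>
	<xs:complexType name="AttributeType">
		<xs:complexContent>
			<xs:extension base="xacml:AttributeDesignatorType">
				<xs:sequence>
					<xs:element ref="xacml:AttributeValue"/>
				</xs:sequence>
			</xs:extension>
		</xs:complexContent>
	</xs:complexType>
	<!-- -->
	<!-- AttributeValue: arbitrary element content.  xs:any defaults to
	     processContents="strict", so every element placed here must be
	     declared in a schema the validator knows; use processContents="lax"
	     if values in unknown vocabularies are intended to validate. -->
	<xs:element name="AttributeValue" type="xacml:AttributeValueType"/>
	<xs:complexType name="AttributeValueType">
		<xs:sequence>
			<xs:any maxOccurs="unbounded"/>
		</xs:sequence>
	</xs:complexType>
	<!-- -->
	<!-- ContextResources: one or more Resources (mirrors ContextPrincipals). -->
	<xs:element name="ContextResources" type="xacml:ContextResourcesType"/>
	<xs:complexType name="ContextResourcesType">
		<xs:choice>
			<!--xs:element ref="xacml:ComplexResource" minOccurs="1" maxOccurs="1"/-->
			<xs:element ref="xacml:Resource" minOccurs="1" maxOccurs="unbounded"/>
		</xs:choice>
	</xs:complexType>
	<!-- -->
	<!-- Resource: a specifier, its Attributes, and the Actions requested on
	     it.  Actions sit under Resource so that, with several resources in a
	     request, each action is tied to the resource it applies to. -->
	<xs:element name="Resource" type="xacml:ResourceType"/>
	<xs:complexType name="ResourceType">
		<xs:sequence>
			<xs:element ref="xacml:ResourceSpecifier" maxOccurs="1"/>
			<xs:element ref="xacml:Attribute" minOccurs="0" maxOccurs="unbounded"/>
			<xs:element ref="xacml:Action" minOccurs="0" maxOccurs="unbounded"/>
		</xs:sequence>
	</xs:complexType>
	<!-- -->
	<!--xs:element name="ComplexResource" type="xacml:ComplexResourceType"/-->
	<!--xs:complexType name="ComplexResourceType"-->
		<!-- Not yet defined: a relational tree structure of Resource -->
	<!--/xs:complexType-->
	<!-- -->
	<!-- ResourceSpecifier: the resource by URI, by embedded content, or both.
	     Both parts are optional, so an empty specifier is currently valid. -->
	<xs:element name="ResourceSpecifier" type="xacml:ResourceSpecifierType"/>
	<xs:complexType name="ResourceSpecifierType">
		<xs:sequence>
			<xs:element ref="xacml:ResourceContent" minOccurs="0"/>
		</xs:sequence>
		<xs:attribute name="ResourceURI" type="xs:anyURI" use="optional"/>
	</xs:complexType>
	<!-- -->
	<!-- ResourceContent: the resource itself, embedded in the request.  Same
	     processContents consideration as AttributeValue. -->
	<xs:element name="ResourceContent" type="xacml:ResourceContentType"/>
	<xs:complexType name="ResourceContentType">
		<xs:sequence>
			<xs:any maxOccurs="unbounded"/>
		</xs:sequence>
	</xs:complexType>
	<!-- -->
	<!-- Action is xs:string here but DecisionType/@Action is xs:anyURI; the
	     two should probably use the same type. -->
	<xs:element name="Action" type="xs:string"/>
	<!-- -->
	<!-- ContextOther: Attributes that belong to neither a Principal nor a
	     Resource (environment and similar). -->
	<xs:element name="ContextOther" type="xacml:ContextOtherType"/>
	<xs:complexType name="ContextOtherType">
		<xs:sequence>
			<xs:element ref="xacml:Attribute" minOccurs="0" maxOccurs="unbounded"/>
		</xs:sequence>
	</xs:complexType>
	<!-- -->
	<!-- DecisionType: base of Permit/Deny/Indeterminate.  ResourceName here
	     versus ResourceURI on ResourceSpecifier - consider one name. -->
	<xs:complexType name="DecisionType">
		<xs:attribute name="ResourceName" type="xs:anyURI"/>
		<xs:attribute name="Action" type="xs:anyURI"/>
	</xs:complexType>
	<!-- -->
	<!-- Permit / Deny: a decision plus any Obligations the PEP must carry out. -->
	<xs:element name="Permit" type="xacml:EffectDecisionType"/>
	<xs:element name="Deny" type="xacml:EffectDecisionType"/>
	<xs:complexType name="EffectDecisionType">
		<xs:complexContent>
			<xs:extension base="xacml:DecisionType">
				<xs:sequence>
					<xs:element ref="xacml:Obligation" minOccurs="0" maxOccurs="unbounded"/>
				</xs:sequence>
			</xs:extension>
		</xs:complexContent>
	</xs:complexType>
	<!-- -->
	<xs:element name="Obligation" type="xacml:ObligationType"/>
	<xs:complexType name="ObligationType">
		<xs:sequence>
			<xs:any minOccurs="0" maxOccurs="unbounded"/>
		</xs:sequence>
		<xs:attribute name="ObligationName" type="xs:anyURI"/>
	</xs:complexType>
	<!-- -->
	<!-- Indeterminate: no decision could be reached; Advice may say why. -->
	<xs:element name="Indeterminate" type="xacml:IndeterminateType"/>
	<xs:complexType name="IndeterminateType">
		<xs:complexContent>
			<xs:extension base="xacml:DecisionType">
				<xs:sequence>
					<xs:element ref="xacml:Advice" minOccurs="0" maxOccurs="unbounded"/>
				</xs:sequence>
			</xs:extension>
		</xs:complexContent>
	</xs:complexType>
	<!-- -->
	<xs:element name="Advice" type="xacml:AdviceType"/>
	<xs:complexType name="AdviceType">
		<xs:sequence>
			<xs:any minOccurs="0" maxOccurs="unbounded"/>
		</xs:sequence>
		<xs:attribute name="AdviceName" type="xs:anyURI"/>
	</xs:complexType>
</xs:schema>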


