[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: [xacml] Re: xpath and xacml
This is a proposal for supporting target specification using XPath expression. <AttributeSelector> is used to specify XPath expression in the <target> element. I am assuming that <AttributeDesignator> will be used for the expression without XPath. Four new functions are used to compare values. function:general-string-equal function:boolean function:node-equal function:xpath-match <XPathVersion> element in <Defaults> element is used to specify the version of the XPath expression used in the policy. Schema definition will be posted by Simon. Before describing about each function definition, I start with a couple policy specification examples. == EXAMPLE 1 == <Rule> <Target> <Resources MatchId="function:general-string-equal" DataType ="xs:boolean"> <AttributeSelector Designator="//c:Subject[@Category ='req']/c:SubjectId"/> <AttributeSelector Designator="//e:employee/e:name"/> </Resource> </Target> </Rule> The above policy means general-string-equal(xpath-match(//c:Subject [@Category='req']/c:SubjectId), xpath-match(//e:employee/e:name)). general-string-equal is derived from the general comparison "=" defined in XPath 2.0 that adds existential semantics to value comparisons. While original general comparison is not aware of data type, our function is aware of data type. That's why "string" is specified in the function name. This means the comparison must be done in string data type. For example, SubjectId may return a set including two items that represent "Alice" and "Bob" and e:name may return a set including three items that represent "Alice", "Carol" and "Dave". Since "Alice" is included in both lists, then the general-string-equal returns true. In the above policy, I omitted to specify namespace URI and prefix used in the XPath for readability. It would be specified as follows: <Rule> <Target> <Resources MatchId="function:general-string-equal" DataType ="xs:boolean"> <AttributeSelector xmlns:c="urn:oasis:xacml-context" Designator ="//c:Subject[@Category='req']/c:SubjectId"/> <AttributeSelector xmlns:e="http://myNS" Designator ="//e:employee/e:name"/> </Resource> </Target> </Rule> == EXAMPLE 2 == <Rule> <Target> <Resources MatchId="function:general-string-equal" DataType ="xs:boolean"> <AttributeSelector Designator="//c:Subject[@Category ='req']/c:SubjectId"/> <Attribute DataType="xs:stiring">Alice</Attribute> </Resource> </Target> </Rule> The above policy means general-string-equal(xpath-match(//c:Subject [@Category='req']/c:SubjectId), "Alice") == EXAMPLE 3 == If two arguments of general-string-equal is the same, it is a possibility to specify that by: <Rule> <Target> <Resources MatchId="function:boolean" DataType="xs:boolean"> <AttributeSelector Designator="boolean(//c:Subject[@Category ='req']/c:SubjectId[.=//e:employee/e:name])"/> </Resource> </Target> </Rule> The above policy is valid when a target XML document is embedded in the XACML request context. (We assume that each element is distinguished using namespace). However, if two expressions refer to different XML documents, say XACML request context and target XML document that is NOT EMBEDDED in the context. It is impossible to specify it like the above. I omitted DataType attribute in the AttributeSelector because its data type is always a set and there seems no data type that represents a set. == EXAMPLE 4 == Other usage is the node comparison as I described in my XML access control proposal. Of course, this is an analogy from a node comparison "is" defined in [1]. <Rule> <Target> <Resources MatchId="function:node-equal" DataType="xs:boolean"> <AttributeSelector Designator="//c:Attribute/@value"/> <AttributeSelector Designator="//c:Attribute/@name"/> </Resource> </Target> </Rule> ---------------------- Function Definitions ---------------------- <1>. Function:general-string-equal boolean: general-string-equal(object(*1), object) The general-string-equal(A,B) is true for set A and B if the string-equal(a,b) is true for some item a in A and some item b in B. Otherwise, general-string-equal(A,B) is false. When performing string-equal function, apply the following rules in order: 1. Simple String Atomization (SSA) is applied to each operand, resulting in a single atomic value or an empty set for each operand. 2. If either operand is an empty set, the result is an empty set. 3. Cast each operand to xs:string 4. If the cast fails, the error value is returned. 5. The result of string-equal is true if the value of the first operand is equal to the value of the second operand; otherwise the result of the string-equal is false. Simple String Atomization (SSA): 1. If the value is a single atomic value or an empty set, atomization simply returns the value. 2. If the value is a single node, it must be an element node, attribute node or a text node. 2.1 If the value is a text node, returns the string content of the text node. 2.2 If the value is an attribute node, returns its string value. 2.3 If the value is an element node that does not contain element node below, returns the string content of the text node. 2.4 If the value is an element node that contain one or more element node below, returns error value as defined in [1] 3. If the value is not a single node, return error value as defined in [1] Example: <a> <b1>January</b1> <b1>February</b1> <b2> <c>January</c> <c>March</c> </b2> <b3 d="February"/> <b3 d="April"/> </a> A := xpath(/a/b1) B := xpath(/a/b2/c) C := xpath(/a/b3/@d) D := xpath(/a/b2) (1) general-string-equal(A,B) ==> true (2) general-string-equal(A,C) ==> true (3) general-string-equal(B,C) ==> false (4) general-string-equal(A,"February") ==> true (5) general-string-equal(A,D) ==> Error value (1) A returns two nodes: two <b1> elements. The SSA is applied to the first <b1> item, which returns "January". The SSA is applied to the second <b1> item, which returns "February". B returns two nodes: two <c> elements. The SSA is applied to the first <c> item, which returns "January". The SSA is applied to the second <c> item, which returns "March". String casting succeeds. Since the first value of the first operand is equal to the first value of the second operand, general-string-equal returns true. (2) C returns two nodes: two d attributes. The SSA is applied to each item, which returns "February" and "March", respectively. Since the second value of the first operand is equal to the first value of the second operand, general-string-equal returns true. (3) Since there is no identical value pair in the first operand and the second operand, general-string-equal returns false. (4) The second operand is a single atomic value "February". Since it is equal to the second value of the first operand, general-string-equal returns true. (5) The second operand returns one <b2> element that contains two <c> element. This raises error from SSA step 2.4. Therefore, general-string-equal returns error value. <2>. Function:boolean boolean boolean(object) The boolean function converts its argument to a boolean as follows: 1. a number is true if and only if it is neither positive or negative zero nor NaN 2. a node-set is true if and only if it is non-empty 3. a string is true if and only if its length is non-zero 4. an object of a type other than the four basic types is converted to a boolean in a way that is dependent on that type <3>. Function:node-equal boolean node-equal(object, object) The result of a node-equal is defined by applying the following rules, in order: 1. Both operands must be either a single node or an empty set; otherwise the error value is returned. 2. If either operand is an empty set, the result of the comparison is an empty set. 3. A comparison is true if the two operands are nodes that have the same single node; otherwise it is false. <4>. Function:xpath-match object xpath-match(string) The result of xpath-match is defined by applying the following rules, in order: 1. Find <XPath-Version> element in <Defaults> element specified in the rule/policyStatement/policySetStatement. Use corresponding XPath processor to evaluate the argument. 2. Evaluate the argument and returns object. *1 "object" type specified in each function argument is defined in [2] [1] XQuery 1.0 and XPath 2.0 Data Model, http://www.w3.org/TR/xquery-operators/ [2] XPath 1.0, http://www.w3.org/TR/xpath Michiharu Kudo IBM Tokyo Research Laboratory, Internet Technology Tel. +81 (46) 215-4642 Fax +81 (46) 273-7428
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC