Subject: Re: [xacml] [CR] AttributeSelectorIndirect
Line 804-810 of draft 0.16e, there is a resource match in Example 2 Rule 1:

  <ResourceMatch MatchId="function:node-match">
    <ResourceAttributeDesignator AttributeId="urn:...:xpath" DataType="xsi:string"/>
    <AttributeValue DataType="xsi:string">/md:record</AttributeValue>
  </ResourceMatch>

In the above example, the node-match function is defined as

  Function: node-match
  input: xs:string, xs:string
  output: xs:boolean
  description: receive two xpath expressions and executes xpath processor on
  both xpaths. It generates two objects (object type is defined in XPath 1.0,
  i.e. node-set, string, numeric, or boolean). When two objects have an
  intersection, then it returns true, otherwise return false.

Instead of the above node-match function and the resource match specification, I would prefer the definition and resource match specification using <AttributeSelectorIndirect> below:

  Function: node-match
  input: object, object
  output: xs:boolean
  description: receive two objects. When two node-sets have an intersection,
  then it returns true, otherwise return false.

  <ResourceMatch MatchId="function:node-match">
    <AttributeSelectorIndirect>
      <ResourceAttributeDesignator AttributeId="urn:...:xpath"/>
    </AttributeSelectorIndirect>
    <AttributeSelector RequestContextPath="/md:record"/>
  </ResourceMatch>

Other example (not AttributeSelectorIndirect but AttributeSelector case) is line 825-835. The function:string-equal should be the function:general-string-equal because <AttributeSelector> returns an object data type (maybe node-set) and it is not proper to hand it to string-equal function.

  <Condition FunctionId="function:string-equal">
    <SubjectAttributeDesignatorWhere AttributeId="urn:...:policy-number" DataType="xsi:string"/>
    <AttributeSelector RequestContextPath="/ctx:Request/ ... /md:policyNumber" DataType="xsi:string"/>
  </Condition>

[should be]

  <Condition FunctionId="function:general-string-equal">
    <SubjectAttributeDesignatorWhere AttributeId="urn:...:policy-number" DataType="xsi:string"/>
    <AttributeSelector RequestContextPath="/ctx:Request/ ... /md:policyNumber" DataType="xsi:string"/>
  </Condition>

Michiharu Kudo

IBM Tokyo Research Laboratory, Internet Technology
Tel. +81 (46) 215-4642 Fax +81 (46) 273-7428

Polar Humenn <polar@syr.edu>
To: Michiharu Kudoh/Japan/IBM@IBMJP
cc: <xacml@lists.oasis-open.org>
2002/08/30 03:27
Subject: Re: [xacml] [CR] AttributeSelectorIndirect

Michiharu,

Is there a use case or example for this type of attribute selector?

Cheers,
-Polar

On Thu, 29 Aug 2002, Michiharu Kudoh wrote:

> Based on the discussion on Monday call, Simon and I agreed to changing the
> schema to support an AttributeSelectorIndirect element to retrieve a XPath
> expression from the context. I wonder whether the name of this element is
> appropriate or not.
>
> <xs:complexType name="AttributeSelectorBaseType">
>   <xs:element ref="xacml:XPathNamespace" minOccurs="0" maxOccurs="unbounded"/>
>   <xs:attribute name="DataType" type="xs:anyURI" use="optional"/>
>   <xs:attribute name="XPathVersion" type="xs:anyURI" use="optional"
>                 default="http://www.w3.org/TR/1999/Rec-xpath-19991116"/>
> </xs:complexType>
>
> <xs:complexType name="AttributeSelectorType">
>   <xs:complexContent>
>     <xs:extension base="AttributeSelectorBaseType">
>       <xs:attribute name="RequestContextPath" type="xs:string" use="required"/>
>     </xs:extension>
>   </xs:complexContent>
> </xs:complexType>
>
> <xs:complexType name="AttributeSelectorIndirectType">
>   <xs:extension base="AttributeSelectorBaseType">
>     <xs:choice>
>       <xs:element ref="xacml:SubjectAttributeDesignator"/>
>       <xs:element ref="xacml:ResourceAttributeDesignator"/>
>       <xs:element ref="xacml:ActionAttributeDesignator"/>
>       <xs:element ref="xacml:EnvironmentAttributeDesignator"/>
>     </xs:choice>
>   </xs:extension>
> </xs:complexType>
>
> <xs:element name="AttributeSelector" type="AttributeSelectorType"/>
> <xs:element name="AttributeSelectorIndirect" type="AttributeSelectorIndirectType"/>
>
> <xs:element name="XPathNamespace" type="xacml:XPathNamespaceType"
>             substitutionGroup="xacml:AbstractDefaults"/>
> <xs:complexType name="XPathNamespaceType">
>   <xs:attribute name="NamespaceURI" type="xs:anyURI"/>
>   <xs:attribute name="Prefix" type="xs:string" use="optional"/>
> </xs:complexType>
>
> Sample text for this element:
>
> 5.28. Element <AttributeSelectorIndirect>
>
> The <AttributeSelectorIndirect> element is a free-form pointing device into
> the <xacml-context:Request> element using an attribute designator. The
> actual xpath expression is retrieved from the context pointed by that
> attribute designator. Other than that, the semantics is the same with
> <AttributeSelector> element. Support for the <AttributeSelectorIndirect>
> element is OPTIONAL.
>
> The <AttributeSelectorIndirect> element is of AttributeSelectorIndirectType
> complex type.
> The <AttributeSelectorIndirect> element has either one of the following
> elements:
>
>   SubjectAttributeDesignator
>   ResourceAttributeDesignator
>   ActionAttributeDesignator
>   EnvironmentAttributeDesignator
>
> Michiharu
>
> IBM Tokyo Research Laboratory, Internet Technology
> Tel. +81 (46) 215-4642 Fax +81 (46) 273-7428
>
> ----------------------------------------------------------------
> To subscribe or unsubscribe from this elist use the subscription
> manager: <http://lists.oasis-open.org/ob/adm.pl>
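
The node-match over two node-sets and the indirect selector proposed in this message, sketched as an added example that is not part of the original thread or of any XACML implementation. Assumptions: the namespace URIs, the AttributeId `urn:example:xpath`, the request context and the `Indeterminate` exception are constructed placeholders, and paths are written in the relative XPath subset that Python's ElementTree supports.

```python
import xml.etree.ElementTree as ET

# Constructed namespaces, AttributeId and request context (placeholders).
NS = {"ctx": "urn:example:context", "md": "urn:example:medical"}
REQUEST = ET.fromstring("""
<ctx:Request xmlns:ctx="urn:example:context" xmlns:md="urn:example:medical">
  <ctx:Resource>
    <ctx:Attribute AttributeId="urn:example:xpath">
      <ctx:AttributeValue>.//md:record</ctx:AttributeValue>
    </ctx:Attribute>
    <ctx:ResourceContent>
      <md:record><md:policyNumber>P-100</md:policyNumber></md:record>
      <md:note>unrelated</md:note>
    </ctx:ResourceContent>
  </ctx:Resource>
</ctx:Request>
""")


class Indeterminate(Exception):
    """A selector could not be evaluated (missing attribute or bad XPath)."""


def attribute_selector(context, path):
    """<AttributeSelector>: evaluate a policy-supplied path to a node-set."""
    try:
        return context.findall(path, NS)
    except SyntaxError as exc:  # malformed or unsupported expression
        raise Indeterminate(f"bad XPath {path!r}: {exc}") from exc


def attribute_selector_indirect(context, attribute_id):
    """<AttributeSelectorIndirect>: the path is itself read from the context."""
    values = [v for a in context.findall("./ctx:Resource/ctx:Attribute", NS)
              if a.get("AttributeId") == attribute_id
              for v in a.findall("ctx:AttributeValue", NS)]
    if len(values) != 1:
        raise Indeterminate(f"{attribute_id}: expected 1 value, got {len(values)}")
    # The expression arrives with the request; a bad one yields Indeterminate.
    return attribute_selector(context, (values[0].text or "").strip())


def node_match(left, right):
    """Proposed node-match: true when the two node-sets share a node."""
    return bool({id(n) for n in left} & {id(n) for n in right})


if __name__ == "__main__":
    indirect = attribute_selector_indirect(REQUEST, "urn:example:xpath")
    print(node_match(indirect, attribute_selector(REQUEST, ".//md:record")))
```

Because both arguments are node-sets rather than strings, the comparison is on node identity within the same context, which is the distinction the message draws against handing a selector result to a string function.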