Subject: XML doc hierarchical resource questions
OK, you XPath expression experts! Michiharu, I hope this includes you! :-)

I am comparing the XACML 1.1 example that uses XML document access in "Section 4.2.2 Example request context" to the current XACML 2.0 Hierarchical Resource draft (http://lists.oasis-open.org/archives/xacml/200405/msg00104.html). There are some significant differences. I would like feedback on whether the differences are OK.

The document being accessed is:

    <?xml version ...?>
    <record xmlns="http://www.medico.com/schemas/record.xsd" ...>
      <patient>
      ....
    </record>

1. 1.1 includes the actual document in the ResourceContent element.

   2.0 does the same. 2.0 explicitly requires this if the resource is an XML document.

2. 1.1 uses the following "resource-id" Attribute:

       <Attribute AttributeId="...:resource-id" DataType="...#string">
         <AttributeValue>
           //medico.com/records/bart-simpson.xml#
           xmlns(md=//http:www.medico.com/schemas/record.xsd)
           xpointer(/md:record/md:patient/md:patientDoB)
         </AttributeValue>
       </Attribute>

   2.0 says to put an XPath expression that evaluates to exactly the one node being requested into the "resource-id" Attribute, and give it the new "xpath-expression" DataType (defined as "a string that is to be interpreted as an XPath expression").

   A request from the PEP might include an XPath expression that evaluates to more than one requested node in the "resource-id" Attribute. The Context Handler is responsible for converting this to a series of Requests, each of which asks for exactly one node. For each Request for exactly one node, the Context Handler is responsible for constructing an XPath expression that evaluates to only that one node, and putting it into the "resource-id" Attribute for that Request.

   Rationale: By putting the actual XPath expression into the "resource-id" Attribute, a "resource-id" Attribute constructed by the Context Handler is treated the same as an original request for only a single node, and we have an appropriate value to put into the ResourceId field of each Response Result.

3. 1.1 uses the following "xpath" Attribute:

       <Attribute AttributeId="...:xpath" DataType="...#string">
         <AttributeValue>
           xmlns(md=http:www.medico.com/schemas/record.xsd)
           xpointer(/md:record/md:patient/md:patientDoB)
         </AttributeValue>
       </Attribute>

   2.0 eliminates the "xpath" Attribute, since the information is contained in the "resource-id" Attribute.

4. 1.1 uses the following "target-namespace" Attribute that is not described in Appendix "B.6 Resource Attributes":

       <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:target-namespace" DataType="...#string">
         <AttributeValue>
           http://www.medico.com/schemas/record.xsd
         </AttributeValue>
       </Attribute>

   2.0 does not specify this Attribute, since the information is contained in the "resource-id" Attribute (I think).

The point is, is an XPath expression in the "...:resource-id" Attribute, using the new "xpath-expression" DataType, sufficient to contain all the information that a policy will need to apply to this particular XML document and to the Requested node? Do we need an additional Attribute to match on separately for the document's namespace? Do we need an additional Attribute to match on for the node's "identity" (even though a Context Handler will not be able to construct an "identity" if multiple nodes are requested)?

Anne
--
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
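The Context Handler behaviour described in item 2 (a PEP "resource-id" XPath that selects several nodes is split into one Request per node, each carrying an XPath that selects exactly that node, which can then be echoed back as the ResourceId of each Result) is easy to get subtly wrong, so here is a worked illustration. This is an added example written for this page, not code from the mail, from the XACML TC, or from any XACML implementation. It assumes: a constructed sample record modelled on the <record>/<patient> skeleton above; that the Context Handler already knows the prefix binding md -> http://www.medico.com/schemas/record.xsd (the mail's open question is precisely whether that binding needs its own Attribute); a placeholder string for the "xpath-expression" DataType URN, which the mail abbreviates; and a deliberately small location-path subset (absolute child steps, `*`, and positional predicates) evaluated with the standard library rather than a full XPath engine.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# Constructed sample document, modelled on the <record>/<patient> skeleton in the mail.
RECORD_XML = """<?xml version="1.0"?>
<record xmlns="http://www.medico.com/schemas/record.xsd">
  <patient>
    <patientName>Bart Simpson</patientName>
    <patientDoB>1992-02-23</patientDoB>
    <patientContact>
      <phone>555-0100</phone>
      <phone>555-0101</phone>
    </patientContact>
  </patient>
</record>
"""

# Assumption: the Context Handler knows this prefix binding out of band.
NS = {"md": "http://www.medico.com/schemas/record.xsd"}
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
# Placeholder: the mail only abbreviates the new 2.0 DataType URN as "xpath-expression".
XPATH_DATATYPE = "...:xpath-expression"

# One location step: "md:local" or "*", optionally followed by a 1-based "[n]" predicate.
_STEP = re.compile(r"^(\*|[A-Za-z_][\w.-]*:[A-Za-z_][\w.-]*)(?:\[(\d+)\])?$")


def _parse_step(step: str, ns: Dict[str, str]) -> Tuple[Optional[str], Optional[int]]:
    """Return (Clark-notation tag, or None for '*'; 1-based position, or None)."""
    m = _STEP.match(step)
    if not m:
        raise ValueError(f"unsupported XPath step: {step!r}")
    name, pos = m.group(1), m.group(2)
    if name == "*":
        tag = None
    else:
        prefix, local = name.split(":")
        tag = "{%s}%s" % (ns[prefix], local)
    return tag, (int(pos) if pos else None)


def evaluate(root: ET.Element, xpath: str, ns: Dict[str, str]) -> List[ET.Element]:
    """Evaluate an absolute child-axis location path (XPath subset) against the document."""
    if not xpath.startswith("/"):
        raise ValueError("only absolute location paths are supported")
    steps = xpath[1:].split("/")
    tag, pos = _parse_step(steps[0], ns)
    if (tag is not None and root.tag != tag) or pos not in (None, 1):
        return []
    nodes = [root]
    for step in steps[1:]:
        tag, pos = _parse_step(step, ns)
        selected = []
        for parent in nodes:
            kids = [c for c in parent if tag is None or c.tag == tag]
            if pos is None:
                selected.extend(kids)
            elif pos <= len(kids):
                selected.append(kids[pos - 1])
        nodes = selected
    return nodes


def unique_xpath(root: ET.Element, node: ET.Element, ns: Dict[str, str]) -> str:
    """Build an XPath with positional predicates that selects exactly `node`.

    Assumes every element is namespace-qualified with a prefix present in `ns`.
    """
    parent_of = {child: parent for parent in root.iter() for child in parent}
    uri_to_prefix = {uri: prefix for prefix, uri in ns.items()}

    def step(elem: ET.Element) -> str:
        uri, local = elem.tag[1:].split("}")
        return f"{uri_to_prefix[uri]}:{local}"

    parts = []
    cur = node
    while cur is not root:
        parent = parent_of[cur]
        same_name = [c for c in parent if c.tag == cur.tag]
        parts.append(f"{step(cur)}[{same_name.index(cur) + 1}]")
        cur = parent
    parts.append(step(root))
    return "/" + "/".join(reversed(parts))


def split_request(xml_text: str, resource_id_xpath: str, ns: Dict[str, str] = NS) -> List[Dict[str, str]]:
    """Context Handler step: one single-node Request per node the PEP's XPath selects."""
    root = ET.fromstring(xml_text)
    requests = []
    for node in evaluate(root, resource_id_xpath, ns):
        xp = unique_xpath(root, node, ns)
        # Check the 2.0 requirement before emitting: the rewritten XPath must select exactly this node.
        hits = evaluate(root, xp, ns)
        if len(hits) != 1 or hits[0] is not node:
            raise RuntimeError(f"{xp} does not identify exactly the requested node")
        requests.append({"AttributeId": RESOURCE_ID, "DataType": XPATH_DATATYPE, "AttributeValue": xp})
    return requests


if __name__ == "__main__":
    for req in split_request(RECORD_XML, "/md:record/md:patient/*"):
        print(req["AttributeValue"])
```

The per-node XPath carries positional predicates on every step below the document element, so the value is stable for the document in ResourceContent even when sibling elements share a name (the two phone elements above). Note that the handler cannot do this without the prefix binding in NS: the resource-id value alone does not say what md denotes, which is the gap the mail's closing questions are about.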