OASIS Mailing List Archives

xacml message

Subject: Re: [xacml] URI-match function proposal


Tim Moses wrote:
 > Bill - Are you (furthermore) claiming that your proposal addresses my
 > use-case (i.e. locating and retrieving applicable policies from an SQL
 > database)?  If so, I would like to understand how.  All the best.  Tim.

well, my thinking is this:

[...]
   <Resources>
    <Resource>
*   <ResourceMatch MatchId="url-subtree-match">
*    <AttributeValue>www.example.com</AttributeValue>
      <ResourceAttributeDesignator AttributeId="resource-id"/>
     </ResourceMatch>
*   <ResourceMatch MatchId="url-subtree-match">
*    <AttributeValue>\/.*\.cgi</AttributeValue>
      <ResourceAttributeDesignator AttributeId="resource-id"/>
     </ResourceMatch>
    </Resource>
   </Resources>
[...]

OR, if we wanted to express the matching of "cgi" files anywhere in the universe:

[...]
   <Resources>
    <Resource>
*   <ResourceMatch MatchId="url-subtree-match">
*    <AttributeValue></AttributeValue>
      <ResourceAttributeDesignator AttributeId="resource-id"/>
     </ResourceMatch>
*   <ResourceMatch MatchId="url-subtree-match">
*    <AttributeValue>\/.*\.cgi</AttributeValue>
      <ResourceAttributeDesignator AttributeId="resource-id"/>
     </ResourceMatch>
    </Resource>
   </Resources>
[...]

in both cases the first resource attribute refers to the host (uri match) and 
the second to the host resources (regex match).  this would also work for all 
other url matches without creating another function. seems straightforward to me 
(which usually means i am missing something ;o)

does this make sense?

b

as an aside, i would access applicable policies using resource from an RDBMS 
using something like this:

SELECT * from policies where REGEXP_LIKE (resource, 
'^[hH][tT][tT][pP]:\/\/[eE][xX][aA][mM][pP][lL][eE]\.[cC][oO][mM]\/.*\.cgi');

assuming you are using oracle. db/2 (with extensions) and mysql can be used 
similarly. sqlserver requires some creative programming (i think). anyway, my 
position is that anything we create with our policy definitions will require 
some form of mapping to the policy store retrieval language, so precision is 
highly desirable (all of the SQL LIKE variants i have seen haven't been much 
prettier than regex ;o)

for 3 of the 4 DBMSs listed, the query string mapping is actually fairly trivial 
since they support POSIX derivatives of regex natively.

now if the idea is to search for policies that themselves contain macro 
expressions for resources then the complexity of the description language 
argument becomes moot because this would almost have to be an (internal) 
mnemonic that is managed by the interface between the policy developer and the 
policy store (the UI in my twisted world). free form definition of 
macros--particularly if they are non-standard--will not work in my opinion (it 
is effectively "ANY" on steroids ;o)

ok, i am way out in the weeds here. sorry about that.
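The following is an added Python example, not code from the thread, that exercises the two-ResourceMatch rule proposed above and the SQL mapping from the aside. It assumes the reading the message implies but does not define: the first match carries the host (empty meaning any host) and the second a path regex; the sample XML and URLs are constructed.

```python
import re
from urllib.parse import urlsplit
from xml.etree import ElementTree as ET

# Constructed sample: the <Resource> from the message, with plain ASCII quotes.
RESOURCE_XML = r"""<Resource>
  <ResourceMatch MatchId="url-subtree-match">
    <AttributeValue>www.example.com</AttributeValue>
    <ResourceAttributeDesignator AttributeId="resource-id"/>
  </ResourceMatch>
  <ResourceMatch MatchId="url-subtree-match">
    <AttributeValue>\/.*\.cgi</AttributeValue>
    <ResourceAttributeDesignator AttributeId="resource-id"/>
  </ResourceMatch>
</Resource>"""


def parse_resource(xml_text):
    """Return (host, path_regex). Assumed reading of the proposal: the first
    ResourceMatch carries the host (empty = any host), the second a path regex."""
    values = [m.findtext("AttributeValue") or ""
              for m in ET.fromstring(xml_text).findall("ResourceMatch")]
    if len(values) != 2:
        raise ValueError("expected exactly two ResourceMatch elements")
    return values[0], values[1]


def url_subtree_match(host, path_regex, resource_id):
    """PDP-side evaluation of one resource-id URL against the rule.
    Host names compare case-insensitively; the regex must match the whole path."""
    parts = urlsplit(resource_id)
    if parts.scheme != "http":        # assumption: only http resource-ids in scope
        return False
    if host and parts.hostname != host.lower():
        return False
    return re.fullmatch(path_regex, parts.path) is not None


def _ci(literal):
    """Spell a literal case-insensitively the way the message's query does:
    each letter becomes [xX]; everything else is regex-escaped."""
    return "".join("[%s%s]" % (c.lower(), c.upper()) if c.isalpha() else re.escape(c)
                   for c in literal)


def to_sql_pattern(host, path_regex):
    """Store-side mapping: the anchored pattern for REGEXP_LIKE(resource, ...).
    An empty host becomes one or more non-slash characters, i.e. any host."""
    host_part = _ci(host) if host else "[^/]+"
    return "^" + _ci("http") + r":\/\/" + host_part + path_regex


def store_match(pattern, resource):
    """Stand-in for REGEXP_LIKE: POSIX-style patterns above also run under re."""
    return re.match(pattern, resource) is not None
```

Because the same host and path regex feed both `url_subtree_match` and `to_sql_pattern`, a policy that matches at the PDP is also the one the store query retrieves.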
