[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xacml] Section B.6 - Resource attributes
On 27 July, Tim Moses writes: [xacml] Section B.6 - Resource attributes > Colleagues - Some proposed changes to Section B.6. Any comments? All the > best. Tim. > > Draft 13 > > These identifiers indicate attributes of the resource. The corresponding > attributes MAY appear in the <Resource> element of the request context and > be accessed by means of a <ResourceAttributeDesignator> element, or by an > <AttributeSelector> element that points into the <Resource> element of the > request context. In the former case, the attribute identifier SHALL appear > in the <ResourceAttributeDesignator> element. I don't understand why the last sentence is needed. If the attribute is in the <Resource> element and is accessed by means of a <ResourceAttributeDesignator> element, doesn't that mean the attribute identifier must by definition appear in the <ResourceAttributeDesignator> element? > This identifier indicates the URI of the resource. The type of the > corresponding attribute SHALL be "http://www.w3.org/2001/XMLSchema#anyURI". > urn:oasis:names:tc:xacml:1.0:resource:resource-id The Hierarchical Resource Profile for XML resources proposes that the DataType of the resource-id be "xpath-expression", identifying the specific node of the resource that is being requested. In this case, the optional "document-id" resource Attribute can be used to hold the URI of the entire XML document. I think Daniel also objected to forcing resource-id to be a URI. Or maybe it was just a URI conforming to my proposed hierarchical URI scheme :-) So is there a reason resource-id must be a URI? > This identifier indicates the name-space of the top element of the resource. > In the case where the resource content is supplied in the request context > and the resource namespace is defined in the resource, the PDP SHALL confirm > that the namespace defined by this attribute is the same as that defined in > the resource. The type of the corresponding attribute SHALL be > "http://www.w3.org/2001/XMLSchema#anyURI". > urn:oasis:names:tc:xacml:2.0:resource:target-namespace > This identifier indicates an xpath expression whose context node is the > <xacml-context:Request> element. This attribute SHALL only appear in the > <ResourceAttributeDesignator> element. The type of the corresponding > attribute SHALL be > "urn:oasis:names:tc:xacml:2.0:data-type:xpath-expression". > urn:oasis:names:tc:xacml:2.0:resource:xpath I proposed that we drop the "xpath" Attribute, since there is no need for it with the Hierarchical Resource Profile. "resource-id" in that case will contain the xpath expression pointing to the requested node. Note that the reason for putting the xpath-expression pointing to the requested node into the "resource-id" Attribute is so that the Response <Result> ResourceId XML attribute can copy the resource-id Attribute and have it be an unambiguous reference to the node to which the <Result> corresponds. Anne -- Anne H. Anderson Email: Anne.Anderson@Sun.COM Sun Microsystems Laboratories 1 Network Drive,UBUR02-311 Tel: 781/442-0928 Burlington, MA 01803-0902 USA Fax: 781/442-1692
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]