Subject: Re: [xacml] Question about Obligations



On May 30, 2005, at 10:52 PM, Rich Salz wrote:
> I am unsure what the proper behavior is with regard to Obligations.
> The schema for AttributeAssignments seems to allow arbitrary content,
> lazily validated.  Is it the intention that if an Obligation is
> required by a Policy, then the PDP should simply copy the content of
> the AttributeAssignment verbatim into the response context?  Clearly
> it is not expected to understand the semantics of such an obligation.

That's correct. The PDP does not understand any semantic meaning in
the contents of an Obligation. It's also correct that an
AttributeAssignment can have arbitrary content. This is because an
AttributeAssignment is an AttributeValue, which is allowed to have
arbitrary, mixed content. That, however, is only part of the
explanation...

> All of the examples in the spec show escaped XML (i.e., text
> content), but the Conformance Tests that I have include elements, and
> these would seem to be allowed by the schema; it seems odd, though,
> that one would go through the trouble of escaping the XML into text
> content if the XML elements themselves were permitted.

Because an AttributeAssignment is an AttributeValue, the contents
need to be valid XML, but they also need to conform to the specified
datatype. In the core XACML specification there are no datatypes that
allow mixed content. So, in order to provide a valid assignment, the
typical approach is to specify the datatype as a string and then
escape the elements it contains. Since the PDP doesn't interpret the
assignments, it's good enough just to use a string and copy the
value. The PEP will see an AttributeAssignment and presumably do the
right thing with the data.

Note that you could also introduce a new datatype, for instance
"DOMNode", and then not worry about escaping the tags. There's
nothing wrong with this approach, it just isn't supported in the core
spec.

> So, in short the question is:  is the intention that I capture the
> XML source for obligations and emit it verbatim into the resulting
> document?

Basically, yes. :)


seth
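
The PDP/PEP split described in this reply, as an added example that is not part of the thread or of any XACML implementation: the PDP copies a matching Obligation verbatim into the Result, and the PEP is the side that unescapes the string-typed AttributeAssignment back into an element. It assumes the XACML 2.0 policy and context namespaces; the policy fragment, ObligationId and AttributeId are constructed for the example.

```python
import copy
import xml.etree.ElementTree as ET

P = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"   # XACML 2.0 policy namespace (assumed)
C = "urn:oasis:names:tc:xacml:2.0:context:schema:os"  # XACML 2.0 context namespace (assumed)
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"

# Constructed policy fragment: the obligation carries an XML element escaped into string text,
# which is the approach the reply describes for core XACML datatypes.
POLICY_XML = f"""<Policy xmlns="{P}" PolicyId="urn:example:policy" RuleCombiningAlgId="urn:example:alg">
  <Obligations>
    <Obligation ObligationId="urn:example:obligation:log" FulfillOn="Permit">
      <AttributeAssignment AttributeId="urn:example:log-entry"
          DataType="{XS_STRING}">&lt;entry level="info"&gt;access granted&lt;/entry&gt;</AttributeAssignment>
    </Obligation>
  </Obligations>
</Policy>"""


def pdp_build_response(policy_xml: str, decision: str) -> ET.Element:
    """PDP side: emit a Result and copy every Obligation whose FulfillOn matches the decision verbatim."""
    policy = ET.fromstring(policy_xml)
    response = ET.Element(f"{{{C}}}Response")
    result = ET.SubElement(response, f"{{{C}}}Result")
    ET.SubElement(result, f"{{{C}}}Decision").text = decision
    matched = [o for o in policy.iter(f"{{{P}}}Obligation") if o.get("FulfillOn") == decision]
    if matched:
        obligations = ET.SubElement(result, f"{{{P}}}Obligations")
        for ob in matched:
            # deep copy, no interpretation: the PDP never looks inside the assignment
            obligations.append(copy.deepcopy(ob))
    return response


def pep_read_obligations(response: ET.Element) -> list:
    """PEP side: turn string-typed assignments back into elements; the PEP owns the semantics."""
    out = []
    for ob in response.iter(f"{{{P}}}Obligation"):
        for a in ob.findall(f"{{{P}}}AttributeAssignment"):
            if a.get("DataType") != XS_STRING:
                raise ValueError(f"unsupported datatype {a.get('DataType')!r} in {ob.get('ObligationId')}")
            # the parser already unescaped the text; parsing it as XML is the PEP's decision,
            # and the PEP should treat that text as untrusted input from the policy author
            out.append((ob.get("ObligationId"), a.get("AttributeId"), ET.fromstring(a.text)))
    return out
```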

