Subject: Re: [xacml] Question about Obligations

On May 30, 2005, at 10:52 PM, Rich Salz wrote:

> I am unsure what the proper behavior is with regard to Obligations.
> The schema for AttributeAssignments seems to allow arbitrary content,
> lazily validated. Is it the intention that if an Obligation is
> required by a Policy, then the PDP should simply copy the content of
> the AttributeAssignment verbatim into the response context? Clearly
> it is not expected to understand the semantics of such an obligation.

That's correct. The PDP does not understand any semantic meaning in the contents of an Obligation. It's also correct that an AttributeAssignment can have arbitrary content. This is because an AttributeAssignment is an AttributeValue, which is allowed to have arbitrary, mixed content. That, however, is only part of the explanation...

> All of the examples in the spec show escaped XML (i.e., text
> content), but the Conformance Tests that I have include elements, and
> these would seem to be allowed by the schema; it seems odd, though,
> that one would go through the trouble of escaping the XML into text
> content if the XML elements themselves were permitted.

Because an AttributeAssignment is an AttributeValue, the contents need to be valid XML, but they also need to conform to the specified datatype. In the core XACML specification there are no datatypes that allow mixed content. So, in order to provide a valid assignment, the typical approach is to specify the datatype as a string and then escape the elements it contains. Since the PDP doesn't interpret the assignments, it's good enough just to use a string and copy the value. The PEP will see an AttributeAssignment and presumably do the right thing with the data.

Note that you could also introduce a new datatype, for instance "DOMNode", and then not worry about escaping the tags. There's nothing wrong with this approach, it just isn't supported in the core spec.

> So, in short the question is: is the intention that I capture the
> XML source for obligations and emit it verbatim into the resulting
> document?

Basically, yes. :)

seth
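
The copy-and-escape approach described in this reply, as an added Python example that is not from the thread or from any XACML implementation: the PDP side copies matching obligations without reading them, and the PEP side parses the string value a second time to recover the embedded element. The `urn:example:` identifiers, the function names and the sample policy fragment are constructed for illustration, and XML namespaces are omitted.

```python
import copy
import xml.etree.ElementTree as ET

XS_STRING = "http://www.w3.org/2001/XMLSchema#string"

# Constructed policy fragment (namespaces omitted). The first payload is XML
# escaped into the text content of a string-typed AttributeAssignment.
POLICY_OBLIGATIONS = """\
<Obligations>
  <Obligation ObligationId="urn:example:obligation:audit" FulfillOn="Permit">
    <AttributeAssignment AttributeId="urn:example:attr:audit-record"
        DataType="http://www.w3.org/2001/XMLSchema#string">&lt;audit level="full"&gt;&lt;sink&gt;syslog&lt;/sink&gt;&lt;/audit&gt;</AttributeAssignment>
  </Obligation>
  <Obligation ObligationId="urn:example:obligation:notify" FulfillOn="Deny">
    <AttributeAssignment AttributeId="urn:example:attr:mailto"
        DataType="http://www.w3.org/2001/XMLSchema#string">admin@example.com</AttributeAssignment>
  </Obligation>
</Obligations>
"""


def pdp_obligations(policy_xml, decision):
    """PDP side: keep obligations whose FulfillOn matches the decision and
    copy them unchanged; the assignment content is never interpreted."""
    out = ET.Element("Obligations")
    for ob in ET.fromstring(policy_xml).findall("Obligation"):
        if ob.get("FulfillOn") == decision:
            out.append(copy.deepcopy(ob))
    return out


def pep_read_assignment(obligations, obligation_id, attribute_id):
    """PEP side: the XML parser has already unescaped the string value, so
    parsing that string again yields the embedded element."""
    for ob in obligations.findall("Obligation"):
        if ob.get("ObligationId") != obligation_id:
            continue
        for aa in ob.findall("AttributeAssignment"):
            if aa.get("AttributeId") == attribute_id and aa.get("DataType") == XS_STRING:
                return ET.fromstring(aa.text)
    raise LookupError("no matching string-typed AttributeAssignment")
```

Serializing the PDP result with `ET.tostring` re-escapes the payload, so the response context carries the same text content the policy did.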